ICS cyber security and the IAEA Cyber Security Conference

June 5, 2015

I participated in the first International Atomic Energy Agency (IAEA) nuclear plant cyber security conference in Vienna, Austria June 1-5, 2015.  The first two and half days were primarily keynote sessions with very important people from various international organizations.  It was phenomenal to see the interest in cyber security, specifically for nuclear plants. The need for addressing cyber security was made abundantly clear – which was great. However, there is certainly a learning opportunity for many to understand the specific issues associated with the control systems in nuclear plants.

Some of my specific takeaways included:

- The lack of common definitions, particularly of a cyber incident. The INL presentation discussed the public disclosure of more than 250 cyber security incidents in the energy industry in 2014 and almost the same number in 2013. Given those numbers, I would have expected to have seen more physical impacts. INL’s definition of a cyber incident was their being called in to address an end-user’s request. Often, it was to help the end-user address probes against their networks, not impacts to the systems. My database has used the NIST definition of electronic communications between systems that affect C, I, or A. Consequently, my database is consequence-based.

- As mentioned, with some exceptions, the primary focus was on traditional network cyber security.

- There was a burning desire by many people to have real examples of control system cyber incidents besides Stuxnet. Many people were frustrated because their management wasn’t interested in hearing about Stuxnet again, limiting their ability to get management support for control systems.

- There was a hacking demonstration that compromised a water pumping system. I would have thought this type of demonstration, which was very well-received, would have moved the discussions more toward the control system issues. Hopefully, it will in the future.

- I was surprised (I shouldn’t have been) how many people attending the Conference were unaware of the ISA99 efforts on control system cyber security.

- Richard Danzig raised concerns about the use of digital safety systems without having an alternate back-up. Ed Marszal spoke about the petrochemical industry’s use of physical back-ups to digital systems to assure safety. I am in complete agreement with their concerns about the use of digital safety systems and have data to back up my concerns.

- I was very pleased that when I had the opportunity to explain the real control system issues, most people started to understand the real concerns about control system cyber security. The only problem is, it is one person at a time.

- My one personal disappointment is that there are still individuals more worried about the message than actually securing their systems. A US nuclear utility representative attending my session publicly complained about this presentation spreading Fear, Uncertainty, and Doubt (FUD), when I had arguably the only session dealing with actual control system incidents and real consequences. Suffice it to say, the rest of the session attendees were as stunned as I was.

It is my belief that, to adequately address cyber security of nuclear (and other) facilities, all of the affected communities need to work together – management, IT, Operations & Maintenance (control systems), forensics, threat analysts, vendors/consultants, and regulators – as each has a necessary role to play.

I wanted to personally thank IAEA for holding this important conference and would encourage them to conduct other such global forums in the future.

Joe Weiss