I am an engineer, not a threat analyst. I can tell you what can happen to control systems from control system cyber vulnerabilities; I cannot tell you why someone would or would not want to exploit these vulnerabilities. As such, my concerns are from a safety perspective.
Kim Zetter wrote an article about Ruben Santamarta’s paper concerning the post-Russian invasion radiation spikes around Chernobyl called “The Mystery of Chernobyl’s Post-Invasion Radiation Spikes.” If you can't trust what you measure, there is no cybersecurity, resiliency, process safety, productivity or predictive maintenance in any critical infrastructure or cyber-physical system. Moreover, incorrect sensor readings can lead operators and analysts to take wrong actions or avoid the right actions. Process sensors, including the gamma sensors used in Ukraine, have no cybersecurity or authentication yet use remote access.
In response to the same concerns expressed in Kim’s article and Ruben’s paper, one of my first jobs at GE Nuclear Energy in the 1970s was reprogramming the nuclear plant simulator’s startup model (there was only one nuclear plant simulator at the time). The simulator was used for training nuclear plant operators and other nuclear plant personnel. However, the simulator had a problem. The physics hadn't correctly addressed the neutron flux sensors’ response when a control rod was pulled. What should have happened is when a control rod was pulled, the local power readings near the rod should significantly increase while the local indicated power from the sensors far away from the control rod that was pulled should have a smaller indicated increase in power.
However, in this case, no matter how close or far away the neutron flux sensor was to the control rod being pulled, it provided the same response. This wasn’t a cyberattack, but it demonstrated that process sensor values – in this case neutron flux values – can provide misleading results but not necessarily be recognized as wrong. There have been many other cases where inaccurate process sensors have led to incorrect automatic or manual actions, including one incident where an inaccurate process sensor caused by a manufacturing flaw contributed to a nuclear plant core melt.
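The simulator flaw described above is the kind of error a cross-sensor plausibility check can surface. The following is an added example, not code from the author or from any plant system: it assumes only what the text states (sensors nearer the disturbance should show a larger rise than those farther away), and the sensor names, distances, readings and thresholds are all constructed for illustration.

```python
# Constructed samples: (sensor id, distance from the pulled rod in arbitrary
# units, reading before, reading after). Illustrative values, not plant data.
EXPECTED = [("A", 1.0, 100.0, 160.0), ("B", 3.0, 100.0, 125.0),
            ("C", 6.0, 100.0, 108.0), ("D", 9.0, 100.0, 103.0)]
# Every sensor reports the same rise, as in the flawed simulator model.
UNIFORM = [(sid, dist, 100.0, 130.0) for sid, dist, _, _ in EXPECTED]
# A distant sensor reports a larger rise than the sensors closer to the rod.
FAR_SPIKE = EXPECTED[:3] + [("D", 9.0, 100.0, 180.0)]


def relative_rise(before, after):
    """Fractional change in indicated power between two readings."""
    if before <= 0:
        raise ValueError("baseline reading must be positive")
    return (after - before) / before


def check_spatial_response(samples, min_spread=0.05, tolerance=0.02):
    """Return a list of findings; an empty list means the response is plausible.

    min_spread: smallest near-to-far difference in rise treated as real
                distance dependence (hypothetical threshold).
    tolerance:  allowance for noise when comparing neighbouring sensors
                (hypothetical threshold).
    """
    ordered = sorted(samples, key=lambda s: s[1])  # nearest sensor first
    rises = [relative_rise(before, after) for _, _, before, after in ordered]
    findings = []

    # Case 1: the response does not vary with distance at all.
    if max(rises) - min(rises) < min_spread:
        findings.append("uniform response: rise does not depend on distance")

    # Case 2: a farther sensor reports a larger rise than a nearer one.
    for i in range(1, len(ordered)):
        if rises[i] > rises[i - 1] + tolerance:
            findings.append(
                f"sensor {ordered[i][0]} rises more than nearer sensor "
                f"{ordered[i - 1][0]}"
            )
    return findings


if __name__ == "__main__":
    for name, data in (("expected", EXPECTED), ("uniform", UNIFORM),
                       ("far spike", FAR_SPIKE)):
        print(name, "->", check_spatial_response(data) or "plausible")
```

A finding from a check like this says only that the readings disagree with the expected physics; it does not distinguish a modelling error, a failed sensor or a tampered value.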
Process sensor systems include the physical transducer, conversion electronics, laptops/servers, calibrators, etc. Compromising any of those elements can cause the apparent sensor reading to be wrong. Unfortunately, when it comes to OT cybersecurity, process sensor readings are too often assumed to be uncompromised, authenticated and correct. It should be evident this is not the case. Even worse, in industries like electric, water, oil/gas, pipelines, etc., the cybersecurity of process sensors is effectively ignored.
Process sensors are used globally to monitor environmental conditions around industrial facilities. This is not the first time process sensor readings have been intentionally or unintentionally compromised, nor is it the first time process sensor readings have been compromised in a nuclear application. These cases demonstrate that a hack of the gamma sensing system causing the observed radiation spikes around Chernobyl is a technologically credible scenario. They also reinforce the immediate need for the government and industry cybersecurity communities to address the cybersecurity gaps in control system field devices and associated cybersecurity policies and standards.