Q: Thanks for your answer concerning nuclear reactor hacking through the Internet. I would also like to learn if total cyber safety can be guaranteed by eliminating all connections to the Internet or any other network? Can they still be attacked? Also, what is your view of the safety (regular and cyber safety) of the Russian nuclear reactor designs? How do they compare to Western ones?
H. Crowney / [email protected]
A: First, let me say that in addition to wishing both our readers and my fellow experts a Happy New Year, I would also like to thank these control experts for helping me in answering your questions, and would particularly like to thank the two most active colleagues among them: Simon Lucchini, chief controls specialist at Fluor Corp. in Australia, and Alexandro Varga, control specialist in Mexico.
Today, war can be waged by pushing buttons on keyboards, and we can't even tell who's attacking us or where the attack is coming from. In the past, the bombs could not think for themselves, they just dropped, while today's malicious computer worms can think, learn and adapt. Descartes' definition, "I think, therefore I am," no longer applies only to humans.
Today Watergate-type break-ins can be accomplished without humans climbing through windows, and nuclear attacks can be accomplished without using missiles because the potential bombs (nuclear reactors) are already here. In my book, The Next Fukushima, I discussed how malicious computer worms can reach the PLC controls or SCADA interfaces of nuclear reactors, and trigger their meltdown by turning off their cooling.
Malicious computer worms have two levels of sophistication. The lower-level worms travel through the Internet (the type used by Putin to influence the outcome of our election). Protection against this type is relatively simple. The entry of such a worm into our control computers can be blocked by eliminating all direct or indirect connections to the Internet or other networks. This is easier said than done, and for that reason, not all nuclear reactor controls are isolated from the Internet. Other reasons why this is not done is because it denies plant management convenient access to the information in the computer, or because all components in the control network must also be isolated. Yet this isolation can and should be done.
Cyber attacks can also be carried out by more sophisticated software, which does not use the Internet at all. Therefore, we should no longer assume that if a computer is isolated from the Internet or Ethernet and has no Wi-Fi connections, it is safe. It is not! The more sophisticated, higher-level computer worms (Stuxnet, Flame, Duqu, Aagent.btz, etc.) are more malicious, as they need no “road" to travel on. They are called “air gap” worms because they travel through the air.
One such malicious computer worm (Stuxnet) was used by the U.S. government to stop Iran's nuclear program by destroying the controls of a large number of their ultracentrifuges. Stuxnet entered the targets via the computers' USB flash drives and infected their control PLCs. At that time, Iran did not have air gap worms, so it could not retaliate.
Air gap-type worms can enter not only through USB flash drives, but through any of the digital control components in the plant's network. Such components can be wireless sensors (where the worm enters by faking the sensor signals), through speakers and microphones, or iOS and Android devices, etc. Malware can be injected into any of the operators’ smart phones or tablet PCs (including iPhone, iPad and iPod Touch and Android counterparts), which will then "hit" the control computers.
We know that military and industrial cyber weapons and cyber safety systems are being developed by both military and industrial teams. We also know that the bad guys are just as smart as the good guys. Therefore, when it comes to nuclear reactors, no design can be considered to be completely safe (except the sun), unless the design is such that the reactor can't melt down because its cooling system can't be turned off. This means that the initiation of the cooling must not require any man-made energy source: cooling must be initiated by energies that can't be turned off by anything or anybody because they are always available. Such energy sources include thermal expansion and gravity (Figure 1).
Now, turning to the design of Russian nuclear reactors. Mechanically, they're built to withstand military attacks. They're usually approved for use in the European Union (EU).
[sidebar id =1]
The Russian Rosatom reactors are unprotected from cyber-terrorism, and don't have gravity cooling. Therefore, a simultaneous failure of both external and internal electricity supplies can cause a meltdown. At Fukushima, the earthquake that triggered the tsunami destroyed both the regular and the backup electricity supplies (both diesel and battery).
Also, the Rusatom control design allows manual override, so automatic safey controls can be turned off by the operators (who can be hostile or incompetent), and they don't have selective override control (SOC). Also, to my knowledge, the secondary containment of the Rusatom plants is not filled with nitrogen, and therefore they're unprotected from hydrogen explosions. In addition, the operating lifespan of their reactors are often exceeded because in authoritarian states, the decision to extend is often made by employees and/or politicians and is not automatic. In some cases, Rusatom also supplies the fuel and takes away the nuclear waste, eliminating competition and causing a risk of shutdown if these services are interrupted.
Béla Lipták / [email protected]
A: You might find my book of interest (Protecting Industrial Control Systems from Electronic Threats, ISBN: 978-1-60650-197-9), and also my blog site. I've been able to document more than 900 actual control system cyber incidents to date. You might also find my keynote to the National Academy of Science, Engineering, and Medicine on control system cybersecurity of interest.
Joe Weiss, P.E., Applied Control Solutions LLC / [email protected]
A: Disconnecting control systems from the Internet is often not feasible, and has been proven to not assure safety (the Iranian facility targeted by Stuxnet had an "air gap" that was easily breached, as they all are).
Disconnecting from the Internet also might not be possible for business reasons. A company may have multiple sites and information may need to be gathered from, and distributed to, all of them. Remote support would be another. Yes, the Iranian facility was not connected to the Internet (hence the term, "air gap"). Stuxnet entered via a thumb drive connected to a PC, and the PC was connected to the Siemens PLC, which over-sped the centrifuges causing physical damage without the operators realizing or understanding why. You can easily find out much more about Stuxnet online (e.g., 60 Minutes and TED Talk videos). You'll finds several books about industrial control system cybersecurity on Amazon. Read the reviews and pick the one that most interests you. ISA published one. You'll want to do that before attempting to read the ISA 62443 series of standards.
Many control systems have already been hacked, resulting in damage and power outages, so there's not much point in talking about "potential." Standards have been written to help people on this topic, and there are several books on them as well.
Paul Gruhn / [email protected]
This column is moderated by Béla Lipták, automation and safety consultant and editor of the Instrument and Automation Engineers’ Handbook (IAEH). If you have an automation-related question for this column, write to [email protected].