As we continue to make progress on the literature review, we are coming
across some interesting papers on cyber vulnerabilities of nuclear
facilities.
One particularly good piece by Brent Kesler, "The Vulnerability of Nuclear Facilities to Cyber Attack," which was first published in Strategic Insights in Spring 2011.
Summary: The paper examines the history of cyber security incidents at nuclear facilities to assess the significance of recorded vulnerabilities. It examines three cyber incidents that occurred at US nuclear facilities between 2003-2008 (Davis-Besse, Hatch, and Browns Ferry) as well as the 2010 Stuxnet attack.
The lessons from these four incidents suggest that situational awareness and other security measures are too weak in their current state to guarantee that a catastrophic attack will never happen. However, it also argues that launching catastrophic attack is not simple and requires a sophisticated adversary.
Lessons:
1. Skeptics claim that PCS are immune from attack since they are not connected to the internet. However, the David-Besse incident shows that this is a misconception: even operators who try to monitor and protect every connection cannot be sure they know about all of them. Stuxnet even travelled on portable thumb drives to infect computers that were not connected to the internet.
2. Skeptics argue that PCS are immune from attack since they are different from ordinary computers. However, all four incidents demonstrate that PCS have become interoperable with ordinary computers, making them vulnerable.
3. Vulnerabilities are more complicated than both skeptics and alarmists realize.
One particularly good piece by Brent Kesler, "The Vulnerability of Nuclear Facilities to Cyber Attack," which was first published in Strategic Insights in Spring 2011.
Summary: The paper examines the history of cyber security incidents at nuclear facilities to assess the significance of recorded vulnerabilities. It examines three cyber incidents that occurred at US nuclear facilities between 2003-2008 (Davis-Besse, Hatch, and Browns Ferry) as well as the 2010 Stuxnet attack.
The lessons from these four incidents suggest that situational awareness and other security measures are too weak in their current state to guarantee that a catastrophic attack will never happen. However, it also argues that launching catastrophic attack is not simple and requires a sophisticated adversary.
Lessons:
1. Skeptics claim that PCS are immune from attack since they are not connected to the internet. However, the David-Besse incident shows that this is a misconception: even operators who try to monitor and protect every connection cannot be sure they know about all of them. Stuxnet even travelled on portable thumb drives to infect computers that were not connected to the internet.
2. Skeptics argue that PCS are immune from attack since they are different from ordinary computers. However, all four incidents demonstrate that PCS have become interoperable with ordinary computers, making them vulnerable.
3. Vulnerabilities are more complicated than both skeptics and alarmists realize.
The full article here: http://fas.org/sgp/crs/homesec/RL34331.pdf
