Saturday, 27 December 2014

Media Publication: Drone Flights over French Nuclear Plants

Chatham House publishes an article in Newsweek on the security vulnerabilities that the drone flights over French nuclear power plants have exposed.

Full article here:

Tuesday, 23 December 2014

Media Interview: Cyber Attack on South Korean Nuclear Plant

Dr Patricia Lewis, Research Director of the International Security Department at Chatham House, speaks to The Guardian about the recent cyber attack on a South Korean nuclear power plant:

Patricia Lewis, research director in international security at Chatham House, said concern was reasonable, even though people were thinking about security

“The key thing with all of this stuff is never think you’re invulnerable,” she said. “Always be aware of your vulnerability and put things in place so you can be prepared for an attack. Always be aware that something unusual that happens could be the result of a cyber-attack.” 

Full article here:

Friday, 28 November 2014

Conference Presentation: NATO Advanced Research Workshop - Protection of Critical Energy Infrastructure

Chatham House gave a talk on the project findings thus far at the NATO Advanced Research Workshop: The Protection of Critical Energy Infrastructure Against Emerging Security Challenges in Tbilisi, Georgia on 25-28 November 2014. The meeting was organized by the Atlantic Treaty Association and the Atlantic Council of Georgia.

Slides from the presentation here:

Saturday, 8 November 2014

Media Interview: Drone Flights over French Nuclear Plants

Chatham House Associate Fellow David Livingstone speaks to the Financial Times about the recent spate of drone flights over French nuclear power plants: 

“The concern is that someone is considering an attack, looking to penetrate the perimeter using genuine weaponry, or planning a protest,” said David Livingstone, associate fellow for international security at the think-tank Chatham House. “Unless you know where the data are going back to, or who is controlling the drone, you don’t know if it’s just people messing around, an environmental group, terrorists, or even a nation state.”

He said the mystery also raises questions – at a time when Western governments are increasingly using drones to catch criminals at home and attack enemies abroad – about the preparedness of states for the use of the technology against themselves. 

Full article here:

Friday, 31 October 2014

Conference Presentation: NATO Advanced Research Workshop - Cyber Defense for Critical Infrastructure

Chatham House gave a talk on the project findings thus far at the NATO Advanced Research Workshop: Strengthening Cyber Defense for Critical Infrastructure in Kiev, Ukraine on 30-31 October 2014.  The meeting was organized by the Polish Institute of International Affairs (PISM) in partnership with the Institute for Euro-Atlantic Cooperation.

We spoke on the panel entitled, "How is the Threat Environment Evolving" which looked at:

Most of the companies operating Critical Infrastructure (CI) have already experienced cyber-attacks and it is only a matter of time before a large scale attack happens. The majority of the attempts will come from non-state players. Although they do not possess the skills and extensive funding to create sophisticated weapons, they can challenge the stability of networks by performing a significant number of different types of attacks and intrusions. Even low end hackers without sophisticated skills can use a black market of cyber crime services and goods such as “zero day vulnerabilities” (previously undisclosed security holes in software), which can be used for infiltration of CI systems.

Additionally, non-state players create well organised and structured criminal gangs, possibly comprising thousands of individuals around the world, who are more effective due to the synergy effect.

States are able to develop sophisticated cyber-weapons but they will use them sparingly so as not to disclose their capabilities. The risk that advanced cyber-warfare capabilities will be developed or acquired by unsophisticated hackers or terrorists should be regarded as low, but cannot be disregarded.

Power grids are cheap to attack, and it should be expected that they will remain a primary warfare target. Attacks against energy infrastructure already make up 60% of all the attacks against CI. It is also the sector that, should it be affected, will most likely trigger a cascade of negative effects to other sectors.

For more details:

Conference Presentation: Cyber Security in the Energy Sector

Roger Brunt CBE, member of the project Steering Committee and former director of the Office for Civil Nuclear Security, speaks on "Cyber and Nuclear Security" at an event on Cyber Security in the Energy Sector organized by the Energy Studies Institute, National University of Singapore.

Full conference programme here:

Tuesday, 23 September 2014

Second Roundtable on Cyber and Nuclear Security

At our Second Roundtable on Cyber and Nuclear Security today, Dr Masahiro Kikuchi, former Executive Director, Nuclear Material Control Center (NMCC) presented a Japanese perspective on the cyber security challenges in the nuclear sector.

A link to his presentation here:

Thursday, 30 January 2014

Steering Committee for the Project

We are delighted that the following experts have agreed to join the Steering Committee for the project:

1. Irma Arguello (Argentina) - Associate Fellow, Chatham House
2. Guido Gluschke (Germany) - Co-Director of the Institute for Security and Safety (ISS), Brandenburg University of Applied Sciences
3. General Adrian Freer (United Kingdom) - Deputy Chief Inspector, Security, Office for Nuclear Regulation
4. Roger Brunt CBE (United Kingdom) - Visiting Senior Research Fellow, King’s College London
5. Dr Anita Nilsson (Sweden) - Associate Fellow, Chatham House; former Director, IAEA Office of Nuclear Security
6. David Livingstone (United Kingdom) - Associate Fellow, Chatham House
7. Tom Parkhouse (United Kingdom) - Head of Strategy, Policy and Plans for Civil Nuclear Security, Office for Nuclear Regulation
8. Mark Raeburn (United Kingdom) - CEO, Context Information Security
9. Dr Tatsujiro Suzuki (Japan) - Director of the Research Center for Nuclear Weapons Abolition, Nagasaki University; former Vice Chairman, Japan Atomic Energy Commission
10. Peter Young (United Kingdom) - CEO, VEGA Space

The full bios for all of the Steering Committee members are available here:

Thursday, 16 January 2014

Literature Review: Nuclear Power Plant Security and Vulnerabilities

Another good article, "Nuclear Power Plant Security and Vulnerabilities", published by Mark Holt and Anthony Andrews at the Congressional Research Center, 3 January 2014:

  • Following the 9/11 attacks, Congress enacted new nuclear plant security requirements and has repeatedly focused attention on regulation and enforcement by the Nuclear Regulatory Commission (NRC).
  • The Energy Policy Act of 2005 (EPACT05) imposed specific criteria for NRC to consider in revising the “Design Basis Threat” (DBT), which specifies the maximum severity of potential attacks that a nuclear plant’s security force must be capable of repelling. In response, the NRC revised the DBT on April 18, 2007. The revisions expanded the assumed capabilities of adversaries to operate as one or more teams and attack from multiple entry points.
  • EPACT05 required NRC to conduct “force-on-force” security exercises at nuclear power plants at least once every three years. In these exercises, a mock adversary force from outside a nuclear plant attempts to penetrate the plant’s vital area and simulate damage to a “target set” of key safety components.
  • In March 2009, NRC published a series of security regulations that require power plants to prepare cyber-security plans, develop strategies for dealing with the effects of aircraft crashes, strengthen access controls, improve training for security personnel, and implement other new security measures.
  • In 2012, NRC conducted 23 “force-on-force” (FOF) inspections at 22 commercial nuclear plants and one fuel cycle facility. Eleven of those inspections found performance deficiencies: 19 with low significance (green findings), one with a “greater than green” finding, and three severity level IV (least serious) violations. One exercise resulted in the simulated destruction of or damage to a complete “target set” of vital plant components that were under mock attack.
  • Nuclear power plant vulnerability to deliberate aircraft crashes has been a continuing issue. After much consideration, NRC published final rules on June 12, 2009, to require all new nuclear power plants to incorporate design features that would ensure that, in the event of a crash by a large commercial aircraft, the reactor core would remain cool or the reactor containment would remain intact.
  • Cybersecurity – existing U.S. nuclear power reactors, designed in the 1960s and 1970s, are controlled primarily by analog systems that are resistant to cyber attack. However, new reactors are being designed with digital controls, and existing analog plants increasingly rely on digital computers to run auxiliary monitoring systems. This increasing use of digital systems in nuclear power plants, along with post-9/11 security concerns and at least one ‘worm’ infection at a US reactor, has prompted increased NRC attention to cybersecurity.
  • A year after the 9/11 attacks, NRC issued an order that included cyber attacks among the threats that nuclear plants would be required to defend against. NRC issued formal cybersecurity regulations in March 2009: “Protection of Digital Computer and Communications Systems and Networks.” NRC’s cybersecurity regulations require each nuclear power plant to submit a cybersecurity plan and implementation schedule. The plan must provide “high assurance” that digital computer and communications systems that perform the following functions will provide adequate protection against design basis attacks.
  • NRC began inspecting the implementation of nuclear plant cybersecurity plans in January 2013. The inspections are part of the NRC’s Cyber Security Oversight Program, which is being incorporated into the existing Reactor Oversight Program.
  • Nuclear power plants are also required by the Federal Energy Regulatory Commission (FERC) to comply with cybersecurity standards issued by the North American Electric Reliability Corporation (NERC). However, nuclear plant computer systems that are covered by NRC security regulations are exempt from NERC standards.

Friday, 10 January 2014

Literature Review: Nuclear Plant Control System Cyber Vulnerabilities and Recommendations Towards Securing Them

An excellent White Paper by Juniper Networks, “Nuclear Plant Control System Cyber Vulnerabilities and Recommendations Towards Securing Them”, published in 2009:

The paper provides an overview of some system-specific policies that might reduce vulnerabilities in nuclear facilities.

Summary of key points:
  • Malicious code (malware): Malware includes the broad range of software designed to infiltrate or damage computer systems without user knowledge or consent. The most well-known forms of malware include:
      1. Viruses (manipulate users to bypass proper authentication and access control mechanisms)
      2. Worms (self-replicating programs)
      3. Trojans (a kind of virus in which the malicious code is hidden behind a functionality desired by the end user)
  • Denial of service attacks
  • Rogue devices: In wireless networks, an unauthorized access point might be inserted into the control system. This can be done in a non-malicious manner, which inadvertently provides an unknown access point.
  • Reconnaissance attacks: Enable the first stage of the attack life cycle by probing. This serves to focus the attack and improves the odds of success in the attacker’s favour.
  • Eavesdropping attacks: The goal of an eavesdropper is to violate the confidentiality of communications by ‘sniffing’ packets of data on the control network or by intercepting wireless transmissions. Advanced eavesdropping attacks, also known as ‘Man in the Middle’ or path-insertion attacks, are typically leveraged by a hacker as a follow-up to a network probe or protocol violation attack.
  • Collateral damage
  • Unauthorized access attacks
  • Unauthorized use of assets, resources, or information

Threats to the control system network: Control system vendors still are not designing technologies for security. In fact, many are instead including vulnerable applications and technologies such as Microsoft IIS, Bluetooth wireless communications, and wireless modems in their latest offerings.

Seven-step plan for plant control system cyber security: To address the security needs of nuclear power plant control networks, it is essential to begin with a layered defence-in-depth approach that enables administrators to monitor the network at every level.

1. Identifying critical assets: Policy creation begins with identifying assets that need protection and the requisite level of protection. On a control system network these are real-time servers, field devices, and peripherals such as printers and network routers and switches. The primary vector of most concern is the compromise of communication that can alter the operation of field devices. In order to gain a foothold behind a firewall, attackers typically target non-essential appliances that are most vulnerable. Hence, any network-enabled device on the control network must be considered critical for security.

2. Profiling the network: Since a majority of devices are vulnerable to disruption from active scans using tools such as Nessus, passive scanning and identification is currently the only viable option to discover and identify all devices detected on the network.

3. Creating and managing policies across the network.

4. Creating a strong defence perimeter: Given the need to access control networks from the corporate network or, in some cases, from the internet, it is essential to create a strong defence perimeter. A perimeter firewall must create at least three security zones: a secure zone for the control system network elements, a demilitarized zone (DMZ), and an insecure zone.

5. Ensuring identity management and rogue device mitigation: The most likely vector for an intrusion in a control system network is unintentional inappropriate use. An employee or contractor might plug in a laptop to perform routine tasks without realizing that it has picked up a worm or spyware. (This has already occurred in nuclear plants.) The worm can then start scanning the control system network and cause outages in devices such as PLCs due to unexpected traffic. This scenario is even more likely with the proliferation of wireless access points. Control over access points through authentication of every user and health-checking of every device is essential to ensure security within the perimeter. A network access control (NAC) solution should combine user identity, device security state, and location information for session-specific access control by user, enforced throughout the network.

6. Setting up secure remote access.

7. Monitoring and reporting.
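
An added illustration of steps 1, 2 and 5 (not code from the Juniper paper or from this project): an inventory built only from passively observed traffic is compared with an asset register to flag unregistered devices, hosts that fan out to many addresses the way a scanning worm does, and registered assets that were never seen. The MAC and IP addresses, the flow-record format and the threshold of 20 destinations are constructed assumptions.

```python
from collections import defaultdict

# Constructed asset register (MAC -> role). Locally administered MACs, made up for this example.
KNOWN_ASSETS = {
    "02:00:00:00:00:01": "real-time server",
    "02:00:00:00:00:02": "field device controller",
    "02:00:00:00:00:03": "printer",
    "02:00:00:00:00:04": "network switch",
}

# Constructed flow records (src_mac, src_ip, dst_ip, dst_port), as a tap or mirror
# port would yield them; nothing here sends a packet to a control device.
OBSERVED_FLOWS = [
    ("02:00:00:00:00:01", "192.0.2.110", "192.0.2.120", 502),
    ("02:00:00:00:00:02", "192.0.2.120", "192.0.2.110", 502),
    ("02:00:00:00:00:03", "192.0.2.130", "192.0.2.110", 515),
] + [("02:00:00:00:00:99", "192.0.2.199", f"192.0.2.{h}", 445) for h in range(1, 41)]

SCAN_THRESHOLD = 20  # assumption: distinct destinations before a host counts as scanning


def profile(flows):
    """Passive inventory: source MAC -> IPs it used and (dst_ip, dst_port) peers."""
    inventory = defaultdict(lambda: {"ips": set(), "peers": set()})
    for src_mac, src_ip, dst_ip, dst_port in flows:
        inventory[src_mac]["ips"].add(src_ip)
        inventory[src_mac]["peers"].add((dst_ip, dst_port))
    return dict(inventory)


def findings(inventory, known=KNOWN_ASSETS, threshold=SCAN_THRESHOLD):
    """Compare what was seen on the wire with the asset register."""
    fan_out = {mac: len({ip for ip, _ in seen["peers"]}) for mac, seen in inventory.items()}
    return {
        "rogue": sorted(mac for mac in inventory if mac not in known),
        "scanning": sorted(mac for mac, n in fan_out.items() if n >= threshold),
        "silent": sorted(mac for mac in known if mac not in inventory),
    }


if __name__ == "__main__":
    inv = profile(OBSERVED_FLOWS)
    for kind, macs in findings(inv).items():
        for mac in macs:
            ips = sorted(inv[mac]["ips"]) if mac in inv else []
            print(f"{kind:8} {mac} {KNOWN_ASSETS.get(mac, 'unregistered')} {ips}")
```

A registered asset that appears under "scanning" is as significant as an unregistered one, since step 5 describes a legitimate laptop carrying the worm in.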

The full article here: