Project on Cyber and Nuclear Security<br>The Chatham House Project on Cyber and Nuclear Security aims to assess the risks and vulnerabilities of the international civil nuclear sector with regard to cyber security and to identify potential policies and international measures to enhance cyber security in the wider nuclear security field.<br><br>
The project is funded by the MacArthur Foundation International Peace and Security Program.<br /><br />
What can we learn from the South Korea cyber nuclear hack? (published 2015-03-17)<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">Last
December, South Korea’s state-run nuclear plant operator, Korea Hydro and
Nuclear Power (KHNP), reported that it was the victim of a cyber attack. <span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div>
<span style="font-family: Calibri;"></span><br />
<span style="font-family: Calibri;">On December
15, a Twitter account purportedly representing an anti-nuclear group in Hawaii
claimed responsibility for the hack. Leaking information stolen from KHNP
nuclear plants over the following days – including the details of KHNP
employees, blueprints of at least two nuclear reactors, electricity flow charts
and estimates of radiation exposure among local residents</span><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftn1" name="_ftnref1" style="mso-footnote-id: ftn1;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[1]</span></span></span></span></a><span style="font-family: Calibri;">
– the perpetrators issued an ultimatum. <o:p></o:p></span><br />
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">Threatening further
debilitating cyber attacks<b style="mso-bidi-font-weight: normal;">,</b> the
hackers demanded that South Korea close down three of its older nuclear power plants.
The group warned South Koreans living near the plants to avoid the areas over
the coming months.<o:p></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">South Korean
President Park Geun Hye acknowledged that it was a ‘grave situation’, stating
that nuclear power plant operations ‘directly impact the safety of the
people.’ KHNP heightened security at their plants, and implemented a two-day
cyber security drill for staff. <o:p></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">KHNP and
government spokespeople reiterated throughout this period that the cyber attacks
had only affected ‘non-core’ technologies, that the stolen information was not
more detailed than information that was already available online, and that
operations at the plants were not in any danger.<o:p></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">Indeed, the
deadline set by the hackers passed without incident.<o:p></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">Last
Thursday, following President Park’s visit to the Middle East regarding
exporting nuclear power plants,</span><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftn2" name="_ftnref2" style="mso-footnote-id: ftn2;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[2]</span></span></span></span></a><span style="font-family: Calibri;">
the hackers released additional documents via the same Twitter account. A
system plan and test data from the Kori nuclear power plant in Busan were posted online and
the perpetrator threatened to sell more material, claiming this action would undermine
Park’s plan to export nuclear power. <o:p></o:p></span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">An
unidentified KHNP official, speaking to Reuters on Thursday, said: ‘We don’t
know how they were leaked but one thing for sure is that there has been no
attack from anti-nuclear groups since December.’</span><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftn3" name="_ftnref3" style="mso-footnote-id: ftn3;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[3]</span></span></span></span></a><o:p></o:p></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">How worried
should we really be about this series of cyber attacks and the threats made to
South Korea’s nuclear power industry? <o:p></o:p></span></div>
<o:p><span style="font-family: Calibri;"></span></o:p><br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">A KHNP
representative, speaking shortly after the initial hack, stated: ‘it is 100%
impossible that a hacker can stop nuclear power plants by attacking them
because the control monitoring system is totally independent and closed.’ The
KHNP claims that in April 2013 the internal networks at its nuclear plants were
air-gapped, physically isolated from the Internet. <o:p></o:p></span></div>
<o:p><span style="font-family: Calibri;"></span></o:p><br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">However, in
late December it was reported that a worm had been removed from devices
connected to some nuclear plant control systems. South Korea’s Energy Minister,
Yoon Sang-jick, said that plant workers using unauthorised USB devices probably
inadvertently introduced the worm.</span><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftn4" name="_ftnref4" style="mso-footnote-id: ftn4;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[4]</span></span></span></span></a><span style="font-family: Calibri;">
Although in this instance the malware was low-risk, there are clear comparisons
to be made to Stuxnet - a 2010 cyber attack on critical infrastructure that resulted in physical damage to Iran's nuclear centrifuges. The control system at Iran's uranium enrichment plant was air-gapped, and the offending worm was introduced via infected USB devices. </span><br />
</div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">Yoon,
reporting to Parliament, maintained that this worm was not linked to the previous
cyberattacks, and reiterated that the closed network used for reactor
operations meant that control systems were impervious to cyberattacks.</span><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftn5" name="_ftnref5" style="mso-footnote-id: ftn5;" title="">[5]</a></span></span></span></span><span style="font-family: Calibri;">
<o:p></o:p></span><br />
<br /></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">Contrary to
statements like this, separating a network from the Internet does not mean that
it is safe from attack. Although Yoon denied that the malware introduced to the plant via unapproved USB devices was related to the hacking and subsequent leak of plant information, finding a worm on devices connected to nuclear plant control systems highlights the shortcomings of air-gapping. </span><br />
<br />
<span style="font-family: Calibri;">Air-gapping may indeed lead to complacency on
cybersecurity if it is thought to offer complete invulnerability.</span><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftn6" name="_ftnref6" style="mso-footnote-id: ftn6;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[6]</span></span></span></span></a><span style="font-family: Calibri;">
The cyber attacks on the South Korean nuclear power plants thus highlight the
need for a multidimensional and dynamic system of cyber defence.</span></div>
<br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">This is
easier said than done. Maintaining a strong cyber defence is more expensive and more difficult than orchestrating cyber attacks – most critical infrastructure operators don’t know what
vulnerabilities their networks have, where these lie, nor how to fix them.</span><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftn7" name="_ftnref7" style="mso-footnote-id: ftn7;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[7]</span></span></span></span></a><span style="font-family: Calibri;">
For offence to succeed, attackers only need to find and exploit one
vulnerability. Conversely, successful cyber defence entails identifying and
defending all vulnerabilities. Vulnerability to USB devices is just one weakness of air-gapping, and as research continues into the capabilities of cyber attacks, new vulnerabilities have become apparent.</span><span style="font-family: Calibri;">[8]</span><br />
<br /></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Calibri;">Even though
this recent hacking of South Korean nuclear power plants has not resulted in
physical damage to the plants, it is a reminder of the cyber threats that
critical infrastructures will increasingly face, and the risks associated with
relying solely on air-gaps to protect control networks.</span><span style="font-family: Calibri;">
</span><span style="font-family: Calibri;">Contrary to the perception of the KHNP, it is not '100% impossible' for a cyber attack to target air-gapped machines, and the events in South Korea should serve as a strong reminder of the dangers of this logical fallacy.</span></div>
<br />
<br />
<hr align="left" size="1" width="33%" />
<br />
<div style="mso-element: footnote-list;">
<div id="ftn1" style="mso-element: footnote;">
<div class="MsoFootnoteText" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftnref1" name="_ftn1" style="mso-footnote-id: ftn1;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[1]</span></span></span></span></a>
http://www.theguardian.com/world/2014/dec/22/south-korea-nuclear-power-cyber-attack-hack<o:p></o:p></span></div>
</div>
<div id="ftn2" style="mso-element: footnote;">
<div class="MsoFootnoteText" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftnref2" name="_ftn2" style="mso-footnote-id: ftn2;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[2]</span></span></span></span></a>
http://www.reuters.com/article/2015/03/04/saudi-south-korea-nuclear-idUSL5N0W61GM20150304<span lang="EN-US" style="mso-ansi-language: EN-US;"><o:p></o:p></span></span></div>
</div>
<div id="ftn3" style="mso-element: footnote;">
<div class="MsoFootnoteText" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftnref3" name="_ftn3" style="mso-footnote-id: ftn3;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[3]</span></span></span></span></a>
http://uk.reuters.com/article/2015/03/12/uk-southkorea-cybersecurity-nuclear-idUKKBN0M815B20150312<span lang="EN-US" style="mso-ansi-language: EN-US;"><o:p></o:p></span></span></div>
</div>
<div id="ftn4" style="mso-element: footnote;">
<div class="MsoFootnoteText" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftnref4" name="_ftn4" style="mso-footnote-id: ftn4;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[4]</span></span></span></span></a>
http://www.reuters.com/article/2014/12/30/nuclear-southkorea-cybersecurity-idUSL3N0UE1A320141230<span lang="EN-US" style="mso-ansi-language: EN-US;"><o:p></o:p></span></span></div>
</div>
<div id="ftn5" style="mso-element: footnote;">
<div class="MsoFootnoteText" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftnref5" name="_ftn5" style="mso-footnote-id: ftn5;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[5]</span></span></span></span></a>
http://uk.reuters.com/article/2014/12/30/nuclear-southkorea-cybersecurity-idUKL3N0UE1A320141230<span lang="EN-US" style="mso-ansi-language: EN-US;"><o:p></o:p></span></span></div>
</div>
<div id="ftn6" style="mso-element: footnote;">
<div class="MsoFootnoteText" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftnref6" name="_ftn6" style="mso-footnote-id: ftn6;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[6]</span></span></span></span></a>
http://www.itbusinessedge.com/slideshows/five-hard-truths-about-critical-infrastructure-protection.html<span lang="EN-US" style="mso-ansi-language: EN-US;"><o:p></o:p></span></span></div>
</div>
<div id="ftn7" style="mso-element: footnote;">
<div class="MsoFootnoteText" style="margin: 0cm 0cm 0pt;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><a href="https://www.blogger.com/editor/static_files/blank_quirks.html#_ftnref7" name="_ftn7" style="mso-footnote-id: ftn7;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><span class="MsoFootnoteReference"><span style="font-family: "Calibri","sans-serif"; line-height: 115%; mso-ansi-language: EN-GB; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">[7]</span></span></span></span></a>
http://www.itbusinessedge.com/slideshows/five-hard-truths-about-critical-infrastructure-protection.html<span lang="EN-US" style="mso-ansi-language: EN-US;"><o:p></o:p></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">[8] http://www.itworld.com/article/2859246/how-to-bridge-and-secure-air-gap-networks.html</span><br />
</div>
</div>
</div>
<br />
<br />
Media Publication: How Drones Can Improve Security and Safety at Nuclear Plants (published 2015-01-22)<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Chatham House publishes an article on how drones can be used to improve security and safety at nuclear power plants.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSMuhYOeaNqcfD4be7QAtEGpQZsXl0nl8YlJ7juNDeKVycOZnhXqDn04EIvDn38tvwmje-sQcK0g7hNsIXKtnQr0nQ4AaYRZeTmLkWpN1a9YzR_rP5ZHBpVgkRxblzTtHyKzln804RccSD/s1600/expert+comment.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSMuhYOeaNqcfD4be7QAtEGpQZsXl0nl8YlJ7juNDeKVycOZnhXqDn04EIvDn38tvwmje-sQcK0g7hNsIXKtnQr0nQ4AaYRZeTmLkWpN1a9YzR_rP5ZHBpVgkRxblzTtHyKzln804RccSD/s1600/expert+comment.jpg" height="184" width="320" /></a></span></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Full article here:</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://www.chathamhouse.org/expert/comment/16722">http://www.chathamhouse.org/expert/comment/16722</a></span><br />
<br />
Media Interview: Defending the Power Grid against Cyber Attack (published 2015-01-10)<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Chatham House Associate Fellow David Livingstone speaks to Bloomberg on defending the U.K. power grid against cyber attacks:</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><i><br /></i></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><i>The most successful types of hacks -- which are probably
those that infiltrated the U.S. grid -- get into the core of the
system while remaining undetected, said David Livingstone,
Chatham House international security fellow. </i></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><i>
</i></span><span style="font-family: Arial,Helvetica,sans-serif;"><i>Criminals are recruited on the dark web and disappear after
the hack is complete, he said. They could be anyone from eco-terrorists trying to shut down a nuclear power station to
nation-states storing information for future use. </i></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAUh7GdojC_A4OB6m6y4ocyW-h5W_QdH-9wQeadcFrBWoW9ZNZq9XCyHsei8Avggjz3BEITJIOUuw2SaE6EKwKFPRPhJ6nyknNK4K4IxKh6-c2htjxLZrMcsNGDYq2DBdCr2CEnmcJe1Wh/s1600/power+grid.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAUh7GdojC_A4OB6m6y4ocyW-h5W_QdH-9wQeadcFrBWoW9ZNZq9XCyHsei8Avggjz3BEITJIOUuw2SaE6EKwKFPRPhJ6nyknNK4K4IxKh6-c2htjxLZrMcsNGDYq2DBdCr2CEnmcJe1Wh/s1600/power+grid.jpg" height="213" width="320" /></a></div>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Full article here:</span><i><span style="font-family: Arial,Helvetica,sans-serif;"> </span></i><span style="font-family: Arial,Helvetica,sans-serif;"> </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://www.bloomberg.com/news/articles/2015-01-09/power-grid-under-cyber-attack-every-minute-sees-u-k-up-defenses">http://www.bloomberg.com/news/articles/2015-01-09/power-grid-under-cyber-attack-every-minute-sees-u-k-up-defenses</a></span><br />
<br />
Media Publication: Drone Flights over French Nuclear Plants (published 2014-12-27)<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Chatham House publishes an article in Newsweek on the security vulnerabilities that the drone flights over French nuclear power plants have exposed.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7nPIDwS9qXnCSmEy6M9cTMFQvAkZHCp5oEMHnNkaiKcMTmcYssWJzUPm53M6HZytWu3Pg97GkGmdFlvNLJJ_oYynJgxYQCY_XAtpAx0xPgp3bezAPjToh-b5mlQmpIQ_YItgCFUVjgK7l/s1600/france-nuclear-drones.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7nPIDwS9qXnCSmEy6M9cTMFQvAkZHCp5oEMHnNkaiKcMTmcYssWJzUPm53M6HZytWu3Pg97GkGmdFlvNLJJ_oYynJgxYQCY_XAtpAx0xPgp3bezAPjToh-b5mlQmpIQ_YItgCFUVjgK7l/s1600/france-nuclear-drones.jpg" height="186" width="320" /><span style="font-family: Arial,Helvetica,sans-serif;"></span></a><span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://www.newsweek.com/drones-threat-nuclear-plants-294458"> </a></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br />Full article here:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="http://www.newsweek.com/drones-threat-nuclear-plants-294458">http://www.newsweek.com/drones-threat-nuclear-plants-294458</a></span></div>
<br />
Media Interview: Cyber Attack on South Korean Nuclear Plant (published 2014-12-23)<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">Dr Patricia Lewis, Research Director of the International Security Department at Chatham House, speaks to The Guardian about the recent cyber attack on a South Korean nuclear power plant:</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><i>Patricia Lewis, research director in international security at Chatham House, said concern was reasonable, even though people were thinking about security</i></span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><i>
</i><i>“The key thing with all of this stuff is never think you’re
invulnerable,” she said. “Always be aware of your vulnerability and put
things in place so you can be prepared for an attack. Always be aware
that something unusual that happens could be the result of a
cyber-attack.” </i></span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKO7Qv8nJKUwqyV0Ac6ZZvOllfjFcxQugS2IK0jKfI6Eby3Xjojy_KWNuYXArTj1-ELot0rveBO-7HM6jR1qv2wvCIxeR3SQEiZP7Dnnks6TnP4hY-V15xVnD-HaEaEhs_C4V-2NTba9fA/s1600/patricia+article.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKO7Qv8nJKUwqyV0Ac6ZZvOllfjFcxQugS2IK0jKfI6Eby3Xjojy_KWNuYXArTj1-ELot0rveBO-7HM6jR1qv2wvCIxeR3SQEiZP7Dnnks6TnP4hY-V15xVnD-HaEaEhs_C4V-2NTba9fA/s1600/patricia+article.jpg" height="192" width="320" /></a></div>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">Full article here:</span></span><br />
<a href="http://www.theguardian.com/environment/2014/dec/22/uk-nuclear-power-generator-monitors-situation-hacking-south-korean-operator"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><br /></span></span></a>
<a href="http://www.theguardian.com/environment/2014/dec/22/uk-nuclear-power-generator-monitors-situation-hacking-south-korean-operator"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">http://www.theguardian.com/environment/2014/dec/22/uk-nuclear-power-generator-monitors-situation-hacking-south-korean-operator </span></span></a><br />
<br />
Conference Presentation: NATO Advanced Research Workshop - Protection of Critical Energy Infrastructure (published 2014-11-28)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsrpnDquBbYDr0jOpN3xE7xf3fucjmMdViWx_iaTwoMBAr0hs0CoChVnn9mV5QcCMYdog57WeDhgcjDJtRK0sXgrh2qPLtDrxREDKB1LMI1YM8ItBZQr4PVKr_5npfdusu6BKK-O1GqUQ/s1600/NATO+ARW+Georgia.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsrpnDquBbYDr0jOpN3xE7xf3fucjmMdViWx_iaTwoMBAr0hs0CoChVnn9mV5QcCMYdog57WeDhgcjDJtRK0sXgrh2qPLtDrxREDKB1LMI1YM8ItBZQr4PVKr_5npfdusu6BKK-O1GqUQ/s1600/NATO+ARW+Georgia.jpg" /></a></div>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Chatham House
gave a talk on the project findings thus far at the NATO Advanced
Research Workshop: The Protection of Critical Energy Infrastructure
Against Emerging Security Challenges in Tbilisi, Georgia on 25-28
November 2014. The meeting was organized by the Atlantic Treaty Association and the Atlantic Council of Georgia.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<div>
<span style="font-family: Arial,Helvetica,sans-serif;">Slides from the presentation here:</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<embed flashvars="host=picasaweb.google.com&noautoplay=1&hl=en_US&feat=flashalbum&RGB=0x000000&feed=https%3A%2F%2Fpicasaweb.google.com%2Fdata%2Ffeed%2Fapi%2Fuser%2F107910919325723652385%2Falbumid%2F6112833945802468497%3Falt%3Drss%26kind%3Dphoto%26hl%3Den_US" height="267" pluginspage="http://www.macromedia.com/go/getflashplayer" src="https://photos.gstatic.com/media/slideshow.swf" type="application/x-shockwave-flash" width="400"></embed><br />
Posted by International Security Department<br />
<br />
Media Interview: Drone Flights over French Nuclear Plants (posted 2014-11-08)<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Chatham House Associate Fellow David Livingstone speaks to the Financial Times about the recent spate of drone flights over French nuclear power plants:</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><i>“The
concern is that someone is considering an attack, looking to penetrate
the perimeter using genuine weaponry, or planning a protest,” said David
Livingstone, associate fellow for international security at the
think-tank Chatham House. “Unless you know where the data are going back
to, or who is controlling the drone, you don’t know if it’s just people
messing around, an environmental group, terrorists, or even a nation
state.”</i></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><i>He said the mystery also raises questions – at a
time when Western governments are increasingly using drones to catch
criminals at home and attack enemies abroad – about the preparedness of
states for the use of the technology against themselves.</i> </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjS5Cz55BwakI-OhxTV7mMaJRz4rIrn1pjU1yPSCpispVgPbpkgOipkXi-NxXRS5E3yxaGEwrI-4hkH-G3LsVgpfva1mjuSIjIc7UM3J9QR4HUl9dSgHMh6Vv-zqQs2H0tgbc5uw_ampED/s1600/livingstone+article+2.img.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjS5Cz55BwakI-OhxTV7mMaJRz4rIrn1pjU1yPSCpispVgPbpkgOipkXi-NxXRS5E3yxaGEwrI-4hkH-G3LsVgpfva1mjuSIjIc7UM3J9QR4HUl9dSgHMh6Vv-zqQs2H0tgbc5uw_ampED/s1600/livingstone+article+2.img.png" height="320" width="286" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI6mQ6CdGgWYTdqZHNNzVWWHr2X9ld_UczNKaXDaRqqROw5zZeNdYe0vBDjwUnL2cl4OW6YzJf18PYIntb1WhF_KFLLfSn0Ov3MmbDBJLZSY0OusFoJ75N2eBnAXVGizBVO32OMaGUXeqp/s1600/livingstone+article+3.img.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI6mQ6CdGgWYTdqZHNNzVWWHr2X9ld_UczNKaXDaRqqROw5zZeNdYe0vBDjwUnL2cl4OW6YzJf18PYIntb1WhF_KFLLfSn0Ov3MmbDBJLZSY0OusFoJ75N2eBnAXVGizBVO32OMaGUXeqp/s1600/livingstone+article+3.img.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: Arial,Helvetica,sans-serif;">Full article here:</span><span style="font-family: Arial,Helvetica,sans-serif;"> </span><br />
<br />
<a href="http://www.ft.com/cms/s/0/54da14b4-64ea-11e4-ab2d-00144feabdc0.html"><span style="font-family: Arial,Helvetica,sans-serif;">http://www.ft.com/cms/s/0/54da14b4-64ea-11e4-ab2d-00144feabdc0.html</span></a><br />
<br />
Posted by Anonymous<br />
<br />
Conference Presentation: NATO Advanced Research Workshop - Cyber Defense for Critical Infrastructure (posted 2014-10-31)<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Chatham House
gave a talk on the project findings thus far at the NATO Advanced
Research Workshop: Strengthening Cyber Defense for Critical
Infrastructure in Kiev, Ukraine on 30-31 October 2014. The meeting was
organized by the Polish Institute of International Affairs (PISM) in
partnership with the Institute for Euro-Atlantic Cooperation.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6LtBoYvO_HIBdwDaigxzEh6KX7lLLdCbNTgudCbwR54MVRWqrgMRn2fIKnN_iDDulZrurZIG2-I4d3_d2gEVVZawvtQr2YSysPHzJ-H3GuAi5a6NYP30pMKztKACO6r0vOrW8hdD_BH6E/s1600/KievWorkshopPresentation.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6LtBoYvO_HIBdwDaigxzEh6KX7lLLdCbNTgudCbwR54MVRWqrgMRn2fIKnN_iDDulZrurZIG2-I4d3_d2gEVVZawvtQr2YSysPHzJ-H3GuAi5a6NYP30pMKztKACO6r0vOrW8hdD_BH6E/s1600/KievWorkshopPresentation.jpg" height="213" width="320" /></a></span></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">We spoke on the panel entitled "How is the Threat Environment Evolving", which looked at:</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><i>Most of the companies
operating Critical Infrastructure (CI) have already experienced
cyber-attacks and it is only a matter of time before a large scale
attack happens. The majority of the attempts will come from non-state
players. Although they do not possess the skills and extensive funding
to create sophisticated weapons, they can challenge the stability of
networks by performing a significant number of different types of
attacks and intrusions. Even low end hackers without sophisticated
skills can use a black market of cyber crime services and goods such as
“zero day vulnerabilities” (previously undisclosed security holes in
software), which can be used for infiltration of CI systems.
</i></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><i><br /></i></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><i>Additionally, non-state players create well organised and structured
criminal gangs, possibly comprising thousands of individuals around the
world, who are more effective due to the synergy effect.</i></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><i><br /></i></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><i>States
are able to develop sophisticated cyber-weapons but they will use them
sparingly so as not to disclose their capabilities. The risk that
advanced cyber-warfare capabilities will be developed or acquired by
unsophisticated hackers or terrorists should be regarded as low, but
cannot be disregarded. </i></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><i><br /></i></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><i>Power grids are cheap to attack, and it
should be expected that they will remain a primary warfare target.
Attacks against energy infrastructure already make 60% of all the
attacks against CI. It is also the sector that, should it be affected,
will most likely trigger a cascade of negative effects to other sectors.
</i></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">For more details: </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://www.facebook.com/NATOarwSCfCI?fref=photo">https://www.facebook.com/NATOarwSCfCI?fref=photo </a></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoAWQh1AnCXjw4JdxXYEdiOjpuqdMSCIVRzAMXTb9u8_bsSfhz49DkVjBUK08aTTUE4f_MhhuEDPOV1tttoY3ic93-hY6YcMCuRxRSdJhL891eBV-gy6UROeClZ3_wP3Iqh8Cq8-yrQcWh/s1600/KievWorkshopPresentation2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoAWQh1AnCXjw4JdxXYEdiOjpuqdMSCIVRzAMXTb9u8_bsSfhz49DkVjBUK08aTTUE4f_MhhuEDPOV1tttoY3ic93-hY6YcMCuRxRSdJhL891eBV-gy6UROeClZ3_wP3Iqh8Cq8-yrQcWh/s1600/KievWorkshopPresentation2.jpg" height="217" width="320" /></a></span></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQnRzi1IaNSVkCpPd6vyVy1pRMOaQTL2sDpRSUK1tv_fAfRHrDmmVkkw2r8cN29iBplHf8hCnc19DKjSr1poa7J2hPbiCTbjrgajuR7FKqZo5sn8YPXwjSoZGTVvra4ggTOUUw0Auz4zAQ/s1600/KievWorkshopPresentation3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQnRzi1IaNSVkCpPd6vyVy1pRMOaQTL2sDpRSUK1tv_fAfRHrDmmVkkw2r8cN29iBplHf8hCnc19DKjSr1poa7J2hPbiCTbjrgajuR7FKqZo5sn8YPXwjSoZGTVvra4ggTOUUw0Auz4zAQ/s1600/KievWorkshopPresentation3.jpg" height="230" width="320" /></a></span></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
Posted by International Security Department<br />
<br />
Conference Presentation: Cyber Security in the Energy Sector (posted 2014-10-31)<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Roger Brunt CBE, member of the project Steering Committee and former director of the Office for Civil Nuclear Security, speaks on "Cyber and Nuclear Security" at an event on Cyber Security in the Energy Sector organized by the Energy Studies Institute, National University of Singapore.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7lB8iMMBqeQ_j3GQOqgDdRF3NFNcGc8HlSPlERRwi77NpYkB9RcbMb9YTfqjMPAWafFAbRBsYqdu66_G8ujJT3FmiVNHMTgaapfTjYkK59gjPj6gESw8LxPFIch26H2MiOQefTLdzRviA/s1600/roger+brunt+cropped.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7lB8iMMBqeQ_j3GQOqgDdRF3NFNcGc8HlSPlERRwi77NpYkB9RcbMb9YTfqjMPAWafFAbRBsYqdu66_G8ujJT3FmiVNHMTgaapfTjYkK59gjPj6gESw8LxPFIch26H2MiOQefTLdzRviA/s1600/roger+brunt+cropped.jpg" height="320" width="264" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"> <br />Full conference programme here:</span><br />
<br />
<a href="http://www.esi.nus.edu.sg/eventitem/2014/10/31/default-calendar/cyber-security-in-the-energy-sector"><span style="font-family: Arial,Helvetica,sans-serif;">http://www.esi.nus.edu.sg/eventitem/2014/10/31/default-calendar/cyber-security-in-the-energy-sector </span></a><br />
Posted by Anonymous<br />
<br />
Second Roundtable on Cyber and Nuclear Security (posted 2014-09-23)<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">At our Second Roundtable on Cyber and Nuclear Security today, <span lang="EN-US">Dr Masahiro Kikuchi, former Executive Director, Nuclear Material Control Center (NMCC), presented a Japanese perspective on the cyber security challenges in the nuclear sector.</span></span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><span lang="EN-US"><br /></span></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><span lang="EN-US">A link to his presentation here:</span></span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><span lang="EN-US" style="color: #1f497d;"><br /></span></span></span>
<a href="https://drive.google.com/file/d/0B9rpxitOM8ytb2FTeEM2UnBWX28/view?usp=sharing"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><span lang="EN-US" style="color: #1f497d;">https://drive.google.com/file/d/0B9rpxitOM8ytb2FTeEM2UnBWX28/view?usp=sharing </span></span></span></a><br />
Posted by Anonymous<br />
<br />
Steering Committee for the Project (posted 2014-01-30)<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">We are delighted that the following experts have agreed to join the Steering Committee for the project:</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">1. <b>Irma Arguello</b> (Argentina) - Associate Fellow, Chatham House</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">2. <b>Guido Gluschke</b> (Germany) - Co-Director of the Institute for Security and Safety (ISS), Brandenburg University of Applied Sciences</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">3. <b>General Adrian Freer</b> (United Kingdom) - Deputy Chief Inspector, Security, Office for Nuclear Regulation </span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">4. <b>Roger Brunt CBE</b> (United Kingdom) - Visiting Senior Research Fellow, King’s College London</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">5. <b>Dr Anita Nilsson</b> (Sweden) - Associate Fellow, Chatham House; former Director, IAEA Office of Nuclear Security</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">6. <b>David Livingstone</b> (United Kingdom) - Associate Fellow, Chatham House</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">7. <b>Tom Parkhouse</b> (United Kingdom) - Head of Strategy, Policy and Plans for Civil Nuclear Security, Office for Nuclear Regulation</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">8. <b>Mark Raeburn</b> (United Kingdom) - CEO, Context Information Security</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">9. <b>Dr Tatsujiro Suzuki</b> (Japan) - Director of the Research Center for Nuclear Weapons Abolition, Nagasaki University; former Vice Chairman, Japan Atomic Energy Commission</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">10. <b>Peter Young</b> (United Kingdom) - CEO, VEGA Space</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">The full bios for all of the Steering Committee members are available here:</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><br /></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><a href="https://drive.google.com/file/d/0B9rpxitOM8yteUNkTTRtMEthMTQ/view?usp=sharing">https://drive.google.com/file/d/0B9rpxitOM8yteUNkTTRtMEthMTQ/view?usp=sharing </a></span></span><br />
Posted by Anonymous<br />
<br />
Literature Review: Nuclear Power Plant Security and Vulnerabilities (posted 2014-01-16)<br />
<div class="MsoNormal">
<span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><span style="background-color: white;">Another good article, "Nuclear Power Plant Security and Vulnerabilities", published by Mark Holt and Anthony Andrews at the Congressional Research Center, 3 January 2014:</span></span></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><span style="background-color: white;">Summary:</span></span></span></div>
<div class="MsoNormal">
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">The Energy Policy Act of 2005 (EPACT05) imposed
specific criteria for NRC to consider in revising the “Design Basis Threat”
(DBT). EPACT05 required NRC to conduct
“force-on-force” security exercises at nuclear power plants at least
once every three years. When NRC
conducted 23 “force-on-force” (FOF) inspections at 22 commercial nuclear
plants and one fuel cycle facility in 2012, eleven of those inspections found
performance deficiencies: 19 with low significance (green findings), one
“greater than green” finding, and three severity level IV (least serious)
violations.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">Following the 9/11 attacks, Congress enacted new nuclear plant security requirements and has repeatedly focused attention on regulation and enforcement by the Nuclear Regulatory Commission (NRC).</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">The </span><u style="line-height: 115%;">Energy Policy Act of
2005</u><span style="line-height: 115%;"> (EPACT05) imposed specific criteria for NRC to consider in revising
the </span><u style="line-height: 115%;">“Design Basis Threat” (DBT)</u><span style="line-height: 115%;">, which specifies the maximum severity of
potential attacks that a nuclear plant’s security force must be capable of
repelling. In response, the NRC revised the DBT on April 18, 2007. The
revisions expanded the assumed capabilities of adversaries to operate as one or
more teams and attack from multiple entry points.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">EPACT05 required NRC to conduct
“force-on-force” security exercises at nuclear power plants at least
once every three years. In these exercises, a mock adversary force from outside
a nuclear plant attempts to penetrate the plant’s vital area and simulate
damage to a “target set” of key safety components.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">In March 2009, NRC published a
series of security regulations that require power plants to prepare
cyber-security plans, develop strategies for dealing with the effects of
aircraft crashes, strengthen access controls, improve training for security
personnel, and implement other new security measures.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">In 2012, NRC conducted 23 “force-on-force” (FOF) inspections
at 22 commercial nuclear plants and one fuel cycle facility. Eleven of those
inspections found performance deficiencies: 19 with low significance (green
findings), one “greater than green” finding, and three severity level IV
(least serious) violations. One exercise
resulted in the simulated destruction of or damage to a complete “target set”
of vital plant components that were under mock attack.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">Nuclear power plant
vulnerability to deliberate aircraft crashes has been a continuing issue. After
much consideration, NRC published final rules on June 12, 2009, to require all
new nuclear power plants to incorporate design features that would ensure that,
in the event of a crash by a large commercial aircraft, the reactor core would
remain cool or the reactor containment would remain intact.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;">Cybersecurity – existing U.S.
nuclear power reactors, designed in the 1960s and 1970s, are controlled
primarily by analog systems that are resistant to cyber attack. However, new
reactors are being designed with digital controls, and existing analog plants
increasingly rely on digital computers to run auxiliary monitoring systems.
This increasing use of digital systems in nuclear power plants, along with
post-9/11 security concerns and at least one ‘worm’ infection at a US reactor, has
prompted increased NRC attention to cybersecurity.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">A year after the 9/11 attacks,
NRC issued an order that included cyber attacks among the threats that nuclear
plants would be required to defend against. NRC issued formal cybersecurity
regulations in March 2009: “Protection of Digital Computer and Communications
Systems and Networks.” NRC’s cybersecurity regulations require each
nuclear power plant to submit a cybersecurity plan and implementation schedule.
The plan must provide “high assurance” that digital computer and communications
systems that perform the following functions will provide adequate protection
against design basis attacks.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">NRC began inspecting the
implementation of nuclear plant cybersecurity plans in January 2013. The
inspections are part of the NRC’s Cyber Security Oversight Program, which is
being incorporated into the existing Reactor Oversight Program.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">Nuclear power plants are also
required by the Federal Energy Regulatory Commission (FERC) to comply with
cybersecurity standards issued by the North American Electric Reliability
Corporation (NERC). However, nuclear plant computer systems that are covered
by NRC security regulations are exempt from NERC standards.</span></span></li>
</ul>
</div>
<div class="MsoNormal">
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 18.3999996185303px;">The full article here: </span><a href="http://fas.org/sgp/crs/homesec/RL34331.pdf">http://fas.org/sgp/crs/homesec/RL34331.pdf</a></span><br />
<ul>
</ul>
</div>
Posted by International Security Department<br />
<br />
Literature Review: Nuclear Plant Control System Cyber Vulnerabilities and Recommendations Towards Securing Them (posted 2014-01-10)<br />
<div class="MsoNormal">
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">An excellent White Paper by Juniper Networks, “Nuclear Plant Control System Cyber
Vulnerabilities and Recommendations Towards Securing Them”, published in 2009:</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 18.3999996185303px;"><br /></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 18.3999996185303px;">The paper provides an overview of some system-specific policies that might reduce vulnerabilities in nuclear facilities.</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;"><br /></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;">Summary of key points:</span></span><br />
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;">Malicious code (malware):
Malware includes the broad range of software designed to infiltrate or damage
computer systems without user knowledge or consent. The most well-known forms
of malware include:</span></span></li>
</ul>
<span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;">1. Viruses
(manipulate users to bypass proper authentication and access control
mechanisms)</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><br />2. Worms
(self-replicating program)</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><br />3. Trojans
(a kind of virus in which the malicious code is hidden behind a functionality
desired by the end user)</span></span><br />
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;">Denial of service attacks</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;">Rogue devices: In wireless
networks, an unauthorized access point might be inserted into the control
system. This can be done in a non-malicious manner, which inadvertently
provides an unknown access point.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;">Reconnaissance attacks: Enable
the first stage of the attack life cycle by probing. This gives the attacker a
more focused view of the system and improves the odds of success in the attacker’s
favour.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;">Eavesdropping attacks: The goal of an eavesdropper is to violate the
confidentiality of communications by ‘sniffing’ packets of data on the control
network or by intercepting wireless transmissions. Advanced eavesdropping
attacks, also known as ‘Man in the Middle’ or path-insertion attacks, are
typically leveraged by a hacker as a follow-up to a network probe or
protocol violation attack.</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;">Collateral damage</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;">Unauthorized access
attacks</span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;">Unauthorized use of assets,
resources, or information</span></li>
</ul>
<span style="font-family: Arial,Helvetica,sans-serif;"><u style="line-height: 18.4px;">Threats to the control system network:</u><span style="line-height: 18.3999996185303px;"> Control system vendors still are not designing technologies for security. In fact, many are instead including vulnerable applications and technologies such as Microsoft IIS, Bluetooth wireless communications, and wireless modems in their latest offerings.</span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial,Helvetica,sans-serif;"><u style="line-height: 18.4px;"><br /></u></span></div>
<div class="MsoNormal">
<span style="font-family: Arial,Helvetica,sans-serif;"><u style="line-height: 18.4px;">Seven-step plan for plant control system cyber security:</u><span style="line-height: 18.3999996185303px;"> To address the security needs of nuclear power plant control networks, it is essential to begin with a layered defence-in-depth approach that enables administrators to monitor the network at every level.</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><br />1. Identifying critical assets: Policy creation begins with identifying assets that need protection and
the requisite level of protection. On a control system network these are
real-time serves, field devices, and peripherals such as printers and network
routers and switches. <u>The primary vectors of most concern is the compromise
of communication that can alter the operation of field devices</u>. In order to
gain a foothold behind a firewall, attackers typically target non-essential
appliances that are most vulnerable. Hence, any network-enabled device on the
control network must be considered critical for security.<u><o:p></o:p></u></span><span lang="EN-GB" style="line-height: 115%;"> </span></span><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"> </span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><br />2. Profiling the network:
since a majority of devices are vulnerable to disruption from active scans
using tools such as Nessus, passive scanning and identification is currently
the only viable option to discover and identity all devices detected on the
network. <u><o:p></o:p></u></span><span lang="EN-GB" style="line-height: 115%;"> </span></span><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><br /><br />3. Creating and managing policies across the network. <u><o:p></o:p></u></span><span lang="EN-GB" style="line-height: 115%;"> </span></span><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><br /><br />4. Creating a strong
defence perimeter: Given the need to access control networks from the corporate
network or, in some cases, from the internet, it is essential to create a
strong defence perimeter. A perimeter firewall must create at least three
security<span style="mso-spacerun: yes;"> </span>zones - a secure zone for the
control system network elements, a demilitarized zone (DMZ), and insecure zone.
<u><o:p></o:p></u></span><span lang="EN-GB" style="line-height: 115%;"> </span></span><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><br /><br />5. Ensuring identity management and rogue device mitigation: The most likely vector for an intrusion
in a control system network is unintentional inappropriate use. An employee or
contractor might plug in a laptop to perform routine tasks without realizing
that it has picked up a worm or spyware. (This has already occurred in nuclear
plants.) The worm can then start scanning the control system network and cause
outages in devices such as PLCs due to unexpected traffic. This scenario is even
more likely with the proliferation of wireless access points. Control over
access points through authentication of every user and health-checking of every
device is essential to ensure security within the perimeter. A network access control (NAC) solution
should combine user identity, device security state, and location information
for session-specific access control by user, enforced throughout the network. <br /><u><o:p></o:p></u></span><span lang="EN-GB" style="line-height: 115%;"> </span></span><span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><br />6. Setting up secure remote access.<u><o:p></o:p></u></span><span lang="EN-GB" style="line-height: 115%;"> <br /><br />7. Monitoring and reporting.</span></span><br />
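The three-zone perimeter in item 4 can be checked mechanically. The following is an added example, not code from the cited article or from this project: it evaluates a firewall ruleset with first-match semantics and reports any flow allowed directly between the insecure and secure zones. The rule format, rule names and ports are constructed for illustration, and it assumes the purpose of the DMZ is that no such direct flow exists.

```python
from dataclasses import dataclass

# Zones follow item 4: "secure", "dmz", "insecure". Rule format is hypothetical.
@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    port: object  # TCP port number or "any"
    action: str   # "allow" or "deny"

def _match(field, value):
    return field == "any" or field == value

def decide(rules, src, dst, port):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst) and _match(r.port, port):
            return r.action, r.name
    return "deny", "default-deny"

def dmz_bypasses(rules):
    """Return (src, dst, port, rule) for flows allowed directly between
    the insecure and secure zones, i.e. without terminating in the DMZ."""
    # Every port named in a rule, plus 0 standing in for all unnamed ports.
    ports = sorted({r.port for r in rules if r.port != "any"}) + [0]
    hits = []
    for src, dst in (("insecure", "secure"), ("secure", "insecure")):
        for port in ports:
            action, name = decide(rules, src, dst, port)
            if action == "allow":
                hits.append((src, dst, port, name))
    return hits

# Constructed sample ruleset (not taken from any real plant).
RULES = [
    Rule("historian-poll", "dmz", "secure", 502, "allow"),
    Rule("corp-to-historian", "insecure", "dmz", 443, "allow"),
    Rule("vendor-rdp", "any", "secure", 3389, "allow"),  # wildcard source
    Rule("block-outside", "insecure", "secure", "any", "deny"),  # shadowed
]
# Corrected ordering: the explicit deny is evaluated before the wildcard allow.
FIXED = [RULES[3]] + RULES[:3]

if __name__ == "__main__":
    for hit in dmz_bypasses(RULES):
        print("DMZ bypass:", hit)
    print("after fix:", dmz_bypasses(FIXED))
```

The wildcard source in the sample matches the insecure zone before the later deny is reached, which is why rule order is audited and not only rule content.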
<span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 115%;"><br />The full article here: </span></span><a href="http://fas.org/sgp/crs/homesec/RL34331.pdf"><span style="font-family: Arial,Helvetica,sans-serif;">http://fas.org/sgp/crs/homesec/RL34331.pdf </span></a></div>
International Security Departmenthttp://www.blogger.com/profile/16423874713150552809noreply@blogger.com0tag:blogger.com,1999:blog-974537195367548488.post-18180521639554111562013-12-19T10:30:00.000-08:002015-02-07T04:10:37.588-08:00Literature Review: The Vulnerability of Nuclear Facilities to Cyber Attack<div class="MsoNormal">
<span style="font-family: Arial,Helvetica,sans-serif;">As we continue to make progress on the literature review, we are coming
across some interesting papers on cyber vulnerabilities of nuclear
facilities.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">One particularly good piece is Brent Kesler's "The Vulnerability of
Nuclear Facilities to Cyber Attack," which was first published in
Strategic Insights in Spring 2011.</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><u style="line-height: 18.4px;"><br /></u></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><u style="line-height: 18.4px;">Summary</u><span style="line-height: 18.3999996185303px;">: The paper examines the history of cyber security incidents at nuclear facilities to assess the significance of recorded vulnerabilities.</span><span style="mso-spacerun: yes;"> </span><span style="line-height: 18.3999996185303px;">It examines three cyber incidents that occurred at US nuclear facilities between 2003 and 2008 (Davis-Besse, Hatch, and Browns Ferry) as well as the 2010 Stuxnet attack.</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 18.3999996185303px;">The lessons from these four incidents suggest that situational awareness and other security measures are too weak in their current state to guarantee that a catastrophic attack will never happen. However, the paper also argues that launching a catastrophic attack is not simple and requires a sophisticated adversary. </span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 18.3999996185303px;"><u>Lessons</u>: </span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;"><br />1. Skeptics claim that
process control systems (PCS) are immune from attack since they are not connected to the internet.
However, the Davis-Besse incident shows that this is a misconception: even
operators who try to monitor and protect every connection cannot be sure they
know about all of them. Stuxnet even travelled on portable thumb drives to
infect computers that were not connected to the internet.</span></span><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;"><br /><br />2. Skeptics argue that
PCS are immune from attack since they are different from ordinary computers.
However, all four incidents demonstrate that PCS have become interoperable with
ordinary computers, making them vulnerable.</span></span><span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;"><br /><br />3. Vulnerabilities are
more complicated than both skeptics and alarmists realize.</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="line-height: 115%;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial,Helvetica,sans-serif;"><span lang="EN-GB" style="line-height: 18.3999996185303px;">The full article here: </span><a href="http://fas.org/sgp/crs/homesec/RL34331.pdf">http://fas.org/sgp/crs/homesec/RL34331.pdf </a></span></div>
International Security Departmenthttp://www.blogger.com/profile/16423874713150552809noreply@blogger.com0