Computerworld

When System Updates can kill

Security experts and sys admins are becoming more aware of the risks of exposed SCADA systems, but how many can say a simple system update was enough to shut down a nuclear power plant?

Information security experts have been steadily increasing their awareness of, and concern over, the risks associated with poorly managed Supervisory Control and Data Acquisition (SCADA) systems, normally used to control and manage public utilities such as sewage, power and water, as well as other electronic interfaces to engineered systems.

In the United States, there has been concern that the power grid has been exposed for too long, and things should be done to improve the overall security of the power generation and distribution systems before a serious incident takes place.

A nuclear power plant in the state of Georgia was sent into a precautionary shutdown recently after a software update to a networked monitoring system went awry and issued rogue commands to the control systems. As the plant had been designed with sufficient levels of safety, other safety mechanisms were tripped and the plant was placed into a 48-hour emergency shutdown as a result.

While no chemical or diagnostic data was lost from the recording systems, the reset command issued by the updated system caused the electronic record of that data on the primary control system to be reset. Further monitoring systems identified the sudden loss of information and enacted the shutdown as a precaution, since a sudden loss of data could indicate a loss of coolant from the reactor. There was no risk of danger from the reactor at any time, and the emergency systems functioned exactly as planned, taking conservative action when faced with an ambiguous situation.

With almost all of the incidents that have taken place, the problem has been that a SCADA system has been connected to a wider network without appropriate safeguards in place to protect against malicious commands or manipulations. In the worst cases, SCADA systems have been completely exposed to the Internet or other freely available networks (a case in Queensland a few years ago saw the attacker connecting through Wireless Access Points used to manage devices).

In the Georgia nuclear plant, it appears that the SCADA systems and their managing network may have been appropriately separated from the outside world, but there was full two-way communication between the business systems (the one that was updated) and the control systems (the one that forced the plant shutdown).

Since the incident, engineers have introduced an actual air gap between the control systems and the business network to protect against the risk of inadvertent command activation from systems that have no place driving control system activity. It is a positive sign that those responsible for the plant operation were becoming aware of the risks associated with such activity, something which will have been reinforced by this recent incident.

Even if you aren't responsible for SCADA or similar systems, it is still important to ensure that sensitive systems and data stores in your network are appropriately isolated from the potential of rogue commands, even from systems that would otherwise be considered trusted. As this case shows, you can't always trust a trustworthy system.
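The two defensive ideas in this story, a boundary that lets the business network read telemetry but never write to the control system, and a monitor that treats a sudden loss of data as a fault and takes conservative action, can be shown in a small simulation. The following is an added illustration written for this page, not code from the plant, its vendors or Computerworld; the zone names, message format, "reset" command and readings are all constructed, and the hypothetical `run_scenario` helper replays the same rogue reset with and without the boundary filter enforced.

```python
"""Zone-boundary allow-list plus fail-safe monitor (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

BUSINESS_ZONE = "business"   # hypothetical zone label for the business network
CONTROL_ZONE = "control"     # hypothetical zone label for the control network


@dataclass(frozen=True)
class Message:
    src_zone: str
    dst_zone: str
    kind: str      # "read" (telemetry request) or "write" (command, e.g. "reset")
    payload: str


# Allow-list of cross-zone traffic: business-side hosts may only request
# telemetry. Writes such as "reset" never cross into the control zone.
ALLOWED_CROSS_ZONE = {(BUSINESS_ZONE, CONTROL_ZONE, "read")}


def boundary_filter(msg: Message) -> bool:
    """Return True if the message may cross the zone boundary."""
    if msg.src_zone == msg.dst_zone:
        return True  # intra-zone traffic is not the gateway's concern
    return (msg.src_zone, msg.dst_zone, msg.kind) in ALLOWED_CROSS_ZONE


@dataclass
class FailSafeMonitor:
    """Trips when the readings record goes from populated to empty abruptly.

    Ambiguity is resolved conservatively: missing data is treated as a
    possible loss of the monitored quantity, not as 'nothing to report'.
    """
    last_count: int = 0
    tripped: bool = False
    reason: Optional[str] = None

    def observe(self, readings: List[float]) -> bool:
        count = len(readings)
        if self.last_count > 0 and count == 0:
            self.tripped = True
            self.reason = "sudden loss of data; taking conservative action"
        self.last_count = count
        return self.tripped


def apply_to_control_system(msg: Message, record: List[float]) -> None:
    """Control-system side: a delivered 'reset' write clears the record."""
    if msg.kind == "write" and msg.payload == "reset":
        record.clear()


def run_scenario(enforce_boundary: bool) -> dict:
    """Replay a telemetry read followed by a rogue reset from the business zone."""
    # Constructed sample: the control system holds a few telemetry readings.
    record = [101.3, 101.4, 101.2]
    monitor = FailSafeMonitor()
    monitor.observe(record)

    # Constructed traffic: a legitimate read, then the rogue reset that an
    # updated business-side system might emit.
    traffic = [
        Message(BUSINESS_ZONE, CONTROL_ZONE, "read", "coolant_temp"),
        Message(BUSINESS_ZONE, CONTROL_ZONE, "write", "reset"),
    ]
    delivered = dropped = 0
    for msg in traffic:
        if enforce_boundary and not boundary_filter(msg):
            dropped += 1        # the gateway refuses the write; log it here
            continue
        delivered += 1
        apply_to_control_system(msg, record)
        monitor.observe(record)

    return {
        "delivered": delivered,
        "dropped": dropped,
        "records": len(record),
        "tripped": monitor.tripped,
        "reason": monitor.reason,
    }


if __name__ == "__main__":
    print("two-way link:", run_scenario(enforce_boundary=False))
    print("read-only boundary:", run_scenario(enforce_boundary=True))
```

With the two-way link the reset reaches the control system, the record empties and the monitor trips, which is the safe outcome the article describes once the rogue command has already arrived. With the allow-list enforced the write is dropped at the boundary, the record is untouched and no trip is needed. The filter is a default-deny rule keyed on direction and message kind; a physical air gap, as the plant engineers introduced, removes the path entirely rather than policing it.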