My last few blog posts (here, here and here) have been critical of the state of the Cyber Security Program being implemented at US nuclear plants. I realize that, it was my intention. There are opportunities for improvement as I have said. I believe that the Nuclear Cyber Security issues I have critiqued are due to the inexperience and steep learning curve faced by the NRC and the nuclear power industry at the beginning of this initiative and I am sure that “if they had known then…” things would have been different.
All of the issues I have mentioned to date have one thing in common, from a security perspective, they really don’t matter. They cannot lead directly to a compromise of plant CDAs. They just consume resources needlessly, introduce confusion, and reinforce the idea that this <derision>compliance program</derision> is nothing but security theater. These issues should be addressed, but they are not going to lead to or contribute to a cyber security related event at a nuclear power plant.
This posts topic however, is different. It deals with an issue that, if left unmitigated, may very well be a contributing factor, if not the root cause of a cyber security related event at a nuclear power plant in the US. Now, I don’t believe that any event caused by this issue will be very significant in the grand scheme of things, no loss of life, no radioactive release, no core damage, etc… but it’s certainly conceivable in my mind that this could lead to a turbine trip and reactor SCRAM, so as far as cyber security threats to nuclear power plants go, this is way up there.
What am I talking about? The NRC’s unreasonable, technically indefensible, apparently fear induced, and just downright silly, misplaced priority concerning the protection of AV kiosks. Some of what they are mandating is ridiculous and puts CDAs at risk of malicious code infection. Other bits are just silly and like my previous posts, represent needless waste, so in this post I will address both types of stupid. I do want to stress that I don’t think anyone from the NRC is stupid, evil, or anything other than good people, but in this case, they are wrong, and empowered, and that is a dangerous combination. (but only so much so, this is after all, just cyber security for nuclear power plants, and therefore not a significant risk to begin with)
The NRC’s prohibition on networking kiosks at all, much less connecting them to the Internet, is absurd. I know not what risk calculation they are following, in fact, I don’t believe there is any risk calculation here at all, just irrational fear. Let’s break it down. According to the NRC: Kisoks must be standalone, and apparently dedicated to a “level”, so in order to reduce the burden on plant personnel, AV data files and engines need only be updated once every two
minutes, hours, days, weeks. That’s Earth weeks, not even Jupiter weeks. 14 revolutions in space. That is completely unreasonable, absurd, and inexcusable.
There is no significant risk from networking kiosks together and connecting them through a firewall to the Internet for automatic AV updates. Use a dedicated firewall if you’re paranoid, isolated them from all other devices, have a rule set limited to just the outbound connectivity required on whatever port is necessary for the updates to the AV vendors’ sites, use and IDS, require white-listing on the Kiosk, etc… There is VERY LITTLE RISK in this situation, and a great deal of mitigating factors to apply. This poses significantly less risk than scanning files with up to two week old AV files. Forget 0-day attacks, nuclear plants may be susceptible to 14-day old attacks. This is nonsense.
I have been in the security industry for over 23 years, I’ve seen a lot of FUD (fear, uncertainty, and doubt) used to peddle just about every type of service or product and I have railed against those that would use that to hock their warez. I’ve also seen a lot of different regulators in a lot of different industries get things wrong and push for silly nonsense. But nothing comes closer to tilting at windmills than the overblown risk of a compromised kiosk. This isn’t to say that it could not happen, it certainly could, but it should be far less a concern than knowing that every day that goes by may leave you vulnerable to 7 or more known exploits and perhaps prevent your AV engine (the heuristic mechanism) from performing at its peak (based on the last 14 days of updates for Symantec.) I’ll take my chances with a compromised kiosk knowing that I have a current AV engine and 68 more definitions. Compromised kiosks are pretty easy to deal with, unknown malicious code, not so much.
Another point on this is the NRC’s equivalence of white listing technologies with running multiple scanning engines. It is also absurd. White listing technology on your kiosk, i.e. utilizing a mechanism that prevents any executable from running other than those that are known good, helps protects the kiosk from attack. Using multiple scanning engines on the kiosk helps protect the CDAs (that the scanned files will be installed on) from attack. These are two completely different things. Is this really not understood at the NRC? Running white listing on the CDAs directly (all 23 of them industry-wide that support it) mitigates the risk of malicious code and could be used to justify not using the kiosks prior to transferring files, but that is not what the current guidance is.
The guidance provided on protection of kiosks has been presented absent any technical analysis to support it and treats protecting the Kiosks as more important than protecting the CDAs. The NRC missed the mark here and needs to re-think this.
This is another point that I believe has been lost on the NRC. Security barriers (logical or physical), e.g. AV kiosks, firewalls, fences, bullet proof vests, etc… are designed in part to absorb the punishment that softer targets, e.g. plant equipment or human chests cannot withstand. A properly installed and maintained kiosk will be configured for both minimal functionality and least privilege, and best of all, with no normal logical users running inherently insecure applications like mail readers or web browsers. They should be some of the most hardened systems in the plant, capable of resisting and identifying attacks better than just about any other digital asset.
Apparently inspired by Stuxnet, slightly more capable than Melissa, more diabolical than the Morris worm, and yet, pretty much useless, BadUSB is sexy and cool, but in my estimation, will be seen to be nothing more than an unreliable delivery system for an attack. The digital equivalent of a FuGo. Sure, one killed six people in Oregon during The Big One, but that was out of 9,000 launched. Bad USB, like balloons with bombs launched from beaches beyond an ocean, will never be much of a threat to anyone, anywhere.
It is possible that someone will figure out how to get some malicious code on a huge number of flash drives (hack the factory perhaps), but in that case, what attack do you put on the flash drives. Turn them into a keyboard and execute “rm -rf /*”, download malicious code, spoof Citibank’s DNS and try to grab account credentials, maybe all three? Whatever you do, you make sure it has widespread applicability. You are NOT going to hope someone gets one of your flash disks and takes it into a nuclear plant, connects it to exactly the right system so that it could pretend to be a keyboard and execute “meltdown –now” or “drain_reactor_coolant –shhhhhh”.
Assuming there is a cyber attack that can A) be run automatically from media and B) seriously damage a nuclear power plant in the right way, it would have to be specifically targeted to a piece of equipment, most likely multiple pieces of equipment within the plant. The only reliable method of executing such an attack would be to have it carried in by an insider, and that would not require BadUSB as the media used simply wouldn’t be scanned. If FuGos were handed out at children’s birthday parties, the carnage would have been inestimably higher.
Fortunately, generally speaking, the equipment that would need to be attacked at a nuclear plant to affect real damage is very simple in nature, most likely not susceptible to a faux keyboard-based attack or connected to any external network for a DNS spoof or malicious code download. Unfortunately, the NRC’s guidance contains an enormous amount of manual processes, moving information from one type of media to another; active to passive, passive to active, then back again, all apparently to avoid the bogeyman of BadUSB.
Another thing about BadUSB, it’s not magic, regardless of what you may hear about it:
- “can’t be detected by today’s defenses”
- “the seemingly unstoppable USB stick hack that can turn a USB memory stick into a system-lethal weapon”
- “No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices. Behavioral detection is difficult since behavior of an infected device may look as though a user has simply plugged in a new device.”
My favorite is the last one, particularly this phrase “look as though a user has simply plugged in a new device”, ding ding ding, we have a winner. That is exactly what it will look like. If you plug in a BadUSB infected disk, programmed to look like a keyboard, THERE WILL BE A USB KEYBOARD INSTALLED TOO! It really isn’t magic, or necromancy, there’s no witchcraft or voodoo involved. Check what’s on your USB bus(es), plug in a usb device, check again. Symantec AV may not be able to detect it, but you can, with a few mouse clicks, know if something is not what it seems. Technology is important, but this really illustrates that oft-decried (sometimes justifiably) but very necessary human element of security.
I could go on, discussing the silliness of dedicating media and kiosks to “levels”; the flat out inane guidance on hashing files, transfer stations in general, etc… but this post is long enough. The NRC fell victim to one of the classic blunders, not the most famous: never get involved in a land war in Asia, nor the only slightly less well known: never go in against a Sicilian when death is on the line, but extremely grievous nonetheless: never confuse that which is used to protect with that which is being protected.