News of another cyber attack on a nuclear power plant surfaced this week, as explained by Yukiya Amano, the director of the International Atomic Energy Agency (IAEA). Amano explained that the attack happened three years ago and was disruptive; however, it was not serious because it did not shut down operations. The article discusses how serious this risk is and the need to take more precautionary measures to improve security in industrial systems.
I used to perform IT Audits of a utilities company, including their antiquated SCADA systems. Securing these systems is very complex and challenging. They are built to be available and have a very specific purpose to manage the energy grid. This often makes patching and currency a major issue and introduces vulnerabilities within the environment that are ripe for exploitation, as we see in this article.
I agree with the director that we need to improve the security of our critical infrastructure. Hopefully, the industry heeds these early warning signs and begins to take significant action to improve security before it’s too late.
http://mobile.reuters.com/article/idUSKCN12A1OC
Noah J Berson says
A word that jumped out at me from your post is “antiquated” when describing working with utilities. The more specialized software has to be, the fewer options a company has, so they often have to pick something that isn’t maintained as often as mass consumer software. A lot of patching has to be done in-house to make sure the system can still work with modern equipment. Patching is a huge expense, as the employee modifying the code has to become very specialized in their skills. Increasing budgets for security greatly may be the best fix.