Cyber security has been the news a lot lately. The various hacking attacks and the recent Denial of Service attack on major parts of the U.S. Internet have prompted many media stories. I believe that much of the lack of security in computer and communication systems stems from laziness and greed. We can solve these problems if we are willing to spend the money and time. Many private companies are waiting for the U.S. government to mandate universal security measures because they are afraid that if they spend the money unilaterally to be really secure, they will be at a competitive disadvantage to other companies who do not spend the money. With respect to the subject of this blog, cyber insecurity has been reported in many industries including the nuclear industry.
Many industries are using unencrypted pagers to send alerts about plant problems. A recent study found that such alerts were sent to or from several U.S. nuclear plants including references to reduced pump flow rates; leaks of water, steam, radiant coolant and electrohydraulic control oil; fires; loss of redundancy; need for medics; control rod malfunction and nuclear contamination.
There are stringent requirements for security mandated by regulatory agencies for many of the industries using the unencrypted pagers. However, pagers are often used because they are a very low power alternative cell phones and wifi due to poor reception/transmission areas for cell and wifi around industrial plants with a lot of steel and structures that block signals. The researchers also mentioned that a lot of industries continue to use antiquated equipment because it is cheap and easy.
The researchers were able to use software defined radios and a twenty dollar dongle to easily gain access to these pager messages. They were able to access pager messages in real time. Hostile parties intending harm to critical industrial systems could use such a system to access pager messages to gather valuable information about vulnerable infrastructure which would assist them in staging attacks. If they saw a pager message indicating a current serious problem, they could use that information to gain more information from personnel or even gain physical access to the system with the problem under the guise of being a repairman or an inspector.
In addition to being able to gather messages from unprotected pagers, the researchers were also able to send fake messages out over the pager system. This would mean that hostile parties could flood the system with fake messages that could overload a response system or cause inappropriate responses to real problems.
The research shows that popular online messaging system actually have better security than messaging systems that are suppose to help monitor critical infrastructure including nuclear power plants. Critical U.S. infrastructure is terribly vulnerable to attack and something must be done before this house of cards is blown down. If the companies involved in infrastructure will not deploy more secure systems on their own, then they will need to be forced to do it by government action.
Modern pager (Source: Unication, Author: Vitachao)
