Wednesday, April 30, 2014

The use of nuclear energy to produce electric power is found in approximately 13% of the world’s countries. Some of the biggest producers of electric power in this manner are the United States of America, Japan, China, France, the United Kingdom and Russia. Countries that rely on nuclear power for a smaller percentage of their electric needs include Sweden and South Korea. At this time, nuclear power plant reactors are under construction in Brazil and South Korea. There are over 440 operating nuclear power plants worldwide. Most countries rely on light water nuclear reactors, which are inherently safe, with the gas-cooled, graphite moderator reactor being the safest. Canada, however, relies on heavy water nuclear reactors, which, when compared to light-water reactors, are far more dangerous to run and therefore carry additional risk relative to cyber-security. Similarly, the Russian Chernobyl reactor design, a high-power channel reactor, is a combination pressurized water-cooled reactor with individual fuel channels that uses graphite as its moderator, and its design has core characteristics that make it prone to power surges. The disaster at Chernobyl depicts very well the threat of this reactor design and the potential threat of the peaceful use of the atom. In anticipation of issues, which are naturally going to occur, the United Nations, in 1957, established the International Atomic Energy Agency (IAEA), whose intent is to provide a world-wide collaborative effort between States regarding the use of nuclear energy for peaceful means, or “Atoms for Peace.” The programs of the IAEA encourage the development and sharing of information for the peaceful applications of nuclear technology, provide international safeguards against misuse of nuclear technology and nuclear materials, and promote nuclear safety. The mission of the IAEA includes development of nuclear security standards and their implementation.
In this regard, nuclear security involves the prevention and detection of, and response to, criminal or intentional unauthorized acts involving or directed at nuclear material, other radioactive material, associated facilities, or associated activities, and other intentional acts that could directly or indirectly produce harmful consequences to persons, property, society or the environment.

Sunday, April 27, 2014

The cyber threat to the infrastructure of the United States of America is well known and understood. This threat is against all forms of infrastructure, including basic utilities such as communications systems and power and water distribution and production capabilities. Most citizens don’t appreciate the infrastructure behind talking on their new cell phone or switching on the electric lights in the morning. Electric generating plants convert thermal energy from a boiler (using coal, oil or gas) or a nuclear reactor (using uranium) into mechanical energy, which in turn is converted into the electrical energy we all use in our homes and businesses. The process is extremely complex and requires a substantial amount of automation. Most of this automation comes in the form of digital controls, and although this automation significantly increases both the reliability and capacity of the nuclear-powered electric generating station, digital controls pose a significant threat to the safe operation of the facility. The need for cyber-security for the nuclear power plant stems from Federal regulations that require the physical protection of such requirements. Although these regulations have been in place for decades, the emergence of cyber-security regulations is only recent. This introduction of new regulations, especially after the emergence of the newer digital technologies, has placed a significant resource burden on the nuclear power plant. Initial systems were not designed for required security measures, i.e., password protection and automatic auditing of systems. In addition, the additional regulations are costly to implement. Of course, the electric utility only passes on these costs to the consumer.

Monday, April 14, 2014

The Heartbleed bug is in the news. The bug was found in a software library used in servers, operating systems and email / instant messaging systems. OpenSSL, or open-source secure-socket layer, provides cryptographic protocols designed to provide secure communications over the internet. SSL uses the X.509 or public key infrastructure (PKI) and Privilege Management Infrastructure (PMI) security. The core library implements basic cryptographic functions and provides various utility functions. The vulnerability was initiated when the maintainer of Debian (open-source product for operating systems) issued a patch to prevent the Valgrind analysis tool from initiating error messages. Apparently, the patch was not adequately tested. The patch broke the random number generator. This occurred with the Debian release of September 2006, version 0.9.8c-1. Some sources contend the bug occurred in 2011 and 2012. The result is that any key generated with the broken number generator, along with any encrypted data, was compromised. These problems were recently corrected. However, any data transmitted in the meantime, including any user names and passwords, is compromised. The good news here is that the bug was not intentional and the discovery was through peer review and not through some form of hacker, although some sources contradict this latter position. Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement. On April 12, 2014, two independent researchers were able to steal private keys using this attack from an experimental server. Also, some sources indicate the US National Security Agency also discovered the bug but kept this news to itself in order to exploit it.
http://www.bbc.com/news/technology-26935905 http://en.wikipedia.org/wiki/OpenSSL http://en.wikipedia.org/wiki/Transport_Layer_Security http://en.wikipedia.org/wiki/X.509 http://en.wikipedia.org/wiki/Heartbleed

Sunday, April 13, 2014

It never amazes me the newest scams on the internet. Apparently, the purveyors of Napster aren’t satisfied with their scamming of the music and video industry; they have new targets. The US Federal Trade Commission (FTC) is investigating the operators of JERK.COM. The operators are scraping data from Facebook, including user names and pictures, and posting the information on the Jerk.com website, along with the moniker JERK or NOT A JERK. Those with the Jerk moniker can pay $30.00 to have the classification revised. Jerk.com has collected more than 73 million names of Facebook subscribers. What is particularly disturbing to the FTC is that some subscribers didn’t give permission and still found their picture on Jerk.com with the moniker “Jerk” attached. When they paid the $30 to have it removed, the moniker remained. Can’t the Jerk.com operators find a more moral endeavor and not resort to underhandedness? Jerk.com took advantage of Facebook’s corporate apps program that allows some gleaning of information. The FTC claims that the Jerk.com site abused the system and processes when it collected posted information that was intended to be private and that includes some intimate images, such as a mother breast feeding her baby. Of course the Jerk.com attorney claims the FTC is barking up the wrong tree. All this just goes to show that people will make money by any means possible.

Tuesday, April 1, 2014

The consequences of a cyber-attack on a commercial nuclear power plant are very real. Examples of what can happen are visible in the disasters at the US’s Three Mile Island, Russia’s Chernobyl, and Japan’s Fukushima Daiichi nuclear plant. Although none of the disasters was the result of a cyber-attack, they all provide an example of the potential results of such an attack. Although no known cyber-attacks have been successful, two examples of unintentional but similar occurrences highlight the potential for such an attack. Exporting the HMI (Human-Machine Interface) screen is a form of spoofing that allows the hacker to access the input/output device that provides the control panel for the computer system. Plant engineers working at the Browns Ferry Nuclear Plant in Athens, Alabama, intentionally accomplished this form of spoofing, although not intending to hack the system. The exported HMI screen allowed the reactor recirculation pump vendor technician to control the reactor recirculation pumps through control of the variable frequency drive (VFD) that controls the pumps’ speed. Ultimately, the technician gained control of reactor power, something only a United States Nuclear Regulatory Control (NRC) licensed individual is authorized to do. Data storming is a term similar to denial of service attacks, but instead of originating externally to the computer system, it is derived from within the system. Many digital control systems function using a variety of operating systems and, therefore, communicate differently. In such systems, a translator converts all such communications into one that is common to the primary computer. Again, the Browns Ferry Nuclear Plant pumps suffered such a data storm, causing them to trip and then causing the reactor to trip.
However, the engineers realized that a data storm could have a more adverse effect on the nuclear plant, for example, by causing the pumps to operate in such a way as to exceed reactor thermal limits, causing a meltdown. In addition to the inadvertent cyber configuration control issues occurring at Browns Ferry Nuclear Plant, at least one “worm” infection has occurred at a US nuclear plant. In January 2003, the Davis-Besse nuclear plant was infected by a worm, which caused increased data traffic in the site’s network, resulting in the plant’s Safety Parameter Display System (SPDS) and plant process computer being unavailable for several hours. The investigation determined that this was a failure by a contractor to clear his computer of malware and was not a malicious cyber-attack. In addition, plant personnel were not aware of a patch that could have protected the network.