Melting security standards



  • The company operating our neighbouring nuclear power plant has been publicly criticized by insiders over lax security standards.

    One of the examples cited was the lack of oversight for administrators logging in for system maintenance. According to one source, there were 72 administrators with login permissions for this one machine. The machine concerned is responsible for collection of measurements. It feeds monitors that show plant state to operators. A well-networked machine to own for inside access, by any measure. The updates are performed from a remote location btw.

    The official response was classy:

    72? I think he got those digits confused, pretty sure it's just 27. Didn't check though.

    So they indiscirminately gave remote login to contractors on a machine that allows manipulating apparent reactor state. A mitigating factor cited by officials is the availability of mechanical dials which operators are trained to consult and compare to the digital displays. I lack the details on how the network for the remote logins is secured and whether it is something different from what we call the Internet. They didn't share.

    I can't imagine how they could have ended up with a design where anything but physical separation of networks was an option. They must have found the Stuxnet attack to have been too taxing on the attackers. The only remotely positive thing I have to say about this is that there are few moral barriers in destroying a centrifuge. An attacker that knows what she's doing might not want to go full meltdown on a reactor even when remoting in. However, relying on the goodness and common sense of other people worms is still a bold move when you're tasked with the operation of a fission reactor.



  • @gleemonk said:

    The official response was classy:

    72? I think he got those digits confused, pretty sure it's just 27. **Didn't check though.**

    That is my favorite part of the response.



  • I just reread the article and in fact I misquoted the part about it being an official quote. On his way out of what he says are unacceptable compromises, one guy had mailed all the employees to alert them about the situation, whereupon a "don't you feel good working here" statement was sent claiming the guy didn't know what he was doing. Some recipients then talked to reporters.

    Teammates of the original source, when confronted with the "must've made a typo" statement, went on record to say

    He knows the difference between 72 and 27 very well



  • :sadface: That makes it a lot less funny then.



  • Yeah, bummer. The official quote allows

    at the moment "less than 27" administrators have access to that server

    There, doesn't sound like much does it? After having had 72.



  • @gleemonk said:

    So they indiscirminately gave remote login to contractors on a machine that allows manipulating apparent reactor state.

    In other news, North Korea halts the development of its nuclear program. A high-ranking military officials goes on record saying, quote, "why would we bother? Those western idiots are gonna nuke themselves sooner or later".



  • Aah, nuclear fission, ever the bringer of peace.



  • @gleemonk said:

    > at the moment "less than 27" administrators have access to that server
    There, doesn't sound like much does it? After having had 72.

    "Turns out everyone was listed three times, so we got rid of the duplicates and now it's down to 24."



  • We left joe on the list because after we told him not to play with the switchboard he might have taken this the wrong way.


Log in to reply