It's believable when the industry has pivoted to pushing SaaS garbage in every place imaginable to the point that on-prem solutions don't exist anymore. Do you expect them to not use email either?
Remember, the industry told us we're in a 'zero trust' world now. The network perimeter is an anachronism.
OTOH you know damn well they keep the important stuff airgapped, in which case the title (and your predictable reaction) is just fanning the flames. It could very well be they 'breached' the receptionist's PC she uses to browse Facebook to pass the time.
That's more of a form of survivorship bias. Microsoft continued to maintain its lockdown on government IT and infrastructure through the decades, over the alternatives.
> OT cybersecurity specialists interviewed by CSO say that KCNSC’s production systems are likely air-gapped or otherwise isolated from corporate IT networks, significantly reducing the risk of direct crossover. Nevertheless, they caution against assuming such isolation guarantees safety.
This was also not a nuclear facility, however. The article says it makes "non-nuclear components".
In my experience auditing critical infrastructure, most facilities are "air gapped". I put that in quotes because while you can't browse the Internet from the control network(s), there are ways to exfiltrate data. The managers, engineers, regulators, and vendors need to know what is going on in real-time. Back in the day this could've been a serial port connecting two systems for a one-way feed. Now I imagine it's something far more sophisticated and probably more susceptible to abuse.
As an example, you might have a collection of turbines manufactured by GE and GE needs to have real-time data coming from them for safety monitoring and maintenance. The turbines might have one connection for control traffic and another for monitoring. How to secure these vendor connections was always a debate.
Ah yes, "likely air-gapped", what a high-confidence statement. Any competently designed air-gap must be precisely auditable and demonstrably, positively air-gapped.
The only world where "likely" is a reasonable word is in reference to possible physical taps or a precise enumeration of physical access points that went unaudited, but have reliably followed safe access control/configuration procedures. Anything else is plain incompetence.
KCNSC is a large organization that will have hundreds of distinct networks at different risk and control levels. Every variation of "public internet" to "single-site air-gapped network" probably exists there, including many levels in between like multi-site secure networks and networks with limited internet connectivity. Many networks are airgapped; this sometimes means that they consist of a small number of assets in a single room, and it sometimes means that they have connectivity to airgapped enclaves of AWS and hundreds of other military, government, and contractor sites. All of these controls will have been determined by a combination of risk scoring, compliance policies, legal requirements, office politics, and happenstance. Multiple contracting authorities will periodically audit many of these networks against various standards, which may or may not allow connectivity to specific other networks depending on risk levels. Connectivity between networks is sometimes controlled by NSA accredited cross-domain solutions and multi-level security systems that enforce complex policy, in other cases it's controlled by an administrative assistant with a DVD burner. There will be case-by-case risk analysis decisions made for specific systems, ultimately signed off by a government official who may or may not have read them. Inevitably some of these will appear reasonable and cautious in retrospect and others will not.
The root fault with this article, and the resulting discussion, is the extent to which it generalizes over one of the larger organizations in a very complex part of the defense industrial complex. Many parts of KCNSC's operations are absolutely not exposed by this incident. Other parts absolutely are. Determining which fall into which category, and to what extent that is acceptable, keeps quite a few people employed.
They have multiple networks. One of them is definitely airgapped (red for RD). The medium security one is protected by annoyingly strict network ACLs (yellow for ITAR). Then there's a low security one for stuff like sharepoint (green).
The standard you linked literally talks about: "High Impact BES Cyber Systems with External Routable Connectivity" and "Remote Access Management" for "High Impact BES Cyber Systems". That explicitly indicates non-airgapped critical systems. Furthermore, the prescribed auditing specifically spells out "network diagrams or architecture documents" as good evidence. Obviously, that is a high level document, but I see nothing to indicate robustness against state-level actors which are an expected threat.
Speaking from past experience with the DoE (I'm happy I don't need to deal with security like this anymore), there were constant and randomized checks to make sure fiber cables (they were all fiber to make it harder to tamper with and to avoid accidental RF) were fully visible (e.g. not hidden under a desk or something) and not tampered with. Also, lots of locks and doors, both electrical and mechanical. The guy at the front desk with a big gun probably helped too.
Wasn't the internet literally created by the military for military comms? The decentralized routing was in part to ensure that comms could survive some areas being taken out by nuclear weapons.
As the effect of yesterday's AWS event demonstrates, the major Amazon, Microsoft, and Google data centers are surely top tier targets in every adversary's war plans.
The decentralized internet is less of a reality today than it was years ago.
Don't we have more internet submarine cables and less single points of failure in our internet infrastructure today than years ago? If so, shouldn't that make it easier to route around failures?
Considering that the AWS outage took out a lot of lines of communication (email, video, chat systems) for both commercial and government entities, I'd say that US-East-1 is a pretty big single point of failure. Even if it didn't result in infrastructure impact directly, if there was some kind of infrastructure issue and you had delayed or unavailable communications, how would you know? How quickly could a response be mounted? There's some parts of the infrastructure that could damage themselves irreparably in the time it would take to fix the outage or get comms routed through a backup channel - like parts of the electrical grid or water treatment plants.
An attacker (read: nation-state actor) wouldn't even need to take down US-East-1, it could just take advantage of the outage.
I assume (hope?) there's some kind of backup comms plan or infra in place for critical events, but I don't actually know.
Maybe yes in that regard. But in the past, most organizations ran their own mail and web servers. Software supporting the business ran on-prem. Now they use Google or Azure or AWS. So business and civilian usage, at least, seem more vulnerable now.
That's fine, when all the nodes run autonomously and the internet is only used for real information sharing. What we now have is that the nodes are display control servers and all the computation and storage happens externally. That is not how it was designed by the military.
Wasn't it literally designed for that specific task? As a robust C&C system during nuclear war? The fact that we're doing it wrong doesn't mean we need to pull the plug on everything. How else do you survive WWIII?
I heard that once you put up a website on the public internet, it would immediately get attacked by all kinds of scanners or other worse things. Not sure if it's true as I'm not a web guy.
All IPv4 addresses, domains (maybe more so for recently-registered ones), and subdomains from Certificate Transparency Logs (for HTTPS certs) are all constantly checked and poked.
Back in the day, I made the mistake of hooking up a fresh Windows XP (at least I think it was; pre-SP2) install directly to the internet. There was no firewall or NAT to protect me. The machine got pwned almost immediately.
Watching my website's firewall and ssh logs show all the various hacking attempts is calming in the same way that watching waves crash onto the shore is.
Which really isn't a problem, unless you're being scanned so much your bandwidth is being overwhelmed. Certainly not the case for me, despite having port 80 and 443 open.
I have a server that has a slow (5s) response to unknown pages, returns it as 200, and makes the next failing request even slower (for unauthenticated users). That seems to keep the number of requests limited. Perhaps I should just drop the connection after a certain number of requests.
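An added illustration of the escalating-delay tarpit the comment above describes, not the commenter's own code: a minimal WSGI app that serves known pages normally, answers unknown pages with a slow 200, doubles the stall for each further miss from the same unauthenticated client, and refuses service past a threshold. The route list, the doubling rule, the drop threshold and the use of an Authorization header as the "authenticated" signal are all assumptions.

```python
import time
from collections import defaultdict

KNOWN_PATHS = {"/", "/health"}   # constructed sample of the site's real routes
BASE_DELAY = 5.0                 # first miss stalls 5 s, as in the comment
DROP_AFTER = 8                   # assumption: refuse service after this many misses

# Per-client count of unauthenticated requests for unknown pages (in-memory;
# a real deployment would age these entries out).
_misses = defaultdict(int)


def tarpit_delay(client, authenticated, path):
    """Seconds to stall this request, or None when the client should be dropped.

    Known pages and authenticated clients are never delayed; each further
    miss from the same unauthenticated client doubles the stall.
    """
    if authenticated or path in KNOWN_PATHS:
        return 0.0
    _misses[client] += 1
    n = _misses[client]
    if n > DROP_AFTER:
        return None
    return BASE_DELAY * 2 ** (n - 1)


def app(environ, start_response, sleep=time.sleep):
    """WSGI app applying the tarpit policy (sleep is injectable for testing)."""
    client = environ.get("REMOTE_ADDR", "?")
    authed = "HTTP_AUTHORIZATION" in environ   # assumption: header = logged in
    delay = tarpit_delay(client, authed, environ.get("PATH_INFO", "/"))
    if delay is None:
        # WSGI cannot drop the socket itself; 429 + Connection: close is the
        # nearest equivalent, and the front proxy can enforce the ban from it.
        start_response("429 Too Many Requests", [("Connection", "close")])
        return [b""]
    sleep(delay)  # stall before replying, even for the bogus 200
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]
```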
BTW, quite a few of these port scanners are companies that offer to scan your ports for vulnerabilities. Temu pen testing, so to speak.
IIRC Carnegie Mellon did a study years ago which showed that you could not unbox a new Windows machine, connect it "directly" to the Internet, and get it fully patched before it was pwned.
> needs to be a law that all nuclear and nuclear-adjacent facilities have no connection to the Internet
You want to make everything about a nuclear facility bespoke and subject to air-gapped drift? What about the guard booth that verifies peoples access, the receptionist who schedules meetings, and the janitor who wants to watch YouTube on his break? It seems unrealistic to lump everything that goes on at a nuclear facility under this umbrella.
Opening up the internet to a nuclear facility so that the janitor can watch Youtube seems preposterous. People can afford to do things slower for the sake of security. Having things typed out, verifying security via phone calls, etc like it's the 1970s seems reasonable to me. Does it really matter if things aren't fully optimized for speed and convenience in nuclear facilities?
IRL the way we do it is separating the business network (Youtube, finance people, HR, etc.) from the operational network (relays and sensors). You use data diodes to send business-critical data from the operational network to the business network.
Also, the Kansas City Plant is like a watchmaker's factory, not a power plant. They make widgets and gewgaws, not literally split atoms.
> really matter if things aren't fully optimized for speed and convenience in nuclear facilities
For hiring and retaining people, yes. It's understood that the "guts" of what's happening at these facilities needs to be locked down to the max. But, for supporting roles you need to be able to bring people in off the street without 1) a bunch of specialized training on your bespoke way of doing things, and 2) making your employees less attractive on the job market.
Just my opinion, though. Maybe I'm completely off base but it doesn't seem like a good idea to me long-term.
> Dutch engineer Erik van Sabben allegedly infiltrated the Natanz nuclear facility on behalf of Dutch intelligence and installed equipment infected with Stuxnet. He died two weeks after the Stuxnet attack at age 36 in an apparent single-vehicle motorcycle accident in Dubai.
> A programming error later caused the worm to spread to computers outside of Natanz. When an engineer "left Natanz and connected [his] computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed." The code replicated on the Internet and was subsequently exposed for public dissemination. IT security firms Symantec and Kaspersky Lab have since examined Stuxnet. It is unclear whether the United States or Israel introduced the programming error.
Also bearing mention is Flame, which is often left out when Stuxnet comes up, but which was allegedly part of the wider operation.
> “We are now 100 percent sure that the Stuxnet and Flame groups worked together,” said Roel Schouwenberg, a Boston-based senior researcher with Kaspersky Lab.
> The firm also determined that the Flame malware predates Stuxnet. “It looks like the Flame platform was used as a kickstarter of sorts to get the Stuxnet project going,” Schouwenberg said.
It is funny to read this kind of comment knowing at the same time this kind of stuff was happening while the launch codes were 0000000 or some such non-secure code. At the same time, the computers in the nuclear launch facilities were still using 5.25" floppies. I did wonder how often they were loading updates from those, if ever.
I mean there were also rules about non-sanctioned network connections in the Pentagon, or using only sanctioned apps to discuss secrets, but that's not really been enforced recently.
> needs to be a law that all nuclear and nuclear-adjacent facilities have no connection to the Internet
Why the special treatment for nuclear? Do you really think redlining a dam or storm-levee system would be less damaging?
Also, turning off internet connections means less-capable remote shut-off. Less-responsive power plants. Fewer eyes on telemetry.
We should be mindful of what is and isn't connected to the internet, and how it's firewalled and--if necessary--air gapped. That doesn't mean sprinting straight for the end zone.
> When expressed in constant 2019 dollars, the average price of electricity in the United States fell from $4.79 per kilowatt-hour in 1902 (the first year for which the national mean is available) to 32 cents in 1950.
One can paraphrase the joke about democracy for nukes. Having nukes is the worst, other than every situation where you don’t have nukes and the other guy does.
Most of the other guys get nukes because we have nukes and threaten them militarily. They're very expensive, countries don't want them unless they need a deterrent, and we're often the main threat.
The one exception I can think of is remote shutdown in the face of a rapid natural disaster. Like how the Japanese train network is set to shut down rapidly when a high power quake is detected.