Nuclear Satcoms

The Fukushima Daiichi nuclear incident in 2011 has led to safety changes that may have an interesting knock-on effect on reactor security.

Loss of telemetry during the flooding, as a result of the subsequent loss of power, made assessment of the incident hard to manage. Critical data about the state of the reactor and associated infrastructure was not available, so containment and remedial actions were not as effective as they could have been.

As a result, several regulators including the U.S.NRC made recommendations around  “development of simple self-powered telemetry equipment to allow remote monitoring of key parameters.”

This led several plant operators to investigate satellite connectivity as a backup, in the event that other communication transports for telemetry data were knocked out during an incident.

In our view, this was a reasonable conclusion; so long as the satellite terminal remained battery powered and operational, there was no reliance on any other communications infrastructure around the plant. Further, there was no reliance on 3^rd party land-based infrastructure such as cell towers that were potentially exposed to damage.

Satcoms

We’ve spent several years looking at satellite terminals used in the maritime and aviation sectors. Whilst security has improved of late, this is primarily a result of exposure of some really quite serious vulnerabilities by several researchers, including us. What did we keep finding wrong in satcoms?

Some were configuration issues:

• Terminals on the public internet, easily discovered using shodan if you know the right search terms
• Terminals with default admin credentials
• Terminals displaying publicly that they’re running out of date & vulnerable software versions
• Operators failing to apply updates, either through a lack of alerting by the vendor, or the ‘it ain’t broke’ view that often pervades OT

– It also doesn’t help that many older OT devices aren’t capable of supporting updates through lack of available memory, which means that those updates are often useless

Some were vendor issues:

• A lack of firmware signing, allowing rollback to earlier less secure software versions or bricking of the terminal
• Vulnerabilities in the web interface, such as cross site scripting, missing SSL/TLS and even a lovely admin account login bypass
• Exposed telnet interfaces
• The terminal itself becoming a ‘bridge’ between less sensitive IT networks and more sensitive OT environments

There have even been vulnerabilities exposed that may allow takeover of the terminal, either breaking its uplink connection or modifying its ability to transmit.

Satcoms in nuclear

Whilst the nuclear sector is heavily regulated, understanding of satcoms and terminal hardware is not as widely understood as wider IT network security:

Bolt in satellite terminal > Wire it up to the telemetry systems > Add UPS  > Off you go

Even though work will have been done to ensure that the satellite connection was locked down, it’s conceivable that errors have been made through a lack of knowledge by both the nuclear operator and the vendors involved.

Who would have thought that a satellite terminal had remote code execution vulnerabilities and trivial admin account compromise?

Interaction between OT and IT security staff is often limited; understanding of each others roles is also usually quite limited. By working together and building suitable controls for both networks, security can be improved and risks can be mitigated.

Satcoms comes with a risk of ‘slipping down the gap in the middle’ between IT and OT. Whose device is it and who is responsible for its security? Even if it was configured well in the first place, who looks after its ongoing security?

Did the OT team get the appropriate help to secure it in the first place? Did anyone even think about its security?

Consider the alternative

If left unmanaged, that ‘last ditch’ backup to the telemetry system could be useless when it was needed most

Worse, it could be reporting deliberately incorrect data, leading to bad decisions being made during an incident

Worst, it may even expose the telemetry system to tampering, even when there is no incident.

Advice?

IT security and OT need to co-operate closely. Several of my colleagues used to run OT networks, so they’re very familiar with the ‘arms length’ interaction.

OT people guard their safefy critical-systems with a passion, yet IT and OT networks are increasingly converging in unexpected ways, including through satcoms.