[SystemSafety] The Intertwining of Safety and Security

Peter Bernard Ladkin ladkin at causalis.com
Sat Nov 12 06:51:42 CET 2016 


On 2016-11-11 13:17 , paul_e.bennett at topmail.co.uk wrote:
> Nice article Peter.

Thank you!

> In your item the statement. "However, in many nuclear power plants,
> over time, subsystems are replaced, and replacement subsystems
> include more digital electronics than the originals, and become
> thereby vulnerable to cyberintrusion" implies that plant systems
> changes were implemented without revisiting the calculation of the
> integrity of the safety functions.
> 
> I am quite sure that any modification of systems in the Nuclear
> Industry, when calling for a modification, will have such a re-visitation
> before replacement sub-systems are introduced. 

If the subsystem being replaced is not safety-related, then as far as I see there is no requirement
for an impact analysis. If there is no requirement, then given the usual business constraints it
will not be done.

Besides that, even if an impact analysis is performed, it may come up with strictures that operating
staff find unduly constraining, and through MttB those constraints might well not be adhered to. For
example, the Chatham House report gives an example of malware introduced into an "air-gapped" IACS
of an NPP. The contractor responsible for maintaining a piece of kit was off-site, many kilometers
away (if I remember, 2-3 hours' drive). A VPN had been installed (if a system is notionally
"air-gapped", I imagine there is a possibility of persuading management that a dial-out modem
maintains an "air gap". MttB). The malware was present on the contractor's computer and conveyed
when heshe used the VPN.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de





-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: OpenPGP digital signature
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20161112/88807a59/attachment.pgp>

More information about the systemsafety mailing list