
433 points zdw | 72 comments
1. reenorap ◴[] No.45658455[source]
There needs to be a law that all nuclear and nuclear-adjacent facilities have no connection to the Internet. The fact it's allowed is unbelievable.
replies(16): >>45658869 #>>45658922 #>>45659008 #>>45659125 #>>45659155 #>>45659165 #>>45659210 #>>45659242 #>>45659399 #>>45659433 #>>45659476 #>>45659542 #>>45659733 #>>45660029 #>>45661258 #>>45666322 #
2. fujigawa ◴[] No.45658869[source]
It's believable when the industry has pivoted to pushing SaaS garbage in every place imaginable to the point that on-prem solutions don't exist anymore. Do you expect them to not use email either?

Remember, the industry told us we're in a 'zero trust' world now. The network perimeter is an anachronism.

OTOH you know damn well they keep the important stuff airgapped, in which case the title (and your predictable reaction) is just fanning the flames. It could very well be they 'breached' the receptionist's PC she uses to browse Facebook to pass the time.

replies(2): >>45660842 #>>45665762 #
3. tcoff91 ◴[] No.45658922[source]
Wasn't the internet literally created by the military for military comms? The decentralized routing was in part to ensure that comms could survive some areas being taken out by nuclear weapons.
replies(3): >>45659144 #>>45660633 #>>45662081 #
4. azalemeth ◴[] No.45659008[source]
While we're at it "and not use Microsoft products". Literally every time a story like this surfaces...
replies(3): >>45659365 #>>45660443 #>>45660614 #
5. KaiserPro ◴[] No.45659125[source]
I mean there were also rules about non-sanctioned network connections in the Pentagon, or using only sanctioned apps to discuss secrets, but that's not really been enforced recently.
6. SoftTalker ◴[] No.45659144[source]
As the effect of yesterday's AWS event demonstrates, the major Amazon, Microsoft, and Google data centers are surely top tier targets in every adversary's war plans.

The decentralized internet is less of a reality today than it was years ago.

replies(1): >>45659693 #
7. jayd16 ◴[] No.45659155[source]
You mean it's a bad idea to slap a Starlink dish in the same building as the nuclear football?
replies(1): >>45659337 #
8. JumpCrisscross ◴[] No.45659165[source]
> needs to be a law that all nuclear and nuclear-adjacent facilities have no connection to the Internet

Why the special treatment for nuclear? Do you really think redlining a dam or storm-levee system would be less damaging?

Also, turning off internet connections means less-capable remote shut-off. Less-responsive power plants. Fewer eyes on telemetry.

We should be mindful of what is and isn't connected to the internet, and how it's firewalled and--if necessary--air gapped. That doesn't mean sprinting straight for the end zone.

replies(1): >>45659264 #
9. ferguess_k ◴[] No.45659210[source]
I heard that once you put up a website on the public internet, it immediately gets attacked by all kinds of scanners or other worse things. Not sure if it's true as I'm not a web guy.
replies(4): >>45659255 #>>45659306 #>>45659371 #>>45660464 #
10. 1970-01-01 ◴[] No.45659242[source]
Wasn't it literally designed for that specific task? As a robust C&C system during nuclear war? The fact that we're doing it wrong doesn't mean we need to pull the plug on everything. How else do you survive WWIII?

https://ieeexplore.ieee.org/document/5432117

replies(2): >>45660032 #>>45662133 #
11. SoftTalker ◴[] No.45659255[source]
Every public IPv4 address is port scanned multiple times a day.
replies(4): >>45659283 #>>45659316 #>>45662113 #>>45672593 #
12. doublerabbit ◴[] No.45659264[source]
> Also, turning off internet connections means less-capable remote shut-off.

Why does it have to be remote? What's wrong with it being in-house? Besides, a shut-off should never be able to be triggered remotely.

The same goes for digital emergency shut off buttons; all should be physical.

> Less-responsive power plants.

What? How is remote any more responsive than physical workers being in-house?

If power-plants operated efficiently back in the 50's without internet, they should be able to now without internet.

replies(2): >>45659637 #>>45661351 #
13. ta1243 ◴[] No.45659283{3}[source]
Which really isn't a problem, unless you're being scanned so much your bandwidth is being overwhelmed. Certainly not the case for me, despite having ports 80 and 443 open.
replies(1): >>45659439 #
14. pdntspa ◴[] No.45659306[source]
Back in the day, I made the mistake of hooking up a fresh Windows XP (at least I think it was; pre-SP2) install directly to the internet. There was no firewall or NAT to protect me. The machine got pwned almost immediately.
replies(1): >>45664186 #
15. pdntspa ◴[] No.45659316{3}[source]
Watching my website's firewall and ssh logs show all the various hacking attempts is calming in the same way that watching waves crash on to the shore is.
replies(1): >>45659714 #
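The "watching the waves" view of an SSH log can be turned into a simple detector. The following is an added example, not code from any commenter: it parses OpenSSH authentication lines in the usual syslog layout, counts failed logins per source address, and flags sources that cross a threshold. The log lines are constructed for the example (documentation-range addresses), and the regexes assume the standard `Failed password for …` / `Invalid user …` wording.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the OpenSSH/syslog format; not taken from a real host.
SAMPLE_AUTH_LOG = """\
Oct 21 03:14:07 web sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Oct 21 03:14:09 web sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Oct 21 03:14:12 web sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51138 ssh2
Oct 21 03:14:15 web sshd[2207]: Failed password for root from 203.0.113.7 port 51142 ssh2
Oct 21 03:20:41 web sshd[2250]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Oct 21 03:20:49 web sshd[2252]: Accepted publickey for alice from 198.51.100.23 port 40024 ssh2
Oct 21 03:31:02 web sshd[2310]: Invalid user test from 192.0.2.99 port 33001
"""

# "Failed password for [invalid user ]<name> from <ip> port <n>"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# "Invalid user <name> from <ip>" is logged even before a password is tried.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")


def summarize(log_text):
    """Return (failures per source IP, set of usernames tried per source IP)."""
    failures = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        match = FAILED_RE.search(line) or INVALID_RE.search(line)
        if not match:
            continue  # accepted logins and unrelated lines are ignored
        failures[match["ip"]] += 1
        users[match["ip"]].add(match["user"])
    return failures, users


def flag_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, with the usernames they tried.

    Many distinct usernames from one source is the usual signature of a
    dictionary sweep rather than a user mistyping their own password.
    """
    failures, users = summarize(log_text)
    return {
        ip: {"failures": count, "usernames": sorted(users[ip])}
        for ip, count in failures.items()
        if count >= threshold
    }


if __name__ == "__main__":
    for ip, info in flag_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, tried {info['usernames']}")
```

Against the sample, only 203.0.113.7 is flagged (four failures across three usernames); the single failure from 198.51.100.23 followed by an accepted key login is what a legitimate user looks like. Feeding the function `journalctl -u ssh` output or `/var/log/auth.log` works the same way.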
16. boringg ◴[] No.45659337[source]
Which breach was that again?
17. dimitrios1 ◴[] No.45659365[source]
That's more of a form of survivorship bias. Microsoft continued to maintain its lockdown on government IT and infrastructure through the decades, over the alternatives.
18. rtldg ◴[] No.45659371[source]
All IPv4 addresses, domains (maybe more so for recently-registered ones), and subdomains from Certificate Transparency Logs (for HTTPS certs) are all constantly checked and poked.
19. hypeatei ◴[] No.45659399[source]
> needs to be a law that all nuclear and nuclear-adjacent facilities have no connection to the Internet

You want to make everything about a nuclear facility bespoke and subject to air-gapped drift? What about the guard booth that verifies people's access, the receptionist who schedules meetings, and the janitor who wants to watch YouTube on his break? It seems unrealistic to lump everything that goes on at a nuclear facility under this umbrella.

replies(1): >>45659507 #
20. 0_____0 ◴[] No.45659433[source]
Being airgapped didn't help Iran avoid Stuxnet.
replies(5): >>45659531 #>>45659627 #>>45659665 #>>45660573 #>>45660806 #
21. tgv ◴[] No.45659439{4}[source]
I have a server that has a slow (5s) response to unknown pages, returns it as 200, and makes the next failing request even slower (for unauthenticated users). That seems to keep the number of requests limited. Perhaps I should just drop the connection after a certain number of requests.

BTW, quite a few of these port scanners are companies that offer to scan your ports for vulnerabilities. Temu pen testing, so to speak.

replies(1): >>45659762 #
22. wslh ◴[] No.45659476[source]
Microsoft could have been sold this with a special "nuclear license".
23. reenorap ◴[] No.45659507[source]
Opening up the internet to a nuclear facility so that the janitor can watch YouTube seems preposterous. People can afford to do things slower for the sake of security. Having things typed out, verifying security via phone calls, etc., like it's the 1970s seems reasonable to me. Does it really matter if things aren't fully optimized for speed and convenience in nuclear facilities?
replies(2): >>45659620 #>>45660445 #
24. sgjohnson ◴[] No.45659531[source]
That also had a HUMINT element.
replies(1): >>45660669 #
25. porridgeraisin ◴[] No.45659542[source]
Fine, keep it on the internet. But SharePoint, seriously? A 15 year old version of nginx pointed to the ~/.ssh folder is more secure.
26. hypeatei ◴[] No.45659620{3}[source]
> really matter if things aren't fully optimized for speed and convenience in nuclear facilities

For hiring and retaining people, yes. It's understood that the "guts" of what's happening at these facilities needs to be locked down to the max. But, for supporting roles you need to be able to bring people in off the street without 1) a bunch of specialized training on your bespoke way of doing things, and 2) making your employees less attractive on the job market.

Just my opinion, though. Maybe I'm completely off base but it doesn't seem like a good idea to me long-term.

27. bell-cot ◴[] No.45659627[source]
No, but it made the attacker's job 10000X more difficult.
28. JumpCrisscross ◴[] No.45659637{3}[source]
> Why does it have to be remote? What's wrong with it being in-house?

Nothing wrong with it being in house. But having a back-up is never bad.

> How is remote any more responsive than physical workers being in-house?

If the on-site workers are incapacitated. It's a remote (hehe) risk. But so are foreign hackers doing anything with our nukes.

> If power-plants operated efficiently back in the 50's without internet, they should be able to now without internet

If you're fine paying 50s power prices again, sure, I'm sure a power company would happily run their plants retro style.

replies(3): >>45660895 #>>45662377 #>>45664216 #
29. the_af ◴[] No.45659665[source]
Defense in depth is still valuable.
30. diggan ◴[] No.45659693{3}[source]
Don't we have more internet submarine cables and less single points of failure in our internet infrastructure today than years ago? If so, shouldn't that make it easier to route around failures?

The web though I agree isn't very decentralized.

replies(2): >>45659982 #>>45662699 #
31. diggan ◴[] No.45659714{4}[source]
More like looking at a thin net preventing mosquitoes from biting your skin, as there is some intention behind it, not just physics.
32. bink ◴[] No.45659733[source]
From the article:

> OT cybersecurity specialists interviewed by CSO say that KCNSC’s production systems are likely air-gapped or otherwise isolated from corporate IT networks, significantly reducing the risk of direct crossover. Nevertheless, they caution against assuming such isolation guarantees safety.

This was also not a nuclear facility, however. The article says it makes "non-nuclear components".

In my experience auditing critical infrastructure, most facilities are "air gapped". I put that in quotes because while you can't browse the Internet from the control network(s), there are ways to exfiltrate data. The managers, engineers, regulators, and vendors need to know what is going on in real-time. Back in the day this could've been a serial port connecting two systems for a one-way feed. Now I imagine it's something far more sophisticated and probably more susceptible to abuse.

As an example, you might have a collection of turbines manufactured by GE and GE needs to have real-time data coming from them for safety monitoring and maintenance. The turbines might have one connection for control traffic and another for monitoring. How to secure these vendor connections was always a debate.

Btw, there are strong cybersecurity regulations around critical infrastructure. CIP-005-07 covers security perimeters. You can view them here: https://www.nerc.com/pa/Stand/Reliability%20Standards%20Comp...

replies(1): >>45659942 #
33. eks391 ◴[] No.45659762{5}[source]
Do you configure this in your firewall? How can I replicate this?
replies(1): >>45664190 #
34. Veserv ◴[] No.45659942[source]
Ah yes, "likely air-gapped", what a high-confidence statement. Any competently designed air-gap must be precisely auditable and demonstrably, positively air-gapped.

The only world where "likely" is a reasonable word is in reference to possible physical taps or a precise enumeration of physical access points that went unaudited, but have reliably followed safe access control/configuration procedures. Anything else is plain incompetence.

replies(4): >>45660207 #>>45660284 #>>45660618 #>>45661016 #
35. SoftTalker ◴[] No.45659982{4}[source]
Maybe yes in that regard. But in the past, most organizations ran their own mail and web servers. Software supporting the business ran on-prem. Now they use Google or Azure or AWS. So business and civilian usage, at least, seem more vulnerable now.
replies(1): >>45661291 #
36. dylan604 ◴[] No.45660029[source]
It is funny to read this kind of comment knowing that at the same time this kind of stuff was happening, the launch codes were 0000000 or some such non-secure code. At the same time, the computers in the nuclear launch facilities were still using 5.25" floppies. I did wonder how often they were loading updates from those, if ever.
37. groby_b ◴[] No.45660032[source]
You don't. Internet or not.
38. nathanmcrae ◴[] No.45660207{3}[source]
How do you go about positively demonstrating such a system is air-gapped?
replies(1): >>45660439 #
39. fintler ◴[] No.45660284{3}[source]
They have multiple networks. One of them is definitely airgapped (red for RD). The medium security one is protected by annoyingly strict network ACLs (yellow for ITAR). Then there's a low security one for stuff like sharepoint (green).

This article is full of nonsense and speculation.

replies(1): >>45660802 #
40. fintler ◴[] No.45660439{4}[source]
Speaking from past experience with the DoE (I'm happy I don't need to deal with security like this anymore), there were constant and randomized checks to make sure fiber cables (they were all fiber to make it harder to tamper with and to avoid accidental RF) were fully visible (e.g. not hidden under a desk or something) and not tampered with. Also, lots of locks and doors, both electrical and mechanical. The guy at the front desk with a big gun probably helped too.
41. Razengan ◴[] No.45660443[source]
I don't think any Microsoft Surfaces were involved in this..
42. aerostable_slug ◴[] No.45660445{3}[source]
IRL the way we do it is separating the business network (Youtube, finance people, HR, etc.) from the operational network (relays and sensors). You use data diodes to send business-critical data from the operational network to the business network.

Also, the Kansas City Plant is like a watchmaker's factory, not a power plant. They make widgets and gewgaws, not literally split atoms.

43. aerostable_slug ◴[] No.45660464[source]
IIRC Carnegie Mellon did a study years ago which showed that you could not unbox a new Windows machine, connect it "directly" to the Internet, and get it fully patched before it was pwned.
44. aspenmayer ◴[] No.45660573[source]
To be fair, it didn’t help the rest of us avoid Stuxnet, either.

https://en.wikipedia.org/wiki/Operation_Olympic_Games#Histor...

> A programming error later caused the worm to spread to computers outside of Natanz. When an engineer "left Natanz and connected [his] computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed." The code replicated on the Internet and was subsequently exposed for public dissemination. IT security firms Symantec and Kaspersky Lab have since examined Stuxnet. It is unclear whether the United States or Israel introduced the programming error.

Also bearing mention is Flame, which is often left out when Stuxnet comes up, but which was allegedly part of the wider operation.

https://en.wikipedia.org/wiki/Operation_Olympic_Games#Signif...

> The Washington Post reported that Flame malware was also part of Olympic Games.

https://www.washingtonpost.com/world/national-security/us-is... | https://web.archive.org/web/20220322045917/https://www.washi... | https://archive.is/6hRl7

> “We are now 100 percent sure that the Stuxnet and Flame groups worked together,” said Roel Schouwenberg, a Boston-based senior researcher with Kaspersky Lab.

> The firm also determined that the Flame malware predates Stuxnet. “It looks like the Flame platform was used as a kickstarter of sorts to get the Stuxnet project going,” Schouwenberg said.

https://en.wikipedia.org/wiki/Flame_(malware)

45. BeetleB ◴[] No.45660614[source]
> While we're at it "and not use Microsoft products".

I'm not sure if Oracle would be better.

46. philipallstar ◴[] No.45660618{3}[source]
> Anything else is plain incompetence.

It's an answer from talking heads, not from people from the facility.

47. philipallstar ◴[] No.45660633[source]
The very, very earliest form of some of the protocols involved in it were, yes. But not really now at all. That "internet" would not be worth using.
48. aspenmayer ◴[] No.45660669{3}[source]
It’s possible that the (un)timely demise of the individual involved also had a HUMINT element as well.

https://en.wikipedia.org/wiki/Operation_Olympic_Games#Histor...

> Dutch engineer Erik van Sabben allegedly infiltrated the Natanz nuclear facility on behalf of Dutch intelligence and installed equipment infected with Stuxnet. He died two weeks after the Stuxnet attack at age 36 in an apparent single-vehicle motorcycle accident in Dubai.

https://en.wikipedia.org/wiki/Erik_van_Sabben

49. Veserv ◴[] No.45660802{4}[source]
The standard you linked literally talks about: "High Impact BES Cyber Systems with External Routable Connectivity" and "Remote Access Management" for "High Impact BES Cyber Systems". That explicitly indicates non-airgapped critical systems. Furthermore, the prescribed auditing specifically spells out "network diagrams or architecture documents" as good evidence. Obviously, that is a high level document, but I see nothing to indicate robustness against state-level actors, which are an expected threat.
50. apstls ◴[] No.45660806[source]
There is likely a small number of people who could collectively list out the events it _did_ help Iran avoid.
51. IAmBroom ◴[] No.45660842[source]
I have some sad news for you, about the realities of "airgapped security" IRL.

It starts with military officers using the hallway photocopiers for secure documents, and ends with TS docs stored in a Florida hotel's restroom.

52. IAmBroom ◴[] No.45660895{4}[source]
> But having a back-up is never bad.

It is always an increase in risk, in a security sense.

53. jcrawfordor ◴[] No.45661016{3}[source]
KCNSC is a large organization that will have hundreds of distinct networks at different risk and control levels. Every variation of "public internet" to "single-site air-gapped network" probably exists there, including many levels in between like multi-site secure networks and networks with limited internet connectivity. Many networks are airgapped; this sometimes means that they consist of a small number of assets in a single room, and it sometimes means that they have connectivity to airgapped enclaves of AWS and hundreds of other military, government, and contractor sites. All of these controls will have been determined by a combination of risk scoring, compliance policies, legal requirements, office politics, and happenstance. Multiple contracting authorities will periodically audit many of these networks against various standards, which may or may not allow connectivity to specific other networks depending on risk levels. Connectivity between networks is sometimes controlled by NSA accredited cross-domain solutions and multi-level security systems that enforce complex policy; in other cases it's controlled by an administrative assistant with a DVD burner. There will be case-by-case risk analysis decisions made for specific systems, ultimately signed off by a government official who may or may not have read them. Inevitably some of these will appear reasonable and cautious in retrospect and others will not.

The root fault with this article, and the resulting discussion, is the extent to which it generalizes over one of the larger organizations in a very complex part of the defense industrial complex. Many parts of KCNSC's operations are absolutely not exposed by this incident. Other parts absolutely are. Determining which fall into which category, and to what extent that is acceptable, keeps quite a few people employed.

54. HippyTed ◴[] No.45661258[source]
Just wait until these places get flooded with vibe coded stuff that even those deploying it have little understanding. What could go wrong!?

Sleep well.

55. HippyTed ◴[] No.45661291{5}[source]
We sacrificed resilience for efficiency. Now things are much more fragile and liable to exploitation.
56. HippyTed ◴[] No.45661351{3}[source]
The one exception I can think of is remote shutdown in the face of a rapid natural disaster. Like how the Japanese train network is set to shut down rapidly when a high power quake is detected.

But that is very geography dependent.

57. 1718627440 ◴[] No.45662081[source]
That's fine, when all the nodes run autonomously and the internet is only used for real information sharing. What we now have is that the nodes are display control servers and all the computation and storage happens externally. That is not how it was designed by the military.
58. 1718627440 ◴[] No.45662113{3}[source]
Per day? Per minute or second.
59. 1718627440 ◴[] No.45662133[source]
That only works, if the nodes still operate just fine, without the Internet.
60. tehjoker ◴[] No.45662377{4}[source]
good argument against having nukes
replies(1): >>45662904 #
61. Root_Denied ◴[] No.45662699{4}[source]
Considering that the AWS outage took out a lot of lines of communication (email, video, chat systems) for both commercial and government entities, I'd say that US-East-1 is a pretty big single point of failure. Even if it didn't result in infrastructure impact directly, if there was some kind of infrastructure issue and you had delayed or unavailable communications, how would you know? How quickly could a response be mounted? There are some parts of the infrastructure that could damage themselves irreparably in the time it would take to fix the outage or get comms routed through a backup channel, like parts of the electrical grid or water treatment plants.

An attacker (read: nation-state actor) wouldn't even need to take down US-East-1, it could just take advantage of the outage.

I assume (hope?) there's some kind of backup comms plan or infra in place for critical events, but I don't actually know.

62. JumpCrisscross ◴[] No.45662904{5}[source]
One can paraphrase the joke about democracy for nukes. Having nukes is the worst, other than every situation where you don’t have nukes and the other guy does.
replies(1): >>45668214 #
63. fragmede ◴[] No.45664186{3}[source]
It's still true!

> What happens if you connect Windows XP to the Internet in 2024?

https://youtu.be/6uSVVCmOH5w

64. fragmede ◴[] No.45664190{6}[source]
what firewall do you use?
replies(1): >>45669471 #
65. fragmede ◴[] No.45664216{4}[source]
> When expressed in constant 2019 dollars, the average price of electricity in the United States fell from $4.79 per kilowatt-hour in 1902 (the first year for which the national mean is available) to 32 cents in 1950.

https://spectrum.ieee.org/electricity-its-wonderfully-afford...

$0.32 is $0.41 according to BLS, which is less than I'm paying today (I live somewhere with expensive electricity), so I'd enjoy the discount if they did!

https://data.bls.gov/cgi-bin/cpicalc.pl?cost1=0.32&year1=201...

replies(1): >>45664527 #
66. JumpCrisscross ◴[] No.45664527{5}[source]
> $0.32 is $0.41 according to BLS, which is less than I'm paying today

Out of curiosity, what was the real power price where you live in the 60s?

replies(1): >>45666386 #
67. ninalanyon ◴[] No.45665762[source]
Email is much easier to secure.

> receptionist's PC she uses to browse Facebook to pass the time.

Why does 'her' PC have access to the internet?

68. schnitzelstoat ◴[] No.45666322[source]
The nuclear systems are air-gapped. So this is already the case.
69. fragmede ◴[] No.45666386{6}[source]
Had a long back-and-forth with ChatGPT and it says, accounting for inflation, that it's roughly the same from the 50s and the 60s versus today.
70. tehjoker ◴[] No.45668214{6}[source]
Most of the other guys get nukes because we have nukes and threaten them militarily. They're very expensive, countries don't want them unless they need a deterrent, and we're often the main threat.
71. tgv ◴[] No.45669471{7}[source]
It's in the "404" handler of the backend. It should be possible to write a caddy or nginx module for it.
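The escalating-delay 404 handler tgv describes (slow first miss, returned as 200, slower on each further miss from the same unauthenticated client, and eventually dropping the connection) can be sketched without any web-server module. The following is an added example, not tgv's code or any nginx/Caddy module: a small WSGI app with per-client miss counters kept in memory. Assumptions made here: a 5 s base delay that doubles per consecutive miss and is capped, a miss counter that resets when the client hits a real path, and, since a WSGI app cannot close the socket itself, a `429` with an empty body standing in for "drop the connection". The `sleep` argument exists so the policy can be exercised without actually waiting.

```python
import time
from dataclasses import dataclass, field

# Assumed policy values; tune for the server's real traffic.
BASE_DELAY = 5.0     # first miss waits this long (the "slow 5s response")
MAX_DELAY = 60.0     # cap so a single client cannot pin a worker for minutes
DROP_AFTER = 8       # after this many consecutive misses, stop answering at all


@dataclass
class TarpitPolicy:
    """Per-client back-off for requests to unknown paths."""
    base_delay: float = BASE_DELAY
    max_delay: float = MAX_DELAY
    drop_after: int = DROP_AFTER
    misses: dict = field(default_factory=dict)  # client address -> consecutive misses

    def delay_for_miss(self, client):
        """Record a miss and return the delay to apply, or None to drop the request."""
        count = self.misses.get(client, 0) + 1
        self.misses[client] = count
        if count > self.drop_after:
            return None
        return min(self.base_delay * 2 ** (count - 1), self.max_delay)

    def note_success(self, client):
        """A hit on a real path clears the client's miss streak."""
        self.misses.pop(client, None)


# Constructed routing table for the example; a real backend has its own router.
KNOWN_PATHS = {"/": b"hello\n", "/health": b"ok\n"}


def make_app(policy, sleep=time.sleep):
    """Build a WSGI app that tarpits misses according to `policy`."""
    def app(environ, start_response):
        client = environ.get("REMOTE_ADDR", "unknown")
        path = environ.get("PATH_INFO", "/")
        if path in KNOWN_PATHS:
            policy.note_success(client)
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [KNOWN_PATHS[path]]
        delay = policy.delay_for_miss(client)
        if delay is None:
            # Stand-in for dropping the connection: no content, no further delay.
            start_response("429 Too Many Requests", [("Content-Length", "0")])
            return [b""]
        sleep(delay)
        # Returned as 200 rather than 404, as described, so a scanner cannot
        # distinguish a miss from a hit by status code alone.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"\n"]
    return app


def probe(app, client, path):
    """Call the app once and return (status, body) for a fake request."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app({"REMOTE_ADDR": client, "PATH_INFO": path}, start_response))
    return captured["status"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, make_app(TarpitPolicy())).serve_forever()
```

Run stand-alone it serves on port 8080; the same idea in nginx or Caddy would need a module because the delay has to happen inside request handling, which is why tgv keeps it in the backend. One caveat worth keeping in mind: sleeping inside a synchronous worker costs the server a worker for the whole delay, so the cap and the drop threshold matter as much as the delay itself.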
72. ferguess_k ◴[] No.45672593{3}[source]
Damn that's like Blood War in DND...