Image from Pixabay

In 2007, a Dutch engineer walked into the Iranian nuclear complex of Natanz and
installed a water pump there. This Erik van Sabben had a second client: the Dutch
intelligence service AIVD. And that is how it happened that the centrifuges,
which are needed to enrich uranium, went haywire because of the infamous
Stuxnet virus. This is of course the ultra-short version of the story. The
long, exciting story is in the book There's a War Going On But No One Can
See It by investigative journalist Huib Modderkolk.

Earlier this week, a Dutch engineer walked into the Dutch nuclear complex of Almelo.
Not to install anything, and not with a secret agenda. No, because that was me,
together with about thirty colleagues, and we came for a tour and a
presentation on a holistic view of security.

So I walked from the parking lot and came across a fence that was several meters
high. There was a pedestrian gate in it, with an intercom. People were just
walking from the other side, so I thought, I'll ask them. Because I was curious
how they would react. It turns out that the gate wasn't locked at all. I was
welcomed with a wide arm gesture and I was kindly shown where I had to report.

Is it really that easy to get in there? Well, fortunately it is not. You get a pass
and with that you can go through a gate. After that, as a visitor, you can
actually only go one way: to the reception building. And from there you are
constantly accompanied.

October is traditionally security month. Many organizations – including ours – pay
extra attention to security. One of the topics that we are putting in the
spotlight this time is physical security. As an employee, you play a somewhat
uncomfortable role in this. We want you to be a little less friendly. Intruders
often enter because a friendly employee holds the door open for them. Most of
the time, this doesn’t work at the entrances of our buildings, because you have
to go through a swing gate. But think for a moment about those internal doors,
which you have to open with a badge. Those secured doors are there for a
reason: only authorized personnel should enter. Of course, you can hold the
door open for someone you know belongs there, but for strangers, a friendly
“Would you mind using your own badge?” is appropriate. And if you see someone
walking around without a badge, you could just as kindly ask if they have
lost their pass, and if necessary, accompany them to the reception. I know this
is difficult and that is why I am glad that this situation usually doesn’t arise.
Usually, indeed. Maybe that is an extra reason to say something anyway if you
see this.

Let's go back to the visit. The security manager first talked about the physical
threats that a uranium enrichment plant has to deal with. You can easily figure
out where those threats come from: criminals, terrorists and activists. The
security measures are not that difficult either: fences, security guards, alarm
systems. Then he went on to digital threats, in which the same actors play a
role. And that's where the holistic ('all-encompassing') nature of their
approach comes into play: the measures against cyber threats are of the same
kind as those against physical threats. You have to look at it as a whole,
because an attacker will not make a distinction between them either. He might
try to disable the alarm systems via a virus or a hack, after which he gains
physical access to the complex. And maybe he is not after uranium at all, but
after data. In most organizations, crooks and spies will try to get the coveted
data via the Internet, but in facilities like these, the really important data
is air gapped: there is literally air between the computers in question
and the outside world. In other words, they are only attached to a strictly
closed network. So you really need to gain physical entry to get to it.

During that tour I came face to face with exactly the kind of installation that
Stuxnet was all about: the centrifuges that enrich uranium in order to turn it
into fuel for nuclear power plants. With Modderkolk's book in mind, this was
quite a special moment. It really takes something to break those things. The
oldest installation in Almelo has been running non-stop for forty years, without
any maintenance. You can't find that in ICT.
Thanks to Urenco for the hospitality and to the Security Academy for
the organization.
And in the big bad world…
- Industrial systems are very vulnerable when connected to the Internet.
- Millions of cars were vulnerable due to an error on the manufacturer's website.
- Some systems are better operated manually.
- Illegal services are also sometimes affected by burglars.
- NIST is putting an end to some stupid password practices.
- This Cyber Glossary explains various cybersecurity terms.
- ChatGPT can be hacked through fake memories.
- An international alliance of intelligence and security services has published advice for securing Active Directory.