In this posting I present a white paper, published jointly by Nixu, Teollisuuden Voima (TVO) and the Finnish Radiation and Nuclear Safety Authority (STUK) in Vienna in early June, discussing ways of developing and maintaining information security management in a nuclear power plant. The event is the International Conference on Computer Security in a nuclear World: Expert Discussion and Exchange (1st - 5th. June, 2015), hosted by the International Atomic Energy Agency (IAEA).
Why complicate things? Just ask to enter!
The easiest way to get what you want is to ask. Want access? Ask if you can go inside! You can also come up with a trick, bribe somebody or break in. When you want to keep out uninvited guests, then you have to look further than your resistance against burglary. Making the supermarket burglary proof does not keep out the shoplifter.
In the digital world, access is often controlled by username and password. The easiest way to find out is: ask. In 2007 people gave their password for a bar of chocolate. Whether they gave their real password is not clear, but in 2014 people seemed to lend their company’s badges at a fair price. My guess is they would offer their password cheaper.
The most common way to get login data is trickery and deceit: phishing. Would you please login on this webpage? Would you please enter your username and password? Thank you! This trick is so easy that it is still widely practiced.
Often one and the same password is used in more places. Just looking around can also provide a password that way. Your LinkedIn and Yahoo password already leaked. You do use the same password for payments? There are people who will check.
Apparently we don't see the problem. Consciously or unconsciously, the comparison is made with the physical world. A password looks like a cyber-equivalent of a key. But it is not. A key is not directly copied when you use it. House, mailbox and car have different keys. A lost house key gives an uncomfortable feeling. Many people will at least consider to replace the locks. A password is not stolen, does not disappear. It is copied without notice. Two-factor authentication, where the user needs something physical to get in, is more in line with the existing perception.
In the IT world, it is customary to determine the level of security with penetration testing and Red Teaming. Physical: can we break the door or pick the lock, or cyber: can we hack it? In both cases, we look at the system. That's useful, but not enough. Take the time to evaluate the procedures. How do you grant access? How do you revoke access? What are you doing to notice abuse in a timely manner and stop it? What happens when an intruder enters with a real key or a real account? What then?