Civil nuclear facilities around the world are underprepared for the cyberattacks that could come from criminals, states and terrorist groups, according to a new report from the London-based Chatham House.
“The industry’s longstanding focus on physical protection” is the result of a misguided risk assessment, the report found, in an era where cyberattacks are “the most attractive route for those seeking to attack nuclear facilities without fear of interdiction.”
The report notes that Stuxnet, the most successful attack on nuclear facilities to date, was a result of insecure infrastructure. The worm, developed by the United States and Israel, ravaged Iranian nuclear facilities for years. It entered Iranian systems through a flash drive manually inserted into a computer.
“There have been a number of reported incidents of cyber interference in nuclear power plants and — assuming that the nuclear industry behaves in similar ways to other industries — we ought to assume that these examples represent the visible part of a much more serious problem,” the authors state.
They point to several incidences that have taken place around the world over the past decade. Those included a 2006 event at the Browns Ferry plant in Alabama, in which reactor recirculation pumps and condensate demineralizer controller failed because of problems with the ethernet, which nearly caused a meltdown; and a 2008 event in which the Hatch power plant in Georgia shut down for 48 hours as the result of a software update initiated by a contractor.
The Georgia incident, the authors said, “demonstrates that nuclear owner-operators often do not understand the full ramifications of connecting their business networks to a plant’s industrial control systems,” and both incidents revealed vulnerabilities that could have been exploited by hackers.
Among the problems are the use of commercial off-the-shelf systems and supply chain vulnerabilities, declining use of “air gaps” that isolate plant networks from the public Internet, reductions in system redundancies, and work culture problems such as an excess of personal devices in system control rooms.
“Perhaps the greatest cybersecurity issue facing the nuclear industry is that many in the sector do not fully understand the risk, and therefore a key first step is to develop guidelines to assess and measure this risk as accurately as possible,” the report notes.
The authors recommend that the industry realign its priorities to adapt to the evolving threat, writing, “The priorities for a cybersecurity regime are nothing but traditional: deterrence, prevention, detection and response.”
Specific solutions include building in security from an earlier stage, implementing better systems for intrusion detection, installing more secure optical data diodes (which help to prevent system violations by ensuring that information moves unidirectionally), more cybersecurity personnel, and greater assistance to developing countries with nuclear infrastructure.
“The organized way in which threats are manifested through the Internet requires an organizational response by the civil nuclear sector, which includes, by necessity, knowledgeable leadership at the highest levels, combined with dynamic contributions by management and staff and the entire stakeholder group, including members of the wider security and safety communities,” the report concludes.
