Report: Nuclear facilities vulnerable to cyberattacks

The nation’s nuclear reactors are vulnerable to cyberattacks, according to the federal agency responsible for overseeing the systems.

The Nuclear Regulatory Commission “is not optimized to protect the agency’s network in the current cyber threat environment,” according to a report published this week by the agency’s inspector general.

“The sophistication and frequency of malicious activity targeting NRC has increased,” the report adds. “These forces, combined with the need for NRC users to stay connected … through the Internet, makes effective information security a critical capability.”

That is particularly problematic because, the report notes, cyberattacks on the NRC increased by 18 percent from 2013-14, twice the 9 percent increase reported by the rest of the federal government. The incidents included “unauthorized access; malicious code; social engineering; policy violations; and scans, probes, and other access attempts.”

The report stated the NRC is ill-equipped to deter the attacks due to its weak contract with the Nuclear Security Operations Center, which omits “performance goals and metrics that can be used to determine whether agency needs are being met.”

“Robust SOC capabilities are particularly crucial given the sensitivity of the unclassified information processed on NRC’s network, and the increasing volume of attacks carried out against federal government computer systems,” the report added.

The agency concluded by advising the NRC to revise the contract in order to eliminate “generic language” and “lack of clarity.”

Authorities in the U.S. and elsewhere have warned repeatedly over recent years that nuclear systems have inadequate cybersecurity. That failing is generally attributed to basic issues that include the use of default passwords and improper storage of information.

In 2013, the Senate Homeland Security Committee issued a report that found the NRC had stored “sensitive cybersecurity details for nuclear plants on an unprotected shared drive,” rendering it generally defenseless. An October 2015 report issued by the London-based Chatham House concluded that little had been resolved in the intervening years, with facilities at risk globally due mainly to operators using default settings on their networks.
