Will New Generation Cyber Attacks Threaten Nuclear Plant Security?

Nuclear power plants generate around 20 percent of all the electricity produced in the United States, helping the nation meet its energy demands without releasing the greenhouse gases common to other types of power generation. Because there are only around a hundred such facilities nationwide, problems or issues facing any one of them could have a big impact on our critical infrastructure. Nowhere is this perhaps more evident than in the world of cybersecurity. Computer-based attacks are growing in sophistication and disruptive power, which affects almost all industries. The nuclear energy field is more susceptible to this kind of intrusion than many other sectors because of the existence of discrete, high-value installations that are a tempting target for online lawbreakers.

While many viruses and hacking endeavors 30 years ago were the domain of pranksters, programming enthusiasts and people eager to push their technical abilities to the limits, today's efforts are often serious business. Ransomware allows wrongdoers to effectively hold a system hostage until their demands are met while cyber-espionage is a form of spying that often allows operatives to uncover secret information without putting themselves at risk as foreign agents had to do in the past.

Cyber-sabotage, such as the sophisticated 2010 Stuxnet attack on Iranian nuclear facilities, can render multi-billion-dollar equipment useless or even harmful. In January 2003 in Ohio, the Davis-Besse nuclear site had its functionality impaired for around five hours due to a computer attack. And in 2014, crooks stole blueprints of nuclear plants from Korea Hydro & Nuclear Power Company and threatened to release this sensitive information unless they were paid a large sum.

Chatham House, a London-based think tank, recently released a report detailing the state of the nuclear industry's sensitivity to online malfeasance. While many people think that nuclear infrastructure is “air gapped” – that is, the computer systems employed are not connected to the wider Internet – the fact is that many locations use VPN connections to connect online and are therefore vulnerable. Even facilities that eschew accessing the Internet are susceptible to infection from technology no more advanced or expensive than a USB flash drive. Chatham also found that the distinct cultures of nuclear safety workers and IT experts often clash, making it difficult for both groups to work together towards common security goals.

The fact that people transferring files via USB stick, perhaps with the benign intent of sharing funny cat videos, can open a serious gap in the country's nuclear cybersecurity protections underlines how halfhearted and lackadaisical current procedures are. This state of affairs is by no means unique to nuclear power: credit card and financial data is often stolen from banks and other financial institutions, while incidents in Barcelona in 2013 illustrated the threats posed by hacking to high-stakes online gamblers. Yet having a Hermès handbag surreptitiously charged to your credit card or losing thousands of dollars in poker to someone who can view your cards isn't anywhere near as harmful as allowing high-tech villains to access our nuclear machinery.

The recommendations issued by Chatham House include stricter guidelines and enforcement regarding IT protocols, such as the requirement that employees at power plants not bring personal electronic devices into the workplace, and the adoption of universal regulatory rules. It's especially important to communicate security best practices to engineers and others who may not have a thorough understanding of them. The think tank also called for the creation of Computer Emergency Response Teams (CERT) to deal with breaches quickly as they occur.

Cybersecurity is an important component of the overall well-being of many industries, such as the home automation and home security markets wherein often-insecure wireless devices communicate with each other on a regular basis, not to mention self-driving cars and the ensuing danger of the controls being hacked. Most countries, including the United States, have gaps in the online plans and practices used in their nuclear power industries. When we consider the value and importance of nuclear plants in seamlessly providing power to millions of citizens and businesses along with the inherent danger of allowing unauthorized persons to access them, it becomes evident that we ought to tackle this subject earnestly. While current conventions and procedures are woefully inadequate, speedy action to implement robust defenses could remedy this situation.

  • Anonymous

    Time to replace the new digital controls and return to the previous analog controls that are not vulnerable to any outside or virus type threats.

  • Anonymous

    Really??? Has Chatham House or the author researched the regulations regarding cyber-security at commercial nuclear plants which have been out for several years now? The VPN referred to in the article will only get a person access into the company LAN. Any electronic asset that controls the plant in any way is not, repeat not, connected or able to be connected to the outside world. The flurry of articles I have seen on this subject lately makes me think that the IT world is just trying to drum up a little more business.

  • Anonymous

    Natural gas, coal, hydro, biomass, wind & solar power plants are much more vulnerable to cyber attack than the nuclear plants but the media is almost quiet about them. The balancing of the supply and demand on the grid is even more dependent on internet connections therefore it is the most vulnerable. Fear sells and nuclear fear sells even better. The nuclear industry is much more diligent than the others and I am proud of them for it. I am hoping for small modular reactors with their ability to be close to the demand will reduce our nation's risk to loss of large area grid collapse.

  • Anonymous

    It is not outside access via VPN into LAN but the laptops, thumb drives used when servicing/testing/gathering data from systems that represent the vulnerable areas. They travel from plant to plant, are used by vendors to service digital systems, while also being used no doubt to receive email, communicate with family/friends and use the web.