Recent high-profile cyber attacks, including the deployment of the sophisticated 2010 Stuxnet worm, have raised new concerns about the cyber security vulnerabilities of nuclear facilities.
As cyber criminals, states and terrorist groups increase their online activities, the fear of a serious cyber attack is ever present. This is of particular concern because of the risk – even if remote – of a release of ionizing radiation as a result of such an attack. Moreover, even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry.
Nuclear industry behind on developing cyber security readiness
Notwithstanding important recent steps taken by the International Atomic Energy Agency (IAEA) to improve cyber security across the sector, the nuclear energy industry currently has less experience in this field than other sectors. This is partly due to the nuclear industry’s regulatory requirements, which have meant that digital systems have been adopted later than in other types of critical infrastructure. In addition, the industry’s longstanding focus on physical protection and safety has meant that while these aspects of risk response are now relatively robust, less attention has been paid to developing cyber security readiness.
Off-the-shelf software could increase vulnerability
As a result, exploiting weaknesses in digital technology could be the most attractive route for those seeking to attack nuclear facilities without fear of interdiction. The cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, which offers considerable cost savings but increases vulnerability to hacking attacks.
The trend to digitisation, when combined with a lack of executive-level awareness of the risks involved, also means that nuclear plant personnel may not realise the full extent of this cyber vulnerability and are thus inadequately prepared to deal with potential attacks. There is a pervading myth that nuclear facilities are ‘air gapped’ – or completely isolated from the public internet – and that this protects them from cyber attack.
Yet not only can air gaps be breached with nothing more than a flash drive (as in the case of Stuxnet), but the commercial benefits of internet connectivity mean that nuclear facilities may now have virtual private networks and other connections installed, sometimes undocumented or forgotten by contractors and other legitimate third-party operators.
Meanwhile, hacking is becoming ever easier to conduct, and more widespread: automatic cyber attack packages targeted at known and discovered vulnerabilities are widely available for purchase; advanced techniques used by Stuxnet are now known and being copied; and search engines can readily identify critical infrastructure components that are connected to the internet.
Chatham House report findings
In the light of these concerns, Chatham House undertook an 18-month project in 2014–15 on the nexus between cyber security and nuclear security. By drawing on in-depth interviews with 30 industry practitioners, as well as policy-makers and academics, and convening three expert roundtables, the project sought to assess the major cyber security challenges facing the wider nuclear industry; to identify international policy measures that could help to enhance cyber security in the sector; and to help increase knowledge of current concerns in this area. This report examines the major cyber threats to civil nuclear facilities, focusing in particular on those that could have an impact on industrial control systems, and suggests some potential solutions to these challenges.
Specific findings include
The conventional belief that all nuclear facilities are ‘air gapped’ (isolated from the public internet) is a myth. The commercial benefits of internet connectivity mean that a number of nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of.
Search engines can readily identify critical infrastructure components with such connections.
Even where facilities are air gapped, this safeguard can be breached with nothing more than a flash drive.
Supply chain vulnerabilities mean that equipment used at a nuclear facility risks compromise at any stage.
A lack of training, combined with communication breakdowns between engineers and security personnel, means that nuclear plant personnel often lack an understanding of key cyber security procedures.
Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.
In the light of these risks, the report outlines a blend of policy and technical measures that will be required to counter the threats and meet the challenges.
Developing guidelines to measure cyber security risk in the nuclear industry, including an integrated risk assessment that takes both security and safety measures into account.
Engaging in robust dialogue with engineers and contractors to raise awareness of the cyber security risk, including the dangers of setting up unauthorised internet connections.
Implementing rules, where not already in place, to promote good IT hygiene in nuclear facilities (for example to forbid the use of personal devices) and enforcing rules where they do exist.
Improving disclosure by encouraging anonymous information sharing and the establishment of industrial CERTs (Computer Emergency Response Team).
Encouraging universal adoption of regulatory standards.
The full report can be accessed here.