Report: Nuclear plants vulnerable to cyber attack

Industry-wide cyber security weaknesses combined with increased hacking activity by criminals, states, and terrorist groups has inflated the risk of cyber attacks at nuclear power facilities around the world, according to a report released this month by a major British think tank.

Researchers at Chatham House, part of the Royal Institute of International Affairs in London, recently concluded an 18-month study on the link between cyber security and nuclear security, conducting in-depth interviews with 30 industry practitioners, academics, and policy-makers.

The report found the risk of a serious cyber attack is growing, as nuclear facilities become increasingly reliant on digital systems and commercial off-the-shelf software.

“I didn’t expect to find as many vulnerabilities as I did,” the study’s lead author, Caroline Baylon, told IEEE Spectrum. “The nuclear industry is not mature at all when it comes to cyber-security—it’s barely starting to deal with the issue.”

The researchers found the common belief that nuclear facilities are “air gapped”—completely isolated from the public internet—is “a pervading myth.” Nuclear plants have increased their internet connectivity in recent years to make reporting to operators and regulators more convenient, but plant personnel may not fully realize the extent of the vulnerability that creates.

Even when facilities are air gapped, a simple flash drive can overcome the safeguard. That was the likely method by which the Stuxnet worm infected Iranian nuclear reactors in 2010.

The high cost of constructing and operating nuclear facilities, along with significant regulatory requirements, meant the nuclear industry was relatively late to adopt digital systems and has less experience in cyber security than other industries, according to the report. The authors also found the nuclear industry’s longstanding emphasis on physical protection and safety may have contributed to less attention being paid to cyber security.

The report noted that, while the risk of a release of radiation as a result of cyber attack is remote, even a small-scale incident at a nuclear facility would have a “disproportionate effect” on world opinion and the future of the civil nuclear industry.

A more likely scenario might involve a nuclear power plant being taken offline as a result of a cyber attack.

“A cyber attack that takes two or three nuclear power plants offline could definitely cause major blackouts in the United States,” Baylon told IEEE Spectrum. “And if you look at a country like France, where 60 to 70 percent of its power comes from nuclear, a cyber attack could be even more serious.”

The report authors urged countries to establish national Computer Emergency Response Teams (CERTs) specializing in industrial control systems. They also encouraged government regulators to push nuclear facility owner-operators to share threat information anonymously without fear of penalty or embarrassment.

The researchers recommended nuclear facilities promote “good IT hygiene”—practices such as forbidding the use of personal devices and changing factory default passwords—as well as bridging communication gaps between nuclear plant personnel and cyber security personnel by encouraging integrated projects like the development of cyber security training manuals.

The authors acknowledge the emergence of sophisticated terror organizations such as ISIS have added a note of urgency to the report’s release.

“For me, the really scary scenario is when a well-financed terrorist group like ISIS meets a hacker-for-hire company like the kind seen in Russia that may be extremely sophisticated and not have a lot of ethics,” Baylon said. “We need to address the cyber-security vulnerabilities in the nuclear sector immediately.”