Fear of serious cyber attack at nuclear plants is 'ever present', warns think tank
Summary: The nuclear industry has not invested in protecting itself against cyber attacks, and yet it has been buying up digital infrastructure. A new report warns that this is a recipe for disaster.
Chatham House has said that as cyber criminals, governments and terrorist groups increase their online activities, the fear of a serious cyber attack is “ever present”. This, it said, is of particular concern because of the risk that ionizing radiation could be released as a result.
An alarming combination of cultural challenges, lack of experience and a siloed approach to technology adoption has resulted in an industry that is wholly unprepared for an advanced cyber attack on a nuclear plant's physical infrastructure.
The three authors of the report – Caroline Baylon, David Livingstone and Roger Brunt – undertook an 18-month project in 2014-2015 on the “nexus” between cyber security and nuclear security. They interviewed 30 industry practitioners, as well as policy-makers and academics, to identify the risks to the industry and to come up with some useful recommendations.
The report states:
Notwithstanding important recent steps taken by the International Atomic Energy Agency (IAEA) to improve cyber security across the sector, the nuclear energy industry currently has less experience in this field than other sectors.
This is partly due to the nuclear industry’s regulatory requirements, which have meant that digital systems have been adopted later than in other types of critical infrastructure. In addition, the industry’s longstanding focus on physical protection and safety has meant that while these aspects of risk response are now relatively robust, less attention has been paid to developing cyber security readiness. As a result, exploiting weaknesses in digital technology could be the most attractive route for those seeking to attack nuclear facilities without fear of interdiction.
The cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, which offers considerable cost savings but increases vulnerability to hacking attacks.
These comments about 'off the shelf' software (aka cloud) may need some clarity in my opinion. For example, if we are talking about enterprise cloud software, from some of the top vendors out there, then it is arguable that they would actually have better security teams and systems than a nuclear facility would have on site. However, I'm not entirely sure that this is what the report is referring to, as I doubt many of the mainstream cloud vendors out there are catering to the nuclear industry. Or that nuclear plants are buying them.
What I think the authors are implying is essentially the use of the internet and virtual networks, which are likely to be more vulnerable than traditional systems.
The report adds:
The trend to digitization, when combined with a lack of executive-level awareness of the risks involved, also means that nuclear plant personnel may not realize the full extent of this cyber vulnerability and are thus inadequately prepared to deal with potential attacks. There is a pervading myth that nuclear facilities are ‘air gapped’ – or completely isolated from the public internet – and that this protects them from cyber attack.
Yet not only can air gaps be breached with nothing more than a flash drive (as in the case of Stuxnet), but the commercial benefits of internet connectivity mean that nuclear facilities may now have virtual private networks and other connections installed, sometimes undocumented or forgotten by contractors and other legitimate third party operators.
Meanwhile, hacking is becoming ever easier to conduct, and more widespread: automatic cyber attack packages targeted at known and discovered vulnerabilities are widely available for purchase; advanced techniques used by Stuxnet are now known and being copied; and search engines can readily identify critical infrastructure components that are connected to the internet.
All in all, pretty worrying insights.
Recommendations
The authors of the report also made a number of recommendations to the industry, off the back of their research into the specific cyber challenges facing nuclear facilities. They note that the cyber security threat requires an 'organisational response' by the civil nuclear sector, which includes knowledgeable leadership at the highest levels and “dynamic contributions” by management, staff and the wider community of stakeholders, including members of the security and safety communities.
The report outlines the following recommendations:
- Develop a robust ambition to match or overtake its opponents in cyberspace and thereby take the initiative, focusing its resources on critical elements of the nuclear fuel cycle.
- Fund the promotion and fostering of cyber security within the industry, aiming to encourage a sectoral-level approach, from the highest levels down to the individual.
- Establish an international cyber security risk management strategy designed to maintain momentum and agility, incorporating the necessary mechanisms for in-depth preparation to meet cyber security challenges, however these may arise, and a flexible and coordinated response.
- Develop coordinated plans of action to address the technical shortfalls identified, such as in patch management, and make the necessary investments.
- Include all stakeholders in the organisational response.
- Promote an environment that enables the appropriate balance between regulated and self-determined actions.
Other more specific recommendations include promoting cyber insurance, engaging in dialogue with engineers and contractors to raise awareness of the cyber security risk, encouraging nuclear facilities to share threat information anonymously, having governments lead the establishment of national Computer Emergency Response Teams specialised in industrial control systems, and promoting the importance of 'security by design'.
My take
We are seeing more and more that companies are underinvesting in cyber security and are then suffering the consequences as a result, with customer details being stolen and the like. However, when it comes to nuclear power, this is a threat that simply is too dangerous to ignore and deal with later. Action needs to be taken ASAP.