Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities

Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities takes a fresh look at cybersecurity at nuclear facilities and offers a set of ambitious, forward-leaning priorities and recommendations. To download a PDF of the report, click here
 

Executive Summary

The past decade has seen unprecedented progress in the security of nuclear materials and facilities. As key improvements to physical security have been implemented, however, a threat that is potentially even more challenging is endangering these gains: the cyber threat.
 
Cyberspace provides a new opportunity for determined adversaries to wreak havoc at nuclear facilities—possibly without ever setting foot on-site. Cyberattacks could be used to facilitate the theft of nuclear materials or an act of sabotage that results in radiological release. A successful attack could have consequences that reverberate around the world and undermine global confidence in civilian nuclear power as a safe and reliable energy source.
 
Given the risk and the stakes, governments and industry must increase their focus on the cyber threat. 
 
Nuclear operators and a range of national and international organizations have recognized the challenge and have begun to accelerate their efforts to strengthen cybersecurity at nuclear facilities. However, the rapidly evolving cyber threat, combined with the proliferation of digital systems, makes it difficult to get ahead of the threat. Case after case—from the Stuxnet attacks on the Natanz uranium enrichment facility in Iran, to the hack of Korea Hydro and Nuclear Power in South Korea, to disturbing revelations of malware found on systems at a German nuclear power plant—demonstrates that the current approach to cybersecurity at nuclear facilities is not equal to the challenge. Crafting a strategy that protects facilities from dynamic, evolving cyber threats requires a fresh, unconstrained examination of the overarching framework that guides cybersecurity.
 
To try to get ahead of the threat, the Nuclear Threat Initiative (NTI) assembled an international group of technical and operational experts with backgrounds in computer security, nuclear safety systems, nuclear engineering, industrial control systems, and nuclear facility operations. This group was tasked with identifying the core elements of a new strategy, then with focusing on those elements that would have the greatest possible impact.
 
Over 12 months, the group identified four overarching priorities, as well as specific actions, that if implemented would dramatically reduce the risk of damaging cyberattacks on nuclear facilities. Similar concepts are being put to  use elsewhere, and NTI believes that, either alone or in combination, they would provide considerable leverage on the threat posed to nuclear facilities.
 
1. Institutionalize cybersecurity. Implementation of robust processes and practices is essential for the effective management of complex systems and is at the heart of long-standing quality management programs used across industry. Given the rapidly evolving cyber threat, however, such practices are generally not yet in place for cybersecurity in nuclear facilities. Nuclear facilities should learn from the examples set by safety and physical security programs to strengthen and sustain their cybersecurity programs. Specifically,
 
  • Governments and regulators should work to develop and implement regulatory frameworks, perhaps drawing on lessons learned from progress made in nuclear safety and physical security, that promote the institutionalization and ongoing improvement of cybersecurity at nuclear facilities.
  • Nuclear industry should apply lessons learned from industry experiences with safety and physical security and should support the cybersecurity efforts of relevant organizations, including the International Atomic Energy Agency (IAEA), the World Nuclear Association (WNA), the World Association of Nuclear Operators (WANO), and the Institute of Nuclear Power Operations (INPO), in an effort to continue international dialogue and contribute to key research and development necessary to improving cybersecurity.
  • International organizations should support, through international dialogue and definition of relevant best practices, international cooperation and an expanded focus on cybersecurity at nuclear facilities.
2. Mount an active defense. The static cybersecurity architectures at today’s nuclear facilities are not effective enough on their own to prevent a breach by a determined adversary—breaches will occur and having an effective response is crucial. Nuclear facilities need to develop the means to respond once a compromise occurs. Such action is essential but remains challenged by the global shortage of technical experts.  Specifically,
 
  • Governments and regulators should enhance cyber expertise within governmental and regulatory bodies, share relevant threat information with industry, consider how to develop and exercise cyber incident response capabilities, and provide additional resources for defense against threats beyond those that facilities could reasonably be expected to handle.
  • Nuclear industry should initiate the development of active defense capabilities at the facility level, including crafting mutual-aid agreements or other means to access needed skills.
  • International organizations should facilitate the sharing of threat information where possible and appropriate.
3. Reduce complexity. Complexity is the enemy of security. Today’s nuclear facilities consist of more than a thousand digital systems. The security impact of these systems, their functionalities, and how they interact are not always fully understood. Although networks may be initially characterized, this information is often not up to date. When it comes to the most critical systems, the most advantageous option may be to eliminate digital complexity entirely by transitioning to non-digital systems. Specifically,
 
  • Governments and regulators should support—with financial, personnel, and research resources—facility efforts to characterize networks, understand functionalities and interactions, and ultimately minimize complexity in critical systems.
  • Nuclear industry and facilities should characterize systems, identify excess functionalities and remove them where possible, and work with vendors to develop non-digital systems and secure-by-design products where possible and appropriate.
  • International organizations should develop and provide guidance and training to governments and facilities as requested.
4. Pursue transformation. The global community is in the early stages of understanding the magnitude of the cyber threat. In many ways, humans have created systems that are too complex to manage; in most cases, risks cannot even be quantified. As a result, there is a fundamental need for transformative research to develop hard-to-hack systems for critical applications. Specifically, 
 
  • Governments and regulators should undertake or fund transformative research into the technologies, methods, and approaches that will be necessary to get ahead of the threat.
  • International organizations should foster innovation and continue to think creatively about how to mitigate this threat and should recruit a variety of voices and perspectives to join the conversation.
  • Governments, industry, and international organizations alike should strive to boost human capacity across the cyber-nuclear field, especially in countries with new or expanding civilian nuclear energy programs.
Taken together, the priorities listed represent a new approach to getting ahead of the urgent and evolving cyber threat. Implementing them will be a multiyear effort and will not be easy, but the risk is far too great to accept the status quo.
 
 
 
December 7, 2016
About

Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities takes a fresh look at cybersecurity at nuclear facilities and offers a set of ambitious, forward-leaning priorities and recommendations.

Authors
Michael Assante

Director of Industrial Control Systems, SANS Institute

Dr. Page Stoutland, PhD
Dr. Page Stoutland, PhD

Vice President, Scientific and Technical Affairs