New NTI Report Outlines Strategic Priorities for Governments and Industry to Counter Threats to Nuclear Facilities From Hackers, Terrorists, Nation-States
VIENNA—With cyber threats against nuclear facilities on the rise, governments, industry, and international organizations must accelerate efforts to protect against a cyberattack with catastrophic consequences, according to a new report from the Nuclear Threat Initiative (NTI), Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities, released at the IAEA International Conference on Nuclear Security in Vienna. The report identifies key priorities and actions needed to better secure nuclear facilities and outpace today’s dynamic cyber threats. It is available at www.nti.org/cyberpriorities.
Although there has been unprecedented progress in the security of nuclear materials and facilities over the last decade, the cyber threat has increased. Cyberspace provides a new opportunity for determined adversaries to wreak havoc at nuclear facilities—possibly without ever setting foot onsite.
“Beyond the unthinkable potential human toll, a serious cybersecurity breach would profoundly shake global confidence in civilian nuclear power generation,” said NTI Co-Chairman and CEO Sam Nunn. “Governments and industry simply must get ahead of this rapidly evolving threat.”
To try to get ahead of the cyber threat, NTI assembled an international group of technical and operational experts with backgrounds in computer security, nuclear safety systems, nuclear engineering, industrial control systems, and nuclear facility operations. The group was tasked with identifying the core elements of a new strategy, then with focusing on those elements that would have the greatest possible impact.
This report identifies four overarching priorities that provide a framework for actions that stakeholders—in government, industry, and international organizations—can take to get ahead of cyber threats to nuclear infrastructure, as well as specific actions that could dramatically reduce the risk of damaging cyberattacks on nuclear facilities. The priorities include:
- Institutionalize cybersecurity. Implementation of robust processes and practices is essential for the effective management of complex systems and is at the heart of long-standing quality management programs used across industry.
- Mount an active defense. Nuclear facilities need to develop the means to respond to threats once a compromise occurs, as firewalls and airgaps have proven to be limited in their efficacy.
- Reduce complexity. Complexity is the enemy of security. Today’s nuclear facilities consist of more than a thousand digital systems. The security impact of these systems, their functionalities, and how they interact are not always fully understood.
- Pursue transformation. The global community is in the early stages of understanding the magnitude of the cyber threat. As a result, there is a fundamental need for transformative research to develop hard-to-hack systems for critical applications.
The report also provides a list of 23 publicly disclosed cyber incidents at nuclear facilities since 1990 and highlights a number of recent incidents, including a 2014 phishing and malware attack that resulted in the theft of blueprints and manuals for two nuclear power plants from a South Korean company that operates 23 of the country’s nuclear reactors. “Case after case … demonstrates that the current approach to cybersecurity at nuclear facilities is not equal to the challenge,” says the report.
Outpacing Cyber Threats is part of an expanding body of work at NTI to address cyber threats to nuclear facilities and nuclear weapons systems. “This report is our first contribution to ensuring that no one with malicious intent is able to engage in nuclear sabotage or to gain access to some of the world’s most powerful—and most dangerous—materials,” Nunn said.
The Nuclear Threat Initiative works to protect our lives, environment, and quality of life now and for future generations. We work to prevent catastrophic attacks with weapons of mass destruction and disruption (WMDD)—nuclear, biological, radiological, chemical, and cyber. Founded in 2001 by former U.S. Senator Sam Nunn and philanthropist Ted Turner, NTI is guided by a prestigious, international board of directors. Sam Nunn serves as chief executive officer; Des Browne is vice chairman; and Joan Rohlfing serves as president.