What if a hacker shut down the security system at a highly sensitive nuclear materials storage facility, giving access to terrorists seeking highly enriched uranium to make a bomb? What if cyber-terrorists seized control of operations at a nuclear power plant--enabling a Fukushima-scale meltdown? Or, worse, what if hackers spoofed a nuclear missile attack, forcing a miscalculated retaliatory strike that could kill millions?
The cyber threat affects nuclear risks in at least two ways: It can be used to undermine the security of nuclear materials and facility operations, and it can compromise nuclear command and control systems.
Traditional nuclear security practices have been focused on preventing physical attacks—putting in place “guns, guards, and gates” to prevent 1) theft of materials to build a bomb, 2) sabotage of a nuclear facility, or 3) unauthorized access of nuclear command, control, and communications systems. Important progress has been made in this "traditional" nuclear security arena, but the threat of a cyber attack is escalating. All countries are vulnerable, and nuclear cybersecurity practices haven't caught up to the risk.
Across the nuclear sector worldwide, the technical capacity to address the cyber threat is extremely limited, even in countries with advanced nuclear power and research programs. Measures to guard against the cyber-nuclear threat are virtually non-existent in states with new or emerging nuclear programs. Expertise in the field of nuclear cybersecurity is in short-supply, and the International Atomic Energy Agency (IAEA), which provides countries with assistance and training in this area, does not have the resources necessary to address the growing threat.
The threat extends to the command, control, and communications (NC3) for nuclear weapons. Even in the United States, officials have stated that it cannot be fully confident that these systems will operate as planned if attacked by a sophisticated cyber opponent. Such attacks could jeopardize the confidence of U.S. officials of our nuclear systems, lead to false warning or even potentially allow an adversary to take control of a nuclear weapons system.
Governments are working to understand and minimize these vulnerabilities, but cyber threats are becoming more sophisticated every day and those responsible—from policymakers to military officials to facility operators to regulators— are working to keep pace.
To draw attention to the growing cyber threat and bring stakeholders together to find solutions, NTI has sponsored two initial studies to assess and provide recommendations for cybersecurity practices at nuclear facilities:
- Cyber Security at Nuclear Facilities: National Approaches - This study, sponsored by NTI and undertaken by the Institute for Security and Safety at the University of Brandenburg, identified a set of criteria that reflect the basic, minimum security measures and regulatory requirements necessary to protect nuclear facilities against cyber attacks, and used those criteria to characterize the legal and regulatory approaches to cyber-nuclear security in five countries: China, Germany, Russia, South Africa, and the United States.
- A New Approach to Nuclear Computer Security - This project, sponsored by NTI and led by cybersecurity expert George Chamales, convened a group of cybersecurity and nuclear security experts to develop a new forward-looking approach for protecting nuclear facilities from cyber attacks that could lead to the theft of weapons-usable nuclear materials or an act of radiological sabotage.
Drawing upon the expertise of both nuclear and cybersecurity experts, NTI is working to develop a set of guiding principles for cybersecurity at nuclear facilities. The current mindset is one of slow, incremental change that cannot keep pace with an ever-evolving threat—a fresh look at the overarching framework that guides cybersecurity at nuclear facilities is needed.
NTI is also working to strengthen global cyber-nuclear security and response capabilities. Even with a new strategy to guide cyber-nuclear security, addressing implementation challenges will be a multi-year (or even multi-decade) effort. However, the potential for a catastrophic cyber incident will only continue to grow. In response, NTI is addressing the geographic unevenness of cyber-nuclear expertise by bringing together the global technical cyber-nuclear community to facilitate information exchange and foster a network of relationships upon which nuclear operators can draw for advice and assistance.
Finally, recognizing the game-changing threat cyber risks pose to nuclear command, control, and communications, NTI is working with former senior officials and other experts to determine the implications of cyber threats to nuclear command and control for U.S. nuclear policies and force postures.