What if a hacker shut down the security system at a nuclear materials storage facility, giving access to terrorists seeking highly enriched uranium to make a bomb? What if cyber-terrorists seized control of operations at a nuclear power plant--enabling a Fukushima-scale meltdown? Or what if a hacker group opposed to nuclear energy stole highly sensitive data from a nuclear facility and held it hostage until they were paid a ransom?
Traditional nuclear security practices have focused on preventing physical attacks—putting in place “guns, guards, and gates” to prevent the theft of materials to build a bomb and the sabotage of a nuclear facility.
Governments and industry have made important progress in this "traditional" nuclear security arena, but the threat of a cyberattack is escalating, and all countries and all nuclear facilities are vulnerable. Malware already has been found in systems at facilities all over the world—in some cases, it was maliciously inserted; in others, it simply wound up there by accident.
To assess the impact of the cyber threat on nuclear security and to contribute to efforts to get ahead of the threat, NTI convened an international group of technical and operational experts with backgrounds in computer security, nuclear safety systems, nuclear engineering, industrial control systems, and nuclear facility operations. The group concluded that the combination of extremely limited technical capacity in this area, the current practice of making incremental change, and the ever-evolving nature of offensive actors in cyberspace means there is a need to re-think the current approach to cybersecurity at nuclear facilities.
NTI’s first milestone toward defining a new approach is a report from this expert group, Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities. Released in December 2016 on the margins of the International Atomic Energy Agency’s International Conference on Nuclear Security, the report outlines priorities and recommendations that would dramatically reduce the risk of damaging cyberattacks on nuclear facilities. The priorities are: Institutionalize Cybersecurity, Mount an Active Defense, Reduce Complexity, and Pursue Transformation.
Download a PDF of the report here. In the coming months, NTI will develop and publish additional, specific guidance on implementing each priority.