Global Action on Cybersecurity at Nuclear Facilities: Moving Beyond the Status Quo
This paper by Michelle Nalabandian, Alexandra Van Dine, and Page Stoutland highlights steps governments can take to protect nuclear facilities from cyber threats.
What are the potential consequences of a cyberattack on a nuclear facility?
Cyberattacks on civilian nuclear facilities can be considered in three broad categories: those that target business networks, access control systems, and industrial control systems (ICS) – including security and safety systems. Cyberattacks on nuclear facilities can have consequences ranging from minor to potentially catastrophic.
Have nuclear facilities been subject to cyberattacks?
Yes, although it is difficult to know the frequency, as cyber security incidents at nuclear facilities are often not publicly disclosed. Known recent examples, however, include: destruction of centrifuges at the Iranian Natanz nuclear facility due to Stuxnet, data theft at the Korea Hydro and Nuclear Power Company in South Korea, and the recent disclosure of computer viruses in the Gundremmingen nuclear power plant in Germany.
Do existing safety and security measures already provide protection from cyberattacks?
In many cases, existing safety and security measures do provide some protection from cyberattacks, especially in facilities utilizing analog safety or security systems. Nuclear facility engineers and operators, however, must consider not just what systems are designed to do, but what they can be made to do. For example, safety systems typically guard against single, naturally occurring failures. An adversary could circumvent this by causing multiple simultaneous failures with a cyberattack—an outcome for which systems were not designed.
What measures should countries and nuclear facilities take to protect themselves from cyberattacks?
To protect themselves, nuclear facilities must recognize the implications of cyberattacks and then work to secure their systems and networks. This involves implementing industry best practices as they are developed, training personnel, and working with vendors to utilize more secure technologies. In addition, facilities can and should make use of existing resources, such as those provided by the International Atomic Energy Agency (IAEA) and the Nuclear Energy Institute (NEI), to achieve these goals.
At the regulatory level, national nuclear regulators should develop, implement, and ensure compliance with robust cyber security regulations. Over the longer term, countries need to develop more ambitious strategies to keep pace with the cyber threat. These strategies should be constructed around four key priorities: institutionalizing cyber security at nuclear facilities, implementing active defense postures to respond quickly when breaches occur, reducing complexity within computer networks and systems, and supporting transformative research to develop hard-to-hack systems for critical applications.
What international organizations are involved in addressing this issue?
Many international organizations are involved in addressing cyber security at nuclear facilities. The IAEA develops and publishes high-level cyber security guidance and provides hands-on training workshops to Member States. Cyber security at nuclear facilities was discussed within the Nuclear Security Summit (NSS) process; at the 2016 Summit, 29 countries and the United Nations signed a Gift Basket titled Cyber Security of Industrial Control and Plant Systems at Nuclear Facilities. At the 2016 Nuclear Industry Summit (an official side event of the 2016 NSS), participants agreed to undertake actions to improve the state of cyber security across all nuclear facilities and applications beyond 2016. Additionally, the United Nations Group of Governmental Experts (GGE) produced a report in 2015 recommending norms in cyberspace, as well as international cooperation and capacity-building. Finally, the World Institute for Nuclear Security (WINS), the World Nuclear Association (WNA), the World Association of Nuclear Operators (WANO), NEI, and the Organization for Security and Co-operation in Europe (OSCE) are also working to address the issue.
Sponsored by NTI and undertaken by the Institute for Security and Safety at the University of Brandenburg, this report identified a set of criteria that reflect the basic, minimum security measures and regulatory requirements necessary to protect nuclear facilities against cyber attacks.
The current, attack‐centric approach to computer security is incapable of adequately defending nuclear facilities. This paper introduces a new approach, vulnerability‐centric security, which enables nuclear facility operators to prevent successful cyber‐attacks while enhancing the day‐to‐day operation of their systems.