Cyberattacks on Nuclear Power Plants: How Worried Should We Be?

The New York Times reported last week on a U.S. government report accusing Russia of conducting a series of cyberattacks aimed at U.S. and European nuclear power plants and water and electric systems from 2015 through 2017. In addition to attacks on water and electric plants, publicly available evidence suggests that Russia infiltrated the business systems of the Burlington, Kan., Wolf Creek nuclear plant but not the plant’s control systems. It was not clear whether the goal of the attack was to conduct reconnaissance or, more seriously, some type of sabotage.

Needless to say, any type of attack on a nuclear plant is very concerning. An attack that allows hackers to manipulate the systems that control a nuclear reactor, while very difficult, could have very serious consequences, including potentially nuclear reactor core damage and off-site release of radiation.

This is not the first time that nuclear facilities have been attacked. The most well-known example is the Stuxnet attack on Iran’s uranium enrichment facility, generally attributed to the U.S. and Israel (for a summary of attacks on nuclear facilities, click here. Very recently, a new piece of dangerous malware, TRISIS, which specifically targets the industrial controllers used for safety critical applications, including in nuclear plants, has been found in the Middle East.

So how worried should we be?

The good news is that the safety and security of nuclear facilities is taken very seriously. In the United States, cyber security at nuclear facilities is receiving increased attention from regulators, plant operators and technical experts. In addition, as the United States has an aging nuclear infrastructure, many of the plants are still operating mostly with analog controls and/or safety systems, meaning they are less vulnerable to cyberattacks. 

Unfortunately, this attention to the cyber threat does not exist everywhere. A 2016 NTI study found that nearly half of the countries with relevant nuclear facilities had no regulations for cyber security at those facilities.

 Looking forward, there are a number of concerning signs.

As recent attacks have confirmed, cyberattacks are getting increasingly sophisticated. Complex attacks are no longer just the purview of nations but can now be conducted by smaller groups. Furthermore, systems which may have been analog at one time are increasingly digital and increasingly complex. The growing Internet-of-Things will present additional challenges.

Responding to this growing threat is not easy. Airgaps, originally designed to counter untargeted attacks, are not effective against a determined adversary. Existing safety systems may not be effective against cyberattacks that can lead to failures that would never occur naturally. Furthermore, threats do not just arise from the internet—defenders must consider supply chain risks and the potential for insider threat.

NTI is increasingly focused on this area. NTI’s 2016 study concluded in the release of a report, Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities,that summarized the key pillars of a new strategy, urging operators to address fundamental issues such as system complexity and promoting the importance of an active defense. The report also highlighted the importance of developing transformational approaches (perhaps new, non-programmable solutions) that would be immune to cyberattacks. In addition to the need for a more robust strategy, the current shortfalls in global technical capacity must be addressed, perhaps by improving means to provide international assistance.

The cyber threat to nuclear facilities is serious, but the challenge going forward is evident. Threats and vulnerabilities will continue to mount. Today’s strategy is not sufficiently robust or scalable, and a high level of cyber security may never be compatible with current nuclear plant business models. Governments, regulators, facility operators, vendors, and experts need to accelerate our efforts to develop new approaches that can scale to the threats of the future.

March 19, 2018
Page Stoutland, PhD
Page Stoutland, PhD

Vice President, Scientific and Technical Affairs

Most Popular