Cyberattacks on Nuclear Power Plants: How Worried Should We Be?

The New York Times
reported
last week on a U.S. government report accusing Russia of conducting a
series of cyberattacks aimed at U.S. and European nuclear power plants and
water and electric systems from 2015 through 2017. In addition to attacks on
water and electric plants, publicly available evidence suggests that Russia infiltrated
the business systems of the Burlington, Kan., Wolf Creek nuclear plant but not the
plant’s control systems. It was not clear whether the goal of the attack was to
conduct reconnaissance or, more seriously, some type of sabotage.

Needless to say, any type of attack on a nuclear plant is very
concerning. An attack that allows hackers to manipulate the systems that
control a nuclear reactor, while very difficult, could have very serious
consequences, including potentially nuclear reactor core damage and off-site
release of radiation.

This is not the first time that nuclear facilities have been
attacked. The most well-known example is the Stuxnet attack on Iran’s uranium
enrichment facility, generally attributed to the U.S. and Israel (for a summary
of attacks on nuclear facilities, click here.
Very recently, a new piece of dangerous malware, TRISIS, which specifically targets
the industrial controllers used for safety critical applications, including in
nuclear plants, has been found in the Middle East.

So how worried should we be?

The good news is that the safety and security of nuclear
facilities is taken very seriously. In the United States, cyber security at
nuclear facilities is receiving increased attention from regulators, plant
operators and technical experts. In addition, as the United States has an aging
nuclear infrastructure, many of the plants are still operating mostly with
analog controls and/or safety systems, meaning they are less vulnerable to
cyberattacks. 

Unfortunately, this attention to the cyber threat does not
exist everywhere. A 2016 NTI
study found that nearly half of the countries with relevant nuclear
facilities had no regulations for cyber security at those facilities.

 Looking forward, there
are a number of concerning signs.

As recent attacks have confirmed, cyberattacks are getting increasingly
sophisticated. Complex attacks are no longer just the purview of nations but
can now be conducted by smaller groups. Furthermore, systems which may have
been analog at one time are increasingly digital and increasingly complex. The
growing Internet-of-Things will present additional challenges.

Responding to this growing threat is not easy. Airgaps,
originally designed to counter untargeted attacks, are not effective against a
determined adversary. Existing safety systems may not be effective against
cyberattacks that can lead to failures that would never occur naturally. Furthermore,
threats do not just arise from the internet—defenders must consider supply
chain risks and the potential for insider threat.

NTI is increasingly focused on this area. NTI’s 2016 study concluded
in the release of a report, Outpacing
Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities,that
summarized the key pillars of a new strategy, urging operators to address fundamental
issues such as system complexity and promoting the importance of an active
defense. The report also highlighted the importance of developing
transformational approaches (perhaps new, non-programmable solutions) that
would be immune to cyberattacks. In addition to the need for a more robust
strategy, the current shortfalls in global technical capacity must be addressed,
perhaps by improving means to provide international assistance.

The cyber threat to nuclear facilities is serious, but the
challenge going forward is evident. Threats and vulnerabilities will continue
to mount. Today’s strategy is not sufficiently robust or scalable, and a high
level of cyber security may never be compatible with current nuclear plant
business models. Governments, regulators, facility operators, vendors, and
experts need to accelerate our efforts to develop new approaches that can scale
to the threats of the future.