Outpacing Cyber Hackers: Preventing Catastrophic Cyberattacks on Nuclear Facilities

Most of us by now have received the unwelcome news that our email or Facebook account has been hacked or that our credit card data may have been stolen. We’ve also seen news reports about government agencies or airlines, banks or big-box stores dealing with cyber breaches.

Imagine waking up one day to the news that a terrorist group had hacked into a nuclear power plant’s surveillance cameras or badge readers and facilitated the theft of materials that could be used to build a bomb. Imagine learning that a hacker had sabotaged a plant’s safety systems and caused a serious radiological release. Imagine if anonymous hackers seized control of a nuclear plant’s most critical systems and then held it hostage until their demands were met.

These scenarios are not Hollywood fantasies. Cyber threats to nuclear facilities are real and growing – and unlike social media or even credit card hacks, the consequences could be catastrophic.

To help governments, industry and international organizations get ahead of the urgent and evolving threat, the Nuclear Threat Initiative (NTI) has just released a new report, Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities, which lays out priorities for a new, overarching strategy to protect nuclear facilities.

Such a strategy is more important than ever. Cyber incidents at nuclear facilities are occurring with increasing frequency, and too few countries have effective cybersecurity measures in place.

Recognizing that, to be useful, our work must be grounded in technical realities, NTI assembled an international group of technical and operational experts with backgrounds in computer security, nuclear safety systems, nuclear engineering, industrial control systems, and nuclear facility operations. This group was tasked with identifying the core elements of a new strategy, focusing on those elements that would have the greatest possible impact.

 Over 12 months, the group identified four priorities that, if implemented, would dramatically reduce the risk of damaging cyber-attacks on nuclear facilities. They are:

  •  Institutionalize Cybersecurity. When it comes to maintaining nuclear safety and physical security, robust processes and practices are in use throughout facilities and are internalized by all facility staff—from the executive level to the most junior employees. Given the rapidly evolving cyber threat, the same is not yet true for cybersecurity at nuclear facilities—but it must be.
  •  Mount an Active Cyber Defense*. The static cybersecurity architectures at today’s nuclear facilities are not effective enough on their own to prevent a breach by a determined adversary, nor are they effective enough to respond once a compromise has occurred. Nuclear facilities need to update their prevention and response plans—steps that are essential but that are challenged by the global shortage of technical experts.
  •  Reduce Complexity. Complexity is the enemy of security. Today’s nuclear facilities consist of thousands of digital systems for which the security effects, functionalities, and interactions are not always fully understood. When it comes to the most critical systems, reducing complexity to the extent possible—even perhaps transitioning to non-digital systems—may be the most advantageous option. 
  •  Pursue Transformation. The global community is in the early stages of understanding the magnitude of the cyber threat. In many ways, humans have created systems that are too complex to manage; in most cases, risks cannot even be quantified. As a result, there is a fundamental need for transformative research to develop hard-to-hack systems for critical applications.

Alone and in combination, each of these priorities would provide unique leverage on the threat posed to nuclear facilities and start making it possible for defenders to actually get ahead of the cyber threat—not just respond to it.

Moving forward will require action on the part of governments, regulators, industry, and international organizations alike. The risk of a cyber-facilitated theft of nuclear material or sabotage of a nuclear facility is simply too great to remain comfortable with the status quo.

The report marks a milestone in NTI’s work on the intersection of cyber and nuclear security. We also are examining the implications of cyber threats to nuclear weapons and related systems and working on options for nuclear policies, postures, and doctrines to reduce risks in that arena.

For a more detailed explanation of the priorities in Outpacing Cyber Threats and NTI’s recommendations for taking action, please visit www.nti.org/cyberpriorities. For more on all of NTI’s cyber work, please visit us here.


*We know that “active defense” in some industries means “hacking back” against an adversary. NTI does not advocate “hacking back,” rather, we advocate a defense strategy where analysts monitor, respond to, learn from, and apply their knowledge of threats  internal to the network in order to detect, block, and expel adversaries.



December 7, 2016

Most Popular