Atomic Pulse

Nuclear Security is Only as Strong as the Weakest Link: 2020 NTI Index Highlights Cybersecurity and Insider Threat Prevention

This post was written by Cira Mancuso, an intern with NTI’s Materials Risk Management team. Mancuso is a senior in Georgetown University’s accelerated BSFS/M.A. Security Studies Program, where she is majoring in International Security and minoring in Spanish.

While global stocks of nuclear materials have been declining since the Cold War, 22 countries still have enough weapons-usable nuclear materials to build a bomb, 46 countries and Taiwan have nuclear facilities that could be vulnerable to attack, and the global risk environment continues to evolve. Today, as the COVID-19 pandemic wreaks havoc on societies and economies, the context for nuclear materials security is deteriorating: great power competition has re-emerged; non-state actors have successfully seized control of sovereign territories; climate change is causing environmental degradation and resource strains; and, as the 2020 NTI Nuclear Security Index shows, global cooperation on nuclear security has slowed significantly.

Within this increasingly disordered global environment, the Index draws attention to two particularly concerning issues for nuclear security: the risk of cyber attacks and insider threats.

The NTI Index, published biennially since 2012, assesses and tracks nuclear security conditions in countries around the world. It promotes actions to strengthen nuclear security and build confidence, and it highlights progress and trends over time. The NTI Index includes two theft rankings and one sabotage ranking:

  • Theft–Secure Materials: A ranking of 22 countries with 1 kilogram or more of weapons-usable materials–highly enriched uranium (HEU) and separated plutonium–to assess actions to secure materials against theft.
  • Theft–Support Global Efforts: A ranking of 153 countries and Taiwan with less than 1 kilogram of or no weapons-usable nuclear materials to assess actions to support nuclear security efforts.
  • Sabotage–Protect Facilities: A ranking of 46 countries and Taiwan with nuclear facilities, such as nuclear power reactors and research reactors, to assess actions to protect those facilities against sabotage.

Cyber Threats to Nuclear Facilities

Cyber attacks are not an imagined or distant threat. A 2016 report by NTI provides an overview of 23 publicly disclosed cyber incidents at nuclear facilities since 1990, including the 2010 Stuxnet virus attacks on the Natanz uranium enrichment facility in Iran, a facility that was notably isolated from the internet (erasing the “air gap” myth). According to the report, terrorist groups have declared their intentions of acquiring weapons of mass destruction, and while they may not yet have the technology necessary to facilitate a cyber attack on a nuclear facility, they will certainly continue to try. Nation states, on the other hand, do have the ability to develop such offensive capabilities.

Despite the potential consequences of a cyber attack on a nuclear facility–loss of employee and public confidence, radiation release, and reactor damage or shutdown–the NTI Index found that only 47 percent of countries have a response plan for a cyber incident. Cyber threats will only increase as facilities continue to digitize control centers and nuclear reactor systems.

Since 2016, when the NTI Index first measured cybersecurity, 49 countries with weapons-usable nuclear materials and/or nuclear facilities have slowly improved their scores in the indicator. However, the Index reveals that the majority of those countries do not have sufficient regulations for cybersecurity: just 34 percent receive a high score (67-100) for cybersecurity (only Romania and Taiwan receive full scores), and 24 percent receive a zero score.

The Index outlines several steps countries can take to strengthen their cybersecurity at nuclear facilities: integrating physical protection and cybersecurity; protecting critical digital assets; requiring a cybersecurity response plan; and building greater awareness of cyber threats among facility personnel. While country-based reforms are necessary, a greater effort must be made to fill capacity gaps in cooperation with other countries, and one step states can take is contributing financially to the IAEA to support its work in cybersecurity.

Addressing Insider Threats

Importantly, the NTI Index notes that all security measures—including cybersecurity—will be ineffective if an employee with knowledge of security systems and access rights can bypass the system. Fortunately, there have not been many cases of fissile material theft, but all known cases to date have involved an insider. In 2014, at the Doel 4 plant in Belgium, a reactor valve was deliberately opened, causing the reactor to overheat. Police believe the person responsible was an employee or subcontractor, but the case is still open. Following the investigation, officials found that another employee of Doel 4 had died earlier that year fighting with the Islamic State in Syria, raising concerns over the frequency and extensiveness of personnel vetting.

Despite the importance of addressing threats posed by insiders, the NTI Index reports that only 55 percent of countries require that personnel vetting be conducted regularly, and only 35 percent require robust personnel vetting that includes drug tests, background checks, and psychological tests. An alarming 20 percent do not require any of these tests. In addition, the Index details how improvement in the Global Norms category has slowed, and until nuclear security treaties are universalized, the critical gap in the coverage of protection, criminalization, and cooperation on prosecuting nuclear theft, smuggling, sabotage, and terrorism will continue.

The Index outlines a number of ways to address the human factor in nuclear security, including implementing more stringent and frequent personnel vetting; enhancing surveillance of sensitive areas; creating insider threat awareness programs to enhance the ability to detect and respond to threats; and emphasizing security culture as distinct from safety culture.

Avoiding Complacency

Cyber threats and the human factor can create or exacerbate vulnerabilities in nuclear structures, and must be addressed through strong regulations, capacity building, and strengthened security culture. The NTI Index shows that countries and facilities are not prepared to address these problems. At a time when global threats are evolving and new ones emerging—and because global nuclear security is only as strong as its weakest link—combatting cyber and human threats must be a high priority. Complacency by states will come at the expense of their citizens and the international community.
