Cyberattacks on Nuclear Power Plants: How Worried Should We Be?
Cyberattacks on Nuclear Power Plants: How Worried Should We Be?
Atomic Pulse
Outpacing Cyber Hackers: Preventing Catastrophic Cyberattacks on Nuclear Facilities
Most of us by now have received the unwelcome news that our
email or Facebook account has been hacked or that our credit card data may have
been stolen. We’ve also seen news reports about government agencies or airlines,
banks or big-box stores dealing with cyber breaches.
Imagine waking up one day to the news that a terrorist group
had hacked into a nuclear power plant’s surveillance cameras or badge readers and
facilitated the theft of materials that could be used to build a bomb. Imagine learning
that a hacker had sabotaged a plant’s safety systems and caused a serious
radiological release. Imagine if anonymous hackers seized control of a nuclear plant’s
most critical systems and then held it hostage until their demands were met.
These scenarios are not Hollywood fantasies. Cyber threats
to nuclear facilities are real and growing – and unlike social media or even
credit card hacks, the consequences could be catastrophic.
To help governments, industry and international organizations
get ahead of the urgent and evolving threat, the Nuclear Threat Initiative
(NTI) has just released a new report, Outpacing
Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities, which lays out priorities for a new, overarching
strategy to protect nuclear facilities.
Such a strategy is more important than ever. Cyber incidents
at nuclear facilities are occurring with increasing frequency, and too few
countries have effective cybersecurity measures in place.
Recognizing
that, to be useful, our work must be grounded in technical realities, NTI
assembled an international group of technical and operational experts with
backgrounds in computer security, nuclear safety systems, nuclear engineering,
industrial control systems, and nuclear facility operations. This group was
tasked with identifying the core elements of a new strategy, focusing on those
elements that would have the greatest possible impact.
Over 12
months, the group identified four priorities that, if implemented, would
dramatically reduce the risk of damaging cyber-attacks on nuclear facilities. They
are:
- Institutionalize
Cybersecurity. When it comes to maintaining nuclear safety and physical
security, robust processes and practices are in use throughout facilities and
are internalized by all facility staff—from the executive level to the most
junior employees. Given the rapidly evolving cyber threat, the same is not yet
true for cybersecurity at nuclear facilities—but it must be. - Mount an
Active Cyber Defense*. The static cybersecurity architectures at today’s nuclear
facilities are not effective enough on their own to prevent a breach by a
determined adversary, nor are they effective enough to respond once a
compromise has occurred. Nuclear facilities need to update their prevention and
response plans—steps that are essential but that are challenged by the global
shortage of technical experts. - Reduce
Complexity. Complexity is the enemy of security. Today’s nuclear facilities
consist of thousands of digital systems for which the security effects,
functionalities, and interactions are not always fully understood. When it
comes to the most critical systems, reducing complexity to the extent
possible—even perhaps transitioning to non-digital systems—may be the most
advantageous option. - Pursue
Transformation. The global community is in the early stages of understanding the
magnitude of the cyber threat. In many ways, humans have created systems that
are too complex to manage; in most cases, risks cannot even be quantified. As a
result, there is a fundamental need for transformative research to develop
hard-to-hack systems for critical applications.
Alone and in
combination, each of these priorities would provide unique leverage on the
threat posed to nuclear facilities and start making it possible for defenders
to actually get ahead of the cyber threat—not just respond to it.
Moving forward will require action on the part of
governments, regulators, industry, and international organizations alike. The
risk of a cyber-facilitated theft of nuclear material or sabotage of a nuclear
facility is simply too great to remain comfortable with the status quo.
The report marks a milestone in NTI’s work on the
intersection of cyber and nuclear security. We also are examining the
implications of cyber threats to nuclear weapons and related systems and
working on options for nuclear policies, postures, and doctrines to reduce
risks in that arena.
For a more
detailed explanation of the priorities in Outpacing
Cyber Threats and NTI’s recommendations for taking action, please visit www.nti.org/cyberpriorities. For
more on all of NTI’s cyber work, please visit us here.
*We know that “active defense” in some
industries means “hacking back” against an adversary. NTI does not advocate
“hacking back,” rather, we advocate a defense strategy where analysts monitor,
respond to, learn from, and apply their knowledge of threats internal to the network in order to detect,
block, and expel adversaries.
Stay Informed
Sign up for our newsletter to get the latest on nuclear and biological threats.
More on Atomic Pulse
Crash Override: Could a Similar Cyber Weapon be Used Against a Nuclear Facility?
Tackling the Nuclear Cyber Threat
Tackling the Nuclear Cyber Threat