Nation’s Nuclear Power Plants Prepare for Cyber Attacks

(Aug. 27) -The Indian Point nuclear power plant in New York state. The U.S. nuclear industry has spent more than $2 billion in the last decade to defend itself against cyber attacks and other security threats (Stephen Chernin/Getty Images).
(Aug. 27) -The Indian Point nuclear power plant in New York state. The U.S. nuclear industry has spent more than $2 billion in the last decade to defend itself against cyber attacks and other security threats (Stephen Chernin/Getty Images).

Fourth in a five-part Global Security Newswire series on emerging technologies and scientific advances that might pose new proliferation risks.

WASHINGTON -- The threat to digital systems at the country's nuclear power plants is considerable, but the sector is better prepared to defend against potentially devastating cyber attacks than most other utilities, according to government and industry officials and experts (see GSN, July 9).

Cyber attacks have been an increasing source of concern in recent years but the threat was highlighted last month by the first discovery of malicious code, called a worm, specifically formulated to target the systems that direct the inner operations of industrial plants. To date the malware is thought to have infected more than 15,000 computers worldwide, mostly in Iran, Indonesia and India.

The issue is critically important for new nuclear power facilities that would be built in the United States and throughout the world as control rooms would employ digital systems to operate the plants. Those state-of-the-art instruments and systems make them targets for hackers.

A U.S. Nuclear Regulatory Commission spokeswoman declined to say whether there have been any cyber strikes against the nation's nuclear power sector. Security events, including a computer-based attack at an energy facility, would be "sensitive information" and therefore not released to the public, she said.

There have been no cyber attacks to date on U.S.nuclear facilities, according to Doug Walters, vice president of regulatory affairs at the Nuclear Energy Institute, a policy organization of the nuclear power and technologies industry.

Cyber attacks are "no different from other military activities, in that power grids are a normal target for guerrillas and militaries. It's something they usually try to attack if they get into a conflict," James Lewis, a senior fellow at the Center for Strategic and International Studies, said in an interview last week.

Nuclear power plant owners and operators "have been encouraged for a long time to think about security and to put a lot more effort into it than most civilian enterprises," he told Global Security Newswire. "The question is how vulnerable are they so someone using remote access to send damaging commands and I think the answer is they're not particularly vulnerable."

Lewis said experts know other nations, possibly including China and Russia, have conducted reconnaissance for potential weak spots in the U.S. power grid and "we don't know what they left behind."

"People with nuclear power plants ought to be and thus are, more careful about this because it's easier in the imagination to envision what happens if a hacker gets into a nuclear power plant," said Martin Libicki, a senior management scientist at RAND Corp. "If I get into a coal-fired power plant, the worst I'm going to do is cause a blackout. If I get into a nuclear power plant, I can cause a Chernobyl."

"I'm not sure that's true but you can imagine how that might play in out in the media and politically," he added.

The safety and control systems that operate nuclear power plants are isolated from the Internet and are protected against outside invasion. Yet in some cases, those operating systems and other critical infrastructure are decades old and not completely separated from computer networks used to manage administrative systems. Those gaps provide potential gateways for hackers to insert viruses, malicious codes and worms.

As much as 85 percent of the nation's critical infrastructure is owned and operated by private companies, ranging from nuclear power plants to transportation and manufacturing systems. Atomic energy facilities are a tantalizing target for digital sabotage because a meltdown could result in a major radiological event.

In all, the nuclear industry has spent roughly $2.2 billion over the last decade on enhancements to prevent physical or cyber breaches, according to Walters. Those funds paid for security upgrades to meet U.S. Nuclear Regulatory Commission requirements, including vehicle barriers, cameras, bullet resistant enclosures and other new technologies, he said.

That figure also included expenditures for additional security officers, the number of which has increased by about 60 percent "across the fleet."

Shortly after the Sept. 11 terrorist attacks, the regulatory commission, the agency with oversight of the country's atomic energy plants, put out a series of orders requiring its 104 licensees to enhance their overall security efforts, including physical protection, personnel reliability and cyber defense, Walters said. A year later the commission for the first time ordered that cyber attacks be added to the list of threats sites must be able to defend against.

In March 2009 the commission unveiled a new rule that required power plants to complete cyber security plans that would protect against a "design basis threat," according to Rich Correia, who head of the agency's Security Policy Division. The plans would be amendments to the utility licenses to operate the reactors.

Design basis threat is "pretty much what the commission has determined what a private security force should be able to defend against," Correia said this week. "Since power plants are run by private entities, we couldn't expect them to defend against, say, a nation-state."

The directive describes what actions site operators must take to identify and protect "critical digital assets," computer systems and components key to the protection of the plant that, if harmed, could produce a radiological incident, he added. A critical system is identified as any that performs or is relied on for plant safety, security and emergency preparedness; provides a pathway to a system that could be used to compromise, attack, or degrade those functions; supports systems that if compromised could adversely impact those defenses; or protects against any of those cyber attacks.

"In essence, we're making sure that we have a shield up around the plant beyond normal firewalls that would protect against a cyber attack," Walters said last week.

Licensees submitted their cyber security blueprints for the country's 65 nuclear power plants for commission review last November, Correia told GSN. The agency hopes to have all the plans approved by next spring.

Power plant operators would then implement the programs and the regulatory commission's four regional offices would begin inspections to verify they were being used as designed, he said.

Correia said his division is in continuous contact with the commission's threat assessment branch, which evaluates intelligence information from various government agencies, to make any changes to the perceived cyber danger.

The commission has also put together a "mock adversary force" to test power plants' digital preparedness as part of the overall NRC site inspection process, he added. The agency conducts "force on force" exercises at facilities to challenge their physical security assets. The mock enemy's mission might include action against digital systems and components.

The U.S. nuclear power industry is also well positioned to address the evolving threat because of its size, according to Lewis. The sector only has 104 reactors at 65 plants, compared to thousands of electrical utilities. Those companies are often too small to spend money to examine the cyber security or so large that it is glossed over, he said.

"Does it mean [the atomic energy sector is] totally invulnerable? No," Lewis told GSN. "But if you're an opponent you're going to ask yourself, 'Gosh, there's so many easy targets, why should I go after hard targets when I can pretty much get the same bang for the buck with a lot less effort?'"

Walters said the industry has been "fairly proactive" on the issue even without the NRC orders, noting the Nuclear Energy Institute formed a task force in 2002 to develop cyber security guidelines, which received the regulatory agency's blessing. That guidance delineated cyber security protection memsureas that should be installed on certain plant systems.

The institute has also established a nuclear sector council that meets with Homeland Security Department officials on a quarterly basis to address potential security concerns, he said.

"With the requirements we have in place and with licensees knowing what they need to do in terms of security controls ... we are in very good shape in terms of protecting against cyber attacks," according to Walters.

The Future of Cyber Security

Officials and experts agreed the country has begun to pay more attention to cyber security over the last several years. However, more could be done to counter the ever-evolving threat to the nation's power grid, including nuclear reactors.

"If it was up to me, I would mandate that the electrical generation and distribution be provably disconnected from the [Internet]," Libicki said. He predicted that entities would argue that such a move would prove too costly.

Walters said nuclear plants are different from other utilities because many of their safety systems are already detached from the Web.

"For a nuclear plant, when you're talking about controls and the systems for safety, those things are really confined to the sites and there's no output to the Internet. There are inherent safeguards that exist," he told GSN.

Lewis predicted it would take time to secure some of the nation's power networks because "they were never designed to be secure."

"We will just have to think; we can't afford to replace everything at once," he added.

Correia described cyber security in the nuclear realm as an "ongoing process" that would require continuous observation of what is happening within cyber space so that facilities could respond to developing threats.

"Licensees have to be able to react to it quickly, to adjust their cyber plans ... to defend against it if there's an attack," he said.

Editor's Note: Look for the next article in the series on Friday, Sept. 10.

August 27, 2010

Fourth in a five-part Global Security Newswire series on emerging technologies and scientific advances that might pose new proliferation risks.