Commerce and communications systems. Airlines and health insurers. Phone companies and filmmakers. National governments and even the White House. All have been hacked – part of the series of damaging, high-profile attacks that have made headlines around the world. It is clear today that no one is immune from damaging cyber attacks – but for one set of critical infrastructure, the consequences could be catastrophic: Nuclear facilities.
The scenario is not hard to imagine. An attack could facilitate the theft of nuclear materials or an act of sabotage in any number of ways. Access control systems could be compromised, allowing the entry of unauthorized persons seeking to obtain nuclear material or damage the facility. Accounting systems could be manipulated so that the theft of material goes unnoticed. Reactor cooling systems could be deliberately disabled, resulting in a Fukushima-like disaster.
Preventing acts of nuclear or radiological terrorism is the main goal of the Nuclear Security Summit process, which ends in its current form with this month’s final meeting in Washington. Given that, experts and citizens should ask: How are world leaders using the process to address cyber security vulnerabilities at nuclear facilities?
The good news is that this topic gained prominence at the 2014 Nuclear Security Summit in the Netherlands, earning a section in the official Summit communiqué, which articulates the consensus of all participating states. The communiqué reads, in part:
“In order to address the growing threat of cyber attacks, including on critical information infrastructure and control systems, and their potential impact on nuclear security, we encourage States and the private sector to take effective risk mitigation measures to ensure that the systems and networks of nuclear facilities are appropriately secured. Unauthorized access to these systems could compromise the safe and secure operation of the facility as well as the confidentiality, integrity and availability of the relevant information.”
The bad news is that, despite this high-level recognition, protecting against a rapidly evolving threat is challenging and the current status of government initiatives on cyber security leaves much to be desired. In fact, the 2016 NTI Nuclear Security Index found that 20 out of 47 countries with weapons-usable nuclear materials or nuclear facilities that, if sabotaged, would cause significant off-site health consequences, have no requirements at all that nuclear facilities be protected from cyber attack. More worrisome still, some of these countries are looking to expand their nuclear power programs.
There are many reasons for this lack of preparedness:
• First, computer systems at nuclear facilities are highly complex and could consist of more than 1,000 digital components as well as legacy systems with no built-in security. In addition, new nuclear facilities are increasingly being digitized. Although this improves reliability and safety, it also introduces new vulnerabilities. Overhauling such complex systems is a difficult task.
• Second, the world is short on skilled cyber security experts—a shortage exacerbated for the cyber-nuclear discipline, which requires specific knowledge of digital control systems in a nuclear environment. Expertise is concentrated in the United States and Europe, which puts countries in other regions at a serious disadvantage when it comes to finding experts to either improve current cyber security practices or craft cyber security policies and regulations for burgeoning nuclear programs.
• Third, a bevy of domestic issues, including cost, bureaucratic inertia, and the difficulty of bridging the gap between technical and policy communities, prevents states from taking action at a pace commensurate with the urgency of the threat.
To help mitigate the risk of cyber attacks on nuclear facilities, international organizations like the IAEA and the World Institute for Nuclear Security (WINS) are working to provide guidance and best practices in for cyber security in the nuclear space. Additionally, non-governmental organizations around the world, including NTI, are jumping into the breach to help where they can.
Cyber attacks can have physical consequences, often transcend national borders, and are difficult to attribute. The consequences of a cyber attack resulting in theft of nuclear materials or the sabotage of a nuclear facility would reverberate around the globe. World leaders must build on the steps taken at the 2014 Nuclear Security Summit and commit to making cyber security a central component of a comprehensive system to address global nuclear and radiological security.