The risk of a major cyber attack on the nuclear industry is rising, potentially leading to blackouts or even meltdowns, researchers say. A cyber attack that takes two or three nuclear power plants offline could definitely cause major blackouts in the country. “And if you look at a country like France, where 60 to 70 percent of its power comes from nuclear, a cyber attack could be even more serious.”
For instance, the researchers found that the conventional belief that all nuclear facilities are “air-gapped,” or isolated from the public Internet, is a myth. In recent years, many nuclear facilities have developed some form of Internet connectivity so that plants can transmit data to, say, their head offices. The Slammer worm infection at a nuclear plant happened when the malware spread over virtual private networks (VPNs) connecting the plant with the home laptop of an engineer working for a subcontractor.
Even when nuclear facilities are air-gapped, this safeguard can be overcome with nothing more than a flash drive. In addition, nuclear plant personnel typically do not understand cyber-security procedures, often because the procedures are not clearly written. Furthermore, nuclear plant personnel often do not regularly practice cyber-security procedures in drills.
Industry Adopted Digital Systems
The researchers note that the nuclear industry adopted digital systems relatively late. One reason involved regulatory restrictions; another involved the very high costs of running nuclear plants, which meant that equipment in nuclear facilities is often kept in service for decades instead of replaced regularly. The researchers suggest the nuclear industry’s delay in adopting digital systems resulted in a lower level of cyber security experience than is the case in other industries. Researchers also suggest the nuclear industry’s longstanding focus on physical safety and protection may have contributed to less attention to cyber security.
In light of these findings, the researchers propose a number of recommendations to improve nuclear cyber security. For example, they suggest that governments can establish computer emergency response teams specialized in defending industrial control systems. Nuclear facilities can also anonymously share reports of cyber attacks against them in order to raise awareness of threats while protecting their reputations. The researchers also suggest that nuclear facilities promote “good IT hygiene,” including practices such as changing the factory default passwords on equipment, and making certain that there are manual backups for critical systems in the event of a failure.
The worst-case scenario the researchers analyzed—a cyber attack that triggered the release of radioactive material—may not be an immediate threat. “Almost no state wants to open that can of worms right now, although with rogue states, no one ever knows what they might do.”