The Stuxnet worm’s infiltration of Iran’s nuclear program was the most dramatic cyberattack the nuclear sector has ever seen. But it was not the only one. The Slammer worm infected the Davis-Besse nuclear power plant in Ohio, leaving reactor core safety data unavailable for nearly five hours. In another incident, hackers stole blueprints of at least two nuclear reactors and other sensitive data from Korea Hydro and Nuclear Power Co., then demanded money from the company in exchange for not releasing potentially important files.
“A cyberattack that takes two or three nuclear power plants offline could definitely cause major blackouts in many countries.” “And if you look at a country like France, where 60 to 70 percent of its power comes from nuclear, a cyberattack could be even more serious.”
For instance, the researchers found that the conventional belief that all nuclear facilities are “air-gapped,” or isolated from the public Internet, is a myth. In recent years, many nuclear facilities have developed some form of Internet connectivity so nuclear plants can transmit data to, say, the head offices of those nuclear facilities, or to government regulatory agencies. The infection of the Davis-Besse nuclear plant with the Slammer worm happened when the malware spread over virtual private networks (VPN) connecting the nuclear plant with the home laptop of an engineer working for a subcontractor.
Even when nuclear facilities are air-gapped, this safeguard can be overcome with nothing more than a flash drive. This was the most likely route by which the Stuxnet worm infected the Iranian nuclear program.
The researchers note that the nuclear industry adopted digital systems relatively late. One reason involved regulatory restrictions; another involved the very high costs of running nuclear plants, which meant that equipment in nuclear facilities is often kept in service for decades instead of replaced regularly. The nuclear industry’s delay in adopting digital systems resulted in a lower level of cybersecurity experience than is the case in other industries. They also suggest the nuclear industry’s longstanding focus on physical safety and protection may have contributed to less attention to cybersecurity.
In light of these findings, the researchers propose a number of recommendations to improve nuclear cybersecurity. For example, they suggest that governments can establish computer emergency response teams specialized in defending industrial control systems. Nuclear facilities can also anonymously share reports of cyberattacks against them in order to raise awareness of threats while protecting their reputations. The researchers also suggest that nuclear facilities promote “good IT hygiene,” including practices such as changing the factory default passwords on equipment, and making certain that there are manual backups for critical systems in the event of a failure.