October 18, 2016

How a Cyber Attack on a Nuclear Facility Could Unfold

Nuclear security and safety rely on information technology. Whether that technology is motion detectors around the perimeter of a nuclear power plant or monitoring systems in nuclear reactors, all of these systems play a vital role in keeping nuclear materials safe and secure. Recent events, however, have exposed new threats in the cyber domain that raise troubling questions about the security of nuclear facilities.

How a cyber attack would strike a nuclear facility depends on the objective—theft of nuclear materials or sabotage. But any attack may target some or all of the following components:

User data, the most vulnerable target in any attack. In Ukraine, hackers used a spear-phishing attack to steal the system administrator’s access credentials. This technique, a common tool used to steal user data, typically sends the user a normal-appearing email, with a malicious attachment or link that transmits user data back to the attacker. This type of attack could allow hackers to remotely access the internal information systems of a nuclear facility, sow confusion, or further infect sensitive systems not connected to the internet.
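The lure described above can be screened for on the receiving side before a user ever sees it. What follows is an added example, not code from the original article or from NTI: a Python checker that flags the indicators the paragraph names (an external sender posing as an internal role, an urgent subject line, a link whose visible text names a different host than its real target, and an executable attachment). Both messages and every address and domain in them are constructed for the example.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment types that should rarely arrive by mail at a control-room workstation
# (an assumption for the example; tune to the facility's own policy)
RISKY_ATTACHMENT_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm"}
# Pressure words common in credential lures
URGENCY_WORDS = ("urgent", "expire", "immediately", "suspended", "verify your")

# Constructed messages for the example; every address and domain is made up.
PHISHING_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@plant-support-portal.example>
To: admin@plant.example
Subject: URGENT: your password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Re-enter your credentials at
<a href="http://login.plant-support-portal.example/reset">https://intranet.plant.example/reset</a></p>
--b1
Content-Type: application/octet-stream; name="reset-tool.exe"
Content-Disposition: attachment; filename="reset-tool.exe"

(placeholder bytes, not a real program)
--b1--
"""

BENIGN_SAMPLE = """\
From: "Jane Doe" <jane.doe@plant.example>
To: admin@plant.example
Subject: Minutes from Tuesday's shift meeting
Content-Type: text/plain

The minutes are in the document system: https://intranet.plant.example/minutes
"""


def link_mismatches(html):
    """Yield (href_host, text_host) for anchors whose visible URL names a different host than the target."""
    for m in re.finditer(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href, text = m.group(1), re.sub(r"<[^>]+>", "", m.group(2)).strip()
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if text_host and text_host != href_host:
            yield href_host, text_host


def phishing_indicators(raw_message):
    """Return a list of indicator strings found in one mail message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    found = []

    # Sender domain differing from the recipient's own domain
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipient_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    if sender_domain and sender_domain != recipient_domain:
        found.append("external-sender:" + sender_domain)

    # Urgency language in the subject
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        found.append("urgency-subject")

    # Walk every MIME part: risky attachments and deceptive links in HTML bodies
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_ATTACHMENT_EXT:
            found.append("risky-attachment:" + filename)
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", errors="replace")
            for href_host, text_host in link_mismatches(html):
                found.append(f"link-mismatch:{text_host}->{href_host}")
    return found


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_indicators(sample) or "no indicators")
```

None of these heuristics is conclusive on its own; a gateway would normally combine them into a score and quarantine or tag the message for the user, which is where the training the article calls for takes over.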

Industrial control systems controlling a facility. Industrial operations, such as nuclear facilities, are not connected to the internet and run on supervisory control and data acquisition (SCADA) systems. With access to a SCADA system—either through remote access or through a worm—hackers could implant code that would allow them to manipulate systems to their ends. Stuxnet was a highly successful attack because it sent malicious instructions to industrial systems while reporting no change to the system users. At a nuclear facility, such an attack could have catastrophic consequences.

Information control. A denial-of-service attack launched to cause confusion or limit the spread of information effectively shuts down an information technology system. In Ukraine, automated telephone calls flooded the switchboard, crippling the ability of the power company’s customers to report issues. In the United States, the Department of Justice website suffered a distributed denial-of-service (DDoS) attack, effectively shutting down its largest communication platform to the world. And as the Stuxnet virus became more visible to security experts, a DDoS attack hit industrial security expert email lists, limiting their ability to share data on the new threat.
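The switchboard flood described above is a volume anomaly, and the first defensive step is to notice it in the call records while it is happening. What follows is an added example, not from the original article or from NTI: a Python sliding-window detector over a constructed call log (the timestamps, caller ids and queue name are made up for the example) that raises one alert per episode in which more than a threshold of calls arrives within a minute, and reports how many distinct callers were behind it, since a small set of numbers placing hundreds of calls is the signature of automated calling rather than a genuine surge of customers.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed switchboard log (not real data): "<ISO timestamp> <caller id> <queue>".
# Ten normal calls 30 s apart, then a burst of 120 calls one second apart from only 8 numbers.
_T0 = datetime(2016, 10, 18, 9, 0, 0)
SAMPLE_LOG_LINES = [
    f"{(_T0 + timedelta(seconds=30 * i)).isoformat()} +1-555-01{i:02d} outage-report"
    for i in range(10)
] + [
    f"{(_T0 + timedelta(minutes=5, seconds=i)).isoformat()} +1-555-09{i % 8:02d} outage-report"
    for i in range(120)
]


def parse_line(line):
    """Split one log line into (timestamp, caller, queue)."""
    ts, caller, queue = line.split()
    return datetime.fromisoformat(ts), caller, queue


def detect_call_floods(lines, window_seconds=60, threshold=30):
    """Sliding-window rate check over chronologically ordered log lines.

    Emits one alert per episode in which more than `threshold` calls fall inside
    `window_seconds`; the alert records the window, the call count at the moment
    the threshold was crossed and how many distinct callers were involved.
    """
    window = deque()   # (timestamp, caller) pairs inside the current window
    alerts = []
    in_flood = False
    for line in lines:
        ts, caller, _ = parse_line(line)
        window.append((ts, caller))
        # Drop calls older than the window, measured from the newest call
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            if not in_flood:            # first crossing of this episode
                in_flood = True
                alerts.append({
                    "start": window[0][0],
                    "end": ts,
                    "calls": len(window),
                    "distinct_callers": len({c for _, c in window}),
                })
        else:
            in_flood = False            # rate fell back below threshold; a new burst would re-alert
    return alerts


if __name__ == "__main__":
    for alert in detect_call_floods(SAMPLE_LOG_LINES):
        print(f"flood from {alert['start']} to {alert['end']}: "
              f"{alert['calls']} calls from {alert['distinct_callers']} numbers")
```

The same window logic applies unchanged to web-server access logs or mail-list traffic; only `parse_line` and the threshold change.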

It’s important to understand that the biggest weakness in these systems is not the computers, but the individuals who operate them. Stuxnet spread when a USB drive that had been used on an internet-connected computer was plugged into a SCADA computer that was not. The Ukraine power outage occurred because someone opened a malicious email that stole his credentials. Encryption and firewalls are critical, but training and basic cyber “hygiene” policies are equally important in protecting critical infrastructure like nuclear facilities. Instituting policies that enforce such requirements for facilities and staff will significantly increase the cyber security of these facilities—and the national security of the countries that enact them.

To address the cyber threat, NTI is taking a fresh look at the overarching framework and strategy that guides cyber security for critical nuclear facilities and systems. NTI’s cyber work includes:

• Working with a global group of experts in nuclear engineering and cyber security, as well as regulators and technology developers, on a set of forward-looking, ambitious principles or “rules of the road” for protecting nuclear facilities from cyber threats.
• Convening policy and military advisors to examine vulnerabilities in nuclear command-and-control systems and define actions needed to reduce the threat.
• Working to strengthen global capacity to respond to a cyber attack on nuclear facilities.