The risk of a major cyberattack on the nuclear industry is rising, potentially leading to blackouts or even meltdowns, researchers say.
The 2010 Stuxnet worm's infiltration of Iran's nuclear program was the most dramatic cyberattack the nuclear sector has ever seen. But it was not the only one. In one case in 2003, the Slammer worm infected the Davis-Besse nuclear power plant in Ohio, leaving reactor core safety data unavailable for nearly five hours. In another example from 2014, hackers stole blueprints of at least two nuclear reactors and other sensitive data from Korea Hydro and Nuclear Power Co., then demanded money from the company in exchange for not releasing potentially important files.
Although the 2011 nuclear disaster at Fukushima was not the result of a cyberattack, that catastrophe nevertheless underscored what the grave consequences of disrupting a nuclear power plant can be. To shed light on what risks the nuclear industry now faces from cyber-threats, researchers at Chatham House, part of the Royal Institute of International Affairs in London, conducted in-depth interviews of 30 nuclear industry experts and convened three expert roundtables on nuclear cyber-security over the course of 18 months.
The results, detailed on 5 Oct., were alarming, says study lead author Caroline Baylon, a research associate at Chatham House. “I didn't expect to find as many vulnerabilities as I did,” she says. “The nuclear industry is not mature at all when it comes to cyber-security—it's barely starting to deal with the issue.”
“A cyberattack that takes two or three nuclear power plants offline could definitely cause major blackouts in the United States,” says Baylon. “And if you look at a country like France, where 60 to 70 percent of its power comes from nuclear, a cyberattack could be even more serious.”
For instance, the researchers found that the conventional belief that all nuclear facilities are “air-gapped,” or isolated from the public Internet, is a myth. In recent years, many nuclear facilities have developed some form of Internet connectivity so nuclear plants can transmit data to, say, the head offices of those nuclear facilities, or to government regulatory agencies. The 2003 infection of the Davis-Besse nuclear plant with the Slammer worm happened when the malware spread over virtual private networks (VPN) connecting the nuclear plant with the home laptop of an engineer working for a subcontractor.
Even when nuclear facilities are air-gapped, this safeguard can be overcome with nothing more than a flash drive. This was the most likely route by which the Stuxnet worm infected the Iranian nuclear program.
In addition, nuclear plant personnel typically do not understand cyber-security procedures, often because the procedures are not clearly written. Furthermore, nuclear plant personnel often do not regularly practice cyber-security procedures in drills.
The researchers note that the nuclear industry adopted digital systems relatively late. One reason involved regulatory restrictions; another involved the very high costs of running nuclear plants, which mean that equipment in nuclear facilities is often kept in service for decades instead of being replaced regularly. Baylon and her colleagues suggest the nuclear industry’s delay in adopting digital systems resulted in a lower level of cybersecurity experience than is the case in other industries. They also suggest the nuclear industry's longstanding focus on physical safety and protection may have contributed to less attention to cybersecurity.
In light of these findings, the researchers propose a number of recommendations to improve nuclear cybersecurity. For example, they suggest that governments can establish computer emergency response teams specialized in defending industrial control systems. Nuclear facilities can also anonymously share reports of cyberattacks against them in order to raise awareness of threats while protecting their reputations. The researchers also suggest that nuclear facilities promote “good IT hygiene,” including practices such as changing the factory default passwords on equipment, and making certain that there are manual backups for critical systems in the event of a failure.
The worst-case scenario the researchers analyzed—a cyberattack that triggered the release of radioactive material—may not be an immediate threat. “Such an attack is on the level of states against states, such as the U.S. and Russia and the U.K., which have a sort of gentleman's agreement to not attack each other's nuclear power plants,” Baylon says. “Almost no state wants to open that can of worms right now, although with rogue states like North Korea, no one ever knows what they might do.”
“For me, the really scary scenario is when a well-financed terrorist group like ISIS meets a hacker-for-hire company like the kind seen in Russia that may be extremely sophisticated and not have a lot of ethics,” Baylon says. “We need to address the cyber-security vulnerabilities in the nuclear sector immediately.”
Charles Q. Choi is a science reporter who contributes regularly to IEEE Spectrum. He has written for Scientific American, The New York Times, Wired, and Science, among others.