Does the U.S. make the grade for nuclear cyber safety?
Armed soldiers patrolling the grounds. Non-essential workers sent home. The aftermath of the Belgium terror attacks includes increased security at Belgium’s nuclear power plants, as investigators find evidence that terrorist may have been plotting a nuclear heist, reported The Guardian.
Four Belgian nuclear plant employees had their access badges revoked, according to Time, after the discovery of surveillance video showing terrorist monitoring of the head of one plant’s research program.
Though investigators worry that ISIS supports might try to steal nuclear weapon materials and concept a destructive dirty bomb, there is another gnawing worry—destructive hackers trying to break their way in to nuclear facilities and cause a nuclear disaster.
“With respect to nuclear facilities in the U.S., Belgium and elsewhere, the potential for cyber attacks is of increasing concern,” Dr. Page Stoutland of the Nuclear Threat Initiative told Archer News.
“Nuclear security and safety rely on information technology,” the Nuclear Threat Initiative said on its website. “Recent events, however, have exposed new threats in the cyber domain that raise troubling questions about the security of nuclear facilities.”
One of the most troubling—whether attackers could use Internet means to get access to the controls that run a nuclear plant and its safety and monitoring systems.
“At a nuclear facility, such an attack could cause catastrophic consequences,” the site said.
Failing grade
The Nuclear Threat Initiative is described as “one of the nation’s leading nuclear nonproliferation watchdogs,” by the New York Times. The group analyzed nuclear cybersecurity in countries around the globe. In its report, it gave Belgium a zero, the lowest possible score.
The U.S. received a 100, the highest score.
“Many countries with nuclear facilities, including Belgium, however, have yet to require cyber security plans at nuclear facilities,” said Dr. Stoutland.
More than a dozen other countries also received a zero, according to the New York Times, including China, Israel, Mexico and North Korea.
“The findings build on growing concerns that a cyberattack could be the easiest and most effective way to take over a nuclear power plant and sabotage it, or to disable defenses that are used to protect nuclear material from theft,” the New York Times reported.
How is the U.S. protecting you?
The U.S. government came up with cybersecurity rules for nuclear facilities in 2009, according to Dr. Stoutland.
“U.S. nuclear plants have cybersecurity controls that provide multiple layers of defense for a range of attack vectors,” said Randy Cleland with Archer Security Group.
One of them—keeping the computer network that runs the plant separate from the computer network that runs the office side.
“The primary defensive control for both nuclear plants and electric grid reliability functions is isolation,” he added.
In the Ukraine power attack in December, hackers were able to cross from the corporate network to the control network and shut down power, Cleland pointed out.
In the infamous Stuxnet attack on Iran’s nuclear program, attackers used USB drives to transfer a computer worm to control systems that had been separated from the corporate network.
U.S. nuclear cybersecurity requirements call for checks of data before it can go into the network that runs the controls, Cleland said.
“Any data moved into highest protected level goes through prescribed rigor to ensure that only desired files—verified and validated—touch cyber assets,” he said.
“U.S. nuclear facilities, as required by the NRC [Nuclear Regulatory Commission] are working very hard to implement their cyber security plans, and the potential for a catastrophic incident is very remote,” said Dr. Stoutland.
Cyber attacks
There have already been successful cyber attacks in the nuclear arena, according to a report from the Stimson Center, a security think tank in Washington, D.C., though they did not cause nuclear disaster.
In Japan in 2014, a nuclear facility employee tried to update a free computer application on a control room computer and ended up with malware, exposing more than 40,000 confidential e-mail messages and training reports, the report said.
The same year, a hacker got into the website of a South Korea nuclear facility operator and found blueprints, floor maps, air-con and cooling system information and personal information on 10,000 workers, according to the report.
“The hacker released five leaks on Twitter and threatened to leak further information unless the reactors were shut down,” the report said.
Cyber attacks in the U.S.
Also in 2014, crooks sent a Nigerian scam email to more than 5,000 employees at the U.S. Nuclear Regulatory Commission, telling them they needed to install system updates that required their login information, the report cited. Eight employees clicked on the link and gave their account information.
Nuclear facilities reported six cyber incidents in 2012, according to the U.S. Department of Homeland Security. Some of them resulted in data theft, said the Stimson Center report.
Older incidents in the U.S. resulted in temporary shutdowns.
In 2003, malware from a consultant’s computer ended up infecting an Ohio nuclear plant’s control network and prevented plant workers from seeing the Safety Parameter Display System for almost five hours, the report said.
An “unapproved software update” on one computer may have spread malware to critical system networks at a plant in Georgia in 2008, forcing a 48-hour emergency shutdown, the report said. This incident occurred in the year before the new NRC cybersecurity requirements in 2009.
Data vs. sabotage
Theft of data, as seen in the more recent cyber attacks, is not good. But experts say a nuclear meltdown would be much worse, and the focus on that kind of cybersecurity is more intense.
“In considering the potential of cyber attacks on nuclear facilities, it is important to distinguish between attacks that could lead to a loss of information, and those that could have physical effects, such as a radiation release,” said Dr. Stoutland.
“While all digital systems are protected, there is particular attention paid to those which could lead to serious physical effects,” he added.
“Some would say that given the recent ISIS activity that it is only a matter of time before we are tested with a real attack,” said Cleland. “This is an industry that has invested heavily in people, resources, and cybersecurity controls to be ready because nuclear safety is the number one priority.”
Worries remain
There are still issues of concern, said Debra Decker, one of the authors of the Stimson Center report.
“There are cyberattacks all the time everywhere,” Decker told Archer News. “What the industry is worried about today is supply chain security.”
For example, suppliers and vendors may not have the same kind of cybersecurity requirements and plans as nuclear facilities.
“What is being built into their instrumentation and control systems as new plants are being built internationally or as our older analog plants become digital?” asked Decker. “Do the suppliers have good insider threat controls?”
Nuclear facilities outside the U.S. may fall short as well, according to Decker.
“The lack of international standards for security is a problem,” she said.
Though the U.S. has cyber experts with nuclear expertise, some other countries lack the skills necessary to safely protect nuclear systems, said Dr. Stoutland.
Summit
Next week, President Obama and more than 50 world leaders will meet in Washington, D.C. for the Nuclear Security Summit, according to Decker, the last of four summits on the issue.
It will be “a push to reduce the risk of the most dangerous materials falling into the wrong hands. It could not come at a better time,” she wrote in a USA Today op-ed piece.
Decker said there is no simple answer to the nuclear security issues at hand, including cybersecurity, but the summit could help countries work together to “quickly improve defenses.”
“Recent events in Belgium underscore the fact that it is an opportunity we can’t afford to miss,” she said.