The civilian nuclear power plant infrastructure internationally is at risk for a cyber attack due to known internet-related vulnerabilities, a lack of training and only reacting to potential threats, according to the London-based think tank Chatham House.
Cyber Security at Civil Nuclear Facilities: Understanding the Risks, which is based on an 18 month-long project conducted in 2014-15, listed a series of industry, cultural and technical challenges that have to be overcome to bring the nuclear power plant computer systems up to standard.
“The cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf' software, which offers considerable cost savings but increases vulnerability to hacking attacks,” the report stated.
The first technical issue brought up by Chatham House is that the idea that all nuclear plants are “air gapped” or not directly connected to the internet is incorrect. The researchers found web connections in several facilities operating and by using a standard search engine someone can identify critical plant components. Even facilities that are properly air-gapped can be breached by an inside human source using a flash drive.
Compounding the potential vulnerability through the web, the report noted that many of a plant's industrial components are insecure by design because cyber security issues were not a problem when they were built. Plants are also loath to install security patches due to a fear the software could cause some other problem, the report noted.
The cultural problems uncovered by the report covered a wide range of issues from training to a lack of understanding and communication between the plant's engineering staff and its cyber security personnel.
“Cyber security training at nuclear facilities is often insufficient. In particular, there is a lack of integrated cyber security drills between nuclear plant personnel and cyber security personnel,” the report stated.
Even when a facility has the proper personnel in place there is often a disconnect between these staffers and those who run the plant.
“Nuclear plant personnel, who are operational technology engineers, and cyber security personnel, who are information technology engineers, frequently have difficulty communicating, which can lead to friction. In many cases the problem is exacerbated by the off-site location of cyber security personnel,” Chatham House said.
When the think tank looked at nuclear plant security from an industry-wide perspective it found several troubling problems. Topping the list a lack of regulatory standards, limited communication between the plants and their vendors and that plants infrequently disclose cyber security incidents.
The Chatham House researchers closed the report with several recommendations, including developing a more robust ambition to match or overtake its opponents in cyberspace and thereby take the initiative, focusing its resources on critical elements of the nuclear fuel cycle and funding the promotion and fostering of cyber security within the industry, aiming to encourage a sectoral-level approach, from the highest levels down to the individual.
Researches also recommended establishing an international cyber security risk management strategy, engaging in robust dialogue with engineers and contractors to raise awareness of the cyber security risk, and developing coordinated plans of action to address the technical shortfalls.