Light Dark
October 7, 2015 By Douglas Bonderud 3 min read

Nuclear facilities are now a critical facet of the American utility market. According to the Nuclear Energy Institute (NEI), these facilities generated almost 20 percent of U.S. electricity through 2014, with 99 reactors in use across the country. Owing to the volatile nature of the materials and processes in any nuclear plant, companies have developed excellent physical safety and security procedures.

But as noted by a new Chatham House report based on interviews with 30 industry experts, cybersecurity risk is underestimated at nuclear facilities, leaving these critical producers open to cyberattacks. If plants are breached, what’s the fallout?

The Myth of Air

A recent SecurityWeek article discusses some of the reasons for this lack of nuclear cyber readiness. The biggest problem? A belief that air-gapped systems effectively curtail the risk of cyberattack. The idea here is that since potentially vulnerable points such as industrial control system (ICS) software are often isolated from the Internet, there’s little chance they could be compromised by attackers. The Chatham report, however, found that many nuclear facilities use technology such as virtual private networks (VPNs) to forge outside-facing connections — and in some cases, plant operators aren’t even aware they exist.

Risk assessment is also problematic. The nuclear industry doesn’t have a set of unified guidelines for measuring such risk, and the infrequency of cyber incident disclosures often provides a false sense of security. And according to the report, “very few” plants actually take steps — such as installing software patches, for example — to mitigate security risks. What’s more, most are reliant on perimeter defenses alone to stop attackers, which hasn’t been successful for retail, finance, manufacturing or other energy companies.

Culture also plays a role. As noted by Dark Reading, nuclear operations and IT staff don’t always get along. Operations employees are focused on preventing accidental nuclear incidents, while IT professionals focus on curtailing intentional damage. Add in a different set of employment standards for regular staff and IT teams and it’s not surprising to see that cybersecurity isn’t making headway.

In sum: Nuclear facilities are protected only by myth and miscommunication. And that’s a problem.

Big Boom

How big a problem, exactly? According to the Chatham report, there are a number of worrisome possibilities. For example, cyberattacks targeting a facility’s turbine-cooling water supply could derail its energy production for days or weeks. There’s also the risk of a simultaneous physical/cyberattack designed to force a plant offline. Think of the physical breach as a kind of distracting distributed denial-of-service (DDoS) tactic: With nuclear plants focused on repelling attackers on the ground, cybercriminals could sneak behind the lines and cause havoc.

The most disturbing possibility? Attackers could compromise both the off-site backup power supply and on-site backup system. Coupled with the failure of in-plant safety features, the result could be a nuclear incident of Fukushima-like proportions. While this is not a likely scenario, the lacking cybersecurity environment presents an opportunity for motivated cybercriminals to compromise plants during a natural disaster and cause widespread chaos.

Closing the Gap

A recent Energy Live News showcased the disparity between the nuclear industry’s public face and the reports of Chatham’s 30 anonymous security experts, positioning nuclear facilities as “leading in cybersecurity due to its collaborative skills.” While this may be the ultimate goal, the current state of cybersecurity is one of fragmentation, assumption and cross-purposes. The result is a tempting target for motivated nation-states or disgruntled hacktivists.

Preventing fallout from cyberattacks is possible if plants recognize three basic truths: First, their industry is not immune to cybersecurity risk, whether it’s air-gapped or not; second, reassessment of all cyber defenses is crucial, along with a real accounting of threat likelihood; lastly, ops and IT professionals must learn to get along. Despite vastly different routes, they’re headed for the same destination: a secure nuclear future.

 |  |  |  | 
Douglas Bonderud
Freelance Writer

More from

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

May 1, 2024

New proposed federal data privacy law suggests big changes

3 min read - After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations. With the American Privacy Rights Act of 2024, the U.S. government established…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature