October 7, 2015 By Douglas Bonderud 3 min read

Nuclear facilities are now a critical facet of the American utility market. According to the Nuclear Energy Institute (NEI), these facilities generated almost 20 percent of U.S. electricity through 2014, with 99 reactors in use across the country. Owing to the volatile nature of the materials and processes in any nuclear plant, companies have developed excellent physical safety and security procedures.

But as noted by a new Chatham House report based on interviews with 30 industry experts, cybersecurity risk is underestimated at nuclear facilities, leaving these critical producers open to cyberattacks. If plants are breached, what’s the fallout?

The Myth of Air

A recent SecurityWeek article discusses some of the reasons for this lack of nuclear cyber readiness. The biggest problem? A belief that air-gapped systems effectively curtail the risk of cyberattack. The idea here is that since potentially vulnerable points such as industrial control system (ICS) software are often isolated from the Internet, there’s little chance they could be compromised by attackers. The Chatham report, however, found that many nuclear facilities use technology such as virtual private networks (VPNs) to forge outside-facing connections — and in some cases, plant operators aren’t even aware they exist.

Risk assessment is also problematic. The nuclear industry doesn’t have a set of unified guidelines for measuring such risk, and the infrequency of cyber incident disclosures often provides a false sense of security. And according to the report, “very few” plants actually take steps — such as installing software patches, for example — to mitigate security risks. What’s more, most are reliant on perimeter defenses alone to stop attackers, which hasn’t been successful for retail, finance, manufacturing or other energy companies.

Culture also plays a role. As noted by Dark Reading, nuclear operations and IT staff don’t always get along. Operations employees are focused on preventing accidental nuclear incidents, while IT professionals focus on curtailing intentional damage. Add in a different set of employment standards for regular staff and IT teams and it’s not surprising to see that cybersecurity isn’t making headway.

In sum: Nuclear facilities are protected only by myth and miscommunication. And that’s a problem.

Big Boom

How big a problem, exactly? According to the Chatham report, there are a number of worrisome possibilities. For example, cyberattacks targeting a facility’s turbine-cooling water supply could derail its energy production for days or weeks. There’s also the risk of a simultaneous physical/cyberattack designed to force a plant offline. Think of the physical breach as a kind of distracting distributed denial-of-service (DDoS) tactic: With nuclear plants focused on repelling attackers on the ground, cybercriminals could sneak behind the lines and cause havoc.

The most disturbing possibility? Attackers could compromise both the off-site backup power supply and on-site backup system. Coupled with the failure of in-plant safety features, the result could be a nuclear incident of Fukushima-like proportions. While this is not a likely scenario, the lacking cybersecurity environment presents an opportunity for motivated cybercriminals to compromise plants during a natural disaster and cause widespread chaos.

Closing the Gap

A recent Energy Live News showcased the disparity between the nuclear industry’s public face and the reports of Chatham’s 30 anonymous security experts, positioning nuclear facilities as “leading in cybersecurity due to its collaborative skills.” While this may be the ultimate goal, the current state of cybersecurity is one of fragmentation, assumption and cross-purposes. The result is a tempting target for motivated nation-states or disgruntled hacktivists.

Preventing fallout from cyberattacks is possible if plants recognize three basic truths: First, their industry is not immune to cybersecurity risk, whether it’s air-gapped or not; second, reassessment of all cyber defenses is crucial, along with a real accounting of threat likelihood; lastly, ops and IT professionals must learn to get along. Despite vastly different routes, they’re headed for the same destination: a secure nuclear future.

More from

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today