Nuclear facilities are now a critical facet of the American utility market. According to the Nuclear Energy Institute (NEI), these facilities generated almost 20 percent of U.S. electricity through 2014, with 99 reactors in use across the country. Owing to the volatile nature of the materials and processes in any nuclear plant, companies have developed excellent physical safety and security procedures.
But as noted by a new Chatham House report based on interviews with 30 industry experts, cybersecurity risk is underestimated at nuclear facilities, leaving these critical producers open to cyberattacks. If plants are breached, what’s the fallout?
The Myth of Air
A recent SecurityWeek article discusses some of the reasons for this lack of nuclear cyber readiness. The biggest problem? A belief that air-gapped systems effectively curtail the risk of cyberattack. The idea here is that since potentially vulnerable points such as industrial control system (ICS) software are often isolated from the Internet, there’s little chance they could be compromised by attackers. The Chatham report, however, found that many nuclear facilities use technology such as virtual private networks (VPNs) to forge outside-facing connections — and in some cases, plant operators aren’t even aware they exist.
Risk assessment is also problematic. The nuclear industry doesn’t have a set of unified guidelines for measuring such risk, and the infrequency of cyber incident disclosures often provides a false sense of security. And according to the report, “very few” plants actually take steps — such as installing software patches, for example — to mitigate security risks. What’s more, most are reliant on perimeter defenses alone to stop attackers, which hasn’t been successful for retail, finance, manufacturing or other energy companies.
Culture also plays a role. As noted by Dark Reading, nuclear operations and IT staff don’t always get along. Operations employees are focused on preventing accidental nuclear incidents, while IT professionals focus on curtailing intentional damage. Add in a different set of employment standards for regular staff and IT teams and it’s not surprising to see that cybersecurity isn’t making headway.
In sum: Nuclear facilities are protected only by myth and miscommunication. And that’s a problem.
Big Boom
How big a problem, exactly? According to the Chatham report, there are a number of worrisome possibilities. For example, cyberattacks targeting a facility’s turbine-cooling water supply could derail its energy production for days or weeks. There’s also the risk of a simultaneous physical/cyberattack designed to force a plant offline. Think of the physical breach as a kind of distracting distributed denial-of-service (DDoS) tactic: With nuclear plants focused on repelling attackers on the ground, cybercriminals could sneak behind the lines and cause havoc.
The most disturbing possibility? Attackers could compromise both the off-site backup power supply and on-site backup system. Coupled with the failure of in-plant safety features, the result could be a nuclear incident of Fukushima-like proportions. While this is not a likely scenario, the lacking cybersecurity environment presents an opportunity for motivated cybercriminals to compromise plants during a natural disaster and cause widespread chaos.
Closing the Gap
A recent Energy Live News showcased the disparity between the nuclear industry’s public face and the reports of Chatham’s 30 anonymous security experts, positioning nuclear facilities as “leading in cybersecurity due to its collaborative skills.” While this may be the ultimate goal, the current state of cybersecurity is one of fragmentation, assumption and cross-purposes. The result is a tempting target for motivated nation-states or disgruntled hacktivists.
Preventing fallout from cyberattacks is possible if plants recognize three basic truths: First, their industry is not immune to cybersecurity risk, whether it’s air-gapped or not; second, reassessment of all cyber defenses is crucial, along with a real accounting of threat likelihood; lastly, ops and IT professionals must learn to get along. Despite vastly different routes, they’re headed for the same destination: a secure nuclear future.