There have been a lot of stories lately in the press about the danger of cyberattacks on critical U.S. infrastructure. Chatham House, an international think-tank, issued a report over a year ago that gave details on fifty different incidents of hacking at nuclear power plants in different countries. The author of the report criticized the nuclear industry and said that many nuclear facilities are in denial about the need for enhanced cyber security. The report said that the nuclear industry is "far behind" other industrial sectors in improving cyber security.
Some in the nuclear industry take comfort in the claim that no hacking at a nuclear power plant could result in the release of dangerous radiation or radioactive materials. The report calls this idea into question.
Another reason that the nuclear industry gives for a lack of concern is the fact that their control computers are not connected to the internet and so would not be vulnerable to an online attack. Investigators have found out that despite when the operators may think about there being "air-gap" separation between their computers and the Internet, many nuclear control computers actually are accessible to the Internet. The critics also point out that there are other ways that an infection can be delivered.
There was an incident in 2003 at the Davis Bessie nuclear power plant in Ohio which involved an engineer accessing the plants computers from his laptop through a virtual private network connection (VPN) from his home. When he connected his laptop to a nuclear power plant's computers, a computer worm that had infected his laptop, uploaded itself and caused a critical safety system to overload and shutdown. This is a concrete example of the possibility that a cyber attack on a nuclear power plant could compromise critical safety systems that could lead to a serious accident at the plant. In 2006, a computer at Browns Ferry nuclear power plant in Alabama overloaded and nearly caused a meltdown. In 2008, a contractor uploaded a routine patch update to the control system of the Hatch nuclear power plant in Georgia which triggered a shutdown of the reactor.
In addition to cyber attacks from viruses there are also dangers from inadequate password protection for the control computers. Some have no passwords and other have default passwords like "1234". This means that someone could easily log into a control computer and cause mischief with plant operations that could lead to serious accidents.
After the recent terrorist attack in Paris, there was evidence that the same group was planning on infiltrating a nuclear facility in Belgium. A guard had his identification stolen. There were Belgians involved with the terrorists who had nuclear training and could have caused serious problems if they gotten into the plant and accessed the control computers.
Another problem is that companies that own and operate nuclear facilities are opening more remote access portals into plant control computers in order to collect data on plant operations for the purpose of operational analysis and increasing efficiency. These portals could be used by cyber terrorists.
Computer and nuclear contracted technicians often bring their own computers into a nuclear power plant in order to carry out their tasks. Any of these external computers could be infected and could introduce dangerous viruses into the control computers. Such external computers are routinely connected to the plants computer and left unattended overnight.
Yukiya Amano, the Director of the International Atomic Energy Agency just announced the attack. Amano said, "This is not an imaginary risk. The issue of cyber-attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it's the tip of the iceberg."
Of all public infrastructure, nuclear power plants are some of the most dangerous and most vulnerable. Cyber security must be taken seriously and enhanced before an attack endangers millions of Americans.
