Nuclear Reactors 543 - U.S. Government And Nuclear Industry Collaborating On Cybersecurity


Cybersecurity has been in the news a lot lately. In the past few years, there have been thefts of customer records from major corporations as well as government institutions. Russia's interference in the 2016 U.S. presidential election through the hacking of emails from the Democratic side generated a lot of headlines.

A very serious but under-publicized concern is the possibility of cyberattacks on U.S. critical infrastructure such as public utilities and communications systems. One of the biggest worries about infrastructure is the possibility that hackers could gain control of the operational software of a nuclear power plant and sabotage the operation.

Some analysts believe that a cyberattack combined with a physical attack on a nuclear power plant could result in the release of radiation or the release or theft of fissile materials. Even the penetration of non-operational IT systems at a nuclear power plant could result in adverse publicity for the nuclear industry and a loss of public support for nuclear power.

The Nuclear Threat Initiative (NTI) is a non-profit organization that was created in 2001 for the purpose of “preventing catastrophic attacks and accidents with weapons of mass destruction and disruption including nuclear, biological, radiological, chemical or cyber.” (Wikipedia) The NTI has catalogued around twenty-four “cyber” incidents since 1990. About a dozen of those were considered to be of “malicious intent.”

In one of the malicious attacks, in December of 2014, North Korea is believed to have stolen the blueprints for one of South Korea’s nuclear power plants, along with estimates of possible radiation exposure for people living nearby in case of an accident or sabotage.

Another malicious attack took place in Japan between November 2015 and June 2016. Hackers posing as university students sent malicious emails to researchers at the University of Toyama Hydrogen Isotope Research Center in order to obtain access to the computers at the research center. They went on to steal almost sixty thousand files including research on the Fukushima disaster.

Any catalog of cyberattacks in the U.S. nuclear industry will inevitably be incomplete. The U.S. Nuclear Regulatory Commission requires nuclear plant operators to report events that threaten “the safety, security functions, or emergency preparedness of the plant.” This does not include non-critical IT systems, which are generally easier to access. If nuclear power plants are looking to boost security, they cannot afford to leave out the non-critical IT systems.

Fortunately, most of the power plants in the U.S. are so old that they employ analogue control systems that would be difficult to hack because they are not accessible from the Internet. In addition, the NRC has been improving regulatory requirements for U.S. nuclear plant cybersecurity. On the other hand, many nuclear power plant systems are being upgraded to include digital components which may reduce their cybersecurity.

In early 2007, engineers at the Idaho National Laboratory gave a demonstration called “Aurora” to U.S. energy regulators and industry representatives. They showed the attendees how only twenty-one lines of computer code could seriously damage a big generator. For some of the industry representatives, this was a wake-up call about the dangers of cyberattacks on their nuclear power plants.

In 2009, the Stuxnet attack inserted a computer worm into Iran’s nuclear enrichment facility at Natanz, and the worm destroyed a thousand centrifuges. The facility’s computers were physically disconnected from the Internet, but the attackers were able to smuggle a USB thumb drive into the facility in order to inject the worm. The U.S. and Israel were suspected of devising and carrying out the attack. The computer worm the attackers used was very sophisticated and utilized four different vulnerabilities in the Natanz computers to take over heavily protected industrial controls. This incident convinced many in the nuclear industry that there needed to be stronger regulation and investment in cybersecurity.

Cybersecurity experts in the U.S. and abroad are now being proactive. Groups of hackers are invited to deliberately attack test systems in order to reveal vulnerabilities in cybersecurity. Governments and private companies are collaborating in such exercises in order to improve nuclear cybersecurity.