Risk of serious cyberattack on nuclear infrastructure growing, independent policy institute finds

The risk of a serious cyberattack on global civil nuclear infrastructure is growing, as facilities become ever more reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, according to a new report from Chatham House, a London, United Kingdom-based independent policy institute.

The report, released on Monday, found that “the infrequency of cyber security incident disclosure at nuclear facilities makes it difficult to assess the true extent of the problem and may lead nuclear industry personnel to believe that there are few incidents.” In addition, the trend to digitization, when combined with a lack of executive-level awareness of the risks involved, means that nuclear plant personnel may not realize the full extent of their cyber vulnerability and are thus inadequately prepared to deal with potential attacks.

The report, titled Cyber Security at Civil Nuclear Facilities – Understanding the Risks, was compiled from a literature review; interviews with industry practitioners, policy makers and academics; a series of expert roundtable workshops at Chatham House; and soliciting feedback from industry experts at international conferences. Interviews were conducted with 30 practitioners working on cyber security and on nuclear issues in fields ranging from industry to government, international organizations and academia. A variety of countries participated, including the United States, U.K., Canada, France, Germany, Japan, Ukraine and Russia, as well as representatives of major international organizations, including the IAEA and the European Network and Information Security Agency.

Besides the infrequency of cyber security incident disclosure, Chatham House also found a paucity of regulatory standards, as well as limited communication between cyber security companies and vendors, are also of concern. “This suggests that the industry’s risk assessment may be inadequate; as a consequence, there is often insufficient spending on cyber security,” the report noted.

Another finding was that the conventional belief that all nuclear facilities are ‘air gapped’ – isolated from the public internet – is a myth. “The commercial benefits of Internet connectivity mean that a number of nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of.”

Search engines can readily identify critical infrastructure components with such connections, the report went on to say, adding that even when facilities are air gapped, this safeguard can be breached with “nothing more than a flash drive. Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.”

In the light of these risks, the report outlines a blend of policy and technical measures that it said are required to counter the threats and meet the challenges. Recommendations include the following:

• Developing guidelines to measure cyber security risk in the nuclear industry, including an integrated risk assessment that takes both security and safety measures into account;

• Engaging in robust dialogue with engineers and contractors to raise awareness of the cyber security risk, including the dangers of setting up unauthorized Internet connections;

• Implementing rules, where not already in place, to promote good IT hygiene in nuclear facilities (for example to forbid the use of personal devices) and enforcing rules where they do exist;

• Improving disclosure by encouraging anonymous information sharing and the establishment of industrial CERTs (Computer Emergency Response Teams); and

• Encouraging universal adoption of regulatory standards.