Chatham House warns of growing risk of ‘serious cyber attack’ on nuclear facilities

A new report from think tank Chatham House (Cyber Security at Civil Nuclear Facilities: Understanding the Risks) warns that as nuclear facilities are becoming more reliant on “digital systems, commercial off-the-shelf software and internet connectivity”, they are becoming “more susceptible to cyber attack”.

And with this increased susceptibility comes “the potential – even if remote – for the release of ionizing radiation”.

Lack of executive awareness

The nuclear sector is less likely to disclose cyber security incidents because of “national security sensitivities … leading nuclear industry personnel to believe that cyber attacks are less of a threat than is actually the case.”

Moreover, as a late adopter of digital technologies, the “nuclear industry as a whole is currently struggling to adapt” and there is a “lack of executive-level awareness of the risks involved”.

Among the report’s specific findings is the fact that many nuclear facilities now have VPNs and undocumented Internet connections, meaning they are not air-gapped as many facility operators believe, and that even where there are air gaps, “this safeguard can be breached with nothing more than a flash drive”.

Known cyber security incidents at nuclear facilities

The cyber threat is not merely theoretical, either. The report lists a number of known cyber security incidents at nuclear facilities over the last 25 years:

  • Ignalina nuclear power plant, Lithuania (1992) – A technician “intentionally introduced a virus into the industrial control system … in order to highlight the cyber security vulnerabilities of such plants”.
  • Davis-Besse nuclear power plant, Ohio (2003) – The Slammer worm infected the supervisory control and data acquisition (SCADA) system, disabling the safety parameter display system (SPDS) for almost five hours.
  • Browns Ferry nuclear power plant, Alabama (2006) – A malfunction of both reactor recirculation pumps and the condensate demineralizer controller meant Unit 3 had to be manually shut down to avoid a meltdown.
  • Hatch nuclear power plant, Georgia (2008) – An engineer installed a software update on the plant’s business network, which in turn reset the plant’s control system so that data between the two systems could synchronise. The safety system, interpreting “the temporary zero value of the water level to mean that there was insufficient water to cool the reactor core,” put Unit 2 into automatic shutdown for 48 hours.
  • Natanz nuclear facility and Bushehr nuclear power plant, Iran – Stuxnet (2010) – The Stuxnet worm, probably spread via infected USB drives, infected two nuclear facilities in Iran, “partially destroying around 1,000 centrifuges at Natanz.” An unnamed Russian plant was also affected by Stuxnet at about the same time.
  • Korea Hydro and Nuclear Power Co. commercial network, South Korea (2014) – Using a phishing email, hackers gained access to the commercial network of the company that operates 23 of South Korea’s nuclear reactors. Stolen blueprints and manuals for two reactors were leaked via Twitter, and extortion threats were made, demanding that the company shut down three reactors.

Without wishing to sound needlessly alarmist, the possibility of a nuclear incident because someone neglected to implement proper cyber security controls does exist, and the threat is increasing significantly: in May, Dell reported that attacks on critical infrastructure – including nuclear facilities – had doubled year-on-year.

Identifying your vulnerabilities before criminals do

Yukiya Amano, director of the International Atomic Energy Agency (IAEA), told the IAEA’s first international conference in May that:

“Computers play an essential role in all aspects of the management and safe and secure operation of nuclear facilities, including maintaining physical protection. It is vitally important that all such systems are properly secured against malicious intrusions.”

Vulnerabilities common to off-the-shelf software, CMS platforms, applications and plugins are being discovered and exploited all the time by opportunistic criminal hackers who use automated scans to identify targets. This means that every Internet-connected organisation is at risk – not just nuclear facilities. Whatever your industry, making sure you close security gaps and fix vulnerabilities as soon as they become known is essential to keeping your networks secure and your corporate information safe.

Many opportunistic attacks could easily be prevented by simple housekeeping. If you’re concerned about your organisation’s susceptibility to attack, we recommend using a penetration test to determine your attack surface so that remedial measures can be taken.

Penetration testing is an essential component of a best-practice approach to information security, such as that set out in the international standard ISO 27001, which addresses people, processes and technology.

IT Governance’s penetration testing services provide a prioritised set of results as standard, making the remediation process easier for clients, and reducing their long-term exposure to vulnerabilities. Vulnerabilities are presented in an easily comprehensible dashboard and ranked by importance according to the Common Vulnerability Scoring System (CVSS) – an industry standard. Critical vulnerabilities are reported to clients as soon as they are discovered and suggestions for remediation are provided so that clients can react in a timely and appropriate manner.

IT Governance is a CREST-accredited penetration testing service and a PCI QSA (Qualified Security Assessor), and is qualified to conduct vulnerability scans and penetration tests to ensure your compliance with standards including the PCI DSS and ISO 27001.
