Let's Keep Hackers Out of Our Nuclear Facilities

Here are some ways to prevent cyber-attacks on nuclear facilities worldwide.

The revelation in 2010 that a digital worm called Stuxnet had been used to damage a thousand centrifuges in Iran's nuclear enrichment programme made it clear that nuclear operations worldwide are likewise vulnerable to serious cyber-attack.

Up to that point, if nuclear operators had thought of cyber-security at all, most were thinking in terms of protecting sensitive and proprietary data. That is clearly important and vital to nuclear security, but the possibility that state or non-state actors might harness the controls in a nuclear facility deserves more than the scant attention it has received until recently. And much more can be done than is being done now.

SCADA (supervisory control and data acquisition) systems are particularly vulnerable to deliberate cyber-attacks. These could be for reconnaissance, poaching operational information to use in a cyber- or physical attack at a later date, or compromising the networks to leave the door open - again, digital or physical - to future attackers.

Such assaults on nuclear power plants could cause widespread power losses or even an uncontrolled release of ionizing radiation. One-off attacks are possible, but so are simultaneous attacks that could trigger armed intrusions at the same facilities or on other critical infrastructure, such as banking systems.

These scenarios are most likely during conflict between states, but terrorist groups might also succeed in a limited attack of this nature.

A recent report published by Chatham House highlighted these concerns. Besides the Stuxnet attack, it describes a cyber-theft at a Korean facility in December 2014 in which reactor blueprints and electrical flow charts were stolen. The earliest well-known incident took place in 1992 when a technician at a Lithuanian nuclear power plant introduced a virus into the industrial control system with the stated intention of demonstrating cyber-dangers. Other reported incidents are equally sobering: one expert cited estimates that some 50 major incidents have affected nuclear industrial control systems. And that is in addition to the now-routine daily attacks targeting operational data.

But all is not lost. Several relatively simple actions could prevent such attacks from succeeding or at least limit the damage. For example, many facility operators erroneously believe that their sites are "air-gapped" (completely isolated from the internet), which is rarely true. This faith is a major vulnerability. The industry could take immediate steps such as training in cyber-security and increasing employees' understanding of the danger from unauthorized internet connections. Plants could ban personal devices from control rooms and block USB ports on their equipment. They could hold regular integrated exercise drills with nuclear plant personnel and cyber-security personnel to develop common understandings and practices. At the very least they can mandate basic cyber-hygiene, such as requiring a change to manufacturers' default passwords on equipment and regular password updates.

At a broader level, nuclear operators could do a better job in sharing confidential information with others in the industry and with governments and law-enforcement agencies. In turn, governments should establish a facility within the national Computer Emergency Response Teams (CERTs) specializing in industrial control systems, and also develop regulatory approaches to cyber-security at nuclear facilities. They could allocate more resources to the International Atomic Energy Agency (IAEA) to assist in formulating recommendations and providing technical assistance for developing countries on ways to respond to cyber-security threats.

The cyber-security threat to nuclear facilities demands an organizational response. Leaders from the boardroom to the control room must be fully aware of cyber-risks and their management. Future facilities must incorporate cyber-security by design, including authentication and encryption technologies right from the drawing board, building in redundancy for resilience. Both the nuclear industry and its regulators need to engage with cyber-security experts on a continuing basis, installing robust policies and action plans to deal with the technical, managerial and cultural shortfalls that contribute to the risk that cyber-attacks currently pose.

The nuclear industry already has regulatory systems and international guidance frameworks in place. The Nuclear Security Summit process - which will hold its fourth meeting in Washington DC at the end of March - and the role of the IAEA in combining nuclear security and nuclear safety are existing mechanisms that can give this important issue the attention it urgently deserves. The time to act is now.

The views expressed above are the author's own.

This post is part of a blog series produced by The Huffington Post and Carnegie Corporation of New York about issues related to the 2016 Nuclear Security Summit. World leaders will gather in Washington, D.C., on March 31-April 1 to address the threat of nuclear terrorism and steps toward creating a global nuclear-security system to prevent it.