Facing up to the cyber threat to nuclear power plants

Paul Boughton

New research suggests that some nuclear power plants are underprepared for cyber attack

Many of the world’s nuclear power plants are not well prepared to defend themselves against cyber attacks, according to a report from international think tank Chatham House.

The report says that the risk of a serious cyber attack on civil nuclear infrastructure is growing, as facilities become ever more reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software. The report finds that the trend towards digitisation, when combined with a lack of executive-level awareness of the risks involved, means that nuclear plant personnel may not realise the full extent of their cyber vulnerability and are thus inadequately prepared to deal with potential attacks.

Down to specifics

Among the specific findings is that the conventional belief that all nuclear facilities are ‘air gapped’ (isolated from the public internet) is a myth. The commercial benefits of internet connectivity mean that a number of nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of.

Search engines can readily identify critical infrastructure components with such connections. Even where facilities are air gapped, this safeguard can be breached with nothing more than a flash drive.

The report also flags up that supply chain vulnerabilities mean that equipment used at a nuclear facility risks compromise at any stage.

A lack of training, combined with communication breakdowns between engineers and security personnel, means that nuclear plant personnel often lack an understanding of key cyber security procedures.

Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.

In the light of these risks, the report outlines a blend of policy and technical measures that will be required to counter the threats and meet the challenges.

Recommendations include developing guidelines to measure cyber security risk in the nuclear industry, including an integrated risk assessment that takes both security and safety measures into account.

Engaging in robust dialogue with engineers and contractors to raise awareness of the cyber security risk, including the dangers of setting up unauthorised internet connections, is another recommendation.

Implementing rules, where not already in place, to promote good IT hygiene in nuclear facilities (for example to forbid the use of personal devices) and enforcing rules where they do exist is also high on the list of recommended actions.

Finally, improving disclosure by encouraging anonymous information sharing and the establishment of industrial CERTs (Computer Emergency Response Teams) is key – as is encouraging universal adoption of regulatory standards.

Products to protect

A US-based software company says that the increase in cyber attacks targeting power generation plants has happened at an explosive rate. It has been confirmed that advanced persistent threat actors have penetrated into the networks of an American-based nuclear power plant and successfully installed malware to command and control computers located at the nuclear generation plant. Attacking and understanding the generation aspect of the grid is critical for the adversary, and using cyber means is the most effective way for them to accomplish those goals. Whatever a generation plant uses, whether coal, fossil, hydro, nuclear, solar or wind, it is being targeted by cyber attacks.

MalCrawler is a next-generation cyber security product that detects, analyses and destroys malware targeting critical infrastructure. MalCrawler is designed to help protect assets such as power generation from devastating ICS malware, and its makers claim it is the only tool that can determine the presence of malware targeting ICS devices.
