Skip to main content

Cybersecurity and the Nuclear Industry

June 7, 2017

Author:

Monirangsey Touch

Nuclear facilities are among the most highly secured type of critical infrastructure in the U.S. However, as analog systems and instruments are becoming obsolete, the nuclear industry is starting to implement new digital systems throughout its facilities. In order to lower the risks of physical and cyber-attacks, nuclear facilities are adopting strict protection policies and practices.

Despite the implementation of these safety measures, digital instruments and computer-based systems associated with the physical protection system and the control systems inside facilities are still vulnerable. Creating air-gaps and standalone systems is somewhat ineffective when it comes to protecting nuclear facilities against complicated and targeted cyber-attacks. Cyber-attacks on nuclear power plants and their control systems could expedite the theft of usable nuclear materials and malicious acts by adversaries.

The Problem

Growing digitization and reliance on computer-based systems in physical protection and nuclear material accountancy and control systems presents an ever more likely target for cyber-attacks. Critical safety and security systems at all nuclear facilities are isolated from the Internet and are either using air-gaps or “robust hardware-based isolation devices” to ensure security.[1] These devices are being installed throughout the facilities to eliminate potential external threats. However, the growing sophistication of cyber threats brings the effectiveness of these defensive strategies into question. Malevolent actors and organizations remain capable of disabling physical protection systems and control systems.

For example, Stuxnet infected the Iranian nuclear facilities and disrupted the industrial control systems, disabling the facilities’ centrifuges in 2009.[2] Stuxnet illustrated the possibility of targeting isolated devices, air-gapped facilities, and accomplishing high-level destruction. Stuxnet demonstrated that a driven adversary with sufficient resources and funding can cause damage to nuclear facilities through a cyber-attack, even in places where it seems impossible.

Laws and Regulations

The Nuclear Regulation Commission (NRC) has issued numerous orders to operating power reactor licensees, requiring them to increase security measures and capabilities to protect their systems and infrastructure from “insider terrorist attack, airborne and land-based assaults.”[3] In the last decade, there has been a rise in the number of security breaches as criminal organizations and state-sponsored hackers continue to use cyberspace to inflict destruction and disorder in nuclear facilities. Following the terrorist attacks of September 11, 2001, the nuclear sector began addressing cybersecurity regulations. The emergence of sophisticated cyber threats was also a catalyst for the improvement of cybersecurity and the enactment of stringent security measures.

Immediately after September 11, 2001, the NRC issued Order EA-02-026, also known as the “Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants.” This initial order required all licensees to create specific strategies and guidance to “minimize and mitigate fuel damage, and action to minimize radiological release.”[4] It sets up the foundation for future security measures and guidelines. As cyberspace continues to grow, the NRC is continually enacting and enforcing strict laws, covering different areas including the protection of different digital equipment and systems.

The progression of computer technologies, software, and the emergence of complex malware and viruses require nuclear facilities and agencies to impose more rules, relating to the protection of digital systems. The protection of computer-based systems against cyber threats is a priority for many nuclear power plants.

As nuclear facilities dependence on digital technology grew, the NRC issued CFR 73.54, or the “Protection of Digital Computer and Communication Systems and Network” Order. This particular order requires a “high assurance” of protection of digital computer and communication systems associated with safety and security functions.[5] It requires licensees to protect all systems and networks from threats that can potentially impact the operation of the facilities. The order was created after seven years of security enhancement and lessons learned while implementing various and past regulations.

In addition to CFR 73.54, the “Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities” Order, also recognizes that nuclear facilities need to focus on the protection of computer-based systems associated with physical protection and nuclear material accounting and control.[6] Computer-based systems are crucial elements of the physical protection system as well as the control system. If these computer-based systems are compromised by malicious actors, the other protection and control systems would be at risk as well. [7]

International Cooperation

Nuclear cyber threat is a global challenge that requires cooperation between national and international agencies and between different nation states, especially those with nuclear programs. Cyber threats undermine the security of a facility’s operations and the management of nuclear materials. Despite all of the regulations and guidelines created by different agencies and governments, most parts of the world are still unaware of the potential of nuclear destructiveness and cyber risks.[8] Currently, there is no inclusive international mechanisms or regulations aimed at regulating cyberspace at the international level.[9]

Due to the increasingly sophisticated nature of cyber threats, there is an immense need for cooperation between states and international and regional organizations. There are some mechanisms for this cooperation. Various international organizations work with governments and different industries to come up with innovative practices to mitigate current and future threats. International conferences and the Nuclear Security Summit brings in different voices and perspectives, allowing member states to share information and knowledge derived from their national nuclear security regimes. The first three Nuclear Security Summits (Washington, D.C. in 2010, Seoul in 2012, and Hague in 2014) helped to create a more effective international cooperative framework to support nuclear security.[10]

International conferences created knowledge sharing platforms, where states are encouraged to share best practices and experiences. International organizations play an important role in ensuring peace and cyber cooperation between different states. Also, these organizations are providing hands-on training in cybersecurity to their member states.[11] They also assist states with developing guidance for implementing different cybersecurity measures and practices.[12]

States cannot do this alone. Effective cooperation and communication between governments and organizations are necessary. States with nuclear programs need to work together to set international policies and guidelines for cybersecurity in nuclear facilities. In order to get ahead of the evolving cyber threat, continuous collaboration between various governments, regulators, and international organizations should be prioritized. The steps that governments have taken are not sufficient in comparison to the rapidly growing cybersecurity challenge.

Fostering Human Development

In order to tackle this issue at the national level, the nuclear industry needs to first emphasize the importance of including cybersecurity in its safety regulations. Due to the industry’s late adoption of digital systems, there is a gap in cybersecurity at nuclear facilities. One of the challenges of addressing cyber threat is the shortage of technical expertise in the cyber-nuclear sector. The lack of experts with specific knowledge of digital control systems in the nuclear industry make this issue even more complicated. The nuclear industry needs to build the capacity of its security personnel and operators. Likewise, highly skilled cybersecurity personnel should also have knowledge of the nuclear industry’s best practices. In order to enhance computer security in nuclear facilities, security personnel and operators need appropriate training about the different types of threats that exist and how to better defend against them.

International conferences create spaces and opportunities for these experts to share and learn about computer security and the nuclear practices. The different programs use for educating or training personnel can be crucial.[13] In 2015, during the International Conference on Computer Security in a Nuclear World held in Vienna,  the International Atomic Energy Agency (IAEA) teamed up with a group of international computer security experts to do a computer security demonstration. The demonstration illustrated how malicious actors could navigate through isolated networks to disable physical protection systems and then take over control systems. These experts are key actors when it comes to protecting critical systems in nuclear facilities from cyber-attacks.

Conclusion

Despite the high-level of regulation over nuclear facilities, protecting critical systems against evolving cyber threats is challenging. Computer-based systems improve reliability and operating performance, but they increase vulnerabilities. Air gaps and isolating devices had been widely accepted as effective defensive strategies; however, that changed after Stuxnet. Although no catastrophic damage has resulted from a cyber-attack against a nuclear facility, the Stuxnet attack illustrated the capabilities of new cyber tactics. The nuclear industry needs to do a better job at measuring cyber-attack risks and improving its defensive strategy. The facilities are unprepared for targeted and large-scale attacks. In order to create an effective nuclear security program, the nuclear industry needs to prioritize human capacity development and international cooperation.

Endnotes

[1] Nuclear Energy Institute. “Cyber Security for Nuclear Power Plants.” Nuclear Energy Institute. July 2016. Accessed April 15, 2017.

[2] Szoldra, Paul. “A New Film Gives a Frightening Look at How the US Used Cyberwarfare to Destroy Nukes.” Business Insider. July 7, 2016. Accessed April 18, 2017.

[3] USNRC. “Frequently Asked Questions About NRC’s Response to the 9/11 Events.” The United States Nuclear Regulatory Commission. April 5, 2016. Accessed April 19, 2017. 

[4] USNRC. “Issuance of Order for Interim Safeguards and Security Compensatory Measures for Nuclear Plants.” The United States Nuclear Regulatory Commission. February 25, 2002. Accessed April 17, 2017. 

[5] U.S. Nuclear Regulatory Commission. “73.54 Protection of Digital Computer and Communications Systems and Networks.” United States of America Nuclear Regulatory Commission. December 2, 2015. Accessed April 12, 2017. 

[6] International Atomic Energy Agency. “Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5).” IAEA Nuclear Security Series No. 13 (2011): 22. Accessed April 17, 2017. 

[7] “Cybersecurity at Nuclear Facilities: National Approaches.” University of Applied Sciences: Institute for Security and Safety. Accessed April 17. 

[8] Ibid.

[9] Hasan, Mahmudul. “International Cybersecurity Cooperation.” Modern Diplomacy. November 13, 2016. Accessed April 22, 2017. 

[10] Nuclear Security Summit. “Past Summits.” Nuclear Security Submit. Accessed April 18, 2017. 

[11] Dine, Alexandra Van and Michael Assante. “Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities.” NTI Building a Safer World. Accessed April 17, 2017. 

[12] Ibid, p. 19.

[13] Quevenco, Rodolfo. “Secure Computer Systems Essential to Nuclear Security, Conference Finds.” International Atomic Energy Agency. June 8, 2015. Accessed April 17, 2017. 

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.