Worldwide civilian nuclear infrastructure is woefully underprepared for the likelihood of a cyberattack, according to a new report from researchers at Chatham House, a London-based think-tank. As facilities become more reliant on digital systems and off-the-shelf software, and as top-level awareness of cybersecurity threats stagnates, a serious event seems foretold.
"Recent high-profile cyber attacks, including the deployment of the sophisticated 2010 Stuxnet worm, have raised new concerns about the cyber security vulnerabilities of nuclear facilities," begins an executive summary of the report. "As cyber criminals, states, and terrorist groups increase their online activities, the fear of a serious cyber attack is ever present."
"This is of particular concern because of the risk—even if remote—of a release of ionizing radiation as a result of such an attack," the summary continues. "Moreover, even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry."
Part of the problem is that nuclear facilities have often delayed implementing digital control systems, usually as a result of regulatory requirements. This lateness means that nuclear facility operators have less experience when it comes to cybersecurity. For decades, they've focused on physical, real-life security, while digital defenses languished. You're probably not going to get a bomb near a reactor core, but malicious code is another story.
The second part of the problem has to do with off-the-shelf software, according to the report. It's much cheaper to buy pre-built systems, but this opens up new possibilities for hacker infiltration.
"Hacking is becoming ever easier to conduct, and more widespread: automatic cyber attack packages targeted at known and discovered vulnerabilities are widely available for purchase," the Chatham researchers write. "Advanced techniques used by Stuxnet are now known and being copied; and search engines can readily identify critical infrastructure components that are connected to the internet."
The paper highlights several barriers faced in fixing the whole mess. One is a lack of incident reporting—operators at different facilities are not always aware of attacks on other facilities. This is further enabled by a general lack of regulatory requirements regarding cybersecurity. Developing countries may have even fewer requirements on top of being at increased risk due to a lack of resources. Staff at nuclear facilities are, moreover, often ill-prepared for cyber threats due to lack of training, poor communication between nuclear engineers and security personnel, and an executive-level disinterest in or obliviousness to non-physical dangers.
The technical challenges outlined include:
Many industrial control systems are 'insecure by design', since cyber security measures were not designed in from the beginning.
Standard IT solutions such as patching are difficult to implement at nuclear facilities, mainly owing to concern that patches could break a system and because of the commercial need to reduce plant downtime.
Supply chain vulnerabilities mean that equipment used at a nuclear facility risks compromise at any stage.
Most of the report's recommendations involve just, you know, doing the opposite of everything above. They range from pushing increased regulation to anonymous incident reporting to banning the usage of personal electronic devices in control rooms. None of it is very surprising.
Organizational inertia is a hell of a thing though. If history is any guide, it will take more than recommendations to see real change. It will take an actual disaster.