Cyberattacks are on the rise. The past year alone has witnessed some of the most spectacular data breaches in history, among them the hacking of Sony and the Office of Personnel Management (OPM).
Most cybersecurity experts predict that as the economy becomes ever more digitalized, the frequency of cyberattacks, and the cost they incur, will continue to balloon. Zurich Insurance Group has estimated that the total cost of cyberprotection could exceed the economic benefit of the Internet by 2019.
The stakes of cybersecurity often go beyond the mere monetary, as when credit card numbers are stolen, and the invasion of privacy, as in the case of Sony and Ashley Madison. A new report by the London-based NGO Chatham House warned that the civilian nuclear facilities, chiefly power plants, could be the target in the next wave of cyberterrorism.
“As older equipment in existing facilities reaches the end of its working life and needs replacement, comparable equipment is no longer manufactured or available, and so it is gradually being replaced with newer hardware (and software) that has more digital features,” the report states. “These new digital systems have been conceived without adequate security protection, making them ‘insecure by design.'”
A number of sources were used for the report, including “industry practitioners, policymakers and academics” and IT experts who had worked at nuclear facilities, most of them anonymously.
The report lays out a number of new vulnerabilities that could afflict nuclear facilities during the digital transition: the loss of redundant, independent fail-safes; opening a backdoor to the reactor protection system via virtual private networks; malware via USBs that are implanted on-site; undocumented connections to the Internet; or by employees using their personal devices at work (a common practice) that happen to be infected.
In a theoretical worst-case scenario, hackers could indirectly induce a nuclear meltdown by going after the facility’s power source.
“Attacks on the offsite power supply and the on-site backup system could create some of the effects that occurred following the 2011 earthquake and tsunami at Fukushima Daiichi,” the report states. “Although multiple failures of the many safety features at modern nuclear power plants would also need to occur at the same time as that loss of offsite power and the disruption of standby generators.”
But some industry insiders believe the safety features are sufficient. Rizwan Uddin, a professor at the University of Illinois’s Department of Nuclear, Plasma, and Radiological Engineering, dismissed a cyberinduced Fukushima-type scenario as unlikely.
“If the offsite gets terminated, then the reactors have internals mechanisms that can cool the reactor,” Uddin said in a phone interview. “Unless they can simulate the Fukushima flood to knock out the internal diesel generators, there are parts of the safety system that will work.”
A cyberattack would never be able to sabotage the innermost layer of a nuclear facility’s security, the reactor safety system, because it will always be placed “out of the cyber realm,” inaccessible by Wi-Fi or USB attacks, Rizwan said.
Rizwan, who oversees a project that performs simulations of cyberattacks on nuclear facilities, is also optimistic about the defenses afforded to the outer layers of nuclear power plants.
“We are testing the number of attacks that can come in and how many of these attacks we can identify and catch,” Rizwan said. “The preliminary results show that the systems are fairly safe, very safe.”
At the behest of regulatory bodies, nuclear power plants have proceeded with extreme, perhaps excessive, caution when adopting digital control systems.
“Ten years ago, there was a huge push … to switch from analog to digital, but in the next five or ten years, not one has switched,” Rizwan said. “The Nuclear Regulatory Commission … is being very, very careful, they wanted to have a complete backup of the analog system maintained for an extended period of time.”
And the backups work. The infection of the Ohio-based Dave-Besse nuclear power plant by the Slammer virus in 2003, cited prominently in the Chatham report, disabled the facility’s main reactor-core monitors for nearly five hours, but never posed a risk due to the existence of an analog copy. The plant was also offline at that time.
Rizwan doesn’t rule out the risk of an effective cyberattack — ”the number can never be zero”—but is confident that the industry has put enough care and caution into making sure the digital transition is a smooth one. Still, he thinks that reports like the one by Chatham, as sensationalistic as they are, spurs the nuclear power industry and regulators to be disciplined.
“I like these reports, they keep everyone on their toes,” Rizwan said.