Nuclear plants facing cyber threat
5 Oct 2015
Vulnerabilities within nuclear plants are putting the industry at risk of cyber attacks, a report published by think-tank Chatham House has found.
The report is the culmination of an 18-month research project designed to uncover the link between cyber security and nuclear security.
It draws on expert opinion from 30 nuclear industry representatives worldwide and focuses on the major threats that could have the most impact on a plant’s industrial control systems (ICS).
Findings within the report warn that the likelihood of a serious cyber attack on a nuclear power plant is growing due to an increasing reliance on digital systems and “off-the-shelf” software.
Certain issues are arising because there is a “conventional belief” that a nuclear plant’s control systems are “air-gapped” – or isolated from the internet – but the report says this is not the case, potentially exposing plants to attack.
To date, there have been only a handful of known cyber security incidents at nuclear facilities.
Of the several examples raised in the think-tank’s study, the Stuxnet worm that attacked two nuclear plants in Iran in 2010 is perhaps the most notorious.
Believed to have been developed by the US and Israeli governments, Stuxnet took out roughly 1,000 centrifuges in an effort to cripple Iran’s nuclear weapons programme.
Stuxnet is designed to infect computers running Microsoft Windows operating systems. The worm then takes advantage of the computer system’s vulnerabilities and essentially checks to see if that computer is connected to a Siemens Step 7 SCADA (supervisory control and data acquisition) system.
According to the Chatham House study, the ICS found in operational nuclear facilities – such as SCADA systems – are “insecure by design” because cyber security measures were not initially considered in their design phase.
To combat this, the report calls on the nuclear industry to now promote the importance of “security by design” so that “future generations of industrial control systems incorporate security measures during the initial conception phase”.
The report also highlights the need to address a number of “cultural challenges” within the nuclear industry.
Nuclear plant personnel often “lack an understanding” of cyber security procedures as the documentation produced by cyber security personnel is not in a language that is clear to them, the report suggests.
This is coupled with inadequate and often insufficient cyber security training, with the report finding “a lack of integrated cyber security drills between nuclear plant personnel and cyber security personnel” as a major issue.
To handle the “human factor”, the report outlines several recommendations, including more robust dialogue to raise awareness of cyber security risk and the establishment of rules – such as banning personal devices from the control room and better password security – to be enforced via independent verification methods and technical measures.
Responding to the study, Nuclear Industry Association (NIA) chief executive Keith Parker said cyber security is a major priority for power station operators.
“All of Britain’s power stations are designed with safety in mind and are stress-tested to withstand a vast range of potential incidents,” Parker said.
“The current nuclear fleet is not digital and has no embedded software meaning it would be impossible to defeat reactor protection systems.”