Civil nuclear facilities worldwide at risk of cyber attack

The nuclear industry is still unprepared to respond cyberattacks exposing civil nuclear facilities worldwide at risk of cyber attacks.

Civil nuclear facilities worldwide are privileged targets for cyber attacks, according to a new report published this week by the Chatham House.

The Stuxnet attack that targeted Iranian nuclear facilities demonstrated the risks for cyberattacks, for the first time a threat from the cyberspace could cause real damages in the real world.

The 18-month study analyzes cybersecurity at civil nuclear facilities, the survey is conducted interviewing 30 industry practitioners, academics and policymakers from the U.K., Canada, the U.S., Ukraine, Russia,  France, Germany and Japan.

According to the study conducted by Chatham House, the nuclear industry is falling behind other industries when facing cyber security.

“The nuclear industry is beginning – but struggling – to come to grips with this new, insidious threat,” said Patricia Lewis, research director of Chatham House’s international security programme.

However the threat to nuclear facilities is evolving, it is becoming even more digital and it is exploiting new attack vectors.

“Cyber criminals, state-sponsored hackers and terrorists were all increasing their online activity, it said, meaning that the risk of a significant net-based attack was “ever present”. Such an attack on a nuclear plant, even if small-scale or unlikely, needed to be taken seriously because of the harm that would follow if radiation were released.” states the BBC.

Nuclear facilities worldwide have reached a high level of physical security and safety, but are still too exposed to the cyber threats despite the important steps taken recently by the International Atomic Energy Agency (IAEA).

At the first international conference organized by the International Atomic Energy Agency in June, Yukiya Amano, director of the IAEA, said both random and targeted attacks were being directed at nuclear plants.

“Staff responsible for nuclear security should know how to repel cyber-attacks and to limit the damage if systems are actually penetrated,” Amano said in a keynote

The digital component of civil nuclear facilities worldwide is growing even more enlarging the surface of attack of this critical infrastructure. The core of civil nuclear facilities is represented by SCADA systems and industrial control systems (ICSs), but most of them are affected by numerous vulnerabilities that could be exploited by attackers to cause serious damage.

Unfortunately, many experts consider the threat of a major cyber attack at low risk because critical components in nuclear facilities are air gapped (i.e. isolated from the Internet), but Chatham House confirmed that this is a wrong.

“However, it said, this so-called “air gap” between the public internet and nuclear systems was easy to breach with “nothing more than a flash drive”. It noted that the destructive Stuxnet computer virus infected Iran’s nuclear facilities via this route.” continues the BBC.

The study has found that in many nuclear facilities the systems are accessible via virtual private networks (VPN), but some cases operators might not be aware of their existence.

When dealing technical challenges, the Chatham House study names the “insecurity by design” of industrial control systems, highlighting the difficulties in patching vulnerable systems. A patch could cause serious compatibility issues and in the worst scenarios the deployment could result in downtime and compromise the operation of the entire facility. vulnerabilities.

“The nuclear industry as a whole needs to develop a more robust ambition to take the initiative in cyberspace and to fund the promotion and fostering of a culture of cyber security, determining investment priorities and ensuring that sufficient and sustained funding is allocated to effective responses to the challenge. It also needs to establish an international cyber security risk management strategy and encourage the free flow of information between all stakeholders,” Chatham House said in its report. “This will require the industry to develop appropriate mechanisms and coordinated plans of action to address the technical shortfalls identified, as well as to find the right balance between regulation and personal responsibility.”

One of the principal problems approaching cyber security of  nuclear facilities is the risk assessment, it is often inadequate and results in the wrong evaluation of expenditure in defense measures against cyber threats. It is crucial to be able to accurately assess and measure the risk in order to have the commitment of executives.

It is not easy to disclose an incident, in many cases the threats go undetected for a long period of time, in other cases they will never be uncovered. The perception of the risks related to a major cyber attack is low, the hack of an ISC system is wrongly considered a rare event.

According to the study of Chatham House, the lack of cyber security policies, procedures and training makes the situation worse, the operators at nuclear facilities are not prepared to detect and respond cyber attacks.

Enjoy the Report!

Pierluigi Paganini

(Security Affairs – civil nuclear facilities, cyber security)