Nuclear power plants, like other critical infrastructure, are more vulnerable than ever to cyber attacks. In recognition of this fact, the Department of Homeland Security and the Federal Bureau of Investigation issued a joint report on nuclear cyber attacks with an urgent amber warning, indicating the second highest level of threat.
The warning may seem to contradict a long-held notion that nuclear facilities are secure from cyber intrusion. But the reality is that nuclear facilities today have much more cyber threat exposure, due largely to digitalization (see graphic).
As a result, cyber security programs today should take into account that the threat vector has shifted from physical plant attacks to attacks via third parties, social engineering techniques and other innovative methods. Organizations need to implement cyber security measures that integrate with the broader company and provide multiple layers of defense.
"Security is of paramount importance for our clients who own, operate, and build nuclear power plants. Nuclear power plants are becoming increasingly vulnerable to the persistent and sophisticated nature of cyber threats and multitude of infiltration pathways into a plant’s systems. Layers of defense must be carefully designed and well integrated within both the plant and the broader company."
The increasing frequency and magnitude of cyber-crimes, along with new types of threats, drive the need for enhanced cyber security programs to protect nuclear facilities.
“Cyber security is probably one of the most dynamic ongoing maintenance programs that’s required for a nuclear power plant because the environment of threats is constantly changing. And so, you have to constantly reassess what the threats are and then do an assessment to demonstrate whether or not all the safety and security systems you have in place are the right stuff to prevent those threats from actually being successful.”
Today’s nuclear cyber security program needs to be inclusive—that is, it needs to build in all the regulatory, human/organizational, and technical elements—for strong, multilayered defense.
Even though the nuclear industry is highly regulated, the regulations themselves are not necessarily prescriptive. Compliance, therefore, is not just about checking off boxes, but rather involves deliberation and strategy.
In the US, for example, organizations have two pathways towards meeting licensing requirements:
To determine the right regulatory pathway, organizations would do well to assess which one allows them to leverage available resources and capabilities for enhanced security.
Mediating between OT and IT. The cultural divide between nuclear operators (OT) and cyber security (IT) professionals can make communication difficult.
OT engineers are focused on the safe and efficient running of the plant, usually through strict adherence to established processes and systematic safety testing. IT security engineers are brought in to introduce new security measures—a process that likely will alter the established operating procedures to a degree. Sometimes, the new security measures may even be incompatible with existing safety procedures.
These conflicts are real, but can likely be overcome. Mediation—either through an in-house or third-party integrated work team—often helps to clear up misunderstandings and open up communications.
Raising company-wide security awareness. Even after cyber security procedures are implemented, getting the staff to follow procedure may be difficult. The problem can be even more pronounced in a nuclear environment, especially if there is any confusion about how the new security protocols stand vis-à-vis established plant operating procedures.
Joint personnel drills and continuous staff training can help everyone in the organization understand why and how cyber security procedures need to be carried out.
A major technical challenge is that cyber security measures were not designed into industrial control systems when most of the nuclear facilities were first developed in the 1960s and 1970s. But instead of taking an ad hoc approach to “retrofitting” cyber security, organizations need to think more holistically by considering:
Defense in depth. Since many older nuclear facilities do not have security designed right into the control system, it becomes especially important to create multiple layers of defense starting at the network perimeter. The “deeper” the layers of defense—through a combination of robust technical and operational safeguards—the harder it would likely be for potential attackers to access the system and cause lasting damage.
Security by design. Every major systems upgrade provides an opportunity for operators to adopt cyber security by design, such as deploying authentication and encryption tools in their industrial control systems and networks. They can also collaborate with IT vendors and try to eliminate backdoors in critical equipment via penetration and fuzz testing. IT vendors might also perform deep scanning of programmable field devices’ firmware—and maybe even disclose the field devices’ source code to the operators.