Evolving threats

Although there has been unprecedented progress in the security of nuclear materials and facilities over the last decade, the cyber threat has increased. Cyberspace provides a new opportunity for determined adversaries to wreak havoc at nuclear facilities—possibly without ever setting foot onsite.

Cyberattacks could be used to facilitate the theft of nuclear materials or an act of sabotage that results in radiological release. A successful attack could have consequences that reverberate around the world and undermine global confidence in civilian nuclear power as a safe and reliable energy source.

Given the risk and the stakes, a new report from the Nuclear Threat Initiative (NTI) calls for governments and industry to increase their focus on the cyber threat. The report says nuclear operators as well
as national and international organisations have “recognised the challenge” and have begun to accelerate their efforts to strengthen cybersecurity at nuclear facilities. However, it warns that the rapidly evolving cyber threat, combined with the proliferation of digital systems, makes it difficult to get ahead of the threat.

Regional risks

For the first time in 2016, the NTI Nuclear Security Index assessed how countries are protecting their nuclear facilities against cyber threats, and the non-profit, non-partisan NTI says the results were troubling.

The Index posed four questions about cybersecurity at nuclear facilities in 47 countries with 1kg or more of weapons-usable nuclear materials or facilities that, if sabotaged, could result in radiological release. Nuclear facilities included power reactors, research reactors, reprocessing facilities, and wet spent fuel storage facilities.

The questions were:

• Does the country require nuclear facilities to be protected from cyberattack?
• Does the country require nuclear facilities to identify critical digital assets? 
• Does the country incorporate cyber threats into its design basis threat or other threat assessment?
• Does the country require performance-based testing of its cybersecurity measures? 

Scoring was based on publicly available laws and regulations, and did not measure implementation. A high score does not necessarily translate to ideal security— although it suggests how seriously a given country takes the cyber threat.

According to NTI the results show that too many countries require “virtually no security measures” at nuclear facilities to address the threat posed by cyber criminals or malicious actors. Although some countries have been taking steps to strengthen cybersecurity requirements at nuclear facilities, through passing new laws and regulations or updating existing ones, many countries lack these crucial frameworks.

Meeting the challenge

The NTI report – ‘Outpacing Cyber Threats: Priorities For Cybersecurity At Nuclear Facilities’ – provides a list of 23 publicly disclosed cyber incidents at nuclear facilities since 1990. The report cites multiple events, from the Stuxnet attacks on the Natanz uranium enrichment facility in Iran between 2009 and 2010, to the hack of Korea Hydro and Nuclear Power in South Korea in December 2014, to more recent revelations of malware found on systems at a German nuclear power plant (see box) as evidence that the current approach to cybersecurity at nuclear facilities is “not equal to the challenge.”

In an effort to get ahead of the threat, the NTI assembled an international group of technical and operational experts with backgrounds in computer security, nuclear safety systems, nuclear engineering, industrial control systems, and nuclear facility operations. This group was asked to identify the core elements of a new strategy, focusing on those elements that would have the greatest possible effect.

Over 12 months, the group identified four overarching priorities, as well as specific actions, that if implemented it says would “dramatically reduce” the risk of damaging cyberattacks on nuclear facilities. Similar concepts are being put to use elsewhere, and NTI believes that, either alone or in combination, they would provide considerable leverage on the threat posed to nuclear facilities. Taken together, the priorities represent a new approach to getting ahead of the urgent and evolving cyber threat. Implementing them will be a multiyear effort and will not be easy, but the risk is far too great to accept the status quo.

Four priorities

Institutionalise cybersecurity

The report notes that implementation of robust processes and practices is essential for the effective management of complex systems and is at the heart of quality management programmes. But is says that given the rapidly evolving cyber threat, such practices are “generally not yet in place” for cybersecurity in nuclear facilities. Nuclear facilities should learn from and actively integrate the practices employed by safety and physical security programmes.

Governments and regulators should work to develop and implement regulatory frameworks, perhaps drawing on lessons learned from progress made in nuclear safety and physical security, that promote the institutionalisation and ongoing improvement of cybersecurity at nuclear facilities. Efforts should be made to draw talented people into the cyber-nuclear field by investing in education and training and providing incentives to take jobs in this critical security sphere.

The nuclear industry should apply lessons learned from industry experiences with safety and physical security. This should include embedding awareness of the importance of cybersecurity throughout the organisation, from the chief executive officer to the most junior employees; developing an implementing processes and practices to ensure cybersecurity, including for example through a graded approach to designing critical systems; and analysis and preparation for emergency response in the event of a cyber incident.

International organisations should support, through international dialogue and definition of relevant best practices, international cooperation and an expanded focus on cybersecurity at nuclear facilities.

Mount an active defence

The report concludes that the static cybersecurity architectures at nuclear facilities are not effective enough on their own to prevent a breach by a determined adversary, nor are they effective enough to respond once a compromise has occurred. Nuclear facilities need to update their prevention and response plans—steps that are essential but that are challenged by the global shortage of technical experts.

The report calls on the nuclear industry to develop active defence capabilities at the facility level, including providing training to boost human capacity, especially in countries with new or expanding nuclear energy programmes. This could include developing mutual- aid agreements or other cross-industry resources to allow facilities to access needed skills. 

On a practical level, the cyber security strategy at a nuclear facility should incorporate the lessons learned from recent attacks on critical infrastructure and be based on the assumption that it is not possible to prevent all cyberattacks before they occur. The ultimate goal would be to develop and implement a capability that allows facility staff members to detect and disrupt cyber intrusions as they happen. Relying on static prevention, such as air gaps, firewalls, and antivirus programs would likely “crumble” in the face of a well-resourced, determined adversary, the report says.

Governments and regulators are called on to enhance cyber expertise within governmental and regulatory bodies, share relevant threat information with industry, consider how to develop and exercise cyber incident response capabilities, and provide additional resources for defence against threats beyond those that facilities could reasonably be expected to handle.

International organisations should facilitate the sharing of threat information where possible and appropriate.

Reduce complexity

Nuclear facilities consist of thousands of digital systems. The security effects of these systems, their functionalities, and how they interact are not always fully understood. Although networks may be initially characterised, this information is not always kept up to date. When it comes to the most critical systems, the best option may be to eliminate digital complexity entirely by transitioning to non-digital solutions.

The report recommends that nuclear facilities should characterise systems, identify excess functionalities and remove them where possible, and work with vendors to develop non-digital systems and products where appropriate. Where complexity must exist, it should be commensurate with the level required to accomplish only the system’s immediate task, and it should be appropriately documented. Those systems performing the most important functions should be engineered to be the least likely to fail.

Governments and regulators should support this initiative with financial, personnel, and research resources. They should facilitate efforts to characterise networks, understand functionalities and interactions, and minimise complexity in critical systems.

International organisations should provide platforms for discussing and developing solutions for reducing complexity.

In some cases it may be appropriate to transition to non-digital systems to greatly reduce the cyber threat (see pursue transformation below).

Pursue transformation

The international community is in the early stages of understanding the magnitude of the cyber threat. In many ways, humans have created systems that are too complex to manage; in most cases, risks cannot even be quantified. As a result, there is a fundamental need for transformative research to develop hard-to-hack systems for critical applications.

Building such robust and secure systems for critical applications will require rigorous software and hardware development, as well as means to assess and verify that trustworthiness and security. This process could take years. The report therefore recommends that researchers should also pursue the development of ‘21st century’ non- digital solutions that would be inherently secure. As existing analogue systems become obsolete they are being replaced with digital systems that offer increased reliability, but also cyber vulnerabilities. The report envisions using modern technology to build high-performance, non-digital solutions for critical safety and security functions.

Governments and regulators should undertake or fund transformative research into the technologies, methods, and approaches that will be necessary to get ahead of the cyber threat. International organisations should foster innovation and continue to think creatively about how to mitigate this threat. They should recruit a variety of voices and perspectives to join the conversation.

The nuclear industry’s role would be to support the efforts of relevant international organisations to continue international dialogue and contribute to the R&D need to improving security.

The report also calls for governments, the nuclear industry and international bodies to strive to boost human capacity across the cyber-nuclear field, especially in countries with new or expanding civil nuclear energy programmes.  

Article based on: Nuclear Threat Initiative (NTI), Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities, which was released at the IAEA International Conference on Nuclear Security in Vienna in December 2016.