Most nuclear plants not prepared for cyber attack, says Chatham House

The cyber threat to nuclear facilities is indicative of the threat to much of all critical infrastructure, says cyber security expert Alan Woodward

Most nuclear power plants around the world are not well prepared for cyber attacks, according to a report by international affairs think tank Chatham House.

Many of the control systems used for nuclear plants, including those in the UK, are not well protected and are “insecure by design”, said the report, which was based on an 18-month study of cyber defences in nuclear power plants around the world.

The UK is leading cyber security in the international critical national infrastructure community, David Willacy, manager of digital risk and security at energy operator National Grid, told a Cyber Security Summit in London in July 2015.

“But there is still a desperate need for real cultural change in the energy sector in the UK and elsewhere. Those in the energy sector need to realise they are no longer just engineering companies, but that they are IT engineering companies, because power networks are now completely reliant on IT to operate, and that security is only as good as the weakest link,” he said.

A key finding of the report was that the infrequency of cyber security incident disclosure at nuclear facilities makes it difficult to assess the true extent of the problem and may lead nuclear industry personnel to believe there are few incidents.

Another key problem identified by the Chatham House Project on Cyber and Nuclear Security is that many nuclear plants are under the illusion that it is impossible for hackers to get at core systems.

This belief is based on the fact that internal networks at nuclear plants are typically air-gapped or physically isolated from the internet.

However, the researchers pointed out in a blog post in March 2015 that the Stuxnet worm was able to cause physical damage to Iran’s nuclear centrifuges in 2010, despite the control system at Iran’s uranium enrichment plant being air-gapped, as the worm was introduced via infected USB devices.

“Air-gapping may indeed lead to complacency on cyber security if it is thought to offer complete invulnerability,” the blog post said.

Hackers can worm their way into nuclear infrastructure networks

Despite this reliance on air-gapping, the Chatham House researchers found evidence of links to the public internet on nuclear infrastructure networks that were unknown to those in charge.

The researchers also found that search engines had indexed these links, making it easy for would-be attackers to find ways into the networks of nuclear plants.

As a result, the latest report said the risk of a serious cyber attack is “ever present” and growing.

The digitisation of systems and increasing reliance on commercial software is increasing the risks to the nuclear industry, the report said.

More than two-thirds of all advanced cyber attacks in the UK are targeted at the energy, education and financial services sectors, according to a recent report by security firm FireEye.

The Chatham House report calls for an improvement in the defence of nuclear facilities against cyber attack, especially against large-scale attacks that take place outside office hours.

“The nuclear industry is beginning – but struggling – to come to grips with this new, insidious threat,” Chatham House research director for international security Patricia Lewis told the BBC.

The report said a lack of regulatory standards, as well as limited communication between cyber security companies and suppliers, are also of concern.

This suggests the industry’s risk assessment may be inadequate; as a consequence, there is often insufficient spending on cyber security. 

Developing countries may be particularly at risk, because they have even fewer resources available to invest in cyber security, the report said.

The report noted that nuclear plant personnel (who are operational technology engineers) and cyber security personnel (who are information technology engineers) frequently have difficulty communicating.

Nuclear plant personnel often lack an understanding of key cyber security procedures, the report said, because documents produced by cyber security personnel do not communicate these procedures in language that is clear to them.

The report found that training at nuclear facilities is often insufficient and that reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.

The report recommends that the nuclear industry:

  • Develop a more robust ambition to match or overtake its opponents in cyberspace;
  • Fund the promotion and fostering of cyber security in the industry;
  • Establish an international cyber security risk management strategy;
  • Develop co-ordinated plans of action to address the technical shortfalls identified, such as in patch management;
  • Include all stakeholders in the organisational response.

Time to modernise critical national infrastructure with effective cyber defences

Raj Samani, chief technology officer for Europe at Intel Security, said it is important to move forward towards the modernisation of critical national infrastructure.

“The efficiencies are essential in supporting our modern society,” he told Computer Weekly.

“Therefore, we have to implement the appropriate safeguards to protect these environments in a threat landscape that is evolving and threat actors that are becoming considerably better resourced and skilled,” said Samani.

Europol consultant, cyber security expert and visiting professor at Surrey University Alan Woodward said the cyber threat to nuclear facilities is indicative of the threat to much of all critical infrastructure.

“In the case of nuclear power plants, the potential for damage to others, not just the installation, is what makes this particular threat of huge concern. However, I fear other installations may be just as vulnerable, and could cause as big a risk. Imagine a water treatment plant where a hacker caused too much of a treatment chemical to be added, or a gas storage facility where pressures were tampered with, leading to an explosion.

“Both have happened by accident in the past, leading to widespread damage, so we know what a deliberate attack might result in,” he said.

According to Woodward, the Chatham House report is particularly shocking because most people assume that nuclear facilities, with their potential for damage in case of failure, will have the highest safety built in.

“Unfortunately, people are still forgetting the cyber dimension when it comes to threat modelling,” he said.
