How Well is the Nuclear Industry Protected From Cyber Threats?
By James Conca
There was a cyberattack on the Kudankulam Nuclear Power Plant in Tamil Nadu, India, in September. The nuclear plant’s administrative network was breached in the attack, but it did not cause any operational, safety or critical damage.
Kudankulam plant officials stated that Kudankulam and other Indian nuclear power plants “are stand alone and not connected to outside cyber network and Internet. Any cyberattack on the Nuclear Power Plant Control System is not possible.”
Get started on your cybersecurity degree at American Military University.
Well…this is kind-of-true. True, the cyberattack can’t be accomplished electronically from the outside, but humans can physically get around that by hand-carrying in malware on a flash drive, tablet or portable computer. Or use vendor-required software updates that are compromised. Or let subcontractors in to work on various systems where they have access to the isolated network.
So complacency is the biggest threat, as manifested in the official statement above.
Physically isolating a computer or network from the Internet is called an air gap. An air gap is the concept of physically isolating critical computers or networks from unsecure networks (such as the public Internet).
In theory, devices on either side of this gap are unable to communicate, making an air gap an attractive option for securing the most important networks. In practice, security inspections often find unintended network connections to systems that are meant to be isolated. Evidence of malware infections on air-gapped computer systems are often discovered years after the initial infection.
So air gaps can be effective against unsophisticated and untargeted cyber threats — but not against targeted attacks from within. Worse, they often create a sense of complacency making it possible for a targeted attack perpetrated by a determined, well-resourced adversary to succeed.
This last point is front and center in the 2016 report on cyber threats to nuclear facilities, by the Nuclear Threat Initiative. NTI points out that targeted attacks go beyond network connections and generally leverage “witting or unwitting humans, or a long and difficult-to-defend supply chain, to deliver the attack.”
These are pertinent to the Kudankulam attack. It’s been suggested that the Kudankulam attack was by the North Korean DTRACK virus, customized for Kudankulam itself, thus indicating an inside job. North Korea has a large presence in India.
The figure above shows that the number of cyberattacks against nuclear facilities has significantly increased since 2000.
Kudankulam is the biggest nuclear power plant in India, with two 1,000 MW Russian VVER pressurized water reactors. In collaboration with Russia, the plant is adding four more reactors of the same size which will make Kudankulam Nuclear Power Plant one very large power source, producing over 47.4 billion kWhs per year. It should be protected better.
The Fissile Materials Working Group’s more recent report also notes that organizations must transfer data into and out of their operational networks for a variety of reasons, and these are all pathways for attacks.
New data has to enter even an air-gapped operational network to update its software and hardware. Most famously, the Stuxnet attack penetrated Iran’s air-gapped Natanz uranium enrichment facility in just this way. And the facility was well defended and isolated from the Internet.
If an organization allows flash drives and USB keys to enter and exit their operational technology network, then data diodes, firewalls or switches have no capability to stop them.
Organizations also allow hardware, e.g. computers, iPhones, etc., to enter and exit their operational technology network as part of facility and operations vendor maintenance. Commercial off-the-shelf software, that an organization does not really own, can be compromised.
Some use a laser data-diode in one direction, but still have a need for data to go the other direction and thus there is always some access allowed by someone.
The David Besse nuclear power plant is a good example of a facility that was air-gapped. However, a secondary support connection that bypassed the cybersecurity countermeasures, allowed facility systems to be compromised by the Slammer Worm. Fortunately, no safety systems were affected.
To try to get ahead of the threat, NTI identified four overarching priorities, as well as specific actions, that if implemented would dramatically reduce the risk of damaging cyberattacks on nuclear facilities.
They include: 1) Institutionalize cybersecurity, 2) Mount an active defense, 3) Reduce complexity, and 4) Pursue transformation. It is worth perusing their report for the details of these priorities. It is critical that these priorities be implemented by coordinated actions among government, industry and regulators.
The figures above show the number and types of nuclear facilities in each country around the world (see legend for explanation). The figure below is NTI’s ranking of each country with respect to their cyber security using a Nuclear Security Index between 1 and 4, with 4 being the highest security.
The figure highlights the important gap in cybersecurity at nuclear facilities. Too many countries require virtually no security measures at nuclear facilities to address the threat posed by cyber criminals or malicious actors.
While these worries are justified, it is not coincidental that no bad effects have occurred. America’s nuclear plants are still one of the best protected of all systems from cyber threats.
Unlike other industries, the nuclear power industry conducts regular briefings, and receives quarterly classified briefings on cyber and physical threats, with the FBI and the DHS to discuss threat assessments, to strategize on guarding against them and to maintain situational awareness.
The nuclear industry does not use firewalls to isolate these systems, but use hardware-based data diode technologies developed for high assurance environments, like the DOD. Updating software and equipment using portable devices, have strict restrictions. Outside laptops and thumb drives cannot be used without serious scrubbing, if at all.
Companies who file for an application to operate a nuclear reactor have to submit a cybersecurity plan to NRC, and all new plant designs must do this as well.
New nuclear plant designs, like those at the new small modular reactor company NuScale Power in Oregon, have developed advanced cybersecurity systems along with their new safety and operational systems in order to guard against just this problem. They are also compliant with the NIST Cyber-Security Framework.
A key feature of the NuScale design is that it employs a defensive security architecture with multiple layers of protection against Internet cybersecurity threats. NuScale’s platform implements a Field Programmable Gate Array technology that has non-microprocessor systems – they do not use software and are not vulnerable to Internet cyber-attacks.
Their nuclear plant doesn’t rely on computers or software to provide plant safety. NuScale reactors can safely shut themselves down and cool themselves for an indefinite period of time without the need for computer or human actions, without AC or DC power, and without the need for additional water.
So they are different from existing fleets in this regard. And almost all new reactor designs around the world are incorporating these sorts of features.
Therefore, while there is a definite need not to be complacent and to keep ahead of the rapidly-evolving cyber threats, there is no need to freak out.
As Sam Nunn at NTI puts it, “From the Stuxnet attacks on the Natanz uranium enrichment facility in Iran, to the hack of Korea Hydro and Nuclear Power in South Korea, to disturbing revelations of malware found on systems at a German nuclear power plant—demonstrates that the current approach to cybersecurity at nuclear facilities is not equal to the challenge.”
Keep in mind that the global Internet is still developing its immune system. It is essential that we develop organism-like evolving cyber immune defenses if we are to feel secure in this new cyber age. Google’s Project Zero has formed an elite cyber SWAT team that is cruising the net like white blood cells.
So don’t spend sleepless nights worrying about hacking of our nuclear power plants.
More worrisome is the potential hacking of our grid.
Even more worrisome is the ongoing hacking of our democracy.