The threat of cyberattacks on nuclear power plants and other nuclear facilities is substantial and growing, according to a report this week by a prominent industry group.
Experts at the Nuclear Industry Summit, gathered in Washington, say attackers are becoming more skillful and dangerous, meaning companies, governments and regulators must make cybersecurity an industry-wide priority.
"Cyberattacks on nuclear facilities have happened," said Anno Keizer of the Nuclear Industry Summit, who is vice chair of the working group on managing cyberthreats. "It is not a fantasy; it is not a hypothetical situation; it's what happens in real life and which we need to manage in real life. We have also seen that the consequences of an attack can be substantial, both in damaging equipment and disturbing the services that the company delivers to society."
A cyberattack against Korea Hydro and Nuclear Power in South Korea saw hackers steal and release information, Keizer says, in what published reports say might have been a bid to raise public concern about the nuclear industry.
Other attacks on non-nuclear, major industrial targets also raise concerns. An attack on Ukraine's electric grid left thousands of people without power. That attack used a "sophisticated" program called BlackEnergy that targeted industrial control systems, according to the report.
Hackers also caused "massive physical damage" to a German steel mill by taking over control processes and blocking the company's efforts to shut down the facility.
Experts at the Nuclear Industry Summit say hackers focus on systems that control industrial and safety processes in important industrial facilities because that is the key to causing chaos and damage.
The most successful publicly known cyberattack on a nuclear facility saw malware cause serious damage to production equipment at an Iranian plant that was enriching nuclear materials. The virus was called Stuxnet, and apparently prompted the facility's centrifuges to spin out of control and break down.
Computer security experts say the Stuxnet incident shows how a determined hacker can overcome cyber protection efforts by taking advantage of vulnerable employees.
In this case, thumb drives (small data storage devices) loaded with the virus were scattered in areas near the targeted facility. Apparently, someone picked one up and, curious about its contents, put it in a computer that controlled production processes.
Like many nuclear facilities, the Iranian one was protected against cyberattack by an "air gap," meaning critical computer systems are isolated and have no physical connection to the Internet-connected computers used for routine communication, billing and research. With no connection to the outside world, critical computers were mistakenly thought to be safe from hacking attacks.
Ryan Kalember, of the cybersecurity firm Proofpoint, says, "The lesson from that is that people are always the weak link in the [cybersecurity] chain."
In a Skype interview, he says it has proven very difficult to persuade computer users to follow basic safety precautions like not clicking on attachments from unknown emails, or inserting thumb drives from unknown sources.
Cybersecurity expert Patrick Peterson says that while nuclear facilities are targets, they are heavily protected from physical attacks and technical faults, which makes it harder for hackers to attack them successfully and limits the damage done if a hacker actually manages to hijack industrial control systems.
In a Skype interview, Peterson said that means the likelihood of an attack causing a radiation leak is "very low." He says there is a stronger possibility that hackers could disrupt the power grid.
Pros, cons of older plants
Carl Herberger, of cyber protection company Radware, says aging U.S. nuclear power plants may have some cyber vulnerabilities because so many of them were built before cyberattacks were common and defenses were routine. Companies can certainly find and fix these problems.
In a Skype interview, he says the old programs may also have a level of protection because they are so obscure that hackers may have trouble figuring them out.
‘Very, very, very ingenious’
The Nuclear Industry Summit study says the industry must change from a culture focused on following rules to one that seeks out vulnerabilities in the creative and original ways more often seen in hackers. The authors also call for expanding cooperation between companies and countries as they try to fend off attacks.
Cybersecurity expert Christopher Smith of the SAS company says one technique for fighting back is to track how data is flowing on the computer network, and look for deviations from typical user behavior.
In a Skype interview, he said hackers are becoming "very, very, very ingenious" and quickly refining their attacks. According to Smith, when defense technology takes one step forward, the attackers might move three steps forward in their attack methodology.
That is a major concern, according to a nonprofit nuclear watchdog group called the "Nuclear Threat Initiative," which says the number of cyberattacks on nuclear targets is expanding "exponentially." NTI is made up of an international group of experts in technical, policy and other nuclear-related issues.