Many nuclear power plants around the world are not well prepared to defend against cyber attacks, according to a report from international think tank Chatham House.
Researchers in the report studied cyber defenses in nuclear plants worldwide for 18 months. They concluded that plant infrastructure was “insecure by design” because of their age. Digital systems have been adopted later in the nuclear industry than in other sectors.
The industry’s focus has also been on physical security and safety, which means less focus has been on cybersecurity, the report said. One such incident was the Stuxnet worm, which was a computer virus that had infiltrated computers at the Bushehr nuclear power plant in Iran in 2010.
Some industry-wide challenges the report spells out include the infrequency of cyber security incident disclosure at nuclear plants, which makes it difficult to assess the true extent of the problem and lead personnel to believe there are fewer incidents; limited cybersecurity standards and communication between cybersecurity companies and vendors; potential insufficient spending on cybersecurity; and fewer resources in developing countries to invest in cybersecurity.
There are also cultural and technical challenges, such as a lack of integrated cybersecurity drills between nuclear plant personnel and cybersecurity personnel, reactive instead of proactive approaches and supply chain vulnerabilities.
Some recommendations the report makes are to assess the risk and attract more investment in cyber defenses, engage in robust dialogue between engineers and contractors to raise awareness of the risks, develop guidelines to measure risks in the nuclear industry, and implement rules not already in place to promote good IT “hygiene” in nuclear facilities.
Subscribe to Nuclear Power International magazine