The nuclear power industry must improve its readiness for cyber-attacks in the face of growing risk, a new report has found.
In an 18-month study which examined nuclear power plants and cyber-incidents worldwide, UK thinkthank Chatham House found that many plants across the globe are unprepared for large-scale cyber-attacks, while such attacks are increasingly likely to occur.
The report, Cyber Security at Civil Nuclear Facilities: Understanding the Risks, said nuclear plant operators are focused primarily on operational safety and the security of their plant’s physical infrastructure, resulting in a “culture of denial” about cybersecurity, which Chatham House said the industry has barely begun to deal with.
The thinkthank’s survey of nuclear plants found risks included aging infrastructure, insecure design, increasing conversion to digital systems, and the growing use of commercial software without taking steps to boost its security – for example, many default passwords were left unchanged. In addition, virtual networks and links to the internet have allowed critical infrastructure-seeking search engines to provide hackers with a way in, while plant operators are often unaware of these vulnerabilities and believe that there is a so-called ‘air gap’ between the public internet and the plant’s network. However, the report called this a "myth".
If an attack does happen, the report found, most nations’ nuclear infrastructure is not well-prepared for the consequences.
And it warned that "even a small-scale cybersecurity incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry".
To mitigate the risks, the report's authors recommended developing cybersecurity guidelines for the nuclear industry, including an integrated risk assessment process that takes into account both security and safety measures; raising awareness in plant engineers, contractors and managers; enforcing and implementing cyber-safety rules; and encouraging universal adoption of regulatory standards.