A new report reveals that civilian nuclear facilities are not paying adequate attention to developing "cyber security readiness". According to the executive summary of "Cyber Security at Civil Nuclear Facilities: Understanding the Risks", the Royal Institute of International Affairs at well known think tank Chatham House conducted in-depth interviews with 30 industry practitioners, policy-makers, and academics over the past year in an effort to understand the intersection of physical security and cyber security at civilian nuclear facilities. This report in part responds to the growing concern among some that hackers and terrorists could launch a digital attack against a nuclear facility, thereby threatening the public with radiation should a meltdown occur and/or potentially undermining popular confidence in civilian nuclear energy.
“Cyber security is still new to many in the nuclear industry,” said Caroline Baylon, the report’s author. “They are really good at safety and, after 9/11, they’ve got really good at physical security. But they have barely grappled with cyber.”
Through their interviews, researchers at Chatham House uncovered a number of "major challenges" confronting civilian nuclear facilities. One of the key problems identified in the report is the conventional belief that civilian nuclear facilities are protected against digital attacks as a result of their networks being air-gapped, or isolated from the public web. This perspective was proved false in 2010 when Stuxnet, a computer worm whose attack vectors were recently discovered to still be viable via the use of the vulnerability CVE-2015-0096, caused physical damage to the centrifuges at Iran's Natanz nuclear facilities after being introduced via the use of a USB device. Other challenges include the following:
- A lack of training as well as communication breakdowns between engineers and security personnel means that personnel at nuclear facilities are not adequately knowledgeable about cyber security risks.
- Many facilities adopt reactive and not proactive approaches to cyber security, which means that a nuclear facility might not detect an attack (if at all) until it is already under way.