By Debra Decker and Kathryn Rauhut:
Are nuclear facilities vulnerable to attack and sabotage? Perhaps more than you might think.
The attackers knew what they needed – the nuclear plant’s instrumentation and control systems design and configuration, vendor specifications, and networking diagrams. To get into the offsite office building where that information was stored, they placed modified software into the building’s off-the-shelf security system, manipulated the card reader on the target office’s entry door so that any magnetic stripe would be accepted, and altered the security office’s console monitor to display an innocent still shot of a secure door. They entered the office after hours and obtained the needed information.
Now so informed, the attackers built a plant mockup. They had already determined the plant’s cooling systems would be their target. With some spear phishing and social engineering of the plant’s security manager, they learned the plant’s security protocols and its biometric and badging systems. They targeted a site-access worker, copied his unprotected RFID card, elevated his plant access and lowered the biometric match required. Replicating the worker’s ID with the attacker’s photo was easy. Then that attacker entered the protected security layer around the plant, navigated to a place where he could find access to servers, and inserted a USB device into part of the control system. The device was able to spoof the operator display and alarms and to modify the software manipulating the cooling flow and the flow meters. The attacker installed a delay and only later, when safely away from the plant, stopped the cooling system equipment. No alarms were triggered.
The failure of the cooling system used to steam the turbines caused a local blackout – or maybe it was worse. With capacity low in some areas, the blackout could be more widespread. Or worse still, if all back-up cooling were cut off and any dual-monitoring cut, spent fuel pools could erupt in a major fire spewing radioactive material – leading to mass area evacuations and trillions of dollars in losses.
This is only a hypothetical, based on elements of an attack demonstrated at a recent international nuclear meeting. The scenario is both easier and harder to do – depending on where the plant is located. While access points for USB devices are blocked in some countries’ nuclear plants, no standards for this exist internationally. Twenty states with weapons-usable nuclear materials and/or nuclear facilities score a zero for cyber security – having no mandatory cybersecurity protections or assessments, according to a report from the Nuclear Threat Initiative. Chatham House noted similar cyber issues. And there is little need to enter an authority’s offices to obtain personnel and plant data. Someone can simply ask or hack for it. The sharing/theft of proprietary information is not uncommon. And hackers in 2014 got information on nearly 11,000 employees at Korea Hydro and Nuclear Power as well as on plants’ cooling systems. Critical infrastructures are regular cyber targets, and access ID cards are not always returned.
The Role Industry Can Play in Improving Security
Although some are cutting nuclear power reliance, others are embracing it in Europe and elsewhere. It is a stable non-carbon baseload source of electricity. Based on our research, many in the industry are worried about security issues, including what is getting built into new plants or into software and hardware upgrades of existing plants. This issue is increasingly important with the drive for plant efficiencies and digitalization as analog systems become obsolete. And nuclear facilities are indeed terrorist targets. Sabotage of a plant or theft and use of materials would make good theater – al-Qaeda knew this and ISIS knows this. Yet what we don’t know is how to address that threat and reduce our nuclear vulnerabilities across all nuclear facilities and related materials transport.
The annual London symposium of the World Nuclear Association will be held this week, the week of September 11. New leadership in the United Kingdom has put off its approval of a major new nuclear power facility – Hinkley Point – that had as lead investors/builders Electricite de France (EDF) and China General Nuclear Power (CGN). The question is: whom can you trust with critical national facilities? Even the US and others have restrictions on Chinese participation in certain critical industries. Many are watching as EDF and CGN will participate in the industry meetings. The bigger issue is the lack of good industry standards and ways to verify compliance with those.
Some industry leaders there will be trying to develop a broader consensus around industry’s role in improving security going forward. Especially with the end of the Obama-initiated nuclear security summits, most of the responsibility for driving security falls to international organizations like the International Atomic Energy Agency (IAEA) and national regulators. Industry is more agile than national and international bureaucracies and can help develop best operating standards, including ones that can be part of new plant designs – such as Hinkley Point. That agility in developing standards and good approaches to managing fast-emerging security risks is indeed what is needed – and the public should demand it. Industry needs to do more than simply seek invitations into the halls of the IAEA and other institutions to be part of their plays. Industry needs to be proactive on its own in addressing critical risks and invite in the IAEA and others to participate. Otherwise, our power plants risk being part of a production few want to see.
Debra Decker is a Senior Advisor at the Managing Across Boundaries initiative at the Stimson Center. Kathryn Rauhut is a Nonresident Fellow, based in Vienna, for the Managing Across Boundaries initiative.