Prepare for the Inevitable: Emerging Cyber Risks to Nuclear Facilities

Recommendations to address emerging issues in cyber-incident response management and communications for nuclear facilities, including public misinformation and the potential sabotage of emergency response efforts

A truly nefarious malevolent actor would not just sabotage a nuclear/radiological facility or system, including products in transport, but could also seek to effect maximum damage by disrupting the response. Greater awareness of the range of new cyber risks is needed along with updated governance metrics to encourage robust scenario-based incident response preparations.

Background

Many existing technologies that we take for granted are vulnerable to cyberattack and increasingly so; for example, GPS – a guidance system on which so many depend – is at risk of cyberattacks due to weak signal strength.[1] As nuclear reliance on digital systems increases and systems become ever more complex, the vulnerable attack surfaces and thus possible threat vectors also increase.[2] Past threat approaches have not subsided, with methods like honeypots and spear phishing – “social engineering” – still working for hackers to steal credentials and gain access. While organizations can train staff to prevent these attacks, new technologies offer more sophisticated threat approaches that cannot be easily mitigated by training.

The Threat

Some new technologies are becoming more easily available and even mainstream. The development of new communication approaches presents additional challenges.

  • AI: Artificial intelligence can be used to perfect social engineering-based attacks or scan for unpatched systems and other vulnerabilities. Zero-click attacks, which can install malware without the victim clicking any link, are hard to avoid.[3] Organizations may use AI to find their own vulnerabilities, but malicious actors can also use AI for similar purposes and more, like helping to develop Deep Fakes.
  • Deep Fakes: Hollywood has been using tools to create special effects for many years, but now the public can, too, with potentially devastating consequences if used to create disinformation about a nuclear incident or to confuse response. Deep fakes can be made from a video tutorial; making good ones does take skill but is not necessarily costly.[4]
  • New Internet Infrastructure: We have already seen the vulnerability of the existing internet system to attacks on cables, satellites, and GPS. These are basic methods of communication and response that are already being challenged. However, recent developments present new challenges. Organizations’ greater reliance on the cloud means protections against cloud failures need to be planned.[5] The rollout of 5G and its security presents new challenges for the U.S. and its hardware suppliers.[6] And the energy sector’s adoption of virtual/augmented reality also raises question marks about cybersecurity.[7]
  • Communications:
    • Fast, Fake Information Sharing: One of the biggest challenges to a coordinated response to a nuclear/radiological incident is the fast dissemination of false news, even if it was not perpetrated by an intended bad actor. The public shares information faster than official government agencies do – presenting an immense problem, as misinformation can spread six times faster on social networks.[8]
    • Malicious Actor Information Sharing and Marketing: Encrypted communication technologies like WhatsApp and Signal, along with the use of virtual private networks (VPNs), allow for a level of privacy in planning and executing attacks that many intelligence services find hard to penetrate. Private citizens and the bad guys are both somewhat protected from surveillance tools. Tor, a browser that hides IP addresses, was notorious for being a favored part of the Dark Web and information sharing among malevolent actors, and some bad actors are brazenly becoming more open about selling their hacking skills and approaches, from ransomware to phishing.[9]
    • Everything Else: Internet-connected wearables from watches to glasses to shoes are hard to track and may enter what is supposed to be a secure environment. The prevalence of connections – Internet of Things (IoT) and Operational Technology (OT) like industrial control devices and medical devices – makes it hard to identify and map all possible risks to vital response services.[10] Within this complicated and diverse web of connections, trusted partners – from suppliers to law firms – can expose nuclear organizations to risks as partners’ levels of security are hard to fully vet.

Any sense of total security from air-gapped systems is a false one. Cyber-attacks persist, including from capable State actors.[11] The possibilities of blended cyber-physical attacks and of multiple attack schemes, particularly from insider and diversionary threats, are real.[12]
Cyber incidents are inevitable, and vital systems are not impenetrable. Given new technologies and systems, including in communications and the advent of deep fakes, an otherwise benign incident or manageable attack can turn into a cascading, systemic risk. A comprehensive approach to the management of safety/security/safeguard risks becomes even more important.

The Answer

Coordinated and practiced responses need to be scrupulously and imaginatively yet realistically developed and exercised – inside and across a facility with owners/managers and employees, including contract staff, as well as with responders, officials, the media and the public. Scenarios must be developed that address risks emerging from new technologies and their application, as well as from hybrid events. The varied concerns of stakeholders need to be understood, e.g., medical personnel require fast access to those potentially injured while safety officials may delay access to ensure the safety and security of a site. Trusted relationships need to be developed before an incident. Tested and truly trusted communication channels and messages/patterns need to be established. Reactions during an emergency situation should be measured enough so that fake voices, images, videos and messages are not accepted. In addition, backups of plans and contacts should be backed up again – offline.[13] Then after-action reports should be produced to quickly address areas where responses need to be improved. Scenarios should be reviewed and updated on a regular basis and when information appears on new risks. Full collaborative exercises should be undertaken on a regular basis, with tabletop exercises carried out when smaller adjustments might need to be made.

The Challenges

Some managers/employees may not see the value in planning for what they consider a low probability risk, let alone developing and exercising around high-consequence, complex scenarios. They may fear that bringing attention to low-probability risks serves to highlight the risk itself and can stoke fear in the public who may not appreciate the industry’s defense-in-depth approach. Explaining the range of new, emerging risks must help inspire engagement in the full process of scenario development, design, and exercise and must provide assurance to stakeholders that together they can manage incidents well, if they are practiced collaboratively. Involving a myriad of stakeholders and experts in scenario development can inspire not only broader thinking about risks but also buy-in to the eventual exercise and an honest after-action report.

Including stakeholders, especially the public, in response planning and exercises needs to be carefully considered with well-planned paths to engagement. Recent research on risk communication and engagement provides some cautionary tales on the need to plan holistically and to validate the needs of various stakeholders without adding some, such as the public, as an afterthought.[14] Different levels of trust exist in different countries and even between communities within the same country.[15] Much depends on prior engagement experiences with the nuclear organization and within/among stakeholders. Assessing baseline levels of trust and mapping relationships can help response managers prepare for a successful planning and exercise process.

“Develop more scenario-driven exercises in cyber-incident response management and communications to address the issues of misinformation being fed to the public and the potential sabotage of emergency response efforts.” ~ One of the key recommendations from a Vienna workshop with operators, regulators, insurers, lawyers, and others in late 2019.

Policy Change Needed

Regulators can’t always keep up with changing risks, but governments and others can support owners/managers of critical infrastructures to: demonstrate good governance, assess risks, be prepared, and invest in collaborative exercises. The benefits of good governance and risk management have been demonstrated.[16] The founder and former Executive Director of the World Institute for Nuclear Security Roger Howsley suggests government policy makers, industry groups and regulators “review the existing governance metrics and develop an extended set that specifically address these (evolving cyber) risks and how organisations could use appropriate scenarios during their planning and exercise programmes. These could then be discussed and refined by stakeholder groups.”[17]

The question often is who will pay for this and who will take the lead.

There is no one answer, as each locale may historically be managed differently. In some cases, emergency responders may initiate an exercise while in others a regulator may require one. In yet another case, federal officials may take the lead in assessing baseline preparedness, requiring national exercises and preparing after-action reports.[18]

In any event, governments should:

  • Inform nuclear/radiological operators and all responders of the importance of coordinated response planning to evolving cyber/technology incidents.
  • Develop innovative ways to demonstrate and thereby convince license holders of the magnitude of the risks involved, e.g., through theatrical performance, demonstrations at conferences, simulations.
  • Encourage the use of self-assessment tools provided by the International Atomic Energy Agency and others and support work for continuous improvement and better risk governance.
  • Consider requiring regular tabletop/live exercises of associated plans – developed and exercised with stakeholders – with after-action reports and monitored improvement programs.

Some valuable materials and support for good governance of response frameworks to support such efforts can be found at the International Atomic Energy Agency, the World Institute for Nuclear Security and some industry associations.[19]
Groups like these need contributions to support their work, which benefits not just the license holders but also all of society by ensuring the nuclear industry is safer and more secure.

Notes

  • 1
    Note: Kate Murphy, “America Has a GPS Problem,” The New York Times (January 3, 2021) https://www.nytimes.com/2021/01/23/opinion/gps-vulnerable-alternatives-navigation-critical-infrastructure.html; Jodi Helmer, “DOD, Transportation Considers Backups for Vulnerable GPS,” FedTech (May 17, 2022) https://fedtechmagazine.com/article/2022/05/dod-transportation-consider-backups-vulnerable-gps
  • 2
    Note: Debra Decker and Kathryn Rauhut, “Prioritizing Actions for Managing Cybersecurity Risks,” Stimson Center (February 6, 2020) https://www.stimson.org/2020/prioritizing-actions-for-managing-cybersecurity-risks
  • 3
    Note: “What is Zero-Click Malware, and How do Zero-Click Attacks Work,” Kaspersky (Accessed February 14, 2022) https://www.kaspersky.com/resource-center/definitions/what-is-zero-click-malware
  • 4
    Note: Richard Goodwin, “How to Make Deep Fake Video: A Guide & Warnings,” Know Your Mobile (September 1, 2021) https://www.knowyourmobile.com/user-guides/how-to-make-deep-fake-video-a-guide-warnings
  • 5
    Note: Twain Taylor, “7 Biggest Cloud Outages of the Past Year,” TechGenix (February 11, 2022) https://techgenix.com/7-biggest-cloud-outages-services-2021/
  • 6
    Note: “A 5G Strategy for Next-Generation Nuclear Energy,” Partnership for Global Security (Accessed February 14, 2022) https://partnershipforglobalsecurity.org/a-5g-strategy-for-next-generation-nuclear-energy/
  • 7
    Note: Charles McLellan, “What is the Metaverse, and Who Will Build It?” ZDNet (October 12, 2022) https://www.zdnet.com/article/what-is-the-metaverse-and-who-will-build-it/
  • 8
    Note: Carols Varrasco-Farre, “How to Spot Fake News on Your Social Networks,” World Economic Forum (August 11, 2020) https://www.weforum.org/agenda/2022/08/how-to-spot-fake-news-on-your-social-networks/
  • 9
    Note: Pierluigi Paganini, “Caffeine, a New Phishing-as-a-Service Toolkit Available in the Underground,” Security Affairs (October 11, 2022) https://securityaffairs.co/wordpress/136953/cyber-crime/caffeine-phishing-platform.html.
  • 10
    Note: Vedere Labs, ”The Riskiest Connected Devices in Enterprise Networks,” Forescout Blog (October 12, 2022) https://www.forescout.com/blog/the-riskiest-connected-devices-in-enterprise-networks/
  • 11
    Note: Just one recent example: https://www.cisa.gov/uscert/ncas/alerts/aa22-110a
  • 12
    Note: Matthew Bunn, “Scenarios of Insider Threats to Japan‘s Nuclear Facilities and Materials — and Steps to Strengthen Protection,“ NAPSNet Special Reports (November 2, 2017) https://nautilus.org/napsnet/napsnet-special-reports/scenarios-of-insider-threats-to-japans-nuclear-facilities-and-materials-and-steps-to-strengthen-protection/
  • 13
    Note: United Kingdom National Cyber Security Centre, “Guidance: Mitigating Malware and Ransomware Attacks,” February 13, 2020. https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
  • 14
    Note: See, for example, Michael Humann, Craig Collie, Kayte Bright, et. al. “Public Engagement During Full-Scale Exercises: Dimensions of Trust and Community Resilience,“ Journal of Contingencies and Crisis Management 30, no. 3 (September 2022): 317-326, https://doi.org/10.1111/1468-5973.12388; Michele Knodt, Cornelia Fraune, Alice Engel, “Local Governance of Critical Infrastructure Resilience: Types of Coordination in German Cities, “Journal of Contingencies and Crisis Management 30, no. 3 (September 2022) 307-316 https://doi.org/10.1111/1468-5973.12386; Vincent T. Covello, “Stakeholder Engagement and Empowerment,“ in Communicating in Risk, Crisis, and High Stress Situations (New Jersey: IEEE Press, 2022). https://onlinelibrary.wiley.com/doi/abs/10.1002/9781119081753.ch5
  • 15
    Note: Humann et al.
  • 16
    Note: Debra Decker, Kathryn Rauhut, “Incentivizing Good Governance Beyond Regulatory Minimums: The Civil Nuclear Sector,” Journal of Critical Infrastructure Policy 2, no. 2 (Fall/Winter 2021): 19-43.
  • 17
    Note: Correspondence via email with the Stimson Center, 24 October 2022.
  • 18
    Note: For example, see in the United States: “Backgrounder on Force-on-Force Security Inspections,“ U.S. Nuclear Regulatory Commission (Accessed February 14, 2023); “Exercise of Quad Cities Nuclear Power Station Emergency Plans Set for July 12,“ Illinois.Gov (June 13, 2022), https://www2.illinois.gov/ready/Press/Pages/061322b.aspx; https://www.fema.gov/sites/default/files/documents/fema_2021-national-preparedness-report.pdf; https://www.cisa.gov/cyber-storm-viii-national-cyber-exercise; https://www.cisa.gov/sites/default/files/publications/FINAL-Cyber-Storm-VIII-After-Action-Report-082022.pdf; FEMA, “2022 National Preparedness Report,” U.S. Department of Homeland Security (December 2022) https://www.fema.gov/emergency-managers/national-preparedness#reports; “Cyber Storm VIII: National Cyber Exercise,“ Cybersecurity & Infrastructure Security Agency (Accessed February 14, 2023); “Cyber Storm VIII: After -Action Report,“ Cybersecurity and Infrastructure Agency (August 2022) https://www.cisa.gov/sites/default/files/publications/FINAL-Cyber-Storm-VIII-After-Action-Report-082022.pdf
  • 19
    Note: For example, see: Nayana Jayarajan, “IAEA Publication Highlights How EPRIMS Strengthen Countries‘ Preparedness for Emergencies,“ International Atomic Energy Agency (October 11, 2022) https://www.iaea.org/newscenter/news/iaea-publication-highlights-how-eprims-strengthens-countries-preparedness-for-emergencies; ”Arrangements for Public Communication in Preparedness and Response for a Nuclear or Radiological Emergency,” International Atomic Energy Agency (2020) https://www.iaea.org/publications/13517/arrangements-for-public-communication-in-preparedness-and-response-for-a-nuclear-or-radiological-emergency; “Preparation, Conduct, and Evaluation of Exercises for Security of Nuclear and Other Radioactive Material in Transport,“ International Atomic Energy Agency (2018) https://www.iaea.org/publications/12372/preparation-conduct-and-evaluation-of-exercises-for-security-of-nuclear-and-other-radioactive-material-in-transport; “Emergency Preparedness at Nuclear Plants,“ Nuclear Energy Institute (Accessed February 14, 2023), https://nei.org/resources/fact-sheets/emergency-preparedness-at-nuclear-plants
