Security & Safety

Nuclear Industry Does Not Understand Risks Posed By Cyber Attacks, Says UK Think-Tank

By David Dalton
7 October 2015

7 Oct (NucNet): The greatest cyber security issue facing the nuclear industry is that many in the sector do not fully understand the risks and the industry needs to be “more robust” on taking the initiative in cyberspace and funding effective responses to the challenge, a report by an independent UK-based think-tank says.

The report on cyber security at civil nuclear installations, published by Chatham House, says the industry does not seem to be prepared for a large-scale cyber security emergency and needs to invest in counter-measures and response plans. It says developing countries are “particularly vulnerable” to cyber attacks at nuclear facilities.

The report warns that even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry.

Certain characteristics of the sector, such as associated national security sensitivities, make disclosure of cyber security incidents that have occurred less likely, leading nuclear industry personnel to believe that cyber attacks are less of a threat than is actually the case, the report says.

The sector’s limited collaboration with others leaves it unable to learn from those with greater cyber security readiness. Furthermore, the rapid evolution of the threat means that regulatory standards are currently inadequate.

“This suggests that the industry’s risk assessment may be inadequate; as a consequence, there is often insufficient spending on cyber security,” the report says.

Guidelines are needed to assess and measure the risk as accurately as possible. The report says guidelines will help chief executive officers and company boards understand what is at stake, and provide them with “a clear economic rationale to invest in cyber security”.

The development of “cyber insurance” may be an important tool for promoting the development of cyber risk guidelines, the report says.

The French government has been carrying out a study of cyber insurance, and an early conclusion is that, to succeed, it will require the accurate calculation of cyber risk based on metrics agreed between insurers and the insured, the report says.

The report says: “What underwriters need is an understanding of the risk and that really comes down to, do organisations have the right people in the right places, with the right authorities, to make the right decisions and have the right policy and operational structures in place?”

An expert in industrial control systems told the report’s authors that insurance may also make cyber security more commercially attractive by providing necessary financial incentives, in the form of lower premiums, to persuade owner-operators to invest in them.

The director of a UK-based cyber security company told the authors that if an insurance company tells an owner-operator that their insurance premium would be very high because they don’t have adequate cyber security measures, the owner-operator might just conclude, ‘if I spend $100,000 on cyber security measures, I can save $200,000 on the insurance premium’.

The nuclear industry as a whole needs to develop “a more robust ambition” to take the initiative in cyberspace and to fund the promotion and fostering of a culture of cyber security, determining investment priorities and ensuring that sufficient and sustained funding is allocated to effective responses to the challenge.

It needs to establish an international cyber security risk management strategy and encourage the free flow of information between all stakeholders, the report says.

The report also highlights some important areas for future research. Given that developing countries have been found to be particularly vulnerable, their specific needs should be assessed so that resources can be allocated more efficiently to combating the particular risks identified.

The apparent lack of preparedness for a large-scale cyber security emergency, particularly one that occurs outside normal working hours, suggests that scenario-based planning studies and exercises would lead to a better understanding of how a situation might unfold in a crisis – and to the development of effective response plans across the industry.

In June 2015 International Atomic Energy Agency director-general Yukiya Amano said an international response is needed to tackle the global threat posed by criminals and terrorists bent on launching cyber attacks against nuclear facilities.

Mr Amano said reports of actual or attempted cyber attacks had become “an almost daily occurrence” around the world and “the nuclear industry has not been immune”.

He said staff responsible for nuclear security should know how to repel cyber attacks and to limit the damage if systems are penetrated. The IAEA is doing what it can to help governments, organisations, and individuals adapt to evolving technology-driven threats from “skilled cyber adversaries”.

The Chatham House report says that, notwithstanding important recent steps taken by the IAEA to improve cyber security across the sector, the nuclear energy industry currently has less experience in this field than other sectors.

Background: The Nature Of The Threat

The Chatham House report says recent high-profile cyber attacks on nuclear facilities have raised new concerns about the vulnerability of nuclear power plants.

In 2010, the emergence of the Stuxnet worm heralded a new era in cyber warfare. In a cyber attack on the Natanz nuclear enrichment facility and the Bushehr nuclear power plant in Iran, the Stuxnet worm caused the partial destruction of around 1,000 centrifuges. This was the most sophisticated publicly known cyber attack on a nuclear facility to date, demonstrating an unprecedented level of technical capability.

On a lesser scale, South Korea’s state-run nuclear operator was the subject of a cyber attack in December 2014 which saw the theft of sensitive information, including the blueprints of at least two nuclear reactors and electrical flow charts.

As early as 1992, a technician at the Ignalina nuclear power plant in Lithuania intentionally introduced a virus into the industrial control system. He claimed this was in order to highlight the cyber security vulnerabilities of such plants, although this did not stop the police from arresting him. It also illustrates the dangers of the insider threat – in this case little harm was caused, but someone with malicious intent could have provoked a serious incident.

‘Cyber Security at Civil Nuclear Facilities: Understanding the Risks’ is online: http://bit.ly/1WMyOBj
