Regulators Defend Nuclear Cybersecurity After Damning Report

U.S. regulators are downplaying independent researchers’ warnings that civilian nuclear plants are gravely underprepared for potential cyber attacks. A recent report from a respected European think tank described a “culture of denial” within the nuclear industry generally, and offered specific criticisms of the United States. Its findings have rattled many in the energy and cybersecurity arenas.

The research from London-based Chatham House says the “risk of a serious cyber attack on civil nuclear infrastructure is growing, as facilities become ever more reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software.”

Regulators dismissed the threat, saying U.S. nuclear facilities are taking adequate steps to prevent a potentially catastrophic digital assault. The Nuclear Regulatory Commission criticized the Chatham House report’s findings in a statement provided to Morning Consult:

“The report is based on generalizations and hearsay and made no apparent effort to research the extensive work done by the NRC to ensure its nuclear power plant licensees take appropriate actions against the cyber threat,” the statement said. “The NRC has been very forward-leaning on cyber security issues, and as a result the nuclear power industry is probably better protected than any other sector of our critical infrastructure.”

Chatham House’s findings are the result of 18 months of research and more than 30 interviews with senior officials at nuclear facilities around the world. It draws broad conclusions about the industry globally but makes specific reference to the Unites States several times.

The report is particularly critical of U.S. regulations. “The guidance issued by the Nuclear Regulatory Commission (NRC) is not sufficient to protect against the cyber security threat,” the authors wrote. “Even if a nuclear facility were to implement all of the measures in the ‘Reg Guide’ — a guide that helps interpret regulations and gives guidance on how to comply with them — a number of major cyber security vulnerabilities would remain.”

The findings are causing concern among industry experts such as Scott DePasquale, chairman of Rhode Island’s Cybersecurity Commission, which assesses cybersecurity infrastructure and activities in the state.

“The Chatham House report is probably right that not enough is being done to prevent an attack,” said DePasquale, who is also chairman and chief executive officer of Utilidata, a firm that uses real-time data to address issues in the energy sector. “Stakeholders are taking it seriously, but I think they have a false sense of security because they think it’s so improbable. They’re not treating it with enough urgency. When it comes to nuclear, even the smallest risk is a really big deal. Securing these facilities is essential because if a breach happens it could be catastrophic.”

The U.S. regulations governing cybersecurity at nuclear facilities were developed in the wake of the Sept. 11 terrorist attacks and formalized in 2009. They are performance-based, meaning they don’t specify rigid methods but instead focus on general security targets. Nuclear plants are implementing the measures in two phases, the second of which is scheduled for completion in 2017.

The NRC is due to begin inspections on the first phase in the coming months. In a blog post this week, James Andersen, head of the NRC’s Cyber Security Directorate, defended the agency’s action on cybersecurity. “The NRC has been very forward-thinking in developing cyber security requirements for nuclear power plants,” he said. “The cyber threat is always evolving, and so is our approach.”

Nuclear power plants can be vulnerable to a digital attack in two ways. They can be infiltrated by outside hackers through public internet connections. They can also be attacked by rogue actors inside the facilities using hardware like a thumb drive. The latter scenario was the case in the 2010 ‘Stuxnet’ malware attack which reportedly destroyed several nuclear centrifuges in Iran.

The most important safety and security systems in nuclear facilities are supposed to be “air-gapped,” meaning isolated from any hardwire or wireless internet connection. But this may not always be the case, according to DePasquale. “If anyone thinks systems running critical infrastructure are totally air-gapped, they’re wrong,” he said.

DePasquale’s view is consistent with the Chatham House report, which says “the conventional belief that all nuclear facilities are ‘air gapped’ is a myth.”

The larger risk, though, comes from individuals who have access to nuclear facilities. “Stuxnet proved these data systems can be compromised,” said DePasquale. “Most of the security programs in place still can’t prevent an individual actor with a thumb drive.”

The threat is evolving as quickly as the technology, analysts say. Of particular concern are terrorist organizations like ISIS. “State actors have an aversion to pushing the button because that’s an act of war,” said DePasquale. “But terror organizations like ISIS know how to use cyber tools more efficiently. They will pull the trigger, and they can do it relatively cheaply.”

The Chatham House report acknowledges that the United States has done quite a bit to secure nuclear facilities against digital threats. But it says more needs to be done. “In the United States, there have been some promising recent initiatives to encourage nuclear plant personnel to work with cyber security personnel in order to agree on which assets are cyber critical and need to be prioritized for protection, but more such efforts are needed.”

This is an area that by its nature requires fluid regulation. To stay on top of fast-moving technological developments, NRC’s efforts are multifaceted. The agency is developing cyber requirements for fuel cycle facilities and said it will soon publish a new regulation requiring nuclear plant licensees to notify the agency quickly in the event of certain cyber attacks.

DePasquale says regulators are probably be more worried than they let on. “To their credit, no one wants to be the one shouting ‘Fire!’ and scare the public,” he said. “There is more of a sense of urgency within the federal government and stakeholders than public comment would have you believe.”