After an episode of the hit television show “24” aired a few years ago depicting a cyber attack on a nuclear power plant causing a reactor meltdown, the Nuclear Regulatory Commission released a statement explaining: “Fox Television’s … ‘24’ program” airs “a plot centered around the use of a ‘black box’ that could remotely operate all 104 U.S. nuclear power plants via the Internet. For the record, there is no such black box or suitcase for controlling nuclear power plants. Control systems at the plants are not accessible via the Internet.”
A recent report by the U.S. Department of Homeland Security’s Office of Cyber and Infrastructure Analysis (DHS OCIA) echoed the NRC’s earlier sentiment that nuclear power plants are protected from cyber attacks because of their isolation. In a report titled “Nuclear Reactors, Materials, and Waste Sector Cyberdependencies,” issued October 6, 2015, DHS concluded: “Nothing suggests that a cyber attack executed through the Internet could cause a nuclear reactor to malfunction and breach containment.” DHS went on to note that it would be difficult to introduce a threat into the plant control systems using portable media, explaining that “[n]uclear power reactors have comprehensive safeguards that protect control system safety and security and prevent the misuse of portable media (e.g., Universal Serial Bus [USB] devices) and portable equipment (e.g., maintenance laptops) from circumventing these protections.”
Of course, the nuclear sector is not without its vulnerabilities, and there have been a handful of cyber compromises in the global nuclear sector in recent years. For example:
- Perhaps the most well-known incident is the Stuxnet worm attack against the Iranian nuclear weapons program. The worm is believed to have targeted specific components used in the Iranian centrifuge cascades and destroyed nearly a thousand centrifuges at Iran’s uranium enrichment facility in Natanz. It was introduced through a USB flash drive.
- In April 2016, the press reported that a German nuclear power plant had been infected with computer viruses, but that they appeared not to have posed a threat to the facility’s operations because it was isolated from the internet. The viruses were discovered at the Gundremmingen plant, in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods. Malware was found in 18 removable data drives, mainly USB sticks, in office computers maintained separately from the plant’s operating systems.
- In January 2003, the Slammer worm infected computer systems at the Davis-Besse nuclear power plant in Ohio. The worm traveled from a consultant’s network to the corporate network of FirstEnergy Nuclear Operating Company, the licensee for Davis-Besse, then to the process control network for the plant. The traffic generated by the worm clogged the corporate and control networks and for nearly five hours plant personnel could not access the Safety Parameter Display System (SPDS). Because Slammer did not affect analogue readouts, plant operators could still get reliable data. While Davis-Besse had a firewall protecting its corporate network from the wider internet, and its configuration would have prevented a Slammer infection, a consultant had created a connection behind the firewall to his office network, which allowed the worm to bypass the firewall and infect FirstEnergy’s corporate network.
Despite these few examples, the DHS OCIA report concluded that the layered defenses used in the nuclear power industry are quite effective in protecting critical digital assets and preventing anyone without unescorted access from initiating a cybersecurity incident affecting these systems. If pre-existing undetected vulnerabilities or compromises in the digital equipment or software create a problem, alternative means are available for accomplishing safety and security functions. Specifically, the report concluded:
- U.S. nuclear power reactor safety systems must have at least two independent means to (1) keep the reactor coolant pressure boundary intact; (2) shut down and maintain the plant in a safe shutdown condition; and (3) ensure no radioactive release occurs in excess of federal limits.
- There are multiple ways to read critical plant operational parameters, and all operators are trained to rely on more than one indicator to make decisions in operating a plant. Several systems would need to be compromised to sabotage the plant.
- If a single nuclear power reactor goes offline, the electric grid could manage the loss of supply in most circumstances. Under peak loads, the worst cascading effect might be temporary rolling blackouts.
With respect to personnel with unescorted access, the report concludes that the most likely threat vectors for a cyber attack include the intentional or unintentional insider using portable devices and media (e.g., USB flash drive). Industry standards and regulations are designed to protect against these threats, according to the report, and companies can reduce their risk by ensuring appropriately robust processes and procedures to protect key equipment, and technical controls, such as physically blocking unused ports, as additional measures of protection. For example, a nuclear power plant’s Physical Security Plan, required under the NRC’s regulations in 10 CFR 73.55, includes requirements for an “insider mitigation program” (IMP).
The NRC has also endorsed Nuclear Energy Institute (NEI) 03-01, "Nuclear Power Plant Access Authorization Program,” which provides an approach for an IMP acceptable to the NRC. The IMP includes many elements of other NRC-required programs, such as the Behavioral Observation Program, Access Authorization Program, Fitness-For-Duty Program, and the Cyber Security Program. Compliance with these program requirements and industry “best practices” mitigates risk from an insider threat .