September 3, 2018
The cyber threat has expanded exponentially in recent years. A series of damaging, high-profile attacks has made headlines around the world, and recent attacks against banking and commerce systems, private companies, and governments highlight the growing gap between the threat and the ability to respond to or manage it.
Like all critical infrastructure, nuclear facilities are not immune to cyberattack. That reality is particularly worrisome, however, given the potentially catastrophic consequences of a cyberattack on a nuclear facility. Such an attack could facilitate the theft of nuclear materials or an act of sabotage. For example, facilities’ access control systems could be compromised, allowing the unauthorized entry of persons seeking to obtain nuclear materials or to damage the facility. Accounting systems could be manipulated so that the theft of materials goes unnoticed. Reactor cooling systems could be deliberately disabled, potentially resulting in a Fukushima-like disaster.
The pace of cyberattacks, including those involving nuclear facilities, has accelerated in recent years. For example, in 2016, three publicly known cyberattacks or attempts on information systems at nuclear facilities occurred at: the University of Toyama’s Hydrogen Isotope Research Center in Japan; the Gundremmingen Nuclear Power Plant in Germany; and one incident that affected both the Nuclear Regulatory Commission and the Department of Energy in the United States. In 2017, the Wolf Creek Nuclear Station in Kansas had its business systems compromised in a series of attacks targeting the energy sector.
Government authorities and facility operators are struggling to keep pace with this new threat, and national and international guidance is still evolving. As this edition of the NTI Index highlights, some countries are making progress while many others are not. Furthermore, countries with new nuclear programs face additional challenges. Not only do those countries need to establish appropriate regulatory systems, they also must attract or train cyber-nuclear experts, who are in short supply globally.
Looking forward, cyber risks to critical infrastructure (including nuclear facilities) will continue to grow, and much more work is needed to address the threat. Nuclear facilities must be protected from dangerous attacks through a combination of technology and expertise, and governments must provide assistance by sharing threat information and surge capacity provided by skilled computer emergency response teams who specialize in responding to computer security incidents.
For more information about NTI’s cyber-nuclear security program, visit http://www.nti.org/cyber.