Lack Of Nuclear Power Plant Security Measures Poses Risks


A study of the information security measures at civilian nuclear energy facilities around the world found a wide range of problems at many facilities that could leave them vulnerable to attacks on industrial control systems—potentially causing interruptions in electrical power or even damage to the reactors themselves. The study found that many nuclear power plants’ systems were “insecure by design” and vulnerable to attacks that could have wide-ranging impacts in the physical world—including the disruption of the electrical power grid and the release of “significant quantities of ionizing radiation.”

The researchers found that many nuclear power plant systems were not “air gapped” from the Internet and that they had virtual private network access that operators were “sometimes unaware of.” And in facilities that did have physical partitioning from the Internet, those measures could be circumvented with a flash drive or other portable media introduced into their onsite network—something that would be entirely too simple given the security posture of many civilian nuclear operators. The use of personal devices on plant networks and other gaps in security could easily introduce malware into nuclear plants’ networks, the researchers warned.

The security strategies of many operators examined in the report were “reactive rather than proactive,” meaning that there was little in the way of monitoring of systems for anomalies that might warn of a cyber-attack on a facility. An attack could be well underway before it was detected. And because of poor training around information security, the people responsible for operating the plants would likely not know what to do.

These issues, combined with a lack of regulation, may lead to an underestimation of risk by nuclear operators and result in a lack of budgeting or planning for reducing the risk of attack.
