The threat to digital systems at the country's nuclear power plants is considerable, but the sector is better prepared to defend against potentially devastating cyberattacks than most other utilities, according to government and industry officials and experts.
Cyberattacks have been an increasing source of concern in recent years but the threat was highlighted in July by the first discovery of malicious code specifically formulated to target the systems that direct the inner operations of industrial plants. To date the malware is thought to have infected more than 15,000 computers worldwide, mostly in Iran, Indonesia and India.
The issue is critically important for new nuclear power facilities that would be built in the United States and throughout the world as control rooms would employ digital systems to operate the plants. Those state-of-the-art instruments and systems make them targets for hackers.
A U.S. Nuclear Regulatory Commission spokeswoman declined to say whether there have been any cyber strikes against the nation's nuclear power sector. Security events, including a computer-based attack at an energy facility, would be "sensitive information" and therefore not released to the public, she said.
There have been no cyberattacks to date on U.S. nuclear facilities, according to Doug Walters, vice president of regulatory affairs at the Nuclear Energy Institute, a policy organization of the nuclear power and technologies industry.
Cyberattacks are "no different from other military activities, in that power grids are a normal target for guerrillas and militaries. It's something they usually try to attack if they get into a conflict," James Lewis, a senior fellow at the Center for Strategic and International Studies, said during an interview last week.
Nuclear power plant owners and operators "have been encouraged for a long time to think about security and to put a lot more effort into it than most civilian enterprises," he told Global Security Newswire. "The question is how vulnerable are they so someone using remote access to send damaging commands and I think the answer is they're not particularly vulnerable."
Lewis said experts know other nations, possibly including China and Russia, have conducted reconnaissance for potential weak spots in the U.S. power grid and "we don't know what they left behind."
"People with nuclear power plants ought to be and thus are, more careful about this because it's easier in the imagination to envision what happens if a hacker gets into a nuclear power plant," said Martin Libicki, a senior management scientist at RAND Corp. "If I get into a coal-fired power plant, the worst I'm going to do is cause a blackout. If I get into a nuclear power plant, I can cause a Chernobyl.
"I'm not sure that's true but you can imagine how that might play in out in the media and politically," he added.
The safety and control systems that operate nuclear power plants are isolated from the Internet and are protected against outside invasion. Yet in some cases, those operating systems and other critical infrastructure are decades old and not completely separated from computer networks used to manage administrative systems. Those gaps provide potential gateways for hackers to insert viruses, malicious codes and worms.
As much as 85 percent of the nation's critical infrastructure is owned and operated by private companies, ranging from nuclear power plants to transportation and manufacturing systems. Atomic energy facilities are a tantalizing target for digital sabotage because a meltdown could result in a major radiological event.
In all, the nuclear industry has spent roughly $2.2 billion during the last decade on enhancements to prevent physical or cyber breaches, according to Walters. Those funds paid for security upgrades to meet U.S. Nuclear Regulatory Commission requirements, including vehicle barriers, cameras, bullet resistant enclosures and other new technologies, he said.
That figure also included expenditures for additional security officers, the number of which has increased by about 60 percent "across the fleet."
Shortly after the Sept. 11 terrorist attacks, the regulatory commission, the agency with oversight of the country's atomic energy plants, put out a series of orders requiring its 104 licensees to enhance their overall security efforts, including physical protection, personnel reliability and cyber defense, Walters said. A year later the commission for the first time ordered that cyberattacks be added to the list of threats sites must be able to defend against.
In March 2009 the commission unveiled a rule that required power plants to complete cyber security plans that would protect against a "design basis threat," according to Rich Correia, head of the agency's Security Policy Division. The plans would be amendments to the utility licenses to operate the reactors.
Design basis threat is "pretty much what the commission has determined what a private security force should be able to defend against," Correia said. "Since power plants are run by private entities, we couldn't expect them to defend against, say, a nation state."
The directive describes what actions site operators must take to identify and protect "critical digital assets," computer systems and components key to the protection of the plant that, if harmed, could produce a radiological incident, he added. A critical system is identified as any that performs or is relied on for plant safety, security and emergency preparedness; provides a pathway to a system that could be used to compromise, attack, or degrade those functions; supports systems that if compromised could adversely impact those defenses; or protects against any of those cyberattacks.
"In essence, we're making sure that we have a shield up around the plant beyond normal firewalls that would protect against a cyberattack," Walters said last week.
Licensees submitted their cybersecurity blueprints for the country's 65 nuclear power plants for commission review in November 2009, Correia told GSN. The agency hopes to have the plans approved by next spring.
Power plant operators would then implement the programs, and the regulatory commission's four regional offices would begin inspections to verify they were being used as designed, he said.
Correia said his division is in continuous contact with the commission's threat assessment branch, which evaluates intelligence information from various government agencies, to make any changes to the perceived cyber danger.
The commission also has put together a "mock adversary force" to test power plants' digital preparedness as part of the overall NRC site inspection process, he added. The agency conducts "force on force" exercises at facilities to challenge their physical security assets. The mock enemy's mission might include action against digital systems and components.
The U.S. nuclear power industry also is well positioned to address the evolving threat because of its size, according to Lewis. The sector only has 104 reactors at 65 plants, compared to thousands of electrical utilities. Those companies are often too small to spend money to examine the cybersecurity or so large that it is glossed over, he said.
"Does it mean [the atomic energy sector is] totally invulnerable? No," Lewis told GSN. "But if you're an opponent you're going to ask yourself, 'Gosh, there's so many easy targets, why should I go after hard targets when I can pretty much get the same bang for the buck with a lot less effort?'"
Walters said the industry has been "fairly proactive" on the issue even without the NRC orders, noting the Nuclear Energy Institute formed a task force in 2002 to develop cybersecurity guidelines, which received the regulatory agency's blessing. That guidance delineated cybersecurity protection measures that should be installed on certain plant systems.
The institute also has established a nuclear sector council that meets with Homeland Security Department officials on a quarterly basis to address potential security concerns, he said.
"With the requirements we have in place and with licensees knowing what they need to do in terms of security controls … we are in very good shape in terms of protecting against cyber attacks," according to Walters.
The Future of Cybersecurity
Officials and experts agreed the country has begun to pay more attention to cybersecurity over the last several years. However, more could be done to counter the ever-evolving threat to the nation's power grid, including nuclear reactors.
"If it was up to me, I would mandate that the electrical generation and distribution be provably disconnected from the [Internet]," Libicki said. He predicted that entities would argue that such a move would prove too costly.
Walters said nuclear plants are different from other utilities because many of their safety systems are already detached from the Web.
"For a nuclear plant, when you're talking about controls and the systems for safety, those things are really confined to the sites and there's no output to the Internet. There are inherent safeguards that exist," he told GSN.
Lewis predicted it would take time to secure some of the nation's power networks because "they were never designed to be secure.
"We will just have to think; we can't afford to replace everything at once," he added.
Correia described cybersecurity in the nuclear realm as an "ongoing process" that would require continuous observation of what is happening within cyber space so that facilities could respond to developing threats.
"Licensees have to be able to react to it quickly, to adjust their cyber plans . . . to defend against it if there's an attack," he said.