
Nuclear sector ‘does not understand cybersecurity threats’

The nuclear industry is an attractive target for threat actors ranging from ransomware extortionists to state representatives to anti-nuclear activists.

But despite the obvious threat, this key sector “lacks a full understanding of cybersecurity risks” and lacks “effective resilience strategies”, warns a report by think tank Chatham House.

The independent policy institute said the growing reliance on nuclear power in countries around the world had made considering cybersecurity risks “more critical than ever”, highlighting that more than 20 countries, including the US, UK and Canada, recently pledged to triple their nuclear power capacity by 2050 to meet net-zero emissions targets.

Chatham House also warned that nuclear plants in war zones such as Ukraine face increased “vulnerability to cyber as well as physical attacks,” while the adoption of new technologies such as small modular reactors (SMRs) will increase the likelihood of nuclear facilities “becoming targets in conflict situations.” We’re already seeing a version of this scenario play out in Russia’s attack on the Ukrainian plant in Zaporozhye.

“The development of nuclear capabilities brings with it new challenges, particularly in the area of cybersecurity,” Chatham House wrote. “Cyber operations targeting civilian nuclear systems have been reported worldwide. Such operations pose significant risks, with potential harms including information theft, equipment failure, energy supply disruption, environmental damage, and health impacts. These risks are common in both peacetime and conflict.”

Potential Control System Vulnerabilities (Source: Byres Security, World Economic Forum)

In its report, the think tank addresses one of the most pressing questions: could a cyberattack trigger a nuclear catastrophe that (we predict) would irradiate vast swaths of the earth and cause death on a terrifying scale?

Fortunately, the answer is something like, “Probably not.”

“The consequences of a cyber operation targeting civilian nuclear infrastructure could be as wide-ranging as the theft of confidential information, loss of access to or control over monitoring and control software, operational difficulties or – in the worst case – reactor shutdown or difficulties in controlling nuclear energy storage,” the report reads.

“There is only a small chance that a cyber operation will result in a nuclear reactor losing control to the point of meltdown or a significant release of radiation. This is because nuclear power plants have other redundant safety features, such as backup cooling systems.

“However, the potential impacts if a core meltdown or a major release of radiation were to occur could be very significant, including deaths or long-term health problems among nuclear plant workers or members of the public exposed to radiation, as well as long-term environmental damage and contamination.”

In the case of combined cyber and ground operations, vulnerabilities in nuclear facilities could be exploited “to overwhelm limited operational personnel or create a diversion that allows unauthorized access to nuclear materials.”

The report explains that this is unlikely given the numerous physical security measures in place at facilities, but cybercriminals can inflict other tangible damage on material resources to paralyze countries and economies.

Communication between plants and operators can be intercepted and disrupted, which in turn can affect the operation of electrical grids. As more countries transition to nuclear power, this is a significant vulnerability.

The international think tank is not alone in grappling with cyber threats to nuclear infrastructure. In 2023, the International Atomic Energy Agency (IAEA) hosted a conference with participants from 94 countries to establish better global cybersecurity protocols for nuclear facilities.

The IAEA forecasts that nuclear power capacity will likely double by 2050 to 890 GW(e) from today’s 369 GW(e). This is largely due to countries seeing nuclear power as a reliable, resilient and low-carbon energy source in the face of geopolitical shocks and increasing ESG compliance.

But cybersecurity protocols have not kept up with this rapid growth. Analysts at Chatham House noted that a myriad of factors prevent these measures from evolving as quickly as they should.

The most significant cybersecurity gaps in the civilian nuclear sector include: the use of legacy software, attackers targeting personnel, and a lack of sufficient cybersecurity awareness and cooperation across the sector.

On the technical side, the nuclear sector still needs to catch up with other important elements of national infrastructure in modernising its IT resources.

(Source: Chatham House)

The siloed regulatory environment governing nuclear facilities means there is no sharing of best practices, and knowledge paths for security leaders in the sector are ad hoc. The report also notes that the sector allows perception to get in the way of transparency, meaning there is little publicly available information on cybersecurity incidents.

Analysts say that disclosure will strengthen trust in working practices.

In addition, analysts have highlighted the difficulty governments face in enforcing cybersecurity standards, as most nuclear facilities are privately run. As artificial intelligence makes cyberattacks easier to carry out, the overall increase in risk levels will also affect the nuclear sector.

But newer reactors are better designed to withstand cyber threats, although the exact levels of security vary by country. Analysts conclude that the threat landscape in the civilian nuclear sector is quite diverse.

There are a number of comprehensive guidelines available to improve the cybersecurity of nuclear reactors. As attacks on critical national infrastructure continue to increase, countries are likely to take them more seriously.