A new report has warned of the danger of cyber-threats to nuclear facilities around the world, notably how an act of cyber-sabotage could “produce a similar release of radiation” to Fukushima.
The report, the Nuclear Security Index: Building a Framework for Assurance, Accountability and Action, was released by the Nuclear Threat Initiative (NTI), a nonprofit which monitors the security of nuclear facilities worldwide. It is unambiguous in its findings: “A cyber attack against a nuclear facility could facilitate the theft of nuclear materials or an act of sabotage leading to a catastrophic radiation release. Yet most states are not effectively prepared to deal with this emerging threat.”
While much of global public infrastructure could be said to be open to cyber-attack, the report details the multiple ways in which cyber-threats could pose a nuclear danger of catastrophic proportions.
If a wilful hacker were to compromise the access control systems of a nuclear facility, it could allow someone to sabotage or steal nuclear material. Someone could also compromise the accounting systems of a nuclear facility, hiding the theft of nuclear material. Or, perhaps the most worrying of these threats, notes the report: “Reactor cooling systems could be deliberately disabled, resulting in a Fukushima-like disaster.”
The NTI are certainly not the first to issue these kinds of warnings. Chatham House conducted its own study into the cyber-security of nuclear facilities, saying “as cyber-criminals, states and terrorist groups increase their online activities, the fear of a serious cyber-attack is ever present. This is of particular concern because of the risk – even if remote – of a release of ionising radiation as a result of such an attack.”
The report points to the fact that many countries, though they are looking at and developing nuclear technology, lack the regulatory and technological capacity to make sure that it's safe. Since 2012, 17 countries with weapons-grade nuclear materials have updated their laws to bring cyber-security to nuclear facilities, but many have not.
Of the 47 countries that the report surveyed, 20 “do not even have basic requirements to protect nuclear facilities from cyber attacks.” These include China, Iran, Italy, Argentina, North Korea, Italy, Algeria, Spain, Uzbekistan, Mexico and Indonesia.
To this end, the report makes several recommendations for those individual states. Firstly, that governments have to including cyber-risks within the national threat assessment. Secondly, strengthening physical security for nuclear materials and facilities to protect against theft and sabotage is a requirement.
States, the report recommends, should refrain from starting nuclear energy programmes before an effective nuclear security regime is established, and independent regulatory agencies should be established to watch over the cyber-security of that state's nuclear facilities.
Tony Dyhouse, a man with a long history in industrial control systems and current knowledge transfer director at the Trustworthy Software Initiative, told SCMagazineUK.com that while the threat to nuclear facilities is, according to Dyhouse, “very large”, the UK is well equipped to deal with them.
And while the world nuclear has a particular way of causing mass public panic, cyber-security threats to nuclear power will not always be overt. While state actors may try to steal data, ideological warriors like the so-called Islamic State may be interested in causing real damage.
Dyhouse added: “We're lucky in the UK, this was realised very early.” He said nuclear and industrial regulators work with all critical industry in the UK and understand these specific dangers. And the industry, too, is “well aware of the threat" and can fall back on the government for support if needed.
“The problem as is so often the case with cyber-security is getting those concerns to board level." In the grand scheme of things, says Dyhouse, “we are better than most.”