Outdated management views on security practices leave nuclear power plants unprotected against hackers

Oct 5, 2015 11:52 GMT  ·  By

Nuclear power plants are deploying modern digital systems into their architecture but are still run by managers with an outdated view of cyber-security.

This is the conclusion of a recent Chatham House report, based on interviews with 30 nuclear power experts from the roughly 30 countries that deploy such facilities in their national grids.

The study found that, even though nuclear power plants are supposed to be "air gapped" systems, technology and the Internet have caught up with them in recent years: many facilities now have VPN connections in place, and in some cases sensitive equipment can be found online with device search engines such as Shodan.

Even where a system is truly air gapped, the study documents poor security practices that make infection via removable media, such as USB flash drives, easy.

Additionally, the globalization of the manufacturing industry means that most of a nuclear power plant's components pass through countless intermediaries before they arrive at the construction site or at the plant itself, and malware can be introduced at any of those points in the supply chain.

As always, management is to blame for the wrong approach towards cyber-security

The situation is made worse by the fact that personnel in these facilities often do not communicate with each other, and management tends to neglect cyber-security measures, following an outdated security model put in place in the 1960s and 1970s.

"Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way," the report says.

The report highlights this with a series of seven past incidents that show how insecure power plants can really be.

Past nuclear power plant incidents

Power plant | Year | Incident outcome
Ignalina, Lithuania | 1992 | A technician intentionally introduced a virus into the industrial control system to highlight security vulnerabilities.
Davis-Besse, USA | 2003 | Slammer worm infection of the plant's Microsoft SQL Server 2000 database server.
Browns Ferry, USA | 2006 | Excess network traffic caused a malfunction of both the reactor recirculation pumps and the condensate demineralizer controller, which were connected to the same network.
Hatch, USA | 2008 | A software update caused a general power plant shutdown.
Natanz and Bushehr, Iran | 2010 | The Stuxnet worm infected both the Natanz nuclear facility and the Bushehr nuclear power plant, partially destroying around 1,000 centrifuges at Natanz.
Unknown location, Russia | 2010 | Eugene Kaspersky, founder and CEO of Kaspersky Lab, said that a power plant in Russia was also affected by the Stuxnet worm.
Korea Hydro and Nuclear Power Co., South Korea | 2014 | Using phishing emails, hackers infiltrated the commercial network of Korea Hydro and Nuclear Power Co., which operates 23 of South Korea's nuclear reactors, and stole data from it.

Some of these incidents predate the era of widespread Internet usage, which supports the report's point that isolation from the Internet alone does not protect a plant against insiders or infected removable media.

There is a clear need to reevaluate the current state of security measures inside power plants, but, as is usual in these cases, bureaucracy and sensitive international relations stand in the way of progress.

The full Chatham House report is an interesting read and worth looking at yourself.