Nuclear power stations underestimate risk of cyber attack

Nuclear installations must be prepared for physical and cyber attacks. [Tim Collins/Flickr]

Protecting nuclear installations may appear to be a largely physical issue, but Chatham House has published a report highlighting the growing cyber threat to the nuclear industry. Journal de l’Environnement reports.

In a 50-page report, Chatham House (officially known as the Royal Institute of International Affairs) explained how the risks faced by the operators of nuclear power stations, enrichment facilities and other nuclear installations grow in line with the digitalisation of the sector.

No system is an island

For the report’s authors, Caroline Baylon, David Livingstone and Roger Brunt, the common perception that nuclear installations are isolated from the public internet is a “myth”. Many nuclear installations have private networks installed, sometimes without the knowledge of the operator, and search engines can identify parts of the infrastructure that are connected to the internet. For a hacker, finding and exploiting the weaknesses of certain systems can be fairly simple.

The report’s authors also warned of the risks of underestimating the cyber risk posed by lax security on internal systems. In 1992, a technician at the Ignalina power station in Lithuania introduced a virus into the control system of one of the two RBMK reactors (the type at the Chernobyl power station).

More recently, in January 2003, a virus from the FirstEnergy Nuclear company’s computer system infected the computers at the Davis-Besse nuclear power station in Ohio. For five hours, the operators of the American power station were unable to access data on the pressure and temperature within the reactor. Fortunately, the reactor was not active at the time.


Iranian enrichment plant

But the most famous example of a cyber-attack in the nuclear sector is still the infection of the computer systems at Iran’s Natanz enrichment plant and Bushehr nuclear power station by the Stuxnet worm in the 2000s. Supposedly developed by Israeli and American specialists to slow down Iran’s nuclear enrichment programme, this virus sabotaged Iran’s enrichment facilities in what was made to look like a series of accidents.

Is France ready for an attack?

Philippe Dupuy, the head of safety for nuclear installations at the French Institute for Radiological Protection and Nuclear Safety (IRSN), told the Journal de l’Environnement that he saw “only generalisations and nothing new” in the Chatham House report. He did acknowledge that the threats described were real, but he insisted France was prepared. “The legislation exists, the requirements are strong, and so are the computer systems, the software and the networks,” Philippe Dupuy said.

This may be true, but the Chatham House report also highlighted the unwillingness of the nuclear industry to recognise the cyber risk. It is easy for nuclear operators to assume they are sheltered from attack by the fact that their computer systems are, ostensibly, isolated and specific to the nuclear industry.

The International Energy Agency (IEA) has also tried to increase awareness of the cyber risk in the nuclear sector. In 2011, the IEA published a very basic guide to computer security at nuclear facilities, but the message was not well received by everyone, and it is currently being revised.

This article appeared on EURACTIV France.
