Is the nuclear industry protected from cyberattacks?
It the current world situation, it seems that nuclear power plants, like any other critical infrastructure, are more vulnerable than ever to cyberattacks. The situation is rather dim – it is indicated that this is the second-highest level of threat.
The usual long-held notion was that the nuclear industry is highly protected from cyber intrusion. But, the situation has changed nowadays mainly due to digitalization – there is rather much more cyber threat exposure.
The threats have shifted from psychical plan attacks to attacks via third parties and other innovative methods. Due to that, nuclear organizations need to integrate with the broader companies and to provide several layers of defense.
Today’s nuclear cybersecurity programs have to be all-inclusive – to build in all the elements – including the regulatory, technical and human/organizational ones. This is the way to provide multi-layered defense systems.
What made such a stir and ensued panic was the nuclear attack on a power plant in India last year, in which a malware infiltrated the nuclear administrative system but did not affect the control apparatus. It seemed that the “air gap” strategy is far from impenetrable. What is air gapping? It is a situation in which the control system is not connected to the business network of the nuclear plant or the Internet. However, this system has several flaws: the human factor is the first one since insiders can intentionally insert malware into computers through any infected USB, then any kind of new technologies may be able to “jump” the air gap, and finally, computers run on software and any new software updates may be infected before uploading.
Every attack on the nuclear plant’s administrative network poses an indirect risk. For instance, data gained about nuclear workers may expose them to some kind of manipulation.
According to the Nuclear Regulatory Commission, there are two ways in which nuclear power plants can prepare:
- Security experts at nuclear organizations should have a higher focus on cybersecurity and should have the needed amount of training
- The performance measures which analyze cybersecurity preparedness need to be highly developed.
There are countries around the world in which nuclear power plants made or are to make the appearance for the first time. For example, India has had 50 years of experience in managing nuclear organizations yet fallen prey to the cyberattack, so the real question is: how would all the new countries cope with threats? Furthermore, any kind of big nuclear cyber attack can also have a global impact.
What is the solution? It is true that the cyberattacks are growing every day and are happening even on a daily basis but the nuclear facilities should have the quickly evolving defense systems too. They should prepare through response plans that would enable nuclear workers to fight the attack if needed, through response plans. What do those plans include? First of all, radiation protection. The level of protection should be that high that the most vulnerable organs and tissues should be protected first. If it is done like this, it will lower the vulnerability to Acute Radiation Sickness and possible death.
There is also a major issue of whether or not are the countries prepared for the attacks. As seen in the India case, this question must be raised. According to cybersecurity major Symantec, India is among the top three countries in the world after the US and China when it comes to phishing and malware attacks. What is wrong in this case is that Indians still prefer to use pirated software. And it is a widely known notion that hackers exploit vulnerabilities in the software and without the frequent patches that the developers send – any kind of computer will be a sitting duck.
Furthermore, most of the Indian companies do not invest in quality people yet rather lean on anti-viruses only, so it is a big fault in itself. The companies lack a proper cybersecurity framework – and even if they have one – there is a constant need for training and awareness.
Estonia, for example, has quite a few lessons to offer. It is one of the most digitalized countries in the world, and all government services are delivered online, with almost 99% of the banking transactions are done digitally. In 2007, a DDoS attack happened to 58 Estonian websites. The only way was for the country to cut itself off from the rest of the Internet, and it worked well as a way of defense. Since then, Estonia has built strong intrusion detection and protection systems, put in a place a central system for monitoring, reporting and resolving cyber incidents, etc. It also became proactive in cybersecurity.
This a wise lesson for many countries and organizations, including India.
Every organization should invest in building a good security infrastructure, a good system that will work in any kind of situation and be prepared to carry with any kind of attack. It is not a guarantee that cyberattacks if they happen, may not damage the nuclear organizations, but it is a proper strategy to fight them off and to reduce potential high risks.