The FINANCIAL — The first indication that something was amiss came at 9 a.m. on Saturday, January 25, 2003. Workers at the Davis-Besse nuclear power plant, in Ohio, noticed a slowdown in applications on the corporate WAN.
Little did they know a worm called SQL Slammer was hammering the network. And things were about to get worse. By 4 p.m. the malware had gotten into the systems used to control the reactor, according to Cisco.
The Safety Parameter Display System, which tells operators about the state of the plant, blinked off at 4:50 p.m. Twenty-three minutes later the Davis-Besse Plant Process Computer crashed. Fortunately, the reactor itself was offline for repairs. It took several hours to restore the systems.
An isolated case? Sadly not. Davis-Besse was one of the first cyber-related events suffered by a nuclear power plant, but is not the only one.
Although firm numbers are hard to come by, nuclear plants around the world have suffered at least half a dozen significant IT breaches in recent years.
These include the Stuxnet malware that targeted and damaged a fifth of the nuclear centrifuges in Iran and a hacker who stole plant blueprints in Korea.
The dangers are growing every day, says the U.K.’s Royal Institute of International Affairs (‘Chatham House’) in a report called Cyber Security at Civil Nuclear Facilities.
“The cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, which offers considerable cost savings but increases vulnerability to hacking attacks,” it says.
What should plant operators do to meet this challenge? Here are six measures recommended by Chatham House, plus one from an independent source.
1. Assess the cyber risks and opportunities.
Chatham House believes the nuclear industry should develop guidelines to measure cyber-security risks, because not knowing the size of the problem makes it difficult for security vendors to invest in sector-specific protection.
Promoting cyber insurance, along with risk assessment, could be “an effective way to drive the process of implementing change,” it says.
2. Address human factors in cyber security.
“Those controls that rely on human actions and require human interaction are the most prone to failure,” says Jane LeClair, senior advisor at Excelsior College’s National Cybersecurity Institute.
“Shortfalls in human performance can be addressed through continuous staff training, reinforcement of performance standards and continuous monitoring of the effectiveness of cyber controls currently in place.”
3. Share information.
One of the problems in cyber-securing nuclear power plants is the paucity of data concerning the threats they face. Plant operators are understandably concerned about admitting to cyber attacks, but keeping quiet does little to deal with the challenge.
Chatham House says it is important for regulators to reassure plant operators that they will not be penalized for owning up to security breaches.
4. Develop international policy.
The nuclear industry already has a good record of international cooperation and this should be extended to cover cyber security. The most obvious body to lead this is the International Atomic Energy Agency, which already lays down the guidelines for physical security in plants.
5. Improve communications.
One barrier to improved cyber security is that the people who built most of the world’s nuclear power plants did so before the concept of ‘cyber crime’ even existed.
Today there is still not much common ground between nuclear technicians and IT experts, which makes it hard for both sides to work together on protection.
6. Strive for security by design.
In the United States, LeClair says: “Most information and control system cyber security defensive controls are described in the Nuclear Energy Institute Cyber Hardening standards and National Electric Reliability Council standards.
“The technical and operational safeguards are fairly robust and when implemented properly provide very strong levels of multi-layered protections.”
7. Watch out for data integrity.
As parts of power plants become integrated into the Internet of Things there is a pressing need to make sure operators can track the integrity of their data, says Jason Hart, vice president of cloud solutions at the digital security firm Gemalto.
“The breaches to date, such as Stuxnet, have all been about integrity,” he says. “How do you make sure your data has not been tampered with by a manufacturer, a consumer, a user, a cloud host, or a third-party developer?”