A new 18-month long Chatham House study, published on October 5, 2015, on the cyber security of nuclear power plants
concluded that the majority of these plants around the world are not prepared to defend themselves against a cyber-attack.
The study found a lack of security protocols at these plants, as many control systems for the civil nuclear infrastructure were “insecure by design.” The report identifies several additional risks, such as a lack of regulatory standards, controls, and proper monitoring which are necessary to maintain secure networks.
It has been believed that keeping the computer systems of these nuclear plants separate from the public internet is enough to consider them protected. However, the report asserts that this gap between the system and the internet is not enough to properly secure the system, and that this “air-gap” can be breeched with “nothing more than a flash drive”. Similarly, many of these cyber networks contain links to the public internet, making the network easily accessible to hackers.
A cyber-attack on these systems can lead to the release of radiation and therefore result in tremendous amounts of danger and harm. The report recommends regular and thorough risk assessments; an increase in training; greater funding to the International Atomic Energy Association (IAEA) to enable more support of developing country nuclear programs; better communication between nuclear and cyber security professionals; and ensuring “security by design” in the inception of control systems. The Chatham House review suggests industry stakeholders work on a strategic level to establish a comprehensive plan to address the problems and mitigate these risks.