As governments and industries try to understand the ever-evolving landscape of cyber threats to civilian nuclear power plants, it is becoming clear that property and information are not the only assets at stake. Public confidence is also at risk.
The steady stream of news about massive hacking of government and corporate systems has stoked public anxiety over how protected we truly are in the face of a cyber adversary. Companies in many sectors of the economy are feeling pressure to showcase that they have done all they can to implement reasonable cybersecurity measures to reduce system vulnerabilities.
We are seeing an ominous trend of cyberattacks targeting critical infrastructure, intended not only to inflict large losses but also to disrupt daily life and sow public discord. Hacks of the Ukrainian power grid last year caused multiple blackouts. A cyber attack on the industrial control system of a German steel mill resulted in what one report called “massive physical damage.” Cyber security experts fear that these are nascent versions of the future of warfare and terrorism.
Earlier this year, the Saudi Arabia Computer Emergency Response Team issued a warning about the resurgence of a variant of the Shamoon virus that in 2012 attacked Saudi Aramco, the world’s largest oil company, deleting data from thousands of its computers. Targeting large-scale, high-profile companies that provide critical services to the public could be a test bed for more complex and nefarious attacks in the future.
The world has already seen, for example, what a sophisticated attack on a nuclear facility could do. The Stuxnet virus damaged thousands of centrifuges at Iran’s Natanz enrichment facility, impeding Iran’s ability to operate its nuclear program.
While Stuxnet is one of the most technically complex malware developed to date, other actors – both state and non-state – could eventually conduct similar cyberattacks across the digital supply chain.
Less sophisticated incidents include the Slammerworm that found its way into Ohio’s Davis-Besse Nuclear Power Station in 2003 and the theft of nuclear facility blueprints from Korea Hydro and Nuclear Power Co. in 2014. Cyberattacks can increasingly be contracted out. The commoditization of malware lowers the barriers of entry for those less technically capable.
Even a large-scale cyberattack that does not result in a radiological release can still cause catastrophic third-party damages, posing a legal conundrum for the nuclear power plant operator. Without a radiological release, existing international nuclear liability regimes – which hold the operator strictly liable but generally limit the amount it has to pay – would not apply. In such a scenario, the operator could find itself navigating a situation outside the scope of the liability regimes, potentially facing negligence charges for not properly securing the facility’s information technology systems. Moreover, such an incident would inflict profound damage to the facility’s reputation and undercut the nuclear industry’s argument that nuclear is a responsible and clean energy source.
To maintain public trust, the nuclear industry – facility operators in particular – must take the initiative to demonstrate sufficient due diligence in effectively defending their systems from an attack. This does not necessarily involve investing in a new cybersecurity widget or spending a great deal more on operations. Rather, industry should strive for good governance and be transparent with the public on how it is doing.
Good governance means not only that facilities meet baseline compliance with domestic regulatory frameworks, but also that they strive above and beyond compliance. The nuclear industry needs to show that it fosters a strong security culture and continuously reassesses whether good cybersecurity policies are integrated at all levels of the workforce.
Numerous cybersecurity frameworks have been developed at national and international levels – for example, the U.S. National Institute of Standards and Technology (NIST) and the European Union’s Network and Information Systems (NIS) Directive – as well as international guidelines on cybersecurity in nuclear facilities. An industry-led governance approach to security could go a long way toward proving that companies are taking the problem seriously rather than merely answering to compliance checklists.
Top-down good governance from company executives – and the security culture that it begets – is critical to reducing human error and process failures typically attributed to the lack of employee understanding of cyberthreats, as well as preventing malicious insider threats. During the 2016 Nuclear Industry Summit, several companies proposed a potential industry-led framework to demonstrate good governance. Many industry leaders have expressed support to build upon this initial draft. The nuclear industry should continue to champion the development of a good governance framework and engage the public on its adoption by building this security initiative into their corporate social responsibility reports.
There is no magical equation to determine what is enough cybersecurity. There is no way any organization can perfectly protect its computers and control systems from all kinds of cyberthreats. But it is crucial that industry strive for the best defenses and management approaches.
It is in industry’s best interest to adopt a governance framework that demonstrates due diligence. While the public may not necessarily care about the intricacies of a nuclear reactor’s cybersecurity policies, people will pay attention to the decision-making processes that ensure that the facility remains secure and provides uninterrupted power to communities.
At a time of growing public distrust in civilian nuclear power and a great yearning for retribution when things go awry, industry responsibility is no longer measured by mediocrity and minimum standards, but by excellence and accountability.