Not with a bang, but a meltdown – Andy Oppenheimer looks at cyber-attacks on nuclear power plants


Attacks by computer hackers on the IT systems of government and commercial organisations have become commonplace, and cybercrime is arguably the fastest growing new crime in the 21st century. Attacking lines of communications and vital infrastructure became a classic military and insurgent tactic in World War II by British Special Operations Executive (SOE) and resistance groups in Europe – and later, terrorist groups, most notably the IRA – set the stage for mass sabotage of infrastructure. With the dawn of digital communications and globalized commerce all countries became inexorably linked and hence, infinitely more vulnerable to infrastructure attack.

And among the most dangerous is a cyber-attack on a nuclear power plant (NPP) or nuclear reprocessing plant such as Sellafield, due to the possible release of radiation from reactors or spent fuel ponds. A cyber-attack by terrorists on NPP systems and back-ups powering reactor cooling systems could trigger a meltdown incident similar to Fukushima Daichi in 2011. According to Director of the International Atomic Energy Agency (IAEA), Gen. Yukiya Amano, in August 2015, “reports of actual or attempted cyber-attacks are now virtually a daily occurrence.”

As a state-launched attack, the Stuxnet worm set back Iran’s nuclear programme in 2009 by instructing 1,000 centrifuges to self-destruct – and has since escaped into programmes in other countries. In March 2015 the South Korean government accused the North Koreans of carrying out cyber-attacks in December 2014 on Korea Hydro and Nuclear Power (KHNP).

Nuclear industry “barely grappled with cyber”

In October 2015 a Chatham House report, Cyber Security at Civil Nuclear Facilities: Understanding the Risks, based on an 18-month study on cyber defences in NPPs, stated that UK’s plants and associated infrastructure “were not well protected or prepared because the industry had converted to digital systems relatively recently.” Based on 30 interviews with senior nuclear officials at plants and in government in Canada, France, Germany, Japan, the UK, Ukraine and the US, the researchers found that risks were compounded by increased digitisation and the industry’s growing reliance on commercial software.

There was a “pervading myth” that computer systems in power plants were isolated from the Internet at large and thought they were immune to the level of cyber-attacks affecting other industries. Virtual networks and other links to the public internet on nuclear infrastructure networks were not known to organization directors. Search engines that sought out critical infrastructure had indexed these links – making it easy for attackers to find ways into networks and control systems.

The report also found the “air gap” between the public Internet and nuclear systems was easy to breach with “nothing more than a flash drive”: Stuxnet infected Iran’s nuclear facilities via this route. Operational NPP technology engineers and cyber security personnel had difficulty communicating and many cyber security personnel were located off site, and many plants lacked preparedness for large-scale attacks outside office hours.

Patricia Lewis, research director of Chatham House’s international security programme, said: “The nuclear industry is beginning – but struggling – to come to grips with this new, insidious threat.” And the report author, Caroline Baylon, added: “Cyber security is still new to many in the nuclear industry. They are really good at safety and, after 9/11, they’ve got really good at physical security. But they have barely grappled with cyber.” There was a “culture of denial” at many nuclear plants, with a standard response from engineers and officials being that because their systems were not connected to the internet, it would be very hard to compromise them.

Accidents will happen…

Past instances of accidental disruption include a 48-hour emergency shutdown in March 2008 in the Hatch NPP near Baxley, Georgia after an engineer installed a software update on a computer designed to synchronize data. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant’s radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.

Later that year the US Government Accountability Office (GAO) issued a scathing report about cyber security weaknesses at the Tennessee Valley Authority (TVA), the USA’s largest public power company and operator of three NPPs, including Browns Ferry, Alabama when a key safety system was overwhelmed with network traffic and nearly led to a meltdown in 2006.

The GAO found that TVA’s Internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems. Computers on TVA’s corporate network lacked security software updates and anti-virus protection, and firewalls and intrusion detection systems on the network were easily bypassed and failed to record suspicious activity.

These incidents were eight years ago, with cyberattacks having mushroomed (pun not intended) since then, along with the rise of ISIL (Daesh, ISIS) and continued operations by al-Qaeda, each equally intent on ‘economic jihad’ – the destruction of Western economies. Taking down a NPP with subsequent collapse of systems and meltdown would be high on their list.

The IAEA has issued guidance to NPP operators, and according to Caroline Baylon “It would be extremely difficult to cause a meltdown at a plant or compromise one.” But she adds: “but it would be possible for a state actor to do, certainly. The point is that risk is probability times consequence. And even though the probability might be low, the consequence of a cyber incident at a nuclear plant is extremely high.”