Nuclear Facilities Face Typical Security Challenges

17 November 2015

Amethyst’s Mark Chown investigates

 

Any type of security event at a Nuclear Facility can have very grave consequences, but an event that compromises the operation of the IT systems that control the industrial equipment is probably going to be viewed as critical.  It would therefore be easy to assume that cyber security at all nuclear facilities is well managed and of the highest order, ably meeting the cyber challenges that many less critical organisations routinely encounter. 

However, when Chatham House undertook an 18 month project to review cyber security across the international nuclear industry which culminated in an enlightening report {1}  published in October 2015, it suggested that the nuclear industry is encountering a number of challenges of which most, if not all, will be familiar to other sectors.

The authors, led by Caroline Baylon, recognise that the nuclear environment may have traditionally relied upon an air-gapped architecture, a model that has been eroded with the increasing interconnectivity of industrial systems to the corporate network and the outside world.  However,  even when interconnectivity is minimised, the authors reference the potential ease with which a nuclear facility, even if truly air-gapped, can be compromised citing the propagation of the Stuxnet worm in 2010. 

The Stuxnet code was reportedly introduced onto an Iranian nuclear plant IT system using a USB stick.  The code had been developed to deliberately target and compromise a specific make and model of control system which resulted in the partial destruction of around 1,000 nuclear centrifuges.

The trend for increasing interconnectivity of nuclear industrial systems is representative of the change in many organisation’s IT architecture where Digital, Cloud and Mobility have forced a move away from a fortress network topology.  This transition from a relatively simple architecture where security was focused on the network perimeter to complex homogenous system with multiple access points has been, and still is, a challenge to secure effectively.  These type of risks are known and common across industry; the difference is the potential impact and the increased risk of using legacy industrial systems that were not designed to combat today’s cyber threats.

The report also discusses the changing and increasing threat to nuclear facilities and the growth in availability of exploit kits to those wanting to do harm.  This also mirrors what is being played out in society in general and whilst the threat actors and motivation may differ for less critical industries, all organisations are increasingly vulnerable due to the commoditisation of cyber hacking tools.

As you read through the report, there are many other familiar themes that will resonate across  industry including:

The Human Factor – nuclear plant personnel not fully understanding the risks

The Insider Threat – infiltration of the workforce by potential attackers

Limited Collaboration – a reluctance by nuclear bodies to share incident data and collaborate in the cyber realm

                Insufficient Cyber Investment – Cyber Security spend is not considered a priority

                Cyber Risk Assessment – Potentially inadequate and an underestimate

                Cultural challenges – Friction between security and operational personnel

                Incident Response – Lack of preparedness

                Insecure by design – Legacy industrial control systems were never designed with security in        mind

                Supply Chain – vulnerabilities could be introduced by the Supply Chain

There are some identified challenges that whilst not unique to the nuclear industry, are more pronounced or critical due to the nuclear setting, but overall it appears that nuclear industry now finds itself thrust into the same cyber arena that most organisations have encountered for a number of years albeit with more determined threat actors and far more worrying outcomes.

{1} The Chatham House Report can be accessed here:

https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks

 

Contact us for more information


<< Back to Latest News items