Today the Government published its 84-page National Cyber Security Strategy (https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021). It contains several general mentions of Critical National Infrastructure and one background picture of Sellafield, but nothing specific on nuclear at all. Here is what they might have included:
Nuclear security concerns – how secure is the nuclear industry?
Overview of report
This report has been developed by Dr David Lowry, former Director of the European Proliferation Information Centre in London and a senior research fellow with the Institute for Resource and Security Studies in Cambridge, USA,
13. Cyber security concerns
Computer systems that help operate nuclear reactors and their safety equipment are isolated from the internet to protect against outside intrusion. However, the nuclear industry takes measures to ensure that its nuclear plants are protected from cyber attacks, which in this context are defined as all efforts to disrupt, deny, degrade, distort or destroy electronic information that organisations rely upon, store, process and generate.
Although the September 11 terrorist attacks had no cyber component, the nuclear energy industry took the initiative following those events to implement a cyber security program. The industry formed a task force, which developed comprehensive guidelines for protecting against cyber vulnerabilities. The NRC endorsed the industry guidelines in 2005. By May 2008, all operating nuclear plants had implemented the guidelines voluntarily.
The NRC security rule issued in 2009 required enhancements to cyber security at nuclear power plants. All companies that operate nuclear plants or seek to license new plants have developed and submitted plans for cyber security, including requirements pertaining to individuals who have electronic means to interfere with plant safety, security or emergency preparedness functions or critical equipment that supports those functions. (36)
A recent example of how cyber attacks can be used against the nuclear industry is ‘Stuxnet’. This was a malware program widely believed to have been created by the US and Israel, which infected a Russian nuclear power plant, according to cyber security expert Eugene Kaspersky.
Speaking at the Canberra Press Club in Australia in 2013, Kaspersky recounted a story from “the Stuxnet time” when a friend of his working in an unnamed nuclear power plant reported that the plant’s computers were “badly infected by Stuxnet”. Kaspersky criticized government departments responsible for engineering cyber-attacks, saying: “They don’t understand that in cyberspace, everything you do - it’s a boomerang: it will get back to you.”
The Stuxnet virus was first discovered in June 2010 and was found to specifically target industrial control systems manufactured by Siemens. The initial target of the virus is widely thought to have been the centrifuges used in Iran’s uranium enrichment program. The country’s then-President, Mahmoud Ahmadinejad, confirmed in November 2010 that Stuxnet had “managed to create problems for a limited number of our centrifuges.”
Although the goal of the virus was extremely specific, its method of proliferation was indiscriminate and the code has since been found on computers across the world. According to a report from the New York Times in 2012, the US administration chose to continue cyber-attacks against Iran even after the existence of Stuxnet became public. (38)
Discussing the use of cyber-warfare by nation states, Kaspersky said: “They don’t understand that it’s possible to shut down power plants, power grids, the international space station. They don’t know what to do.”
Kaspersky also claimed that even the International Space Station (ISS) is not immune to viruses, although he did not indicate that it was Stuxnet that had made its way onboard. “The space guys from time-to-time are coming with USBs, which are infected,” said Kaspersky. “I'm not kidding. I was talking to Russian space guys and they said, ‘yeah, from time-to-time there are viruses on the space station.’”
Although this may sound alarming it is not unprecedented. In 2008, NASA admitted that a virus designed to steal passwords had found its way on to the Windows laptops being used on the ISS. “This is not the first time we have had a worm or a virus,” said NASA spokesman Kelly Humphries at the time. “It’s not a frequent occurrence, but this isn’t the first time.”
The virus in question only affected computers used by astronauts for non-essential business such as email and science experiments, and is widely thought to have been brought on board – as Kaspersky suggests – with an infected USB stick.
The scale of the problem with cyber security and the nuclear industry is laid bare in a January 2016 report published by the Nuclear Threat Initiative. The study notes that as many as twenty countries with significant atomic stockpiles or nuclear power plants have no government regulations requiring minimal protection of those facilities against cyber attacks.
The study considered whether any cyber-protections are required by law or regulation at nuclear facilities, and whether cyber attacks are included in the assessments of potential threats to the security of those installations. One question asked whether there were mandated drills and tests to assess responses to a cyber assault, rather than just a physical attack on the facilities. Amongst the twenty countries of concern were Argentina, China, Egypt, Israel, Mexico and North Korea.
Due to the secrecy surrounding military nuclear facilities, the report found it impossible to determine the levels of cyber protection used to protect nuclear weapons in the nine countries known to possess them. The report concluded that President Obama’s global initiative to sweep up loose nuclear material, which will be the subject of his third and final nuclear security summit meeting this March, has slowed substantially.
The CEO and former Chairman of the US Committee on Armed Service, Sam Nunn, commented: “I believe it is fair to say that today we are at a crossroads on nuclear security. When the 2016 Nuclear Security Summit opens, leaders will have important questions to answer: Will they take the difficult steps needed to better protect against nuclear theft, attack, and sabotage? Will they work together to build the global architecture needed to protect against catastrophic nuclear terrorism? Will they sustain the momentum that the summit process created? Because the consequences of an act of nuclear terrorism would reverberate around the globe, leaders also have an obligation to work together. We are in a race between cooperation and catastrophe, and the world’s leaders must run faster”.
In considering the United States’ ‘perfect’ cyber security score in the NTI report, Dr Edwin Lyman, Senior Scientist of the Union of Concerned Scientists, commented that the US Nuclear Regulatory Commission (NRC) does not require nuclear fuel production facilities, some possessing bomb-usable materials, to have comprehensive programs to protect against cyber attack. The NRC is working on such a rule, but it may not be in place for years. Meanwhile, the Nuclear Energy Institute, the United States nuclear industry’s chief trade association, questions the need for such a requirement, maintaining that voluntary industry efforts will suffice. The institute has also petitioned the NRC to weaken cyber security rules already on the books for nuclear power plants. Dr Lyman argues the US Government cannot lecture other nuclear states on such matters unless it resolves this issue.
The Spring 2016 issue of Cyber Security Review (pp 59-64) discusses how the Israeli government remotely disabled the radar system that protected a secret Syrian nuclear facility using a cyber attack in Operation Orchid, before destroying it in an aerial attack using bomber aircraft. (“Apoc@(SIC)lypse: the end of the antivirus. When the antivirus is the threat.”; “The Silent Strike: How Israel bombed a Syrian nuclear installation and kept it secret”, http://www.newyorker.com/magazine/2012/09/17/the-silent-strike, The New Yorker, Annals of War, September 17, 2012)
13. Chatham House cyber and nuclear security study
The independent UK think-tank Chatham House published its own study on international cyber security and nuclear security at civil nuclear facilities in October 2015. It also concluded that the risk of a serious cyber attack on civil nuclear infrastructure is growing, as facilities become ever more reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software.
The report found that the trend to digitization, when combined with a lack of executive-level awareness of the wider risks involved, could lead to nuclear plant personnel being unaware of the full extent of their cyber vulnerability. They could then be inadequately prepared to deal with potential attacks.
Specific findings included:
· The conventional belief that all nuclear facilities are ‘air gapped’ (isolated from the public internet) is a myth. The commercial benefits of internet connectivity mean that a number of nuclear facilities now have VPN (virtual private network) connections installed, which facility operators are sometimes unaware of.
· Search engines can readily identify critical infrastructure components with such connections.
· Even where facilities are air gapped, this safeguard can be breached with nothing more than a flash drive.
· Supply chain vulnerabilities could mean that equipment used at a nuclear facility risks compromise at any stage.
· A lack of training, combined with communication breakdowns between engineers and security personnel, means that nuclear plant personnel often lack an understanding of key cyber security procedures.
· Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.
In the light of these risks, the report outlines a blend of policy and technical measures that will be required to counter the threats and meet the challenges:
· Developing guidelines to measure cyber security risk in the nuclear industry, including an integrated risk assessment that takes both security and safety measures into account.
· Engaging in robust dialogue with engineers and contractors to raise awareness of the cyber security risk, including the dangers of setting up unauthorized internet connections.
· Implementing rules, where not already in place, to promote good IT hygiene in nuclear facilities (for example to forbid the use of personal devices) and enforcing rules where they do exist.
· Improving disclosure by encouraging anonymous information sharing and the establishment of industrial CERTs (Computer Emergency Response Team).
· Encouraging universal adoption of regulatory standards.
Everyone should be alarmed by these specific findings and we should strongly encourage the UK and international nuclear industry, with support from government and the nuclear regulators, to urgently implement the recommendations of the Chatham House report.
There is a lack of clarity in the nuclear sector as to the threats from cyber systems.
(Source: NFLA Briefing No 140, Nuclear security)