Today the Government published its 84-page National Cyber Security Strategy (https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021).
It contains several general mentions of Critical National Infrastructure, one background picture of Sellafield, but nothing specific on nuclear at all. Here is what they might have included:
Nuclear security concerns – how secure is the nuclear industry?
Overview of report
This report has been developed by Dr David Lowry, former Director of the European Proliferation
Information Centre in London and a senior research fellow with the Institute for Resource and
Security Studies in Cambridge, USA,
13. Cyber security concerns
Computer systems that help operate nuclear reactors and their safety equipment are isolated from
the internet to protect against outside intrusion. However, the nuclear industry takes measures to
ensure that its nuclear plants are protected from cyber attacks, which in this context are
defined as all efforts to disrupt, deny, degrade, distort or destroy electronic information that
organisations rely upon, store, process and generate.
Although the September 11 terrorist attacks had no cyber component, the nuclear energy industry
took the initiative following those events to implement a cyber security program. The industry
formed a task force, which developed comprehensive guidelines for protecting against cyber
vulnerabilities. The NRC endorsed the industry guidelines in 2005. By May 2008, all operating
nuclear plants had implemented the guidelines voluntarily.
The NRC security rule issued in 2009 required enhancements to cyber security at nuclear power
plants. All companies that operate nuclear plants or seek to license new plants have developed
and submitted plans for cyber security, including requirements pertaining to individuals who have
electronic means to interfere with plant safety, security or emergency preparedness functions or
critical equipment that supports those functions. (36)
A recent example of how cyber attacks can be used against the nuclear industry is
'Stuxnet'. This was a malware program widely believed to have been created by the US
and Israel, which infected a Russian nuclear power plant, according to cyber security expert
Speaking at the Canberra Press Club in Australia in 2013, Kaspersky recounted a story from “the
Stuxnet time” when a friend of his working in an unnamed nuclear power plant reported that the
plant's computers were “badly infected by Stuxnet”. Kaspersky criticized government departments
responsible for engineering cyber-attacks, saying: “They don't understand that in cyberspace,
everything you do - it's a boomerang: it will get back to you.”
The Stuxnet virus was first discovered in June 2010 and was found to specifically target industrial
control systems manufactured by Siemens. The initial target of the virus is widely thought to have
been the centrifuges used in Iran's uranium enrichment program. The country's then-President,
Mahmoud Ahmadinejad, confirmed in November 2010 that Stuxnet had “managed to create
problems for a limited number of our centrifuges.”
Although the goal of the virus was extremely specific, its method of proliferation was indiscriminate
and the code has since been found on computers across the world. According to a report from the
New York Times in 2012, the US administration chose to continue cyber-attacks against Iran even
after the existence of Stuxnet became public. (38)
Discussing the use of cyber-warfare by nation states, Kaspersky said: “They don't understand that
it's possible to shut down power plants, power grids, the international space station. They don't
know what to do.”
Kaspersky also claimed that even the International Space Station (ISS) is not immune to viruses,
although he did not indicate that it was Stuxnet that had made its way onboard. “The space guys
from time-to-time are coming with USBs, which are infected,” said Kaspersky. “I'm not kidding. I
was talking to Russian space guys and they said, 'yeah, from time-to-time there are viruses on the
Although this may sound alarming it is not unprecedented. In 2008, NASA admitted that a virus
designed to steal passwords had found its way on to the Windows laptops being used on the ISS.
"This is not the first time we have had a worm or a virus," said NASA spokesman Kelly Humphries
at the time. "It's not a frequent occurrence, but this isn't the first time."
The virus in question only affected computers used by astronauts for non-essential business such
as email and science experiments, and is widely thought to have been brought on board – as
Kaspersky suggests – with an infected USB stick.
The scale of the problem with cyber security and the nuclear industry is laid bare in a January 2016
report published by the Nuclear Threat Initiative. The study notes that as many as twenty countries
with significant atomic stockpiles or nuclear power plants have no government regulations requiring
minimal protection of those facilities against cyber attacks.
The study considered whether any cyber-protections are required by law or regulation at nuclear
facilities, and whether cyber attacks are included in the assessments of potential threats to the
security of those installations. One question asked whether there were mandated drills and tests to
assess responses to a cyber assault, rather than just a physical attack on the facilities. Amongst the
twenty countries of concern were Argentina, China, Egypt, Israel, Mexico and North Korea.
Due to the secrecy surrounding military nuclear facilities, the report found it impossible to determine
the levels of cyber protection used to protect nuclear weapons in the nine countries known to
possess them. The report concluded that President Obama's global initiative to sweep up loose
nuclear material, which will be the subject of his third and final nuclear security summit meeting this
March, has slowed substantially.
The CEO and former Chairman of the US Committee on Armed Services, Sam Nunn, commented:
“I believe it is fair to say that today we are at a crossroads on nuclear security. When the 2016
Nuclear Security Summit opens, leaders will have important questions to answer: Will they take the
difficult steps needed to better protect against nuclear theft, attack, and sabotage? Will they work
together to build the global architecture needed to protect against catastrophic nuclear terrorism?
Will they sustain the momentum that the summit process created? Because the consequences of an
act of nuclear terrorism would reverberate around the globe, leaders also have an obligation to work
together. We are in a race between cooperation and catastrophe, and the world’s leaders must run
In considering the United States' 'perfect' cyber security score in the NTI report, Dr Edwin Lyman,
Senior Scientist of the Union of Concerned Scientists, commented that the US Nuclear Regulatory
Commission (NRC) does not require nuclear fuel production facilities, some possessing bomb-usable
materials, to have comprehensive programs to protect against cyber attack. The NRC is
working on such a rule, but it may not be in place for years. Meanwhile, the Nuclear Energy Institute,
the United States nuclear industry's chief trade association, questions the need for such a
requirement, maintaining that voluntary industry efforts will suffice. The institute has also petitioned
the NRC to weaken cyber security rules already on the books for nuclear power plants. Dr Lyman
argues the US Government cannot lecture other nuclear states on such matters unless it resolves
The Spring 2016 issue of Cyber Security Review (pp. 59-64) discusses how the Israeli government remotely disabled the radar system that protected a secret Syrian nuclear facility using a cyber attack in Operation Orchid (“Apoc@(SIC)lypse: the end of the antivirus. When the antivirus is the threat”), before destroying it in an aerial attack using bomber aircraft (“The Silent Strike: How Israel bombed a Syrian nuclear installation and kept it secret”, The New Yorker, Annals of War, September 17, 2012, http://www.newyorker.com/magazine/2012/09/17/the-silent-strike).
13. Chatham House cyber and nuclear security study
The independent UK think-tank Chatham House published its own study on international cyber
security and nuclear security at civil nuclear facilities in October 2015. It also concluded that the risk
of a serious cyber attack on civil nuclear infrastructure is growing, as facilities become ever more
reliant on digital systems and make increasing use of commercial 'off-the-shelf' software.
The report found that the trend to digitization, when combined with a lack of executive-level
awareness of the wider risks involved, could lead to nuclear plant personnel being unaware of the
full extent of their cyber vulnerability. They could then be inadequately prepared to deal with potential
Specific findings included:
· The conventional belief that all nuclear facilities are 'air gapped' (isolated from the public internet)
is a myth. The commercial benefits of internet connectivity mean that a number of nuclear
facilities now have VPN (virtual private network) connections installed, which facility operators
are sometimes unaware of.
· Search engines can readily identify critical infrastructure components with such connections.
· Even where facilities are air gapped, this safeguard can be breached with nothing more than a
· Supply chain vulnerabilities could mean that equipment used at a nuclear facility risks
compromise at any stage.
· A lack of training, combined with communication breakdowns between engineers and security
personnel, means that nuclear plant personnel often lack an understanding of key cyber security
· Reactive rather than proactive approaches to cyber security contribute to the possibility that a
nuclear facility might not know of a cyber attack until it is already substantially under
In the light of these risks, the report outlines a blend of policy and technical measures that will be
required to counter the threats and meet the challenges:
· Developing guidelines to measure cyber security risk in the nuclear industry, including an
integrated risk assessment that takes both security and safety measures into account.
· Engaging in robust dialogue with engineers and contractors to raise awareness of the cyber
security risk, including the dangers of setting up unauthorized internet connections.
· Implementing rules, where not already in place, to promote good IT hygiene in nuclear facilities
(for example to forbid the use of personal devices) and enforcing rules where they do exist.
· Improving disclosure by encouraging anonymous information sharing and the establishment of
industrial CERTs (Computer Emergency Response Team).
· Encouraging universal adoption of regulatory standards.
Everyone should be alarmed by these specific findings and we should strongly encourage the UK and international
nuclear industry, with support from government and the nuclear regulators, to urgently implement the
recommendations of the Chatham House report.
There is a lack of clarity in the nuclear sector as to the threats from cyber systems.
(Source: NFLA Briefing No 140, Nuclear security)