February 16, 2016
Once the stuff of dramatic headlines in an increasingly digitized world, cyber attacks today have become alarmingly routine. From the banking and aviation industries to governments around the world, cyber hackers have compromised security systems, gained access to top-secret information and caused billions of dollars worth of damage. The malicious Stuxnet computer worm unleashed against Iran in 2010, made it clear that even nuclear programs are vulnerable to cyber sabotage.
Yet despite ample evidence that cyber attacks are on the rise, many states have far too few protections in place – and the consequences could be catastrophic.
The 2016 NTI Nuclear Security Index, published in January, found that 20 nations with significant stockpiles of weapons-usable nuclear materials or certain types of nuclear facilities such as power plants have no laws or regulations to protect against cyber attacks at nuclear facilities. Just 13 of the 47 countries assessed for their cybersecurity efforts received perfect scores. However, even among those high-scoring nations, significant security gaps remained, such as a no clear inspection procedures to ensure compliance with their cyber security laws or regulations.
The world’s failure to develop effective cyber protections and defenses in this area has not resulted in a catastrophe, so far. However, Dr. Page Stoutland, vice president of scientific and technical affairs at NTI, thinks such luck is unlikely to continue unless cyber security efforts improve dramatically.
“Today, not only is the cyber threat increasing, but nuclear facilities are becoming increasingly digitized, particularly as new nuclear facilities are built,” he says. “As a result, the possibility of a major safety or security incident is becoming more acute.”
If the threat of cyber attack is so urgent, why are countries so far behind?
The Challenges of Cyber Security
The ever-evolving complexity of digital systems – such as those in nuclear facilities – is a major hurdle to defending against cyber attacks. Today, nuclear facilities rely upon hundreds of automated digital systems, many of which are built upon legacy systems that were designed well before today’s cyber threats emerged.
Meanwhile, barriers to cyber attacks continue to fall.
“Today, cyber-criminals don’t have to be cyber geniuses,” says Alan Brill, senior managing director at Kroll, a leading information and intelligence management company. On the black market, hackers can be hired and entire computer networks can be rented in order to execute attacks. Thanks in part to these plug-and-play technologies, demand for cyber-criminals continues to grow. “Criminal organizations and terrorist groups, not to mention nation-state operators, are actively recruiting [hackers] and seem to have great success,” says Brill.
Charting a Path Forward
Within the nuclear industry, the expert knowledge needed to counter the growing cyber threat is in short supply, says Stoutland. The relatively few cyber-nuclear experts that do exist are concentrated in the United States and a few other countries. This means that most countries—including many seeking nuclear power—simply do not have in-country expertise in this field. Governments, international organizations such as the International Atomic Energy Agency, and nuclear operators are working to strengthen cyber security at nuclear facilities, but much more is needed.
- Countries must strengthen relevant laws and regulations so that cyber security is required at nuclear facilities, and assessments must be performed to ensure implementation.
- Nuclear facilities must look at cyber security from a strategic point of view, and embed cyber security in the processes and procedures so that it’s treated on par with nuclear safety.
- Given the global technical capacity challenges, mechanisms must be developed to allow countries and facilities to share expertise so that there are no weak links when it comes to cyber defense.
Experts agree the time for action is now. The threat of cyber attack will continue to grow as the world becomes increasingly reliant upon digital systems.
“There is no easy answer to the cyber threat,” says Stoutland, “but given the potential consequences, policy makers and political leaders must do more.”