Fig. 1: This is an example of a control system at the San Onofre Nuclear Generating Station in 1968. It demonstrates the elaborate system of dials, gauges and colored lights notifies the operators instantaneously of any deviation from normal conditions. The control system is incredibly complex. (Source: Wikimedia Commons) |
2016 brought awareness to many social, political, and technical issues. Yet arguably, one of the biggest revelations of 2016 is how important cyber security is in the technical age. As our lives increasingly move online it is important to understand how to protect our information from malicious actors. Cyber attacks are no longer amateurs testing their skills, they often involve professionals or multiple states on an international level. As President Barack Obama said in his 2015 State of the Union Address, "No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets... We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism." [1] Cyber security is an international policy tool. The nuclear energy sector is no exception. Attacks like the Stuxnet of 2010 and Slammer worm of 2003 demonstrate a history of interest in disturbing this industry. [2,3] Cyber security impacts the ability to manage, access, store and process data received from physical and chemical processes that occur in a nuclear facility. [4] It is important to know the risks and the vulnerabilities of a system, in order to properly protect it. This paper will explore how cyber security plays a role in protecting and disrupting nuclear energy.
An increasing number of control systems for infrastructures like the ones used at a nuclear power station use specialized hardware that is integrated with computer networks. (Fig. 1) The benefit is that it makes management from a remote location significantly easier. The draw is that these systems become vulnerable to an attack over the internet. [5] Consider the Stuxnet worm, it was a 500-kilobyte worm that infected at least 14 industrial sites in Iran, including a enrichment plant. A worm spreads on its own, often over a computer network rather than a virus which relies on an unwitting victim to install it. [6] Cyber threats are much quieter than previous threats, which would typically come in the form of a physical, seeable attack. Code is also reusable. Once a cyber attack is deployed, if it works, malicious actors can easily reuse parts of the code with no monetary loss. Cyber weapons are often easier and cheaper to execute than any other weapon.
The word nuclear is often associated with the word weapon. However, the strength of malicious cyber work could mean that nuclear energy is no longer the weapon, but is the target. One significant issue with nuclear energy in particular is the way the nuclear infrastructure works. The high pressure steam that is produced from the reactor's heat means that even when a reactor shutdown the fuel inside of it still produces decay heat and must be cooled, or the reactor core may melt. [5] Compared to non-nuclear generators, which can be completely shutdown, a cyber attack could create a malfunction of the shutdown, leading to a meltdown. One example of a meltdown was the Three-Mile-Island Meltdown in 1979 (see Fig. 2). Other potential risks at a nuclear facility include: [4]
The risk of disruption in facility operation
damage to physcial facilities
Espionage (commercial and political)
Interference with critical infrastructure that are vital to the nation's economy, security, and health
Potential radiological incident
Erosion of public confidence in nuclear energy
Theft of nuclear or other radioactive material.
Fig. 2: This is the Three-Mile-Island generating station, which suffered a partial meltdown in 1979. The coolers are the larger towers, and the reactors are the smaller dome with round tops. (Source: Wikimedia Commons) |
Information assurance is a constant cycle between hackers looking for vulnerabilities to exploit and the defense patching holes and making their systems tougher to penetrate. This means that the policy and prevention mechanisms must be updates regularly. The methods for protection that worked yesterday may not work tomorrow. This also creates a space for interdisciplinary dialogue and thought collaboration. Nuclear scientists, cyber security professionals, and international policy actors must all work in unison to make adequate decisions to protect nuclear energy, but also the country more generally.
Many things in science are predictable. You can split an atom, it will produce heat, which will generate electricity. This is a fact that has been studied and proven time and time again. Humans are not nearly this predictable. At any moment, if the technology is in place a malicious actor can click a button an unleash a cyber weapon that could be unseen for a long while. Cyber attacks are also cheap for the attacker because the barriers to entry are incredibly low and attribution is often difficult. Therefore, it is necessary to take precautionary measures to keep Nuclear Facilities safe. One solution to this comes from The International Atomic Energy Agency. The IAEA dates back to the 1970s and currently works to protect nuclear and other radioactive materials from malicious acts. Its main objective is to maintain a comprehensive information system that supports effective implementation of the Nuclear Security Plan by assisting the Agency in the prioritization of nuclear security improvements and in the better identification of resources required to implement the plan. [7] One of these outcomes in to improve cybersecurity capabilities at the State and facility level to support the prevention and detection of, and response to, information security incidents that have the potential to either directly or indirectly adversely affect nuclear safety and nuclear security. [8] Further, it is important to have strong methods for attribution in the case of an attack because such an attack could create a conflict between states, potentially one involving nuclear weapons. However, accurate attribution is difficult to achieve due to the many ways to become anonymous over the internet. One effective method to protect a system is to make sure that the code being developed is secure from the start. The less vulnerable the code, the less systems can be manipulated. [4]
As our world rapidly advances and allows technology to play a greater role in our society, the security protocols must also be ready to constantly adapt. The future of nuclear energy is dependent on ensuring it is safe from aggressors. However, a great defense must be a priority. Mitigation of risk is the biggest step to securing a system. The less vulnerabilities that exist, the less likely a malicious actor will be able to penetrate. There are many unique challenges presented by the cyber-nuclear sector and we may never know how to properly mitigate all threats. Therefore, cyber security has become fundamental to the overall security of a nuclear facility. Because the barrier to entry to cyber space is low, it allows many nonstate and small states to participate. [9] Cyber space has grown from a place for curious hackers testing their skills to a place for professionals. We must educate the next generation to understand multidisciplinary problem solving. Ensuring safety of nuclear energy will require the collaboration of many different professionals with expertise in the areas of nuclear reactions, software security, domestic and international policy, and legal framework. As our defenses get stronger, the hackers will get more clever with their attack methods, and vice versa. "Nuclear technologies are the foundation of our future and if we want to continue developing them, we have to manage the risks associated with them. To ensure smooth and secured working processes at nuclear facilities, we must keep pace with the evolution of the cyber security threat." [4]
© Kathryn Bunner. The author grants permission to copy, distribute and display this work in unaltered form, with attribution to the author, for noncommercial purposes only. All other rights, including commercial rights, are reserved to the author.
[1] "State of the Union 2015: Full Transcript," CNN, 20 Jan 15.
[2] J. Grayson, "Stuxnet and Iran's Nuclear Program," Physics 241, Stanford University, Winter 2011.
[3] M. Holloway, "Slammer Worm and David-Besse Nuclear Plant," Physics 241, Stanford University, Winter 2015.
[4] V. Giaurov, "The Cyber-Nuclear Security Threat: Managing the Risks," Vienna Center for Disarmament and Non-Proliferation, January 2017.
[5] B. Kesler, "The Vulnerability of Nuclear Facilities to Cyber Attack," Strategic Insights 10, 15 (2011).
[6] D. Kushner, "The Real Story of Stuxnet," IEEE Spectrum 50, 48 (March 2013).
[7] N. Davis, "Nuclear Security," Physics 241, Stanford University, Winter 2015.
[8] "Nuclear Security Plan 2014-2017," International Atomic Energy Agency, GOV/2013/42-GC(57)/19, August 2013.
[9] J. S. Nye Jr., "Nuclear Lessons for Cyber Security?" Strategic Studies Quarterly 5, No. 4, 18 (Winter 2011).