Nuclear power plants are ripe for hacking due to a ‘culture of denial,’ new study warns

Following the Fukushima nuclear disaster in March 2011, there were calls throughout the industry to tighten safety standards at all atomic power plants around the world. However, according to a new review of the industry, cyber security was apparently not high on the list.

As reported by the UK’s Financial Times, nuclear power plant managers are engaged in a “culture of denial” about the risks of cyber attack, as many have failed to take adequate measures to protect themselves from hacking, the review found.

While there has been a focus on physical security and boosting safety generally, that has left a number of plants vulnerable to cyber hacking, said a report by think tank Chatham House, which named 50 incidents globally of which very few have been made public.

The findings come from an 18-month research effort including 30 interviews with senior atomic officials at plants and in governments in the U.S. and UK, Germany, Japan, France, Ukraine and Canada.

“Cyber security is still new to many in the nuclear industry,” said Caroline Baylon, the report’s author. “They are really good at safety and, after 9/11, they’ve got really good at physical security. But they have barely grappled with cyber.”

The report also notes that officials describe the nuclear power industry as being “far behind” other industrial segments when it comes to protecting themselves from digital assaults.

Baylon said a “culture of denial” existed at a number of nuclear plants, with a typical response from atomic engineers and other officials being that since their systems are not connected to the Internet, it would be difficult to penetrate them.

“Many people said it was simply not possible to cause a major incident like a release of ionizing radiation with a cyber attack . . . but that’s not necessarily true,” Baylon said, as reported by the Financial Times.

She went on to explain how operating systems and back-ups that give power to the reactor cooling processes could indeed be compromised, which could then trigger an incident (explosion and reactor meltdown) like that which occurred at Fukushima, the worst nuclear accident since Chernobyl in the former Soviet Union in 1986.

In fact, dozens of nuclear power plants’ control systems are accessible via the Internet, though many operators believe in a persistent “myth” that their stations are “air-gapped with physically separated computer networks,” the report states.

Researchers who conducted the study pointed to a 2003 incident at the Davis-Besse Plant in Ohio, where an engineer accessed the plant from home using a laptop via an encrypted VPN connection. His home computer was infected with the nuisance self-replicating “slammer” worm. When he connected, the worm infected the nuclear plant’s computer system, and the resulting traffic overwhelmed a key safety control system and caused it to trip.

Another incident in 2006 at Browns Ferry in Alabama was more serious. There, a key safety system was also overwhelmed by network traffic but it almost led to a meltdown.

Also, the report notes an incident in 2008 at the Hatch plant in Georgia to demonstrate how plants can be vulnerable to digital disruptions. Though it wasn’t an actual attack, when a contractor sent a routine patch to a business network system, a shutdown occurred.

Despite these instances, however, many plant managers are still not taking the threat seriously, Baylon said.

“It would be extremely difficult to cause a meltdown at a plant or compromise one but it would be possible for a state actor to do, certainly,” Baylon said, according to the Financial Times. “The point is that risk is probability times consequence. And even though the probability might be low, the consequence of a cyber incident at a nuclear plant is extremely high.”
