Oct 8, 2015


Securityintelligence - Nuclear facilities are now a critical facet of the American utility market. According to the Nuclear Energy Institute (NEI), these facilities generated almost 20 percent of U.S. electricity through 2014, with 99 reactors in use across the country. Owing to the volatile nature of the materials and processes in any nuclear plant, companies have developed excellent physical safety and security procedures.

But as noted by a new Chatham House report based on interviews with 30 industry experts, cybersecurity risk is underestimated at nuclear facilities, leaving these critical producers open to cyberattacks. If plants are breached, what's the fallout?

The Myth of Air

A recent SecurityWeek article discusses some of the reasons for this lack of nuclear cyber readiness. The biggest problem? A belief that air-gapped systems effectively curtail the risk of cyberattack. The idea here is that since potentially vulnerable points such as industrial control system (ICS) software are often isolated from the Internet, there's little chance they could be compromised by attackers. The Chatham report, however, found that many nuclear facilities use technology such as virtual private networks (VPNs) to forge outside-facing connections — and in some cases, plant operators aren't even aware they exist.

Risk assessment is also problematic. The nuclear industry doesn't have a set of unified guidelines for measuring such risk, and the infrequency of cyber incident disclosures often provides a false sense of security. And according to the report, "very few" plants actually take steps — such as installing software patches, for example — to mitigate security risks. What's more, most are reliant on perimeter defenses alone to stop attackers, which hasn't been successful for retail, finance, manufacturing or other energy companies.

Culture also plays a role. As noted by Dark Reading, nuclear operations and IT staff don't always get along. Operations employees are focused on preventing accidental nuclear incidents, while IT professionals focus on curtailing intentional damage. Add in a different set of employment standards for regular staff and IT teams and it's not surprising to see that cybersecurity isn't making headway.

In sum: Nuclear facilities are protected only by myth and miscommunication. And that's a problem.

Please read on at: