In April, a German company announced that it had suffered a cyber attack. This is not shocking. As retired Marine Gen. James Cartwright has said, there are two realities for companies today: “You’ve either been hacked and [are] not admitting it, or you’re being hacked and don’t know it.”
But this attack was on a nuclear power plant. And the malware found inside the plant allowed hackers to access sensitive plant information from afar.
This is not the first cyber attack against a nuclear facility. In December 2014, South Korea’s nuclear operator was hacked, and the infamous Stuxnet virus attacked Iran’s Natanz facility between 2009 and 2011.
Stuxnet illustrated the art of the possible in the cyber-nuclear space. This malware defeated security systems, jumped airgaps (which disconnect networks from the internet) and, most importantly, caused physical consequences. Stuxnet’s aim was limited—break centrifuges. But what if hackers had more catastrophic ambitions?
Well-resourced hackers can achieve physical consequences at nuclear facilities with cyber attacks, possibly resulting in theft of nuclear material or sabotage. For example, surveillance systems or keycard readers could be disrupted, allowing thieves to enter a facility, steal nuclear material, and depart uninterrupted. A sophisticated cyber attack could even cut power to cooling systems, resulting in a Fukushima-like meltdown.
Several factors exacerbate this threat. Increased reliance on digital controls and technological vulnerabilities across the nuclear enterprise increase opportunities for attackers. What little human capacity exists in this area tends to be concentrated in the United States, Europe, and Russia, leaving most facilities around the world without the expertise they need to prevent or respond to attacks.
Additionally, countries are unprepared at the regulatory level. The NTI Nuclear Security Index found that 20 out of 47 countries with weapons-usable nuclear materials or nuclear facilities score zero on cybersecurity. This means that these countries do not even require that nuclear facilities be protected from cyber attack.
This is a global problem—a serious cyber attack at a nuclear facility anywhere would have consequences worldwide. Recent steps, including a joint cybersecurity commitment at the 2016 Nuclear Security Summit and International Atomic Energy Agency efforts are a good start, but more must be done. Leaders and experts must rethink the current approach to cybersecurity at nuclear facilities, invest in relevant training, and improve (or in some cases, develop) national and international response capabilities.
This threat will not wait—neither should the international community.
Alexandra Van Dine is a program associate with the scientific and technical affairs team at the Nuclear Threat Initiative (NTI), where she works on the NTI Nuclear Security Index and NTI’s cyber projects. She joined NTI after serving as a Herbert Scoville Jr. Peace Fellow there. Ms. Van Dine presented work on cyber security at nuclear facilities at the 2015 PONI Summer Conference at Los Alamos National Laboratory and the 2016 PONI Capstone Conference at U.S. Strategic Command. She has been published in the U.N. Dispatch and Just Security. Prior to NTI, Ms. Van Dine held positions with the U.S. Department of Defense, the Belfer Center for Science and International Affairs, U.S. Senators John Kerry and William “Mo” Cowan, and Massachusetts Governor Deval Patrick. She graduated from Georgetown University with a B.S. in Foreign Service, majoring in International Politics and Security Studies. She earned honors on her thesis and was awarded the J. Raymond Trainor Award for outstanding academic achievement in International Politics.
The views expressed above are her own and do not necessarily reflect those of the Nuclear Threat Initiative, Center for Strategic and International Studies, the Project on Nuclear Issues, the U.S. government or any of its agencies.