Nuclear facilities around the world face a growing risk of being hit with a "serious cyber attack," due in part to increasing reliance on digital systems, the use of commercial "off-the-shelf" software and a lack of awareness of the risks among top executives, according to a new report from the British think tank Chatham House.
"The cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial 'off-the-shelf' software, which offers considerable cost savings but increases vulnerability to hacking attacks," reads the report.
The report was written after conducting 18 months of research in which Chatham House interviewed 30 senior nuclear officials at plants and in the government in the United States, United Kingdom, Canada, France, Germany, Ukraine and Japan, according to the BBC.
Nuclear plants have good safety and physical security, especially since Sept. 11, 2001, the report said, but when it comes to cyber security, many still lag far behind security standards.
"The trend to digitization, when combined with a lack of executive-level awareness of the risks involved, also means that nuclear plant personnel may not realize the full extent of this cyber vulnerability and are thus inadequately prepared to deal with potential attacks," the report said.
Carolina Baylon, the report's author, said there was often a "culture of denial" at nuclear plants. Many officials and engineers believe that, since their systems were not connected to the Internet, it would be very difficult for hackers to compromise them, according to the Financial Times.
"There is a pervading myth that nuclear facilities are 'air gapped' — or completely isolated from the public Internet — and that this protects them from cyber attack," wrote Baylon. "Yet not only can air gaps be breached with nothing more than a flash drive (as in the case of Stuxnet), but the commercial benefits of Internet connectivity mean that nuclear facilities may now have virtual private networks and other connections installed, sometimes undocumented or forgotten by contractors and other legitimate third-party operators."
Some officials interviewed for the report said they still use default passwords like "1234" for the computer systems that regulate nuclear processes.
Companies are also increasingly adding digital "backdoors" into facilities to allow for monitoring of systems, and engineers and contractors often bring their own computers into the nuclear plants, sometimes leaving them plugged into the system overnight.
For cost efficiency reasons, vendors are likely to use sub-components that are produced in other countries, making it possible for foreign intelligence agencies to intercept the item in transit and install backdoors or malware, the report said.
Baylong said that such risks are of particular concern due to the possibility that an attack could release ionizing radiation. "Moreover, even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry."
"It would be extremely difficult to cause a meltdown at a plant or compromise one but it would be possible for a state actor to do, certainly," said Baylon. "The point is that risk is probability times consequence. And even though the probability might be low, the consequence of a cyber incident at a nuclear plant is extremely high."