Cybersecurity in Nuclear Industry: Protecting Digital Technologies and Information
Digital technologies are now integrated into almost every aspect of nuclear installation operation: nuclear safety systems, nuclear material accounting and control systems, and emergency response support systems. Cybersecurity consists in protecting both the information technology systems and the operational process systems against cyberattacks.
In most cases, a cyberattack is an intentional breach of a computer system carried out with malicious intent by states or by non-governmental entities, including terrorist organizations.
Cyberattacks exploit vulnerabilities in computer systems and networks, or deceive users, to gain unauthorized access, which leads to the manipulation or destruction of data and systems.
Cyberattacks typically take one of three forms:
- confidentiality attacks, which aim to gain access to restricted information;
- integrity attacks, which alter, manipulate or compromise data and computer systems;
- availability attacks, which deny or limit the legitimate owners' access to their data.
Cyberattacks are most dangerous when they threaten the critical national infrastructure from power and water supply to the transport networks and healthcare.
Many of these threats arise from the increasing digitalization of services, the changing nature of technologies, the complexity of information transmission chains and low awareness of cybersecurity.
Critical systems may contain vulnerabilities and weaknesses that neither developers nor users are aware of, and that can be used by hackers, and sometimes by government entities, to modify system code and gain privileged, unauthorized access.
Types of cyberattacks
Phishing is a fraudulent method of obtaining confidential information: usernames, passwords, credit card data, etc. Essentially, it is the act of tricking someone into clicking on a link that either gives the attacker access to personal information or downloads malware onto the user's device.
Phishing attacks often work by disguising malicious messages as coming from a trusted organization, such as a bank or a telecommunications provider.
Malware is a general term for software that allows an attacker to use, destroy or compromise one or more computers or computer networks. One form of malware is ransomware, which blocks legitimate users from accessing computers and files by encrypting data. A ransom is usually demanded to restore the affected files or systems. Ransomware has been one of the most prevalent types of cyberattack during the COVID-19 pandemic.
Spyware allows an attacker to track a victim's activity on computers, mobile phones and other devices by secretly transmitting data from the victim's device back to the malware controller.
A Trojan is malicious software that resembles legitimate software but actually performs hidden and harmful functions. Once installed, a Trojan can also install other types of malicious software.
Viruses are files that can spread between other files on a computer and have the ability to replicate. They can display taunting messages, steal data or give hackers control of the computer. Viruses are often attached to other programs or to hidden code that runs automatically when certain types of files are opened, such as attachments in phishing emails.
Distributed denial of service (DDoS) is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, to disrupt the flow of traffic and cause a denial of service to the users of the target resource.
History of cyberattacks on nuclear facilities
The prospect of commissioning more NPPs of various types, many of them reliant on digital technologies, makes cybersecurity of the civil nuclear infrastructure more important than ever.
A significant limiting factor in assessing past cyber operations against nuclear power plants is the lack of publicly available information on such incidents. There is certainly concern among operators, regulators and governments about the disclosure of sensitive data and information on cybersecurity failures, as such information reduces public confidence in nuclear energy.
However, known past examples of cyber operations against civilian nuclear infrastructure cover a range of scenarios. One of the earliest known incidents occurred in 2003, when the Slammer virus penetrated the control and operational information and communications technology (ICT) systems of the Davis-Besse Nuclear Power Station in the United States. Slammer gained access to the power plant system through an infected device belonging to an IT consultant. Although the infection was accidental, it shows how an intruder could gain access.
Two other well-studied examples are the Stuxnet virus attack on Iran in 2010 and the hacking of the South Korean nuclear power operator Korea Hydro and Nuclear Power Co., Ltd (KHNP) in 2014. These two examples demonstrate the range of harm that cyber operations can cause, from the theft of sensitive data to physical damage. The Stuxnet example was extraordinary in the scale of the damage it caused, while the KHNP example is more typical of other cyber operations against nuclear power plants. What both have in common is that the attackers were allegedly states: Israel and the United States in the case of the Stuxnet attack on Iran's nuclear facilities, and North Korea in the case of KHNP.
Stuxnet remains one of the most notorious intentional cyber operations targeting nuclear infrastructure. The operation was intended to disrupt operations at Iran's uranium enrichment facility at Natanz. Stuxnet was a computer virus that targeted supervisory control and data acquisition (SCADA) systems. After getting inside the industrial control system, the virus caused the control software to speed up the rotation of the centrifuges to the point of physical damage. This makes it one of the few examples of a cyber operation causing physical damage.
South Korea's state nuclear power operator KHNP was hacked in December 2014. The cyber operation stole sensitive information, including reactor diagrams, electrical flow charts and employees' personal data. One of the hackers' goals was to undermine public confidence in NPP safety. However, the South Korean government stated that the hackers failed to gain access to any of the plants' control systems.
Impact of military actions on cybersecurity
Russia's seizure of the Zaporizhzhia nuclear power plant in Ukraine, combined with the hostilities surrounding the plant, has raised international awareness of the safety risks that arise when civilian nuclear infrastructure is drawn into a conflict. Although nuclear power plants and other civilian nuclear facilities are not designed to operate in war zones, such facilities have several layers of physical security built in to protect reactors and hazardous materials against kinetic threats. However, the combination of physical and cyber operations that is increasingly common in modern warfare creates a new type of threat, one that can overwhelm a reduced operational staff or serve as a diversion that enables unauthorized access to nuclear materials.
This vulnerability can be used by criminal groups interested, for example, in stealing nuclear materials or confidential information about a nuclear installation. The reduced number of personnel at the Zaporizhzhia NPP, combined with the chaos of the russian occupation, may increase the probability that unauthorized entities will gain access to the installation.
Although the situation at the Zaporizhzhia NPP is unusual, it is not the first time a nuclear reactor has been at the epicenter of a war. The Vinca research reactor in Serbia was a source of great concern during the Yugoslav Wars (1991–2001). Scientists at the Vinca Institute of Nuclear Sciences appealed to the IAEA for support in 1995 because they feared that the highly enriched uranium fuel at the installation could be stolen amid the severe political unrest in the country. Between 1995 and 1999, the IAEA carried out several inspections to ensure the safety of the installation and assist its personnel. If nuclear reactors become more common in the future, for example through the use of small modular reactors (SMRs) and microreactors, the risk of reactors being caught up in a conflict will increase.
What does the IAEA say?
The IAEA plays a leading role in supporting Member States in developing timely international guidelines on the computer security aspects of nuclear security. Such regulation should apply to the information technology systems, industrial control systems and physical protection systems used in the nuclear industry.
Back in 2015, the IAEA presented a hypothetical cyberattack scenario that envisaged coordinated online attacks on both the competent authority and a nuclear power plant. It also presented the methodologies an adversary could use in such a computer security attack, and how an adversary could take advantage of seemingly isolated but unprotected networks, such as video surveillance (CCTV) cameras and Bluetooth devices, in order to gain access to local networks, disable physical protection measures and ultimately compromise the instrumentation and control (I&C) systems of the nuclear power plant.
Any similar attack can be mitigated by applying the best practices, recommendations and guidelines that the IAEA provides through its published international standards.
NPP cyberattack protection program
In 2023, the Nuclear Regulatory Commission (NRC) revised its recommendations for nuclear reactor cybersecurity programs. All owners of nuclear reactors should familiarize themselves with these recommendations and confirm that their cybersecurity programs meet the specified requirements for assets requiring protection. The updated guideline takes into account new technologies and lessons learned from operational experience since the NRC cybersecurity program was first published in 2010.
Assets requiring protection are the digital computer and communication systems, as well as the supporting systems and equipment, that, if compromised, would adversely affect nuclear facility functions important to safety, security and emergency preparedness.
The new document clarifies which types of cyberattack require notification to the NRC, the deadlines for such notifications, how licensees should make the notifications and how they should submit subsequent written reports to the NRC.
The document also addresses the challenges identified during inspections of the cybersecurity program milestones and incorporates additional information gained from documented national and international cyberattacks.
Among other things, it requires nuclear power plants to document, as part of their cybersecurity plans, the process by which they have achieved "high confidence" that their digital computer and communication systems and networks are adequately protected against cyberattacks.
Cyberattack protection measures
It is difficult to identify a clear global leader in cybersecurity, as different countries have their own strengths and approaches. Here are a few countries that are often named as leaders in this area:
The US is home to many leading cybersecurity companies and has extensive experience in combating cybercrime and cyberwarfare. The cybersecurity measures of the US nuclear industry are also considered exemplary.
The UK has a clear cyber security strategy and is investing in cyber resilience.
Estonia is considered one of the most digitalized countries in the world and places a strong emphasis on cyber security. The country is known for its innovative solutions in this field and for a high level of public awareness of cyber threats.
Australia has a clear cyber security strategy and cooperates with other countries and international organizations to combat cybercrime.
Israel is known for its innovative cyber security technologies and its advanced military cyber sector. The country has experience in protecting its critical infrastructure against cyberattacks, which makes its knowledge extremely valuable for Ukraine, which has now been under powerful cyberattacks by russian state hackers for the third year.
The US experience is especially valuable with regard to nuclear safety measures. Every US nuclear power plant has isolated its key control systems: the computers and other key equipment related to safety, security and power generation are not connected to the corporate network or the Internet, so the NPPs are protected against cyberattacks launched from outside the plant.
Strict control is exercised over the use of portable media and equipment. Flash drives, removable hard drives and laptops used to interact with NPP equipment must be scanned for malware and authorized for a specific task. This measure guards against attacks such as Stuxnet, which spread via portable media.
Protection against insider threats has also been enhanced. Training programs have been improved, and people working with digital equipment at nuclear power plants are subject to enhanced security screening, cybersecurity training and monitoring of network equipment behavior.
Measures to effectively counter cyberattacks at NPPs include maintaining the equipment specified in the facility's configuration management program and controlling the modernization of that equipment. A cybersecurity impact analysis is performed before the relevant equipment is modernized. The effectiveness of cybersecurity controls is periodically assessed and improvements are made where necessary. Vulnerability assessments are conducted to maintain the cybersecurity of the equipment.
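The portable-media control described above (a drive must be scanned clean and authorized for one specific task before it touches plant equipment) and the configuration-management rule (no modernization without an approved cybersecurity impact analysis) can both be enforced by a small gatekeeping routine. The following Python is an added illustration written for this article, not code from any plant, vendor or regulator; the device serials, task ids, configuration texts and timestamps are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

def fingerprint(data: bytes) -> str:
    """SHA-256 of a media image or configuration dump; the baseline stores only this."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class MediaAuthorization:
    device_serial: str      # serial of the approved flash drive
    task_id: str            # the single maintenance task it is approved for
    expires: datetime
    scanned_at: datetime    # when the drive was last scanned clean
    scanned_hash: str       # fingerprint of the media image at scan time

def authorize_media(serial, task_id, image: bytes, now, auths, max_scan_age=timedelta(hours=24)):
    """Return (allowed, reason); every denial carries a reason for the security log."""
    auth = next((a for a in auths if a.device_serial == serial and a.task_id == task_id), None)
    if auth is None:
        return False, "device not authorized for this task"
    if now > auth.expires:
        return False, "authorization expired"
    if now - auth.scanned_at > max_scan_age:
        return False, "scan record older than allowed"
    if fingerprint(image) != auth.scanned_hash:
        return False, "media contents changed since scan"   # re-scan required
    return True, "ok"

@dataclass
class Baseline:
    configs: dict = field(default_factory=dict)   # asset id -> approved config fingerprint

    def detect_drift(self, observed: dict) -> list:
        """Assets missing from the survey or whose configuration no longer matches the baseline."""
        return sorted(a for a in set(self.configs) | set(observed)
                      if a not in observed or self.configs.get(a) != fingerprint(observed[a]))

    def apply_modernization(self, asset, new_config: bytes, approved_analyses: dict) -> bool:
        """Update the baseline only if an approved impact analysis covers this exact configuration."""
        h = fingerprint(new_config)
        if approved_analyses.get(asset) != h:
            return False
        self.configs[asset] = h
        return True

# Constructed sample data: one drive approved for one task, one PLC under configuration control.
T0 = datetime(2024, 7, 1, 8, 0)
NOW, LATER = T0 + timedelta(hours=1), T0 + timedelta(hours=9)
IMAGE = b"firmware-update-v2.bin"
AUTHS = [MediaAuthorization("SN-0001", "TASK-42", T0 + timedelta(hours=8), T0, fingerprint(IMAGE))]
PLC_V1, PLC_V2 = b"firmware=3.1\nremote_programming=off\n", b"firmware=3.2\nremote_programming=off\n"
ROGUE = b"firmware=3.1\nremote_programming=on\n"   # unapproved change an inspection should catch
```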
As for national threats, Israel's experience is close to Ukraine's own precisely because of its confrontation with geopolitical challenges and threats. The constant fight against russian cyberattacks stimulates the development of advanced technologies in Ukraine for the protection of infrastructure and data.
Experts identify several steps that would bring Ukraine closer to Israel's level of protection against cyberattacks:
- increase investment in cybersecurity: Ukraine needs significant resources to develop cybersecurity, including investment in research and development and in the education and training of experts;
- develop cyber resilience: Ukraine should develop a clear cybersecurity strategy and invest in protecting its critical infrastructure against cyberattacks;
- cooperate with other countries and international organizations: Ukraine can learn a great deal by cooperating with other countries and international organizations in the fight against cybercrime;
- raise citizens' awareness of cyber threats: it is important that Ukrainians know about cyber threats and how to protect themselves from them.
In early July 2024, the Royal Institute of International Affairs, better known as Chatham House, published a report entitled "Civil Nuclear Sector Cybersecurity: The Threat Landscape and International Legal Protection in Peace and Conflict." Chatham House is a non-profit, non-governmental organization based in London that aims to analyze and promote understanding of major international issues and current affairs.
The report's authors reached the following conclusions:
- in the long term, states should develop strategies aimed both at strengthening compliance with international law in cyberspace and at ensuring accountability for unlawful cyber operations, including those directed against civilian nuclear facilities;
- states may also need to assess whether new treaties should be developed, or existing norms of international law adapted, to comprehensively counter cyber threats in the nuclear sector.
In the report, Chatham House proposed a range of measures to protect against cyber incidents targeting civilian nuclear facilities. These recommendations included:
- development of an international cyber security management strategy, coordinated action plans to eliminate technical deficiencies;
- initiatives to develop cyber security culture among the nuclear community;
- active dialogue between nuclear engineers and contractors to raise awareness of cyber security risks;
- promoting the development of cyber insurance;
- network monitoring;
- facilitating disclosure of vulnerabilities;
- creation of national computer emergency response teams (CERTs) specializing in industrial control systems;
- promoting the "Safety by Design" concept;
- steps to ensure sufficient redundancy in digital systems;
- measures to protect the integrity of digital supply chain systems.
Several norms of international law, both general and specific, apply to cybersecurity in the nuclear sector, but no specific international legal regime protects the civilian nuclear sector against cyber operations or other cybersecurity risks. The task for humanity today is to create such a regime and to demand unconditional compliance with it from all countries that use nuclear energy.
Uatom.org Editorial Board