Challenges to establishing greater cybersecurity
Although there has been some progress in developing enhanced cybersecurity measures across the nuclear industry, national responses and private-industry-led protection against cyberthreats at nuclear facilities remain fragmentary. The 2016 Nuclear Security Index,[13] published by the Nuclear Threat Initiative (NTI), demonstrated this inconsistent global approach to cybersecurity programmes at nuclear facilities by measuring highly divergent national cybersecurity frameworks.[14] A 2015 joint academic–industrial study[15] assessing national cybersecurity initiatives in the nuclear industry also noted this inconsistency. A categorization methodology grouped cybersecurity methods at state level into three modes of operation: well-defined and institutionalized management, such as that in place in Germany[16] and the US;[17] a more fragmented and less formalized approach, but one still implementing multiple initiatives overseen by competent authorities, as found in Russia;[18] and ultimately a sporadic and ad-hoc approach to cybersecurity with little impact within nuclear plants, as found in South Africa.[19]
Analyses conducted by industry and the academic sphere on best practices in cybersecurity share the principle that proactively addressing computer vulnerabilities is crucial to the better protection of systems.[20] From an IT engineer’s perspective, patching is a reliable method of improving a system’s security against cyberthreats. Software patching, which originated when digital technology was in its infancy, is a sequence of defensive reactions that remediate vulnerabilities discovered in software. However, divergent approaches to system updates within nuclear facilities, caused by conflicting priorities and cultural divides between operational technology engineers and their IT counterparts, have diminished the potential gains that may be made from those updates.[21] Even when compromises between nuclear facility personnel are achieved, patching at nuclear plants presents unique challenges.[22]
Furthermore, although software updates are designed to close security loopholes, they may also alert attackers to system vulnerabilities. A National Academy of Sciences workshop on cyber resilience observed that by comparing old software with updated versions, hackers might be able to identify the vulnerability being patched and attack systems that have not yet updated their software.[23] In conjunction with the constant evolution of viruses and worms, the protracted upgrade cycle of cybersecurity at nuclear facilities is incompatible with the critical need for expeditious software upgrades to close security gaps. Aggravating this concern is the reality that legacy products are vulnerable to discontinued manufacturer support due to obsolescence and might also be incompatible with newer software updates.[24]
The cybersecurity challenge at nuclear facilities is also exacerbated by a technical mélange of systems and equipment, including legacy analogue infrastructure. While the rudimentary hardwiring installed in nuclear plants built in the 1960s, 1970s and 1980s provided little flexibility to system operators, it perversely reduced the scope for hackers to subvert systems.[25] As legacy analogue systems at nuclear plants are progressively replaced by digital systems, ‘protection by antiquity’ is becoming a less viable defence measure.
Since many nuclear facilities started pursuing better integration of Supervisory Control and Data Acquisition (SCADA) systems – which are control systems that rely on a human–machine interface (HMI) – with field devices and HMI computers in the 1990s, the wholesale incorporation of ‘off the shelf’ hardware and software, such as Windows or Linux, from a limited number of vendors[26] has become commonplace. This practice provides plant operators with greater cost savings and efficiency,[27] but at the expense of facilitating the rise of ‘insecure by design’ nuclear facilities, as programmable code can be altered by hackers to change the function of a device. The relatively recent inclusion of digital systems on new builds and Internet of Things (IoT) applications,[28] intermingled within an industry that still operates piecemeal analogue systems, reflects the inability of the nuclear industry to establish a consensus on technical unanimity. This approach is the antithesis of the successful maintenance of the safety culture, which is of paramount concern to the industry.
It remains a possibility that a successful cyberattack might disrupt the supply of power to the national grid, but the likelihood of this is somewhat mitigated by the reality that for such an outcome to occur, multiple safety features would have to fail simultaneously. For an industry that is so susceptible to criticism – both in terms of public image and its high potential to cause harm – it should be a priority to address the significant shortcomings in contemporary cybersecurity given the profusion of malicious actors, the variability of regulatory standards, and the existing principles governing the nuclear industry’s safety and security measures.