Technical vulnerabilities
- Relying on ‘security by obscurity’. This involves assuming that an information and communication technology (ICT) system is distributed at too small a scale to have well-known vulnerabilities that can be exploited. This approach is particularly common in older nuclear power plants with bespoke or rare industrial control systems.
- Using software built on insecure foundations and requiring frequent patches or updates.
- Relying on software that has reached the end of its supported lifespan and can no longer be updated.
- Being insufficiently aware of the risks of data breaches in general management software such as human resources systems; such breaches can expose sensitive data on personnel.

Personnel-related and physical vulnerabilities
- Insider threats, e.g. personnel stealing or leaking information for financial gain or retribution.
- Adversaries or criminals targeting power plant personnel either as infiltration vectors or as victims.
- Disruption or interception of communications between nuclear power plants, operators and regulators, potentially disrupting the reliability of the energy grid.
- Interference (by a cyber operation) with a nuclear power plant’s controls, potentially causing physical damage or – in an extreme case – leading to radiation release.

Sector-wide and cultural vulnerabilities
- Insufficient awareness of cybersecurity.
- Insufficient numbers of qualified cybersecurity personnel in the nuclear industry.
- A general assumption that the nuclear industry ‘takes security seriously’ and therefore is already covering all bases when it comes to cybersecurity.

A significant limiting factor when assessing past cases of cyber operations targeting nuclear power plants is the lack of publicly available information on such incidents. This can reflect concerns on the part of operators, regulators and governments about the release of sensitive data, and about the potential for revelations of cybersecurity failures to reduce public trust in nuclear energy. However, publicly known past examples of cyber operations against civil nuclear infrastructure cover a range of scenarios. One of the earliest-known incidents was in 2003, when the Slammer worm infiltrated the management and operational information and communication technology (ICT) systems of the Davis-Besse nuclear power plant in the US. Slammer was able to access the power plant’s system through an IT consultant’s infected device. While this was an accident, it exemplifies how malicious actors could go about engineering an attack.
Two other well-researched examples are the 2010 Stuxnet worm attack in Iran, and the 2014 hack of a South Korean nuclear power operator, Korea Hydro and Nuclear Power Co., Ltd (KHNP). These two examples show the range of harms that cyber operations can cause, from the theft of sensitive data to physical damage. The Stuxnet example was extraordinary in the extent of the damage it caused, whereas the KHNP example is more typical of other cyber operations against nuclear power plants. What both have in common is that the attackers were alleged to be states: Israel and the US in the case of the Stuxnet attack on Iran’s nuclear facilities; and North Korea in the case of KHNP.
Stuxnet remains one of the most famous intentional cyber operations targeting nuclear infrastructure. The operation sought to disrupt operations at Iran’s Natanz nuclear enrichment facility. Stuxnet was a computer worm targeting supervisory control and data acquisition (SCADA) systems. Once inside the industrial control system, the worm caused the control software to accelerate rotation of the centrifuges to the point of physical damage. This makes it one of the few examples of a cyber operation having caused physical damage.
KHNP, South Korea’s state-run nuclear power operator, was targeted in December 2014. In this cyber operation, sensitive information was stolen, including blueprints for reactors, electrical flow charts and personal details of employees. One of the hackers’ goals was to undermine public trust in the safety of the nuclear power plant. But the South Korean government said that the hackers had not managed to access any control systems.
iii. Impact of cyber operations
As the Stuxnet episode shows, cyber operations have the potential to cause tangible damage to physical assets. The impact of a cyber operation targeting civil nuclear infrastructure can be as wide-ranging as the theft of sensitive information, the loss of access to or control over monitoring and control software, operating difficulties, or – in the worst-case scenarios – reactor shutdown or difficulties controlling nuclear storage, for example through loss of access to external power sources for cooling. There is only a small possibility that a cyber operation would cause loss of control over a nuclear reactor to the point of meltdown or a significant release of radiation. This is because nuclear power plants have other redundant safety features such as back-ups for cooling. However, the potential impacts if a meltdown or major radiation release did occur could be very significant, including deaths or long-term health problems among nuclear power plant workers or members of the public exposed to radiation, as well as long-term environmental damage and contamination.
A cyber operation targeting a nuclear facility also has the potential to disrupt the electric grid. States that have nuclear power plants often rely on nuclear power to provide a reliable baseload of energy to their electric grid. This dependency is increasing as countries transition away from fossil fuels. A stable baseload is required for a steady availability of energy throughout the day. However, not all types of energy generation offer a uniform power supply over the course of a day. Solar and wind power rely on certain environmental conditions for optimal performance. On a rainy or windless day, for example, other forms of energy generation must make up for the lack of solar- or wind-generated power. Nuclear energy, in contrast, can always generate power. If an electric grid became unreliable because nuclear power was unable for some reason to provide a reliable baseload – for example, as a result of a cyber operation – this could disrupt many aspects of daily life. Affected areas could include economic activity, the functioning of government, transport links, healthcare facilities and other critical public services. This in turn could cause elevated levels of distress in the population, and even excess deaths if healthcare functions were compromised. Given that many countries are considering nuclear energy due to increasing energy demand and a desire to transition away from fossil fuels, it is now all the more critical to ensure that new nuclear power plants and new reactor types are designed with cybersecurity in mind.
iv. Changing risks through changes in technology
The following section explores two emerging technological developments and their impacts on the risk landscape for civil nuclear infrastructure. The first is the evolution of nuclear reactor technologies themselves, as well as their increased distribution through the advent of small modular reactors (SMRs) and microreactors. The second is the rise of artificial intelligence (AI), in terms of both its increasing capabilities and widening usage. AI could lower the barrier to malicious cyber operations by making tools for cyber intrusions more accessible and affordable for a wider range of actors, including potential hackers or cybercriminals.
The development of SMRs and microreactors provides an opportunity to increase energy security in areas where a traditional, larger nuclear power plant might be too difficult or expensive to build. In comparison to traditional nuclear infrastructure, which tends to take decades to plan and build, SMRs or microreactors could be deployed more quickly in areas where there is a significant energy need. Some SMRs are designed to be transported or deployed offshore, making them potentially more versatile than traditional nuclear power plants. The IAEA is aware of over 80 different SMR designs and concepts that are at different stages of development and implementation. As of early 2024, five SMR designs were under construction or operating.
The operating and monitoring software used in SMRs and microreactors will be less bespoke than in some older models of nuclear power plant. Indeed, one of the selling points of the newer designs is that SMRs and microreactors are easier to run, given that staff are more likely to be familiar with the operating software. Likewise, one of the purported advantages of SMRs and microreactors is that it is possible to control several reactors remotely at the same time. In some cases, SMRs and microreactors are intended to be operated fully remotely, without any staff on site. This increases the requirements for software solutions that are cloud-based or connected to the internet.
The risk landscape around such designs is mixed. On the one hand, newer reactors are designed to be fundamentally safer and more secure from a cybersecurity point of view. Cybersecurity is typically a consideration in their design in a way that has not been the case with traditional nuclear power plants, as older plants were developed at a time when cybersecurity standards did not yet exist or were just emerging. In this way, some vulnerabilities might be removed at the design stage by drawing on cybersecurity best practice.
On the other hand, the fact that SMRs are less bespoke than many more traditional reactor designs, and in many cases are connected to the internet, makes them more likely to have cyber vulnerabilities. In turn, this makes newer reactors more of a target for opportunistic cybercriminals. Security solutions such as ‘air gapping’ (which means not connecting critical parts of the control system to the internet) are often not possible in such cases due to the requirement for remote access.
In addition, increased deployment of SMRs and microreactors could create novel risks. First, if there are more reactors overall, the risk of any one reactor falling victim to a cyber operation increases. Another risk stems from the construction supply chain. Many companies are likely to be involved in the production of parts for these reactors. It is unclear whether such parts will consistently be designed with cybersecurity principles in mind. Therefore, the security of the supply chain could become very difficult to guarantee in its entirety. The IAEA is working with SMR designers to ensure that all new designs meet stringent safety standards for reactor and fissile-material safety. But ensuring the cybersecurity of the supply chain for SMRs and microreactors could present additional challenges, because a wide range of hardware manufacturers and software developers might all be suppliers for the same SMR or microreactor project. This highlights how important – and difficult – it will be for manufacturers to audit and monitor their supply chains for cybersecurity.
In addition to these inherent risks, it is envisaged that many SMRs and microreactors will be deployed in countries that may have lower cybersecurity capacity to begin with. Such countries might struggle to meet the additional cybersecurity requirements of nuclear reactors. The IAEA provides guidance on how to ensure a high standard of cybersecurity for nuclear reactors. However, as implementation is down to national governments, standards can vary according to the awareness and capacity of each government or operator.
As mentioned, adding to the civil nuclear industry’s risk of exposure to malicious cyber operations is the fact that hacking is arguably getting easier. Hacking tools are more widely available, and the emergence of AI-assisted programming tools may lower the barrier to entry for cybercriminals. Vulnerable sectors such as CNI could thus be targeted by a wider range of criminals who previously may not have been able to use cyber tools.
b. Specific threats and risks in conflict
Russia’s seizure of the Zaporizhzhia nuclear power plant in Ukraine, combined with the fighting that has gone on around the plant, has increased international awareness of the security risks that can arise when civil nuclear infrastructure is caught up in conflict. While nuclear power plants and other civil nuclear facilities are not specifically designed to operate in war zones, such facilities have several layers of physical safety built in to protect reactors and hazardous materials from kinetic threats. However, the combination of physical and cyber operations increasingly seen in modern warfare creates a new type of threat – one potentially able to overwhelm a limited operating staff, or to create a diversion enabling unauthorized access to nuclear materials.
This vulnerability could be exploited by combatants, or by a non-combatant criminal group that might be interested, for example, in stealing fissile materials or sensitive information about a nuclear facility. The IAEA has identified ‘insider threats’ as one particular vector through which cyber operations against nuclear power plants could be facilitated. The reduction in staff numbers at Zaporizhzhia, combined with the chaos of the Russian occupation, could increase the likelihood of unauthorized actors gaining access to the site. Among other things, it is difficult for a smaller staff to keep track of the comings and goings of visitors to a nuclear facility.
While the situation at the Zaporizhzhia plant is unusual, this is not the first time that a nuclear reactor has been caught up in the middle of a war. The Vinca research reactor in Serbia was a source of much concern during the Yugoslav Wars (1991–2001). Research staff at the Vinca Institute for Nuclear Science requested IAEA support in 1995, as they feared that highly enriched uranium fuel at the facility could be stolen amid high levels of political unrest in the country. The IAEA carried out several inspections between 1995 and 1999 to ensure the safety of the facility and assist staff. If nuclear reactors become more widespread in the future, for example due to the use of SMRs and microreactors, the risk of reactors being caught up in conflict will increase.