Late last week, the Washington Post had an article asking the question whether nuclear power plants are at risk of cyber attack. The article was keyed to a much lengthier, detailed report from the Nuclear Threat Initiative (a non-profit associated with The Economist, and chaired by former US Senator Sam Nunn). The short version of the report is that at least twenty different countries that have nuclear power facilities or nuclear weapons material “do not even have basic requirements to protect nuclear facilities from cyber attacks.” [To be clear, the main focus of the report is on physical security of nuclear plants and material against theft and sabotage. This is the first report from the NTI to add an assessment of cyber risk.]
I suppose that the report reflects a nice meme of today’s discourse. After all, an attack on a Chinese nuclear facility was the opening crisis in the recent movie Blackhat (a movie that did its best to misrepresent the practice of cybersecurity in as many ways as possible).
Nonetheless, I find the report a bit disappointing. The NTI assessment is based on a legal and policy analysis, not a practical examination of actual vulnerability. Thus the report’s cyber assessment is based on the following questions:
- Do domestic laws, regulations, or licensing requirements require nuclear facilities to have protection from a cyber attack?
- Do domestic laws, regulations, or licensing requirements require nuclear facilities to protect critical digital assets from a cyber attack?
- Does the state consider cyber threats in its threat assessment or design basis threat for nuclear facilities?
- Does the regulator require a performance-based program, which includes tests and assessments?
Based on these criteria, thirteen states (including the US, Russia, Taiwan and even Belarus) have the maximum cyber security score. But are they really safe?
Not that you can really tell. As I’ve said, the NTI report is mostly a legal and policy assessment, which gives us little insight into the practical aspects of cyber vulnerability, even in the 13 states that score high on the assessment matrix. More to the point, nuclear plants have many pathways of illicit access. As even the report implicitly acknowledges with its emphasis on theft and sabotage, an insider threat is much greater than a cyber attack — and in a world of limited resources, defenders must address the more likely pathways of attack first.
In addition, the nuclear power domain is very heterogeneous. There aren’t many similarities (if any) between the SCADA control systems in China and those in the US, or between either of those and Belarus. So the attack surface of nuclear plants is highly variable. And it seems to me that the presence or absence of law and policy is a secondary question to the much larger one of cyber practice. In that regard the report may be on to something — though it seems to miss the point a bit. The real challenge is one of awareness — to have the nuclear industry integrate cybersecurity practices into its culture of physical security and safe operations. But that point is buried in the report and doesn’t surface into the scare-mongering headlines of newspaper reports.
Bottom line: cybersecurity is hard, detailed work. It involves culture, training, engineering as well as law and policy. Starting at the top is probably the wrong place to begin.