In preparing its latest global ranking of nuclear security risks, NTI for the first time asked basic questions about regulations addressing how to protect nuclear facilities from cyberattacks. "What we have observed is what I call enormous unevenness on the global stage to address this issue," said Page Stoutland, the group's vice president for scientific and technical affairs and one of the report's authors. The United States and other nations with developed programs often had regulatory safeguards, he said, while countries now developing nuclear programs were less likely to have formal policies in place.
The report is based on a review of publicly available information by the group, so it does not take into account classified measures that may be in place. And just because certain precautions are not required, that doesn't necessarily mean nuclear facilities aren't taking steps to defend themselves against cyberattacks.
But that isn't enough for Stoutland. "In our view it's still important that a country have some level of regulation for us to have any confidence that is actually happening," he said.
The U.S. nuclear industry sees the threat of cyberattacks as very real, but the current risk of a major incident here as very low, said William Gross, a senior project manager for engineering at the Nuclear Energy Institute. "We've been doing this for a long time, and we take this very seriously," he said.
Nuclear power plants in the United States keep their systems disconnected from the Internet or use hardware that separates business computer systems at plants from those that control nuclear operations to protect them from being attacked through the Web, according to the institute. In a report released last year, the Department of Homeland Security said that "[n]othing suggests that a cyber attack executed through the Internet could cause a nuclear reactor to malfunction and breach containment."
However, some research suggests the nuclear power industry at home and abroad remains at risk from digital attacks. A 2013 CNN report claimed that security researchers discovered connections to the command and control systems of nuclear power plants accessible online. And a report last year by London-based think tank Chatham House said there appears to be an "element of denial" among nuclear power plant operators about cybersecurity risk.
"Often, nuclear facilities will have undocumented connections to the internet" that could provide a way for malicious hackers to infect their systems, the Chatham House report said. The issue may be compounded, according to the group, by a lack of disclosure in the nuclear industry when cyberattacks occur that makes it hard to judge the true scope of the problem and could leave the industry with a false sense of security.
However, there are a few significant cyber incidents involving nuclear power plants we do know about. In 1992, a programmer at a Lithuanian nuclear plant was arrested on charges that he sabotaged its computer systems -- highlighting the potential for threats from insiders who don't need to go through the Internet to get to computer systems.
In 2003, computers at the Davis-Besse nuclear power plant in Ohio were infected by a computer worm dubbed "Slammer." The worm disabled the software interface employees used to monitor system safety for almost five hours. Luckily, the reactor had been offline since the previous year due to unrelated problems, and there was an analog backup system not affected by the infection.
And in 2008, a Georgia nuclear power plant went into emergency shutdown for 48 hours due to a cyber incident. This wasn't an attack, but an issue caused when a contractor installed a software update on one computer that reset the data on a control system. That caused the system to incorrectly believe that the plant didn't have enough water to cool its nuclear fuel rods and triggered the safety precaution. The situation showed that even without a malicious actor, increased reliance on software and interconnected systems can come with new risks.
But nuclear power has always come with a certain amount of risk. And just like squirrels seem to currently be a bigger threat to our electrical grid than hackers, the most recent major incident involving a power plant had to do with a natural disaster: Japan's 2011 Fukushima plant disaster caused by a tsunami.
In fact, there is just one cyber campaign involving nuclear facilities reported to have caused physical damage -- an attack on Iranian nuclear facilities by malware known as Stuxnet, thought to have been jointly developed by the United States and Israel. The malware destroyed nearly 1,000 of Iran’s 6,000 centrifuges — machines used to enrich uranium.
But according to Stoutland, the nuclear industry as a whole has more work to do to help prevent problems in the future. "Even those facilities in countries that are very aware of these issues and working very hard on these issues are struggling to play catch up," he said.