As nuclear power establishes itself as an ever more important source of energy for nations across the world, cybersecurity risks are also becoming increasingly menacing, according to a new report by UK think tank Chatham House.
The Sellafield nuclear power plant (NPP) debacle was a conspicuous case of nuclear cybersecurity going awry.
The site on the English coast has been hacked multiple times by actors with close ties to Russia and China since 2015, but the incidents were “consistently covered up by senior staff”, the Guardian reported last December.
According to the Guardian, information and data on Sellafield’s most sensitive activities could have been fed back to foreign parties through “sleeper malware” that has lurked in the background of its computer systems for as long as ten years.
While Sellafield is used primarily as a nuclear waste and decommissioning site, rather than for active nuclear production, the site has the world’s largest stores of plutonium, a highly reactive metal used to make nuclear weapons. It also contains a set of emergency planning documents that detail the steps the UK Government would take should the country come under foreign attack, meaning foreign hackers could have accessed the “highest echelons of confidential material at the site”.
The case therefore illustrated how not only energy security but also national security can be compromised by nuclear cybersecurity threats.
According to Chatham House’s ‘Cybersecurity of the civil nuclear sector’ report, there are several reasons the nuclear power industry is particularly vulnerable to cybersecurity breaches.
An unprepared and oblivious industry
Firstly, a lot of the existing nuclear power infrastructure is dated and does not possess up-to-date cybersecurity technology.
Chatham House notes that, currently, many nuclear plants rely on software that is “built on insecure foundations and requiring frequent patches or updates” or “has reached the end of its supported lifespan and can no longer be updated”. The think tank pointed out that civil nuclear industries are thus playing catch-up with other critical national infrastructure (CNI) industries when it comes to cybersecurity.
The fact that nuclear infrastructure is considered to be CNI also makes it an attractive target for hackers. As demonstrated by the Sellafield incident, nuclear sites can have implications beyond energy, including national security. Foreign actors could target another state’s nuclear industry to not only jeopardise the state’s energy security but also gain a military advantage, says Chatham House.
Another vulnerability highlighted by the report is the industry’s reliance on ‘security by obscurity’. Hubristic systems managers have often neglected adequate security measures due to the assumption that ICT (information and communication technology) systems in older NPPs are too small-scale to have well-known vulnerabilities that can be exploited.
The SMR threat
The Chatham House report also details how the uptake of small modular reactors (SMRs) could lead to increased cybersecurity risks.
Due to their diminutive size, SMRs can be deployed in disparate areas that lack the physical conditions necessary for the deployment of large-scale energy infrastructure. The inherent versatility of the advanced technology has made it popular among governments across the world as they seek to widen access to more forms of renewable energy.
However, SMR-centred nuclear infrastructure would look different to that of traditional reactors, requiring different security measures.
For one, there will be a larger number of SMRs in more locations due to their easily deployable nature. It might not be practical to have staff at each site, with operators instead opting to run the facility through a central computer system without human presence. Increased reliance on cloud systems to run infrastructure is bound to increase the cybersecurity risks, Chatham House says.
Furthermore, SMRs present additional supply chain pinch-points for cybersecurity, as the materials for SMRs tend to be prefabricated by a larger number of varying suppliers than in traditional nuclear plants, according to Chatham House.
Combination of cyber and physical threats
Chatham House notes that while NPPs are not designed to operate in war zones, they do have several layers of physical safety built in to protect reactors from kinetic threats. However, physical threats combined with cybersecurity breaches could create far more menacing risks for plant operators that could overwhelm operating staff and enable unauthorised access to nuclear materials.
For instance, in Serbia during the Balkan wars of the 1990s, this combination of threats was realised at the Vinca research reactor, where research staff feared that highly enriched uranium fuel could be stolen. The International Atomic Energy Agency (IAEA) was forced to carry out several inspections between 1995 and 1999. The plant was saved, but for some time the threat nearly escalated into catastrophe.
More recently, the Zaporizhzhia NPP has raised similar concerns. Since November 2022, Russia has controlled the NPP, which sits on the front line of Russian-occupied Ukraine. “Reckless attacks” on the power plant have “significantly increased the risk of a major nuclear accident”, Rafael Mariano Grossi, director-general of the IAEA, told the UN Security Council in April, although Russia and Ukraine have accused each other of carrying out the attacks.
Where does the industry go from here?
While no single legal regime addresses cyber threats to nuclear infrastructure, international law can provide safeguards against what is often a cross-border threat.
Chatham House recommends that states “develop strategies to both enhance the enforcement of international law in cyberspace and ensure accountability for unlawful cyber operations, including those targeting civil nuclear facilities”. Such strategies could include reforming existing treaties or laws to address cyber-nuclear, establishing an international cybersecurity management strategy and creating national computer emergency response teams specialised in industrial control systems.
With states rushing to grapple with rapidly evolving cyber technologies, nuclear regulators may have their work cut out safeguarding the digital side of their industry. As the world becomes increasingly digitalised, and more reliant on decentralised, cloud-based systems, it is fair to expect cybersecurity to become a pressing issue for regulators in the near future.