One U.S. cybersecurity expert is arguing that world nations should jointly pledge they will spare civil nuclear facilities from computer attacks for humanitarian reasons.
Bruce McConnell co-authored a January 2014 report for the EastWest Institute that describes nuclear information security as a "signature security issue of the information age," decrying that the topic has received too little attention. "There is a moral and political judgment to be made about humanitarian impacts, even in wartime, of potential release of large amounts of radiation by attacking targets like a nuclear power station," he contends.
McConnell held various cybersecurity-related jobs during his roughly four-year tenure at the Department of Homeland Security. He left government service last year to join the New York office of the EastWest Institute as a senior vice president and manager of the think tank's Cooperation in Cyberspace Program.
The recommendation to formulate an international agreement for banning technological assaults on nuclear facilities aligns with conventional wisdom that attackers' capabilities will always be a step ahead of virtual defenses, McConnell told Global Security Newswire in a May 13 telephone interview. Critical infrastructure -- including nuclear-power facilities -- is especially vulnerable if its operational control systems can be accessed from the Internet, as is increasingly the case.
He called the 2012 cyber-attack on Saudi Arabia's national oil company Aramco a "scare." While the hackers failed to affect the company's core production processes, the attack played out dangerously close to the intersection of routine business systems and those applications governing an industrial plant's physical operation.
At the same time, McConnell is careful not to overstate the threat as it exists today, saying a true atomic disaster brought about by hacking could be "dire" but is unlikely. He argues that a mix of policy decisions and regulations should be crafted today to ensure atomic facilities are "off the table" in future conflicts.
Edited excerpts of the interview with McConnell follow:
GSN: How vulnerable are U.S. nuclear power plants to cyber-attacks? And what about facilities worldwide?
McConnell: The answer is somewhat counterintuitive. In general, what we find is that the United States tends to be an early adopter in terms of using information technology in industrial control systems and industrial applications. … The source of vulnerability is related to how much of the nuclear operation is connected and dependent upon IT. So, if you have older facilities that are less connected and … located somewhere where there is less aggressive use of IT in industrial spaces … they may be less vulnerable.
The probability of release of radioactive material through a combined physical cyber-attack is relatively low. So, we try not to join the chorus of hype here and say, "The sky is falling," because it's actually pretty hard to have a release of radioactive material. So, it's a low-probability event. It's almost impossible, I think, just through cyber; you'd have to add some physical aspect to it.
I would say that neither U.S. nor European [nor] other foreign nuclear facilities are particularly vulnerable from the standpoint of a dire release of radioactivity. But if you think about the risk -- a function of threat, vulnerability and consequences -- in this case it's the consequences that make the risk higher, not so much the vulnerability. Although vulnerabilities exist, and there are people, obviously, and threats who would like to take advantage of them.
GSN: What determines the degree to which nuclear facilities are at risk of cyber-attacks?
McConnell: There are two ways of attack. One way is through the business systems, which are generally connected to the Internet. So, the example here would be the Saudi Aramco attack. It was a scare. We've seen other cases where business systems have been used to get into operational systems, which have been less well publicized.
In the old days, there was a rule in the utility industry never to connect your business systems to your control systems, because of just that problem. And this was even before the Internet. But economics has [changed] that, and now you can do maintenance remotely … and save a lot of money and be more efficient. But you also introduce more vulnerability. It's the connection to the business system, in general, that opens up a whole host of generic vulnerabilities that create the potential for havoc.
The other way is what we saw in Stuxnet, which is where the control systems were not connected to the outside world. So, there the malware was introduced through -- and we don't know the details -- a combination of physical means, maybe a thumb drive, and very sophisticated … techniques that allow you to get in that way. …
That was a more cumbersome process. The kind of physical way of doing it, whether it's through a thumb drive or somebody on the inside, takes more art form, a more sophisticated, better resourced attacker. But it's also a possibility.
GSN: Are there indications that terrorists seek to hack nuclear facilities?
McConnell: It's certainly plausible. It's a good research question whether there are public domain writings that say, "We would really like to take down a nuclear plant." But all the elements are there. From the standpoint of intent, creating a small accident would create a big effect if you got a release of radioactive material. Even the scare that there might be a danger of release would be an effective attack by a terrorist who is trying to create terror. I don't actually know the answer. I can't point to somebody who said they want to do this. But it's certainly plausible that they would.
It gets to the issue of capability and intent in a given threat. And in this case, as in most other cases of cyber terrorism, where there is intent, there is not as much capability today. I think the conventional wisdom is that it's a matter of time before capability becomes available, and there will be a race between hardening some of these sites and the capabilities of the terrorists.
GSN: What are the regulatory mechanisms for minimizing the risk of a successful cyber-attack?
McConnell: Domestically, of course, there is the Nuclear Regulatory Commission. They are very aware of cyber issues. Their regulations are quite strict. If you look across the spectrum of critical infrastructure and cyber regulation, the two that are at the highest level are financial services and nuclear. There are some pretty high standards.
What I would point out in this regulatory environment is that you can regulate people and require them to protect themselves, but as it is true with all things cyber, you'll never get 100 percent protection. So, what we're calling for in our report [with co-author Greg Austin] is rather than -- certainly people should protect their systems -- but we're proposing that [nation-]states take the step of saying they're not going to do this. There are some things that are not a good idea to attack for public-good reasons, if you will. And this is an example of that.
GSN: Do you see a blind spot in regulation that has yet to be covered?
McConnell: I think that the regulation side, or what providers and owners of these facilities [do], is pretty good. I don't think there are any big blind spots for the major ones. I haven't looked carefully at health applications and manufacturing of X-ray devices and things like that. The health industry is fairly under-regulated in cyber, so I would imagine there are some gaps there. But I don't know that the risk is as great as it would be in the area that we're looking at. ... But that's more of an impression.
GSN: What is the role of the nuclear industry to secure facilities against cyber-attacks?
McConnell: Well, it's the industry's assets, so they need to protect them. The problem with industry -- and particularly critical infrastructure -- is that unless there's a regulation in place, the public utility commissions generally don't allow the costs. If you're a regulated industry, you can't go out and say, "We're going to make a big investment in cybersecurity." You have to get that through the local [public utility commission]; that's a problem. That's why it's handy for the national regulator, at least in the United States, to do this.
These firms are proactive, and they're acting responsibly. But again, no individual firm can afford to make the investments to protect against a seriously well funded attacker.
In general, investment among companies in cybersecurity is not what it should be. Creating the willingness to pay is a long process. They're aware of the problem, but do they take action? More so now, but not enough yet.
GSN: You have proposed the creation of an international response center for nuclear information security incidents, based on proposals by U.S. and Russian specialists. How would that work?
McConnell: The International Atomic Energy Agency is the expert body on the international stage that has the ability to make a difference here if something is going to be done multilaterally. That's where you would set up such a center. You'd have people in it from various countries, and they would all have phone numbers and internet addresses of partners and industry representatives, and if something happened, that's where you would go to get help.
GSN: Is it realistic to bank on people's "moral and political judgment," as you call it, in the proposal to make nuclear facilities off-limits for cyber-attacks?
McConnell: You have to start somewhere, right? I mean, this would require countries to agree not to do this. But they've agreed to not attack hospitals in conventional warfare. So there is precedent for this. They have agreed not to attack civil aviation by technological means.
I think it's practical. We just need to get the conversation started. And there is an interest in setting up more comprehensive norms. What we're trying to say is, in addition to that top-down comprehensive approach, why don't we just start by taking a few things off the table. So I think it's absolutely realistic.
GSN: Given past U.S.-Russian expert cooperation on the issue, has the Ukraine crisis had an effect on the conversation?
McConnell: Two things: Just the overall distraction of the Ukraine crisis has made conversations with the Russians more difficult, only because there's a lot of extra stuff going on. But we continue to discuss and work with the Russians on cybersecurity matters from here. But I think the official channels have been strained by the unpleasantries in the Ukraine, so I think that has set back official conversations around this.