Expert Wants Nuclear Plants Taken 'Off the Table' in Cyber-Warfare

The central control room for the Unit One and Unit Two reactors of the Fukushima Dai-ichi nuclear power plant. Toru Yamanaka/AP

One U.S. cybersecurity expert is arguing that world nations should jointly pledge they will spare civil nuclear facilities from computer attacks for humanitarian reasons.

Bruce McConnell co-authored a January 2014 report for the EastWest Institute that describes nuclear information security as a "signature security issue of the information age," decrying that the topic has received too little attention. "There is a moral and political judgment to be made about humanitarian impacts, even in wartime, of potential release of large amounts of radiation by attacking targets like a nuclear power station," he contends.

McConnell held various cybersecurity-related jobs during his roughly four-year tenure at the Department of Homeland Security. He left government service last year to join the New York office of the EastWest Institute as a senior vice president and manager of the think tank's Cooperation in Cyberspace Program.

The recommendation to formulate an international agreement banning technological assaults on nuclear facilities aligns with the conventional wisdom that attackers' capabilities will always be a step ahead of virtual defenses, McConnell told Global Security Newswire in a May 13 telephone interview. Critical infrastructure -- including nuclear-power facilities -- is especially vulnerable if its operational control systems can be accessed from the Internet, as is increasingly the case.

He called the 2012 cyber-attack on Saudi Arabia's national oil company Aramco a "scare." While the hackers failed to affect the company's core production processes, the attack played out dangerously close to the intersection of routine business systems and those applications governing an industrial plant's physical operation.

At the same time, McConnell is careful not to overstate the threat as it exists today, saying a true atomic disaster brought about by hacking could be "dire" but is unlikely. He argues that a mix of policy decisions and regulations should be crafted today to ensure atomic facilities are "off the table" in future conflicts.

Edited excerpts of the interview with McConnell follow:

GSN: How vulnerable are U.S. nuclear power plants to cyber-attacks? And what about facilities worldwide?

McConnell: The answer is somewhat counterintuitive. In general, what we find is that the United States tends to be an early adopter in terms of using information technology in industrial control systems and industrial applications. … The source of vulnerability is related to how much of the nuclear operation is connected and dependent upon IT. So, if you have older facilities that are less connected and … located somewhere where there is less aggressive use of IT in industrial spaces … they may be less vulnerable.

The probability of release of radioactive material through a combined physical cyber-attack is relatively low. So, we try not to join the chorus of hype here and say, "The sky is falling," because it's actually pretty hard to have a release of radioactive material. So, it's a low-probability event. It's almost impossible, I think, just through cyber; you'd have to add some physical aspect to it.

I would say that neither U.S. nor European [nor] other foreign nuclear facilities are particularly vulnerable from the standpoint of a dire release of radioactivity. But if you think about the risk -- a function of threat, vulnerability and consequences -- in this case it's the consequences that make the risk higher, not so much the vulnerability. Although vulnerabilities exist, and there are people, obviously, and threats who would like to take advantage of them.

GSN: What determines the degree to which nuclear facilities are at risk of cyber-attacks?

McConnell: There are two ways of attack. One way is through the business systems, which are generally connected to the Internet. So, the example here would be the Saudi Aramco attack. It was a scare. We've seen other cases where business systems have been used to get into operational systems, which have been less well publicized.

In the old days, there was a rule in the utility industry never to connect your business systems to your control systems, because of just that problem. And this was even before the Internet. But economics has [changed] that, and now you can do maintenance remotely … and save a lot of money and be more efficient. But you also introduce more vulnerability. It's the connection to the business system, in general, that opens up a whole host of generic vulnerabilities that create the potential for havoc.

The other way is what we saw in Stuxnet, which is where the control systems were not connected to the outside world. So, there the malware was introduced through -- and we don't know the details -- a combination of physical means, maybe a thumb drive, and very sophisticated … techniques that allow you to get in that way. …

That was a more cumbersome process. The kind of physical way of doing it, whether it's through a thumb drive or somebody on the inside, takes more art form, a more sophisticated, better resourced attacker. But it's also a possibility.

GSN: Are there indications that terrorists seek to hack nuclear facilities?

McConnell: It's certainly plausible. It's a good research question whether there are public domain writings that say, "We would really like to take down a nuclear plant." But all the elements are there. From the standpoint of intent, creating a small accident would create a big effect if you got a release of radioactive material. Even the scare that there might be a danger of release would be an effective attack by a terrorist who is trying to create terror. I don't actually know the answer. I can't point to somebody who said they want to do this. But it's certainly plausible that they would.

It gets to the issue of capability and intent in a given threat. And in this case, as in most other cases of cyber terrorism, where there is intent, there is not as much capability today. I think the conventional wisdom is that it's a matter of time before capability becomes available, and there will be a race between hardening some of these sites and the capabilities of the terrorists.

GSN: What are the regulatory mechanisms for minimizing the risk of a successful cyber-attack?

McConnell: Domestically, of course, there is the Nuclear Regulatory Commission. They are very aware of cyber issues. Their regulations are quite strict. If you look across the spectrum of critical infrastructure and cyber regulation, the two that are at the highest level are financial services and nuclear. There are some pretty high standards.

What I would point out in this regulatory environment is that you can regulate people and require them to protect themselves, but as it is true with all things cyber, you'll never get 100 percent protection. So, what we're calling for in our report [with co-author Greg Austin] is rather than -- certainly people should protect their systems -- but we're proposing that [nation-]states take the step of saying they're not going to do this. There are some things that are not a good idea to attack for public-good reasons, if you will. And this is an example of that.

GSN: Do you see a blind spot in regulation that has yet to be covered?

McConnell: I think that the regulation side, or what providers and owners of these facilities [do], is pretty good. I don't think there are any big blind spots for the major ones. I haven't looked carefully at health applications and manufacturing of X-ray devices and things like that. The health industry is fairly under-regulated in cyber, so I would imagine there are some gaps there. But I don't know that the risk is as great as it would be in the area that we're looking at. ... But that's more of an impression.

GSN: What is the role of the nuclear industry in securing facilities against cyber-attacks?

McConnell: Well, it's the industry's assets, so they need to protect them. The problem with industry -- and particularly critical infrastructure -- is that unless there's a regulation in place, the public utility commissions generally don't allow the costs. If you're a regulated industry, you can't go out and say, "We're going to make a big investment in cybersecurity." You have to get that through the local [public utility commission]; that's a problem. That's why it's handy for the national regulator, at least in the United States, to do this.

These firms are proactive, and they're acting responsibly. But again, no individual firm can afford to make the investments to protect against a seriously well funded attacker.

In general, investment among companies in cybersecurity is not what it should be. Creating the willingness to pay is a long process. They're aware of the problem, but do they take action? More so now, but not enough yet.

GSN: You have proposed the creation of an international response center for nuclear information security incidents, based on proposals by U.S. and Russian specialists. How would that work?

McConnell: The International Atomic Energy Agency is the expert body on the international stage that has the ability to make a difference here if something is going to be done multilaterally. That's where you would set up such a center. You'd have people in it from various countries, and they would all have phone numbers and internet addresses of partners and industry representatives, and if something happened, that's where you would go to get help.

GSN: Is it realistic to bank on people's "moral and political judgment," as you call it, in the proposal to make nuclear facilities off-limits for cyber-attacks?

McConnell: You have to start somewhere, right? I mean, this would require countries to agree not to do this. But they've agreed to not attack hospitals in conventional warfare. So there is precedent for this. They have agreed not to attack civil aviation by technological means.

I think it's practical. We just need to get the conversation started. And there is an interest in setting up more comprehensive norms. What we're trying to say is, in addition to that top-down comprehensive approach, why don't we just start by taking a few things off the table. So I think it's absolutely realistic.

GSN: Given past U.S.-Russian expert cooperation on the issue, has the Ukraine crisis had an effect on the conversation?

McConnell: Two things: Just the overall distraction of the Ukraine crisis has made conversations with the Russians more difficult, only because there's a lot of extra stuff going on. But we continue to discuss and work with the Russians on cybersecurity matters from here. But I think the official channels have been strained by the unpleasantries in the Ukraine, so I think that has set back official conversations around this.
