Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Cyber Security Risk Underestimated at Nuclear Facilities: Report

The nuclear industry still doesn’t fully understand the risk posed by cyberattacks, according to a new report published on Monday by Chatham House.

The report, focusing on cybersecurity at civil nuclear facilities, is based on interviews with 30 industry practitioners, academics and policymakers from the U.K., Canada, the U.S., Ukraine, Russia, Japan, France and Germany.

The nuclear industry still doesn’t fully understand the risk posed by cyberattacks, according to a new report published on Monday by Chatham House.

The report, focusing on cybersecurity at civil nuclear facilities, is based on interviews with 30 industry practitioners, academics and policymakers from the U.K., Canada, the U.S., Ukraine, Russia, Japan, France and Germany.

The 2010 Stuxnet attacks aimed at nuclear facilities in Iran clearly demonstrated the threat posed by cyberattacks. However, the 18-month study conducted by Chatham House shows that the nuclear sector is falling behind other industries, despite the important steps taken recently by the International Atomic Energy Agency (IAEA).

Nuclear Plant  Cyber Security

While nuclear facilities are well prepared when it comes to physical security and safety, the fact that they are increasingly relying on digital systems means they are exposed to a new type of threat they must be prepared to face, namely attacks from cyberspace.

 

Related: Attend the 2015 ICS Cyber Security Conference

The existence of numerous vulnerabilities in industrial control system (ICS) software could make nuclear facilities an easy target for malicious actors. While many believe that the risk of damaging cyberattacks is low in the case of organizations in charge of critical infrastructure because important systems are air gapped (i.e. isolated from the public Internet), Chatham House says this is just a myth in the case of nuclear facilities.

The study has found that many nuclear facilities use virtual private networks (VPN) and other types of connections, and operators might not be aware of their existence.

Advertisement. Scroll to continue reading.

One of the main challenges identified by Chatham House is related to risk assessment, which can be inadequate and may result in reduced cyber security budgets. Experts believe guidelines are needed to accurately assess and measure the risk so that boards and CEOs will understand what is at stake.

One of the factors that leads to underestimating risk is the infrequency of cyber security incident disclosures, which may cause the nuclear industry to believe that it’s not the target of cyberattacks. There is only limited communication between the nuclear and other industries, and between cyber security companies and vendors, which is also a point of concern, the report shows.

There are also a series of cultural challenges when it comes to securing nuclear facilities, including the fact that operational technology (OT) engineers have difficulties communicating with information technology (IT) engineers, the lack of cybersecurity procedures and training, and a reactive approach to cybersecurity. All of these issues suggest that nuclear facilities are not prepared to detect and address attacks, Chatham House determined based on the interviews it conducted.

As for technical challenges, the report names the “insecurity by design” of industrial control systems, the problem of applying patches due to compatibility issues that could result in downtime, and supply chain vulnerabilities.

“The nuclear industry as a whole needs to develop a more robust ambition to take the initiative in cyberspace and to fund the promotion and fostering of a culture of cyber security, determining investment priorities and ensuring that sufficient and sustained funding is allocated to effective responses to the challenge. It also needs to establish an international cyber security risk management strategy and encourage the free flow of information between all stakeholders,” Chatham House said in its report. “This will require the industry to develop appropriate mechanisms and coordinated plans of action to address the technical shortfalls identified, as well as to find the right balance between regulation and personal responsibility.”

Related: Learn More at the ICS Cyber Security Conference

Related: Alerts Issued for Zero-Day Flaws in SCADA Systems

Related: Vulnerabilities Found in Several SCADA Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

Cybercrime

Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

ICS/OT

Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...

ICS/OT

Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...