
Countries Unprepared for Attacks on Nuclear Facilities: Report

Many countries are not prepared to handle cyberattacks targeting their nuclear facilities, according to a new report from the Nuclear Threat Initiative (NTI).

NTI is a non-partisan, non-profit organization that focuses on strengthening global security by reducing the risk of use and preventing the spread of chemical, biological and nuclear weapons.

The organization’s third Nuclear Security Index assesses the preparedness of countries when it comes to protecting their nuclear facilities against sabotage and cyber attacks.

The 2010 Stuxnet incident in Iran clearly demonstrated the threat posed by cyberattacks to nuclear facilities. However, according to the 2016 NTI Index, while some countries have started taking steps to protect nuclear facilities against hacker attacks, many still don’t have proper laws and regulations in place.

A cyberattack on a nuclear facility could have serious consequences, as it could be used to facilitate the theft of nuclear materials or to sabotage the facility.

“For example, access control systems could be compromised, thus allowing the entry of unauthorized persons seeking to obtain nuclear material or to damage the facility,” NTI said in its report. “Accounting systems could be manipulated so that the theft of material goes unnoticed. Reactor cooling systems could be deliberately disabled, resulting in a Fukushima-like disaster.”

NTI has determined that of the 24 countries with weapons-usable nuclear materials and the 23 states with nuclear facilities, only 13 deserve the maximum cybersecurity score of 4. These countries are the United States, Canada, the United Kingdom, Australia, Russia, Belarus, Taiwan, Bulgaria, Finland, France, the Netherlands, Switzerland, and Hungary.

On the other hand, 20 countries received the minimum score because they lack even the basic requirements for protecting their nuclear facilities against attacks from cyberspace. Worryingly, some of the states that scored 0 have been expanding the use of nuclear power.

These scores are based on the answers to a series of questions focusing on a state’s cyber security requirements for nuclear facilities, including protection for critical digital assets, inclusion of cyber threats in threat assessments, and the existence of a performance-based program.

Over the past two years, eight states have passed new laws and regulations or updated existing ones to strengthen cybersecurity requirements, which has resulted in improved scores in the NTI Index. The list includes the United Kingdom, Russia, France, South Africa and Pakistan.

“Given the potential consequences, all states must work aggressively to ensure that their nuclear facilities are protected from cyber attacks. Governments should include the cyber threat within the national threat assessment for their nuclear facilities, and they should put in place a clear set of laws, regulations, standards, and licensing requirements for all nuclear facilities that require protection of digital systems from cyber attacks,” NTI said. “At the facility level, leadership must prioritize cybersecurity, determine potential consequences, and implement a program that ensures that digital assets and networks are characterized and secured and that the security is routinely tested.”

A report released in October 2015 by Chatham House revealed that the global nuclear industry still doesn’t fully understand the risk posed by cyberattacks. The study, focusing on civil nuclear facilities, showed that this sector had fallen behind other industries.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the United States said earlier this month that of the 295 critical infrastructure incidents reported to the organization in the fiscal year 2015, two percent were recorded in the nuclear reactors, materials and waste sector.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.