The nuclear industry still doesn’t fully understand the risk posed by cyberattacks, according to a new report published on Monday by Chatham House.
The report, focusing on cybersecurity at civil nuclear facilities, is based on interviews with 30 industry practitioners, academics and policymakers from the U.K., Canada, the U.S., Ukraine, Russia, Japan, France and Germany.
The 2010 Stuxnet attacks aimed at nuclear facilities in Iran clearly demonstrated the threat posed by cyberattacks. However, the 18-month study conducted by Chatham House shows that the nuclear sector is falling behind other industries, despite the important steps taken recently by the International Atomic Energy Agency (IAEA).
While nuclear facilities are well prepared when it comes to physical security and safety, the fact that they are increasingly relying on digital systems means they are exposed to a new type of threat they must be prepared to face, namely attacks from cyberspace.
Related: Attend the 2015 ICS Cyber Security Conference
The existence of numerous vulnerabilities in industrial control system (ICS) software could make nuclear facilities an easy target for malicious actors. While many believe that the risk of damaging cyberattacks is low in the case of organizations in charge of critical infrastructure because important systems are air gapped (i.e. isolated from the public Internet), Chatham House says this is just a myth in the case of nuclear facilities.
The study has found that many nuclear facilities use virtual private networks (VPN) and other types of connections, and operators might not be aware of their existence.
One of the main challenges identified by Chatham House is related to risk assessment, which can be inadequate and may result in reduced cyber security budgets. Experts believe guidelines are needed to accurately assess and measure the risk so that boards and CEOs will understand what is at stake.
One of the factors that leads to underestimating risk is the infrequency of cyber security incident disclosures, which may cause the nuclear industry to believe that it’s not the target of cyberattacks. There is only limited communication between the nuclear and other industries, and between cyber security companies and vendors, which is also a point of concern, the report shows.
There are also a series of cultural challenges when it comes to securing nuclear facilities, including the fact that operational technology (OT) engineers have difficulties communicating with information technology (IT) engineers, the lack of cybersecurity procedures and training, and a reactive approach to cybersecurity. All of these issues suggest that nuclear facilities are not prepared to detect and address attacks, Chatham House determined based on the interviews it conducted.
As for technical challenges, the report names the “insecurity by design” of industrial control systems, the problem of applying patches due to compatibility issues that could result in downtime, and supply chain vulnerabilities.
“The nuclear industry as a whole needs to develop a more robust ambition to take the initiative in cyberspace and to fund the promotion and fostering of a culture of cyber security, determining investment priorities and ensuring that sufficient and sustained funding is allocated to effective responses to the challenge. It also needs to establish an international cyber security risk management strategy and encourage the free flow of information between all stakeholders,” Chatham House said in its report. “This will require the industry to develop appropriate mechanisms and coordinated plans of action to address the technical shortfalls identified, as well as to find the right balance between regulation and personal responsibility.”
Related: Learn More at the ICS Cyber Security Conference
Related: Alerts Issued for Zero-Day Flaws in SCADA Systems
Related: Vulnerabilities Found in Several SCADA Products
