The nuclear energy industry has had a fraught year. Well…I mean, haven’t we all…But still, it’s pleasantly surprising to see such a looming giant begin to wither and fall. The nuclear power industry is failing, as evidenced not only by the alarming reports of fraud, corruption, and other fiascos that occurred at multiple nuclear facilities over the course of 2020, but also by the numbers that prove renewables are simply better for ALL of our futures – not just the nuclear business moguls our taxpayer dollars so generously continue to bail out.
If you’ve seen Chernobyl or heard of Fukushima, you know about the potential for absolutely devastating accidents that can occur when it comes to an operating nuclear power plant. Something we think about perhaps much less often is the potential for intentional devastation through hacking of a nuclear operation system. The Union of Concerned Scientists has pointed to specific threats to consider regarding how a massive cyberattack would impact US nuclear energy infrastructure:
- So far there have been no reports that the Nuclear Regulatory Commission (NRC), the agency that oversees the safety and security of US nuclear power plants, or any nuclear plants themselves, have been affected. The NRC once had a contract with SolarWinds, whose Orion software has been identified as a major vector of the attack, but apparently terminated it in 2011. However, the US Cybersecurity and Infrastructure Agency reported that Orion was not the only attack vector.
- Fortunately, it is highly unlikely that malevolent actors today could directly cause a severe accident at a US nuclear power plant because the instrumentation and control systems for the most important safety systems are primarily analog (non-digital) relics of the era decades ago when these plants were built.
- Even so, nuclear plants do have many digital systems that must be protected because they may have an indirect impact on plant safety—for example, the communication systems used by security officers. The NRC requires nuclear plant owners to protect such critical digital systems from cyberattack. In particular, there must be separation between a nuclear plant’s business systems, which are connected to the Internet, and any digital systems involved in reactor operations.
- Still, access to the business systems could be very useful to adversaries—for instance, they could obtain data revealing personal information about plant personnel and use it for blackmail. Moreover, even isolated systems need software updates, so if sophisticated malware is not detected by the scans a nuclear plant uses before loading updates on those systems, they could also become infected.
- The Nuclear Energy Institute, the industry’s chief lobbying group, has been fighting for years to reduce the scope of digital systems that plant owners have to protect under the NRC’s rules, including those that might protect against reactor shutdowns that could cause grid failures. The attack underway is a stark reminder that cybersecurity defenses at critical infrastructure facilities such as nuclear plants should be strengthened, not weakened.
- The NRC has still not yet completed its first round of inspections to confirm full compliance of nuclear plants with its cybersecurity rule, which was instituted more than ten years ago.