The UK’s nuclear facilities are at risk of a major cyber-attack, thanks to a lack of awareness among senior executives and an increasing trend towards digitization, according to a new report.
Chatham House spoke to 30 “leading industry practitioners” to compile its report, Cyber Security at Civil Nuclear Facilities: Understanding the Risks.
It pointed to serious deficiencies in the supply chain, meaning equipment at nuclear plants could be compromised at any stage.
Also highlighted were an overly reactive approach to cybersecurity, a lack of staff training, and communication breakdowns between engineers and security personnel.
Facilities aren’t ‘air gapped’, as many believe, but are connected to the internet, with all the risks this entails, the report continued.
And hackers can easily find critical infrastructure components via a web search.
The report recommended the development of risk assessment guidelines, and the adoption of regulatory standards.
It also suggested that nuclear facilities implement rules promoting good IT hygiene, and that engineers and contractors are educated about cybersecurity risk.
Tony Berning, senior manager at development tools maker OPSWAT, argued that portable media is often used to spread malware across air-gapped systems.
“While imperative to the protection of critical infrastructure, securing portable media devices is not easily done, and there are many requirements that can impact the portable media security policies for operators of critical infrastructure,” he added.
“In many cases, there is no single source for an organization’s portable media security policy, and individual facilities may require unique security policies.”
Berning warned that many of the SCADA and ICS systems which run nuclear plants were built decades ago when cybersecurity wasn’t a major issue.
“To add cybersecurity defenses to these systems is a major task, coupled with the fact that, due to their critical nature, downtime for system upgrades is virtually impossible,” he added.
Berning urged the UK’s nuclear operators to air gap systems or else protect them with firewalls and intrusion prevention systems, and to conduct regular penetration testing.
Rob Miller, senior security researcher at MWR InfoSecurity, argued that, increasingly, good security is being driven by people and process, not products.
“A major challenge in this field is making sure security measures are enforced not just by the operators, but at every stage of the supply chain,” he added.
“Often multiple independent integrators and suppliers are relied upon to make key design decisions in building and maintaining the facilities. The reason why issues like flaws in an air-gap come about is because at a key design stage, the engineers did not have the right training to identify and resolve the vulnerabilities.”