Cyber security at nuclear facilities: US-Russian joint support needed

In April 2016, operators at the Gundremmingen nuclear power plant in Germany discovered two computer viruses, W32.Ramnit and Conficker. The viruses had attacked office computers, removable drives, and visualization software used to move nuclear fuel rods. Fortunately, all critical systems at the plant were isolated from the Internet, and the viruses only caused “some disruption,” according to International Atomic Energy Agency (IAEA) Director Yukiya Amano. He said, however, that the issue of cyber attacks on nuclear facilities “should be taken very seriously.”

The 2016 incident is not an isolated case. The nuclear industry encounters cyber threats on a daily basis, and it is only a matter of time until control systems are compromised.

Cyber security is obviously a controversial topic in US-Russian relations. The political climate, including Edward Snowden’s revelations in 2013 and Russian interference in the 2016 US presidential election, has made the cyber domain a no-go zone for discussion. Cooperative efforts and confidence-building measures that were discussed in 2013 are long forgotten. Nevertheless, both states face an ongoing need to address this emerging threat and to work against third parties—such as terrorist groups—before a large-scale incident occurs. A scientific partnership focused on the civilian nuclear industry is a potential way to restart a cyber security dialogue in the future.

The United States and Russia have worked extensively, both bilaterally and multilaterally, on the enhancement of nuclear security domestically and globally. It has always been one of a few topics on which both states could find common ground. Assisting other countries, especially nuclear newcomers, by building capacity in the nuclear cyber security field can be the first step toward bilateral talks on this issue.

Cyber security at nuclear facilities. Cyber attacks are never entirely virtual, because they can have direct impacts on physical and human infrastructure. A malicious intrusion into control systems at a nuclear power plant, for instance, could cause a radiological accident or an intentional release of radioactive material. In a worst-case scenario, interference with the command and control of nuclear weapons could lead to unprecedented consequences, such as an unauthorized missile launch.

Civilian nuclear facilities require thousands of digital systems to support their operation. Software patches and updates are even more challenging than routine maintenance, and tech support usually comes from a single vendor. Contrary to popular belief, a computer system that is isolated from unsecured networks (or “air-gapped”) is not immune to cyber attacks, which can come from a compromised supply chain or from insiders. The Stuxnet computer worm, for example, destroyed about 1,000 Iranian centrifuges between 2009 and 2010, despite the fact that critical systems were air-gapped. The worm spread to these systems from infected USB thumb drives.

A number of states lack stringent requirements or national policies to protect nuclear facilities from cyber attacks. This is a dangerous situation, considering the growing number of incidents: for instance, the SQL Slammer worm that infected the Davis-Besse nuclear power plant in Ohio in 2003, the 2014 attack at the Korea Hydro and Nuclear Power plant that resulted in the leak of 10,000 workers’ personal details, and the 2015 intrusion into Supervisory Control And Data Acquisition (SCADA) systems of the Ukrainian power grid that caused outages for several hours. These cases not only show that security practices are in need of further improvements, but also reinforce a negative image of the nuclear industry.

Building a cyber framework by supporting other states. As leading powers in the nuclear domain, the United States and Russia play a special role in preventing an act of nuclear terrorism. Their long history of relations in this field has contributed to protecting and securing nuclear material around the world. Examples include a number of agreements on nuclear weapons control, lab-to-lab cooperation, the Megatons to Megawatts program, the Warhead Safety and Security Exchange agreement, and the Plutonium Production Reactor Agreement. The nuclear partnership continued to evolve until the recent deadlock over issues ranging from Ukraine to Syria.

Because of the renewed tensions, many agreements are collapsing or being revoked. Abandoning bilateral relations in the nuclear field sends worrying signals to other states. Fortunately, the United States and Russia still agree on curtailing Kim Jong-un’s nuclear ambitions, and there is still a glimpse of hope that the Iran nuclear deal will not be dismantled.

Building on previous nuclear cooperation, the US and Russia can enhance cyber nuclear security in other states where possible. By doing so, they can improve international security and facilitate the use of clean energy. Examples of potential activities and projects include:

• Establishing a set of minimum standards or recommendations to help assess cyber personnel qualifications at newly built plants. Russia, for example, provides a national educational program for nuclear cyber security, while the United States has various training and certification programs for cyber security specialists working in the critical infrastructure sector. Protecting computer systems at a nuclear facility is a complicated task, and a country with no experience in the field can lack trained human capital.
• Joint research on new developments in the field of computer security. For example, blockchain technology, originally developed to secure transactions made with the Bitcoin currency, is being introduced into the energy sector. Guardtime, a cyber security firm, is currently providing blockchain solutions to protect nuclear power plants in Great Britain and recently became one of the contractors chosen to protect the energy sector in the United States.
• Creating a communication link between Russian and US Computer Emergency Response Teams. This can provide coordination during large-scale incidents.
• Technical exercises during scientific workshops. Such activities, led by the United States and Russia, can complement IAEA training and enhance the agency’s manuals. For instance, workshops can target topics such as patch management, detection of supply chain vulnerabilities, and the development of “human firewalls” to reduce the risk of human error. Working together on educational and training projects can help address pressing nuclear security challenges around the world and facilitate collaboration between Russian and US scientists.

A small step forward. The current political environment that surrounds cyber issues leaves slim prospects for a US-Russian dialogue. New developments in offensive cyber capabilities exacerbate the situation. Cyber weapons are perfect tools for an aggressor: They can damage critical infrastructure remotely and untraceably, with no casualties for the aggressor, at any given time. Bearing in mind the potential for a nuclear disaster triggered by a cyber attack, it would be beneficial for the United States and Russia to establish some sort of connection through support of other countries.

It is easy to overlook small cases, such as the malicious software discovered at the Gundremmingen plant last year, but they are evidence of the greater dangers that cyber attacks pose to nuclear facilities. A future incident could turn out to be a large-scale event, perhaps even one with irreversible consequences.

The United States and Russia have the best techniques for addressing these unique challenges. A cooperative exchange of expertise with other nations would be a small step toward stronger international security and a better-trained workforce in nuclear energy. Cyber defense is evolving, but so is the offense. The risks of nuclear terrorism are real. That is why the international community needs stronger policies to prevent terrorist groups from using cyber weapons.