With recent intrusions into corporate computer systems of companies that own nuclear facilities, the threat of cyber attacks against U.S. nuclear power plants is more urgent. Though hackers do not appear to have made their way into plant operations, in at least one instance, they gained user names and passwords from plant engineering staff, and it could be just the beginning of more significant intrusions.
A June report jointly issued by the U.S. Department of Homeland Security and the FBI outlined these attacks. The Wolf Creek Nuclear Operating Corp., operators of the Wolf Creek nuclear power plant near Burlington, Kan., was identified as one of the companies whose corporate systems were penetrated. Among other tactics, hackers sent plant engineers emails with attached resumes, impersonating job applicants. When opened, the Microsoft Word documents enabled attackers to capture the recipients’ network credentials.
“Humans present a significant vulnerability if not trained well,” said David Zahn, general manager of the cybersecurity business unit of PAS, a company that develops security software for the kinds of industrial control systems used in power-generating plants.
However, critical infrastructure protection (CIP) regulations developed by the North American Electric Reliability Corp. (NERC) call for the segregation of corporate and plant operations computer networks from each other—and operations networks from the internet—which might have kept hackers out of Wolf Creek plant operations. However, the events could suggest the need for NERC to increase controls on “low assets,” such as generation operators’ corporate networks.
“[Because] low assets under NERC CIP are exempt from most compliance requirements, these actually have greater risk,” he said. “They lack security controls you’d see with medium or high assets.”
The growing age of the U.S. nuclear generating fleet is often seen as an advantage when it comes to their cybersecurity. The Wolf Creek station, for example, began commercial operation in 1985, when floppy disks were still the information-storage media of choice. With only minimal internet exposure, these plants offer very few points of entry for hackers to exploit.
“It is the old ‘security by obscurity’ argument,” Zahn said. “If legacy is an effective security control, then why were hackers targeting those systems? Which group better understands true cyber-asset risk—the security-by-obscuritists or the hackers? I would place money on the hackers having better insight on where they will have greater success.”
Even the purposeful segmentation—sometimes called an “air gap”—between corporate and operational networks that the NERC’s CIP rules call for isn’t enough to protect generation assets from intrusion. A nuclear plant of any age incorporates thousands of sensors, actuators and other digital devices from multiple manufacturers that are networked to their supervisory control and data acquisition systems. Some of these now might use wireless communications, which could mean they have an IP address and could be exposed in a hacking attack.
“Basic cybersecurity practices dictate a defense-in-depth strategy in which layers of protection reduce risk to acceptable levels,” Zahn said. “At the heart of this strategy is the ability for plants to answer basic questions, such as what assets do I have, where are my vulnerabilities, and has an unauthorized change occurred.”
Electric utility executives are concerned about the safety of their generation, transmission and distribution plants and networks. In its 2017 “State of the Electric Utility Survey,” Utility Dive found the combination of cyber and physical security to be the most pressing issue for executives. This is up from sixth place in 2015 and 2016.
As frightening as the concept of an outside operator gaining control of one or more nuclear power plants is, these facilities aren’t the only vulnerabilities in the United States electrical system. The results of any such attack could be devastating to human lives and the economy. In 2015, insurer Lloyd’s of London issued a report that concluded a widespread attack on the U.S. power grid could result in losses ranging from $243 billion, all the way up to $1 trillion, in the most damaging scenarios.
It’s not only the electricity infrastructure itself that poses such risks to electricity supplies. As natural gas has gained prominence, pipeline networks could also be in hackers’ crosshairs. In New England, for example, natural gas is the area’s favored heating fuel and supplies about 50 percent of the region’s electricity generation. Taking any of the constrained pipeline activity out of action in, say, mid-January, when demand is at its highest, could be devastating to residents and businesses.
“Critical infrastructure is in the cross-hairs of attackers, regardless of what fuel is being transported,” Zahn said. “Cyber is the new battlefront, and the sophistication—as well as the ability—of cyber weapons to impact environment, lives and our economy is ever-increasing.”