Nuclear Cyber Hacking

Bethany Chaffin
February 24, 2016

Submitted as coursework for PH241, Stanford University, Winter 2016

Introduction

Fig. 1: Nuclear power plant. (Source: Wikimedia Commons)

The threat of cyber attacks on civil nuclear facilities around the world is on the rise. The trend towards digitalization of nuclear facilities (like the one shown in Fig. 1), combined with a lack of awareness among nuclear power plant personnel of the risks involved, means that these personnel are often unprepared to defend against a potential cyber attack. [1] Although the nuclear power industry is the most highly regulated industry sector in the U.S. (from a cybersecurity standpoint), many experts believe that existing regulations are insufficient to effectively protect against attacks.

Recent High-Profile Cyber Attacks

In 2009, a malicious computer program was manually uploaded into a nuclear power plant in Iran, taking control and causing the self-destruction of over 1000 machines involved in nuclear materials production. The computer worm, known as "Stuxnet," infected 14 industrial sites in Iran, one of which was a uranium enrichment plant. Stuxnet could pass itself along to any computer running Windows by way of a simple USB drive, unbeknownst to the computer's human operators. This worm has the potential to destroy systems other than nuclear power plants, including railways, water supplies, and power grids. Although no one has officially claimed responsibility for the creation of Stuxnet, leaks to the press strongly suggest that it was the result of collaboration between Israel and the U.S. [2]

Later, in 2012, a variant of Stuxnet was discovered that could exchange data between any devices using Bluetooth. This file, known as Flame, was meant merely to spy on people, while Stuxnet was meant to destroy large-scale systems. Flame spread across computers by disguising itself as an update of the Windows system on that computer, a behavior requiring a supercomputer and dozens of scientists, and was thus nearly impossible to detect when deployed. [2]

Current U.S. Cybersecurity Regulations

Many companies have yet to invest in updating industrial controls to protect against cyber attacks, and in 2013 Congress cited high costs for companies as a reason for blocking a bill that would require better security practices. However, there have been efforts in recent years to raise the standards of cybersecurity practice among U.S. companies as well as elsewhere around the world. U.S. nuclear power plants have also taken the following measures to protect against cybersecurity threats: using "air gaps" to isolate control systems from the internet, implementing strict controls regarding the use of portable media (e.g., USB drives), heightening defenses against insider threats, and maintaining the effectiveness of cybersecurity controls. [3]

In addition, the Cybersecurity Act of 2015 permits network operators to take three kinds of steps to enhance cybersecurity: monitoring the network, operating defensive measures, and sharing information with others. [4]

Recommendations for Cybersecurity Reform

Despite the progress in recent years towards enhanced cybersecurity measures on the part of the U.S. government and private companies, more steps can be taken to prevent potential cyber attacks on nuclear power plants. Several recommendations include: developing guidelines to measure cybersecurity risk, raising awareness of cybersecurity risks among engineers and contractors, eliminating the setup of unauthorized internet connections in nuclear facilities, and encouraging universal adoption of regulatory standards. [4]

© Bethany Chaffin. The author grants permission to copy, distribute and display this work in unaltered form, with attribution to the author, for noncommercial purposes only. All other rights, including commercial rights, are reserved to the author.

References

[1] N. Falliere, L. Murchu, and E. Chien, "W32 Stuxnet Dossier," Symantec Corp., February 2011.

[2] D. Kushner, "The Real Story of Stuxnet," IEEE Spectrum 53, No. 3, 48 (2003).

[3] S. Karnouskos, "Stuxnet Worm Impact on Industrial Cyber-Physical System Security," Proc. 37th Conference on IEEE Industrial Electronics Society, IEEE 6120048, 7 Nov 11.

[4] N. Lee, Counterterrorism and Cybersecurity, 2nd Ed. (Springer, 2015), pp. 249-286.