Most nuclear power plants around the world are not well prepared for cyber attacks, according to a report by international affairs think tank Chatham House.
Many of the control systems used for nuclear plants, including those in the UK, are not well protected and are “insecure by design”, said the report, which was based on an 18-month study of cyber defences in nuclear power plants around the world.
The UK is leading cyber security in the international critical national infrastructure community, David Willacy, manager of digital risk and security at energy operator National Grid, told a Cyber Security Summit in London in July 2015.
“But there is still a desperate need for real cultural change in the energy sector in the UK and elsewhere. Those in the energy sector need to realise they are no longer just engineering companies, but that they are IT engineering companies, because power networks are now completely reliant on IT to operate, and that security is only as good as the weakest link,” he said.
A key finding of the report was that the infrequency of cyber security incident disclosure at nuclear facilities makes it difficult to assess the true extent of the problem and may lead nuclear industry personnel to believe there are few incidents.
Another key problem identified by the Chatham House Project on Cyber and Nuclear Security is that many nuclear plants are under the illusion that it is impossible for hackers to get at core systems.
This belief is based on the fact that internal networks at nuclear plants are typically air-gapped or physically isolated from the internet.
However, the researchers pointed out in a blog post in March 2015 that the Stuxnet worm was able to cause physical damage to Iran’s nuclear centrifuges in 2010, despite the control system at Iran’s uranium enrichment plant being air-gapped, as the worm was introduced via infected USB devices.
“Air-gapping may indeed lead to complacency on cyber security if it is thought to offer complete invulnerability,” the blog post said.