New rules to guide nuclear power plants in reporting cyber aggression against their networks were released Friday by the Nuclear Regulatory Commission (NRC), one day after President Obama said the U.S. isn’t doing enough to protect critical infrastructure like power grids from cyber attacks.
“This rule establishes new cyber security event notification requirements that contribute to the NRC’s analysis of the reliability and effectiveness of licensees’ cyber security programs and plays an important role in the continuing effort to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat,” said a notice of pending publication in the Federal Register.
A majority of nuclear power plants around the world are not prepared to withstand cyberattacks, according to a study released by London-based international policy think tank Chatham House.
Most nuclear power plants are “insecure by design,” and because the reporting of cyber incidents is infrequent at best, facilities potentially encounter far more cyber aggression than personnel are aware of, according to the study.
Study authors also found links on the Internet to “isolated” plant networks, some of which ended up indexed by search engines, making them potentially identifiable weak points for hackers. Personnel in charge of those networks were frequently unaware of the links.
That all debunks the notion that nuclear power plants are safe from hackers because control systems lie on air-gapped networks, that is, networks of computers not connected to the Internet. The report also points out that the Stuxnet worm, reportedly developed in secret and deployed by the U.S. and Israel to sabotage Iran’s nuclear program, was able to inflict significant physical damage on Iranian nuclear centrifuges by infiltrating the plant’s air-gapped network via USB drives.
“As cyber criminals, states and terrorist groups increase their online activities, the fear of a serious cyber attack is ever present,” the study said. “This is of particular concern because of the risk – even if remote – of a release of ionizing radiation as a result of such an attack. Moreover, even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry.”
The report further found a breakdown in communication between plant engineers and information technology engineers charged with maintaining cyber security. As a result, plant engineers often fail to grasp cyber security best practices, with on-site training focusing on reactive rather than preventative measures.
On Thursday President Obama declared November “Critical Infrastructure Security and Resilience Month,” a follow-up to October’s “National Cybersecurity Awareness Month.”
“By some estimates, we are currently underinvesting in our infrastructure by hundreds of billions of dollars each year,” Obama said in a White House proclamation Thursday. “Not only is it a threat to our national security, but failing to maintain and strengthen our infrastructure also jeopardizes our economic growth and closes doors of opportunity for all our citizens.”
On Tuesday the Senate passed the Cybersecurity Information Sharing Act, which, along with granting companies legal immunity to share cyber threat data with the Department of Homeland Security (DHS), gives the department more authority to repel cyber attacks on federal agencies, sets new standards for cyber security best practices at federal agencies and speeds up the rollout of “Einstein” — the government’s automated cyber threat detection and repellent system.