In April, a German company announced that it had suffered a cyber attack. This is not shocking. As retired Marine Gen. James Cartwright has said, there are two realities for companies today: “You’ve either been hacked and [are] not admitting it, or you’re being hacked and don’t know it.”
But this attack was on a nuclear power plant. And the malware found inside the plant allowed hackers to access sensitive plant information from afar.
This is not the first cyber attack against a nuclear facility. In December 2014, South Korea’s nuclear operator was hacked, and the infamous Stuxnet virus attacked Iran’s Natanz facility between 2009 and 2011.
Stuxnet illustrated the art of the possible in the cyber-nuclear space. This malware defeated security systems, jumped airgaps (which disconnect networks from the internet) and, most importantly, caused physical consequences. Stuxnet’s aim was limited—break centrifuges. But what if hackers had more catastrophic ambitions?
Well-resourced hackers can achieve physical consequences at nuclear facilities with cyber attacks, possibly resulting in theft of nuclear material or sabotage. For example, surveillance systems or keycard readers could be disrupted, allowing thieves to enter a facility, steal nuclear material, and depart uninterrupted. A sophisticated cyber attack could even cut power to cooling systems, resulting in a Fukushima-like meltdown.
Several factors exacerbate this threat. Increased reliance on digital controls and technological vulnerabilities across the nuclear enterprise increase opportunities for attackers. What little human capacity exists in this area tends to be concentrated in the United States, Europe, and Russia, leaving most facilities around the world without the expertise they need to prevent or respond to attacks.
Additionally, countries are unprepared at the regulatory level. The NTI Nuclear Security Index found that 20 out of 47 countries with weapons-usable nuclear materials or nuclear facilities score zero on cybersecurity. This means that these countries do not even require that nuclear facilities be protected from cyber attack.
This is a global problem—a serious cyber attack at a nuclear facility anywhere would have consequences worldwide. Recent steps, including a joint cybersecurity commitment at the 2016 Nuclear Security Summit and International Atomic Energy Agency efforts are a good start, but more must be done. Leaders and experts must rethink the current approach to cybersecurity at nuclear facilities, invest in relevant training, and improve (or in some cases, develop) national and international response capabilities.
This threat will not wait—neither should the international community.