A report from the international affairs think tank Chatham House found that there is a growing risk of a "serious cyber attack" on nuclear power plants around the world. The think tank warned that the facilities were at risk due to the dated control infrastructure built into the computers, which it described as "insecure by design".
In 2010 Iran became the victim of such an attack when its nuclear enrichment facilities were hit by Stuxnet. The worm infected computers, causing the nuclear centrifuges to malfunction and destroy themselves. Stuxnet allegedly destroyed one fifth of all of Iran’s centrifuges and set back the country’s nuclear programme several years.
The worry is that a combination of a lack of updated infrastructure alongside a sharp rise in the number of attacks by cyber criminals, state-sponsored hackers and terrorists means that the risk of an attack is “ever present”.
There is a myth that computer systems in power plants are immune from conventional cyber attacks because they are isolated from the mainstream internet, an arrangement known as being ‘air gapped’. However, the air gap can be easily bypassed by something as simple as a flash drive, which is almost impossible to protect against if it is in the hands of a particularly motivated employee with sufficient security clearance.
Even the UK's nuclear plants and infrastructure are not well protected or prepared because the industry had converted to digital systems relatively recently. This increasing digitisation and growing reliance on commercial software is contributing to the risks faced by the nuclear power industry. Chatham House stressed the importance of security measures, saying: "even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry".
The findings from Chatham House are undoubtedly worrying, but they are not a cause for hysteria just yet. After all, the rigidity of the existing security network keeps potentially damaging breaches at bay for now. However, we must ask: can cyber terrorists actually kill people? This question has been addressed in an article by David Di Domenico, Managing Director of IQ Analytics, which can be found here.
As the threat of a major cyber breach increases, the Information Systems Security Association (ISSA) have predicted there are anywhere between 300,000 and 1,000,000 vacant cyber security positions worldwide. How long will it be before we are without the cyber talent to keep the hackers at bay?