Nuclear safety

If South Korea’s nuclear plant staff are vulnerable, then so are the reactors

By Alan Woodward

Published 24 December 2014

Does it matter that a South Korean nuclear plant was hacked and plans of the complex stolen? As it is South Korea that’s the subject of this latest attack, everyone tends to assume it must have had something to do with North Korea. With a target as sensitive as a nuclear power plant, people are not unreasonably asking if safety could be compromised by a cyberattack. Could hackers cause the next Chernobyl or Three Mile Island? This points to an important and infrequently discussed problem: the vulnerability of critical national infrastructure. Cyberattacks like these are a great way of levelling the playing field: why invest in a massively expensive nuclear weapons program if you can simply shut down your enemies’ power, gas, water, and transportation systems? More and more infrastructure is connected to the Internet, with all the security risks that entails.

Claude Shannon, whom many consider the father of modern information theory, wrote a paper in 1949 in which he pointed out that security should never be based upon your enemy’s ignorance of how your system is built. This is known today as the mantra: “There is no security through obscurity.” Does it matter, then, that a South Korean nuclear plant was hacked and plans of the complex stolen? That rather depends on what happens next.

As it is South Korea that’s the subject of this latest attack, everyone tends to assume it must have had something to do with North Korea. With a target as sensitive as a nuclear power plant, people are not unreasonably asking if safety could be compromised by a cyberattack. Could hackers cause the next Chernobyl or Three Mile Island? The South Korean authorities have sought to reassure the public, making it clear that no “core systems” — those computers that control the reactor and safety systems — were compromised.

If it was North Korea — and there is no evidence it was — then one might imagine it was actually the technical details and blueprints of a modern nuclear reactor that were the intended target. But sadly there is a secondary security implication: the plans reveal the role of the human operators in running the reactor, and when it comes to hacking into critical infrastructure it is people who are the weakest link.

Weakest link in the chain
For example, when Iran’s nuclear reprocessing plant at Natanz was hacked with the infamous Stuxnet virus, it should not have been possible as the computers affected were not connected to the outside world. There was a very distinct “air gap” maintained between the reactor computer controllers and any other network. But that air gap was relatively easy to bridge, by leaving USB sticks where curious people would find them, plug them in, and transfer the virus to the systems.