U.S. nuclear power plants bolster defenses against cyberattacks
if a hacker gets into a nuclear power plant,” said Martin Libicki, a senior management scientist at RAND Corp. “If I get into a coal-fired power plant, the worst I’m going to do is cause a blackout. If I get into a nuclear power plant, I can cause a Chernobyl. I’m not sure that’s true but you can imagine how that might play in out in the media and politically,” he added.
Matishak notes that the safety and control systems that operate nuclear power plants are isolated from the Internet and are protected against outside invasion. Yet in some cases, those operating systems and other critical infrastructure are decades old and not completely separated from computer networks used to manage administrative systems. These gaps provide potential gateways for hackers to insert viruses, malicious codes and worms.
About 85 percent of the U.S. critical infrastructure is owned and operated by private companies, ranging from nuclear power plants to transportation and manufacturing systems. Atomic energy facilities are a tantalizing target for digital sabotage because a meltdown could result in a major radiological event.
In all, the nuclear industry has spent roughly $2.2 billion during the last decade on enhancements to prevent physical or cyber breaches, according to Walters. These funds paid for security upgrades to meet NRC requirements, including vehicle barriers, cameras, bullet resistant enclosures, and other new technologies, he said.
That figure also included expenditures for additional security officers, the number of which has increased by about 60 percent “across the fleet.”
Shortly after the 9/11 attacks, the NRC, the agency with oversight of the U.S. atomic energy plants, put out a series of orders requiring its 104 licensees to enhance their overall security efforts, including physical protection, personnel reliability and cyber defense, Walters said. A year later the commission for the first time ordered that cyberattacks be added to the list of threats sites must be able to defend against.
In March 2009 the commission unveiled a rule that required power plants to complete cyber security plans that would protect against a “design basis threat,” according to Rich Correia, head of the agency’s Security Policy Division. The plans would be amendments to the utility licenses to operate the reactors.
Design basis threat is “pretty much what the commission has determined what a private security force should be able to defend against,” Correia said. “Since power plants are run by private entities, we couldn’t expect them to defend
