News: Report warns that a ‘proactive’ approach to cyber-security is needed.
Nuclear power plants could become targets of cyber-attacks due to their increasing digitisation and exposure to the public internet.
The report by think tank Chatham House, which studied cyber defences in power plants, warned that personnel in the industry might not realise the extent of vulnerability and urged a "proactive" rather than "reactive" approach.
While nuclear facilities are widely believed to be "air gapped", or separated from the public internet, a number of nuclear facilities have VPN connections installed, the report says.
In addition, where there is air gapping, a flash drive can easily be used to breach this protection.
The report also noted that even where the facilities themselves were secure, equipment used could be compromised elsewhere in the supply chain.
Among other recommendations, the report suggested that guidelines be developed to measure cyber risk in the industry and that regulatory standards be universally adopted.
In addition, Chatham House suggested ‘robust dialogue’ was needed to raise awareness of risk, and disclosure should be improved by encouraging anonymous information-sharing. An Industrial Computer Emergency Response Team should be established, it said.
It was also suggested that personal devices be firmly banned as part of rules to promote "good IT hygiene".
Bob Tarzey, Analyst and Director, said that malware would be a significant danger.
"One of the most concerning observations is that sophisticated malware, such as Stuxnet, which most believe was developed by the US and Israeli governments, may now be used against them by these actors."
However, he argued that infrastructure "should be relatively easy to secure compared to say a retail web site.
"Physical and network isolation is easier to achieve and access can be strictly limited. The reason such sites remain vulnerable is that the infrastructure was put in place a long time ago before cyber-attacks were being taken seriously and the sector has been tardy in addressing this."
The report interviewed 30 industry practitioners, policy-makers and academics and convened three expert roundtables over an 18-month period.