170 likes | 184 Views
A cyber attack on a nuclear facility could have devastating consequences. This article discusses the cyber threat to nuclear facilities, using the Stuxnet case as a case study. It highlights the lack of regulations requiring cybersecurity at nuclear facilities and the need for progress in this area. The article concludes with suggestions on how to move forward and improve response capabilities.
E N D
HITTING THE ‘SNOOZE’ BUTTON ON NUCLEAR SECURITY:The Cyber Threat to Nuclear Facilities Alexandra Van Dine Program Associate, Scientific and Technical Affairs Nuclear Threat Initiative vandine@nti.org (202)454-7758
A cyber attack on a nuclear facility could have devastating consequences
Cyber attacks on critical infrastructure are not unprecedented…
Stuxnet: A Case Study • Precision cyber weapon targeted on Natanz, an Iranian uranium enrichment facility • Air-gapped, secret until 2002 • Impacted Siemens programmable logic controllers specifically • Physically affected and damaged spinning centrifuges
But I don’t have an illegal nuclear weapons program— why should I care?
It’s not just Iran… Takeaway: 20 of 47 countries with weapons-usable nuclear materials or significant nuclear facilities have zero regulations requiring cybersecurity at nuclear facilities
TARGET INTENT WEAPON Bottom Line: in the future, a less secure, higher-consequence facility could be attacked by an adversary intending to cause harm with a far less discriminate weapon.
Cyber threat exacerbated by several factors TECHNICAL VULNERABILITIES INSUFFICIENT RESPONSE CAPABILITY LACK OF HUMAN CAPACITY CURRENT STATE OF AFFAIRS
What is preventing progress? Complexity of Digital/Physical Systems Compliance Mindset Uneven Distribution of Limited Human Capacity Bureaucratic Inertia Cost Bridging Technical/Policy Language Gap
How can we move forward? Improve response capabilities at home and abroad Build global human capacity in this area Rethink existing principles and best practices Consider disruptive technological solutions
Has Stuxnet motivated any reforms in facility security? • Some recent movement on regulations • Not necessarily a product of Stuxnet • Implementation not yet adequate • Relevant areas not always covered (e.g. nuclear materials accounting) • Facility security measures have not kept pace with the threat • Laptops, flash drives • Digital systems • Inadeqate security measures (e.g., firewalls, airgaps, antivirus) • Outdated safety analyses
A variety of nuclear systems are vulnerable to cyber attacks with physical consequences • Physical Protection • Theft • Sabotage • Power Generation • Sabotage • Radiation release • Fuel Processing • Theft • Sabotage • Materials Accountancy • Theft • Diversion
NTI Engagement • National laboratories • Regulators (U.S. & Int’l) • Operators • IAEA • Academia • Silicon Valley