Stuxnet was a wake up call for the nuclear industry, according to Andrea Cavina, nuclear security professional at Coresecure.org.
“When I started work at the International Atomic Energy Agency (IAEA) in 2006 there was no specific focus on computer security,” he told the (ISC)2 Security Congress, Europe, the Middle-East and Africa 2015 in Munich.
Cavina was tasked with drafting the first good practice guide on cyber security, the only person working part-time at the IAEA on cyber security.
“But everything changed in 2011 when Stuxnet hit the headlines, and now there are five people working full-time on cyber security,” he said.
Stuxnet was the first known example of “weaponised” malware, in the sense that it was directed at a specific target, it was extremely complex and its payload was destructive.
Cavina said that, although there is no element of cyber security unique to the nuclear industry, attacks are typically highly targeted and there is no possibility of risk transfer.
The industry also shares some challenges of other highly regulated industries where there is little opportunity for maintenance and downtimes.
“Consequently the nuclear industry has to deal with a lot of legacy equipment and has few opportunities to update software,” said Cavina.
Potential cyber attacks include competitors seeking technological advantage, hacktivists aiming to shame or discredit nuclear operators, transnational crime organisations seeking to profit from blackmail and extortion, nation states seeking to disrupt operations at a time of war and non-state actors such as terror groups seeking to cause disruption and damage.
“But it is these last two categories of attacker that set the nuclear industry apart,” said Cavina.
Nuclear plants unprepared for attack
In October 2015, international affairs thinktank Chatham House published a report that said most nuclear power plants around the world are not well prepared for cyber attacks.
The report said many of the control systems used for nuclear plants, including those in the UK, are not well protected and are “insecure by design”. The report was based on an 18-month study of cyber defences in nuclear power plants around the world.
However, Cavina said that, because of the national impact of cyber attacks on nuclear plants and the recognition that nuclear operators are unlikely to be able to defend against the highest level of cyber attacks alone, there is close co-operation with state-level cyber security experts and access to state-level threat intelligence.
“At this level, state support is essential. There is no way for nuclear operators to manage threats like Stuxnet beyond normal risk analysis,” he said.
The approach, said Cavina, should be to prioritise safety and security to ensure that, if systems fail, they fail safely and securely.
Another strategy is to collaborate with regulators to ensure compliance is as sensible and effective as possible in raising security efficiency for nuclear operators.
“Like the nuclear industry, any regulated industry should also work to create a voluntary code of conduct that seeks to anticipate future regulations,” said Cavina.
As yet unpublished research shows that many countries are still in transition, he said. They are still in the process of writing cyber security regulations for their nuclear operators and there are no single authorities for co-ordinating cyber security in the industry.
Global resistance to cyber security
“Where regulations do exist, the research shows that inspections are still lagging; that buy-in from managers is still a challenge; and physical security is still much stronger than cyber security, because there is resistance to new ideas and ways of thinking about security,” said Cavina.
Many physical security procedures and protocols are still in the process of being translated into cyber terms, he said. The challenge is that, unlike traditional military weapons, new cyber attack tools are being produced at an extremely fast rate.
According to Cavina, security for Scada systems and programmable logic controllers (PLCs) is a key emerging playing field in cyber security.
“We are likely to see some interesting exploits in the coming years,” he said.