Cyberattack on Nuclear Facilities Could Cause Radiation Leak: Report

Nuclear power plants are at increasing risk of cyberattacks which could ultimately lead to radiation leaks, according to a new report.

The report, by U.K.-based international affairs thinktank Chatham House, also points out that the so-called "air gap" between public internet and internal systems at nuclear facilities can be breached with "nothing more than a [USB] flash drive." This was exemplified by the Stuxnet worm in 2010, which caused centrifuges to fail at Iran's main nuclear facility and was blamed by Tehran on the U.S. and Israel.

In a worst-case scenario, says the report, cyberattacks could lead to a release of ionizing radiation with potentially disastrous impacts on local populations. Caroline Baylon, cybersecurity research associate at Chatham House and the report's lead author, says such a breach could lead to similar consequences as those seen after the Fukushima disaster four years ago in Japan.

In March 2011, an earthquake and tsunami hit the Fukushima plant on Japan's east coast, causing three nuclear meltdowns and forcing the evacuation of more than 160,000 residents from nearby towns in the worst nuclear disaster since Chernobyl in 1986.

"The threat [of such a large-scale] attack isn't immediate," says Baylon, "but if we let the situation continue, what's it going to be like in three or four years? This is the time when we need to be investing in the issue."

The report, which looked at nuclear facilities around the world over an 18-month period, highlighted a number of areas where improvements are required to protect the industry from the "ever-present" threat posed by state-sponsored and independent hackers. A comprehensive set of guidelines measuring cybersecurity risk should be developed and nuclear facilities must be encouraged to admit attacks anonymously, say the report's authors, who believe disclosure of such attacks is limited due to concern about reputation damage.

Baylon says that something as simple as employees installing a personal device onto a nuclear facility's internal network could open it up to attacks. "Let's say the people in the plant want to install a router so they can check their emails. That might all of a sudden open up a vulnerability," she says. Baylon also points to the use of virtual private networks (VPNs)—which open up connectivity to a facility's internal network to outsiders, such as contractors monitoring the performance of their equipment in the facility—as opening a loophole which hackers could exploit.

The BBC reported research carried out for the study showed that U.K. nuclear plants are not well-protected from the threat of cyberattack, since the industry has only recently converted to digital systems. A spokesperson for the Office for Nuclear Regulation (ONR), the U.K. government agency responsible for nuclear safety and security at British facilities, told Newsweek that the ONR accepted "the thrust of the recommendations" in the report. "Cyber risks are always developing and no one can afford to be complacent. In addition to our robust inspection regime, ONR is constantly reinforcing the importance of cybersecurity to senior figures across the U.K. nuclear industry," the spokesperson says.

Keith Parker, chief executive of the Nuclear Industry Association, which represents hundreds of companies in the U.K.'s civil nuclear sector, said in a statement: "All of Britain's power stations are designed with safety in mind and are stress-tested to withstand a vast range of potential incidents." Parker added that the U.K.'s current fleet of nuclear power stations has no embedded software, which he said means "it would be impossible to defeat reactor protection systems."

Experts have previously called for the U.K. government to protect its cybersecurity budget in the next defence spending review, expected in late 2015, in order to increase protection of critical infrastructure from cyberattacks. In 2011, the U.K.'s previous coalition government committed £650 million ($987 million) in new investment in its national cybersecurity programme across the course of four years, which was boosted by a further £210 million ($319 million) in 2013 to cover investment up to 2016.