"The supply chain attacks that we're seeing right now," O'Murchu told me, "are a very easy avenue compared to some of the older avenues that have become more difficult." In the 1990s, the NRC's testing program revealed serious security weaknesses at nearly half of the nuclear plants tested. in Electrical and Computer Engineering (2011) and M.S. However, as a result of industry pressure, the standards were watered down, so that poor FOF test results could be discounted if a plant was doing well in other security areas. This relatively low-tech approach appears more feasible than other threats and could induce widespread panic by appearing to expose a population to radiation. "It is as simple as: Do people understand their exposure to risk?" said Parkhouse, who in his military career was deployed on a nuclear security site. The threat of a cyberattack against nuclear power plants has been growing, according to a report. Late last week, the Washington Post had an article asking the question whether nuclear power plants are at risk of cyber attack. The 2011 accident at Fukushima was a wake-up call reminding the world of the vulnerability of nuclear power plants to natural disasters such as earthquakes and floods. A discussion of machine-learning-based fault detection and diagnosis (FDD) methods and cyber-attack detection methods for industrial control systems is introduced in this book as well. In the Chernobyl reactor it was graphite. ST. PAUL, Minn. (AP): Minnesota regulators said Thursday they're monitoring the cleanup of a leak of 400,000 gallons of radioactive water from Xcel Energy's Monticello nuclear power plant, and the company said there's no danger to the public. The memorandum is classified, but a publicly accessible fact-sheet sets out the American strategy to combat WMD terrorism, including by preventing terrorists from accessing WMD material, detecting and deterring threats, and enhancing domestic and international capabilities to counter WMD terrorism.
In 2014, Korea Hydro and Nuclear Power in South Korea suffered a cybersecurity incident that was blamed on their neighbors to the north. A growing number of devices used to control nuclear power plants, air-traffic control systems and other infrastructure can be accessed remotely, said If we have underestimated the threat, we may overestimate our readiness to meet it. It is enriched with uranium-235 but not nearly enough to make it weapons-grade. But wrapping the conventional explosives with spent fuel would be, as noted, a cumbersome operation and would promptly subject the perpetrators to fatal exposure. "The supply chain is a huge blind spot right now," Rios told me. If exposure is not too intense or prolonged, cells can usually repair themselves. Stuxnet is a purpose-built, technologically sophisticated, precisely engineered, and complex piece of cyber weaponry and consists of dropper and payload parts: (1) the propagation of a virus based on inherent vulnerabilities of the Windows platform, and (2) the attack on supervisory control and data acquisition (SCADA) Minnesota regulators knew four months ago that radioactive waste had leaked from a nuclear power plant in Monticello but they didn't announce anything about the leak until this week. A list of cyber threats was developed via operating experience report analysis. While there is no evidence that the vendors have clients in the nuclear industry, experts say that attack vector, one that exploits publicly available software updates, is a logical one in any industry. How do we protect ourselves?
Despite the devastating effects a cyber-attack could have on NPPs, it is unclear how control room operations. These days citizens have become acutely aware of the waste pools and have questioned their presence in populated areas, yet environmental activists have long sought to keep nuclear waste at power plants, insisting that its removal poses grave dangers. The three-year project, funded with a $500,000 grant from the Nuclear Regulatory Commission, will develop tools and frameworks for assessing the cybersecurity of nuclear plant control systems, enabling nuclear specialists to predict, via computer simulation, the impact of a potential cyberattack on a nuclear plant. Could terrorists turn any of our reactors into a Chernobyl? The Energy Department's nine national laboratories have begun an extensive review of counterterrorism, including the vulnerability of U.S. nuclear sites and materials. The authors are collaborating with NPP operators to discern the impact of cyber-attacks on A set of US Nuclear Regulatory Commission regulations, initiated in 2009 but that, in general, wasn't due for full implementation until the end of 2017, requires American nuclear plant operators to demonstrate stricter oversight of the cybersecurity of their supply chains. In recent years, cyberattacks involving malicious software such as the Stuxnet worm, thought to have crippled Iranian nuclear facilities in 2009, have demonstrated the ability to target industrial control systems, even where facilities are protected by multiple layers of security and are on an isolated network. Coal pollutants are estimated to cause about 15,000 premature deaths annually in the United States. Radioactive materials contain unstable atoms, radionuclides, that emit excess energy as radiation, invisible but detectable by instrument.
Updated: Mar 17, 2023 / 06:42 PM PDT. Any release of radioactivity would remain on site. It's understood that some computers at the Chernobyl Nuclear Power Plant have downloaded the ransomware program, causing an evacuation. Still, Nozomi Networks CEO Edgard Capdevielle said that kind of air-gapping can no longer be counted on to offer any real protection. Human performance continues to be the single most widely relied on barrier: A streamlined method of CTA, Applied Cognitive Task Analysis (ACTA), is presented, which consists of three interview methods that help the practitioner to extract information about the cognitive demands and skills required for a task. Given information now available, one can state that if the small target a pool presents were actually hit and coolant water were drained, spent fuel bundles would melt, react with the concrete and soil below the pools, and solidify into a mass, in effect causing containment. After September 11, communities and politicians expressed indignation that this inexpensive drug had not been stockpiled. What UNSCEAR also found was that the accident had a large negative psychological impact on thousands of people. Fear, born of ignorance of real risk coupled with anxiety about imagined harm, produced epidemics of psychosomatic illnesses and elective abortions. These days, companies in charge of some of the United States' most critical infrastructure hire WhiteScope, Rios's cybersecurity firm, to breach systems and then explain how they did it, all to prepare for the real thing. IECON 2011 - 37th Annual Conference of the IEEE Industrial Electronics Society.
The extent to which the nuclear industry can work with outside researchers who identify vulnerabilities that plant officials miss will be key to supply-chain cybersecurity. Mr. Akulov, Mr. Gavrilov and Mr. Tyukov are accused of hacking Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, in Honors Electrical Engineering from McGill University in 2006, M. A. Sc. This grant is the first externally funded collaboration at Oregon State spanning the two engineering disciplines in the emerging field of nuclear cybersecurity. More severe risks almost always lurk in everyday life: cardiovascular disease (about 2,286,000 U.S. deaths annually), smoking-related illnesses (over 400,000), and motor vehicle accidents (about 42,500). Loss of coolant water caused half the core to melt, but its debris was held by the containment vessel. "Risk management is an ongoing process," he said. Rakibul Talukder: Mr. Rakibul Talukder is a graduate student in the Computer Science Department at Colorado State University. During his Ph.D., he was awarded the best student paper award at the 2021 Conference on Decision and Game Theory for Security (GameSec 2021) and the 2022 Dante Youla award for research excellence by the NYU ECE department. This research sheds light on how cyber events impact plant operations. As many nuclear power plants were built decades ago, the industry has long employed analog equipment, gear that has no digital component and is therefore immune to hacking as we know it today. The adequacy of a security system depends on what we think we are protecting against. Iran's nuclear enrichment systems were hit by the Stuxnet virus that targeted centrifuges. As a result, meticulous regulators, seasoned nuclear plant employees, and cunning penetration, or "pen," testers like Rios are all playing their part in the ceaseless effort to make the supply chain more cyber-secure. "It was definitely still in draft form."
Starting a chain reaction is not simple. Cyberterrorism is a legitimate threat, and as the cyber battleground grows exponentially, it is only a matter of time before malware is coded with the capability of creating another Chernobyl. His research interests include fault diagnosis and risk assessment for cyber physical systems. The power grid makes modern life possible, but it's also holding us back. Rios isn't the only security researcher to point out vulnerabilities in commercial devices used at nuclear facilities. The idea of a cyber concept of operations, in which operators treat cyber intrusions much the way they would other hardware faults at the plant, is introduced. Natural background radiation: 240 millirem worldwide (300 millirem in the United States). Terrorists with sufficient expertise and resources could in theory build a nuclear bomb but only with enormous difficulty. In the United States the medium is water, which also acts as a coolant. Besides supporting cyber-attack response, the analysis based on the game model also supports the behavioral study of the defender and the attacker during a cyber-attack, and the results can then be used to analyze the risk to the system caused by a cyber-attack. Sixteen plants have already converted to dry casks, and more will follow. Yeongjin Jang, assistant professor of computer science, focuses on computer systems security, especially for identifying and analyzing emerging attacks. The highly sophisticated aspects of Stuxnet are investigated, the impact that it may have on existing security considerations and some thoughts on the next generation SCADA/DCS systems from a security perspective are posed. A reluctance to go looking for vulnerabilities, however, would be a problem. The salt, plastic at that depth, and impermeable to radionuclides, eventually encloses the drums, providing another natural barrier.
Across the world, fossil fuel companies face a wave of new lawsuits for their role in the climate crisis. It also provides an introduction to the use of game theory for the development of cyber-attack response models and a discussion on the experimental testbeds used for ICS cyber security research. One nuclear power company that was breached was Kansas' Wolf Creek Nuclear Operating Corporation, which claims the breach had absolutely no operational impact. Spokesperson Jenny Hageman told the Post that's attributable to the fact that the plant's control systems are completely separate from its business networks and from the Internet. For political reasons, WIPP is permitted by Congress and the state of New Mexico to accept only certain military waste. The threat of a successful attack isn't just losing information. "Do they have the agility to respond to the unexpected and have they got the culture to make it better or worse?" The nuclear industry, he added, "recognizes all those things as its inherent responsibilities anyway when it comes to safety." 9th American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation & Control and Human-Machine Interface Technologies. Nuclear power: 0.02 millirem (0.05 in the United States). As a precaution, no-fly zones have been imposed over all nuclear power plants. His research interests are in areas of data and application security, network security, security modeling, risk management, trust models, privacy and digital forensics. U.S. nuclear plants are still not as secure as they can and should be.
Deloitte's report, "Managing cyber-risk in the electric power sector: Emerging threats to supply chain and industrial control systems," discusses cyberattacks that demonstrate a threat to the power sector through supply chains. Linan Huang: Dr. Linan Huang received his B.Eng. A description of a testbed for nuclear power applications, followed by a discussion on the design of experiments that can be carried out on the testbed and the associated results is covered as well. He bought the device online, took it apart, and found that a password was hardcoded into the equipment. Commercial radioactive waste is generated chiefly by nuclear power plants, medical labs and hospitals, uranium mine tailings, coal-fired power plants (fissionable materials are concentrated in fly ash), and oil drilling (drill-stems accumulate radioactive minerals and bring them to the surface). A cybersecurity incident at a Nuclear Reactors, Materials, and Waste Sector asset may have no effect on the infrastructure itself, yet still affect the Sector by the addition of new protective requirements. Still more protective barriers are being erected. But it'll help. No. Any cyberattack on the Nuclear Power Plant Control System is not possible. UNSCEAR's reports are almost universally considered objective and reliable. Xiaoxu Diao, Michael C. Pietrykowski, Indrajit Ray, Figure 3 shows the Design Basis Threat (DBT) for cyber security (adapted from the IAEA Cyber DBT working group). The research will link cybersecurity threat models with RELAP5-3D, a nuclear power plant simulator developed at Idaho National Laboratory for reactor safety analysis.
Scientists at the national labs are calculating whether containment structures could withstand a jumbo jet, specifically the impact of its engines, which are heavier than the fuselage, and any subsequent fire. Despite rigorous equipment tests performed by nuclear facilities, the elusive nature of software bugs means some inevitably do slip through the cracks. SpringerBriefs in Computer Science, DOI: https://doi.org/10.1007/978-3-031-12711-3. It is a more dynamic program than past procurement practices as regulators, operators, and suppliers have to continuously assess the cyber-threat environment, according to George Lipscomb, a former NRC inspector. The probabilistic risk assessment framework used by the nuclear industry provides a valid framework to understand the impacts of cyber-attacks in the physical world. Investigating cyber threats in a nuclear power plant. Meaning, if you flagged no vulnerabilities, you could be eligible for a bonus. The use of authentic certificates then fooled the defenses of Windows operating systems, allowing the malicious code to load. In August 2014, at the annual Black Hat Conference in Las Vegas, Rios presented his findings to the public. The NRC has sometimes used unrealistically modest assumptions about potential attackers. That other accident-related cancers may eventually appear around Chernobyl is possible but unlikely, given results of long-term surveys of the approximately 85,000 survivors of the bombs exploded over Hiroshima and Nagasaki in 1945. Customers visiting a vendor's website risked downloading malware that had been bundled with a legitimate software update. Cosmic rays, sunlight, rocks, soil, radon, water, and even the human body are radioactive; blood and bones contain radionuclides.
For example, UCS's post-Fukushima safety and security recommendations, released in 2011, noted that the NRC had finally revised its rules to address the threat of aircraft attacks for new reactor designs, but at the same time had rejected proposed design changes to protect against water- and land-based attacks. Updated Feb 25, 2016. American reactors have a completely different design. In the process, Chambers told me, they learned new things about the suppliers' security environment. Should that person's device have been compromised, this action could unleash malware directly into the heart of each component being checked, which then crawls and burrows deeper into the infrastructure. Without further delay, nuclear waste must be transferred to permanent repositories. The energy choices we make today could make or break our ability to fight climate change. In 2013 and 2014, for example, members of Dragonfly, an advanced Russian hacking group, infiltrated the websites of industrial control systems (ICS) software vendors. In this report, they focus on the management of the incident by the NPCIL. Even the worst case, a reactor vessel breach, would involve no nuclear explosion, only a limited dispersal of radioactive materials. His research interests include distributed digital instrumentation and control systems. Nuclear Power Plant Security and Vulnerabilities (Congressional Research Service). Overview of Reactor Security: Physical security at nuclear power plants involves the threat of radiological sabotage, a deliberate act against a plant that could directly or indirectly endanger public health and safety through exposure to radiation.
To ensure the CS protection of these infrastructures, a holistic defense-in-depth approach is suggested in order to avoid excessive granularity and lack of compatibility between different layers of protection.