Can a Cyber Attack Turn into a Nuclear Attack?
12.05.19 | Thursday | Nofit Amir
A cyber-attack on a nuclear power plant in India, confirmed a month ago, seems to have opened the discussion on the potential of a cyber attack to cause mayhem in nuclear facilities (whether they be civilian or military).
The malware infiltrated the nuclear power plant’s administrative system and apparently did not affect the control apparatus. While the control apparatus is “air-gapped” – a point emphasized by the plant’s statement admitting the attack – the “air gap” strategy is far from impenetrable. Air gapping means that the control system is not connected to the business network of the nuclear plant or the Internet.
However, air gaps have several failings:
- The human factor: insiders can intentionally insert malware into computers through infected USB flash drives (this was probably the case in the famed Stuxnet cyber attack, which caused substantial damage to Iran’s nuclear program),
- New technologies may be able to “jump” the air gap,
- Computers run on software and software updates which can themselves be infected prior to uploading.
An attack on a nuclear plant’s administrative networks is not as harmful as a direct attack on the control apparatus. Yet it does pose an indirect risk. For instance, data gained on nuclear workers may expose them to manipulation. After all, it’s the inside job that is the nuclear industry’s darkest nightmare.
While the Nuclear Regulatory Commission (NRC) audits U.S. nuclear power plants to heighten preparedness towards cyber attacks, its latest report, published in June 2019, cites two ways in which this preparedness ought to be improved:
- Security experts at nuclear plants should have a higher focus on cyber security and be trained accordingly (currently they have plenty on their plate in addition to cyber security),
- Performance measures to analyze cyber security preparedness need to be developed.
With nuclear plants making their appearance in countries that have had no previous experience handling them – such as Jordan, Saudi Arabia and Turkey – concerns regarding cyber security increase. India has had 50 years of experience in managing nuclear power plants and has nonetheless fallen prey to a limited cyber attack – what might happen in countries that are just starting out?
A regional nuclear catastrophe could easily have global implications: A cyber attack with a bloody price tag would probably result in a weighty counter-response. Computer modeling of nuclear threats shows that a nuclear altercation between India and Pakistan, for instance, would have widespread global impact.
Radiation Protection Raises the Response Level in the Case of an Emergency
So what is the takeaway? Cyber attacks are a given of modern-day life, happening regularly and with growing ingenuity in a wide array of industries. If nuclear facilities create quickly evolving defense systems (that go far beyond air gapping), they’ll be much less vulnerable to cyber nuclear attacks, though a risk will always remain. Prevention is best but might not always be possible due to countless forms of human ingenuity. Thus raising preparedness through response plans that enable nuclear workers to counter a cyber attack as it occurs is essential. Response plans should also include radiation protection for nuclear workers responding to a potential nuclear emergency. Deployment of the StemRad 360 Gamma radiation shield will significantly increase that level of protection by safeguarding their most vulnerable organs and tissue, thus significantly decreasing their vulnerability to Acute Radiation Sickness (ARS) and ensuing death.
Most importantly, it is crucial that a “what was is what will be” approach is never allowed to take hold in a nuclear facility. That approach is a danger in itself as it motivates potential cyber warriors to search for ways to breach defense systems.
Writes content for StemRad’s website, social media, and newsletter. She is an advocate with over twenty years of experience of writing high-end content in academic and industrial settings.