Global nuclear facilities 'at risk' of cyber attack Published duration 5 October 2015

image copyright AP image caption Iran's nuclear enrichment systems were hit by the Stuxnet virus that targeted centrifuges

The risk of a "serious cyber attack" on nuclear power plants around the world is growing, warns a report.

The civil nuclear infrastructure in most nations is not well prepared to defend against such attacks, it added.

Many of the control systems for the infrastructure were "insecure by design" because of their age, it said.

Published by the influential Chatham House think tank, the report studied cyber defences in power plants around the world over an 18-month period.

Core breach

Cyber criminals, state-sponsored hackers and terrorists were all increasing their online activity, it said, meaning that the risk of a significant net-based attack was "ever present".

Such an attack on a nuclear plant, even if small-scale or unlikely, needed to be taken seriously because of the harm that would follow if radiation were released.

In addition, it said "even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry".

Unfortunately, research carried out for the study showed that the UK's nuclear plants and associated infrastructure were not well protected or prepared because the industry had converted to digital systems relatively recently.

This increasing digitisation and growing reliance on commercial software is only increasing the risks the nuclear industry faces.

There was a "pervading myth" that computer systems in power plants were isolated from the internet at large and because of this were immune to the kind of cyber attacks that have dogged other industries.

However, it said, this so-called "air gap" between the public internet and nuclear systems was easy to breach with "nothing more than a flash drive". It noted that the destructive Stuxnet computer virus infected Iran's nuclear facilities via this route.

The story of Stuxnet

image copyright Getty Images

In 2009, a malicious computer program called 'Stuxnet' was manually uploaded into a nuclear plant in Iran.

The worm took control of 1,000 machines involved with producing nuclear materials, and instructed them to self-destruct.

The researchers for the report had also found evidence of virtual networks and other links to the public internet on nuclear infrastructure networks. Some of these were forgotten or simply unknown to those in charge of these organisations.

Already search engines that sought out critical infrastructure had indexed these links making it easy for attackers to find ways in to networks and control systems.

Keith Parker, chief executive of the Nuclear Industry Association, said: "Security, including cyber security, is an absolute priority for power station operators."

"All of Britain's power stations are designed with safety in mind and are stress-tested to withstand a vast range of potential incidents," he added. "Power station operators work closely with national agencies such as the Centre for the Protection of National Infrastructure and other intelligence agencies to always be aware of emerging threats."

In addition, said Mr Parker, the industry's regulator continuously monitors plant safety to help protect it from any outside threats.

In June this year the International Atomic Energy Agency held its first international conference about the cyber threats facing plants and manufacturing facilities. At the conference Yukiya Amano, director of the IAEA, said both random and targeted attacks were being directed at nuclear plants.

"Staff responsible for nuclear security should know how to repel cyber-attacks and to limit the damage if systems are actually penetrated," he said in a keynote address to the conference

The civil nuclear industry should do a better job of measuring cyber attack risks and improve the way it defends against them, according to Chatham House. Many plants examined by the report's researchers lacked preparedness for large-scale attacks that took place outside office hours.