In testimony this month before the congressional Subcommittee on Cybersecurity and Infrastructure Protection, Patricia Hoffman, Acting Assistant Secretary for the Department of Energy’s Office of Electricity Delivery and Energy Reliability, outlined some of the measures government agencies are taking to protect our energy infrastructure from “significant cyber incidents.” The programs she outlined — information sharing, research and development, physical preparedness, and multi-stakeholder coordination — are all vitally important. But there are additional novel approaches that can be taken to further bolster the cybersecurity of our power system, particularly at the 61 commercially operating nuclear power plants that account for almost 20 percent of the U.S. electricity supply.
America’s nuclear plants have already become targets of cyber-attack, as evidenced by the recent breach of the administrative computer system at the Wolf Creek nuclear plant in Kansas. According to reports, this intrusion was part of a much broader, sophisticated cyber-attack involving over a dozen U.S. electrical power facilities. Such an attack is alarming, as a failed safety system at a nuclear power facility could result in substantial releases of radioactive materials.
The good news is that U.S. federal agencies have taken the question of nuclear power cybersecurity seriously. By law, nuclear control systems are segregated, meaning attackers wishing to manipulate the systems that plants use to operate and produce power would need to infiltrate multiple levels of plant networks, including air-gapped interfaces that are disconnected from the Internet. A successful cyber-attack on a plant’s reactor protection system, which detects potential accident conditions and responds by shutting down the reactor and initiating reactor core cooling, would be yet more challenging, particularly as the vast majority of existing nuclear reactor protection systems still use analog or early digital technology that predates the Internet.
Still, despite these safeguards, nuclear power facilities may be vulnerable to attack on multiple fronts. For example, while penetrating an air-gapped system would be difficult, nuclear plants are not impervious to insider threats; a person working in a plant could put a virus directly into the network, as was demonstrated in the famous case of Stuxnet, when a foreign intelligence agent posing as an employee reportedly used a thumb drive to inject malware into Iran’s centrifuge industrial controls. The sophisticated virus even altered the plant’s digital displays to deceive plant operators into thinking all was normal, even as the virus was causing massive damage to nearly 1,000 centrifuges.
Additional risk lies in the potential for a remote hacker to cripple a plant through its external power source. Ten years ago, the U.S. Department of Homeland Security conducted tests at Idaho National Laboratory demonstrating that large electrical generators and motors could be destroyed remotely by hacking into the digital controls used to open and close electrical switches connected to this equipment. Within a few repetitions of such an attack, smoke emerges and the equipment is destroyed. Meanwhile, state actors already have the proven ability to shut off power grids through cyber-attack, as was demonstrated when suspected Russian hackers shut down power across much of Ukraine in 2015-2016, and many current plants cannot successfully shut down without external power.
Given such risks, it is essential that cybersecurity be top of mind in all decisions related to nuclear power plant design, particularly as the United States will need to replace or retrofit almost all our existing energy infrastructure by the year 2050. The newest designs signal a step in the right direction: four of the newest reactors being constructed in the United States use “passive safety,” where safe shutdown is achieved by disconnecting external electrical power and digital control.
Plant designers also have opportunities to research and design control system interfaces that are more usable and intuitive for human operators. There will always be a role for human operators — just as airplane pilots must supervise their “auto pilot” functions — but automating the quantitative analysis of plant status and streamlining communication in off-normal scenarios will empower operators to place information into context more rapidly and make decisions in a timely fashion. Research has shown that real-time simulators can help by allowing operators to refer to virtual models to detect erroneous information resulting from component failure or data manipulation by cyberattackers. Simulators can also be immensely effective for training operators and optimizing control room design.
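The simulator-based cross-check described above can be automated: a model of the process, driven by the same commands the controllers receive, predicts what the instruments should read, and a persistent gap between prediction and reported value is raised to the operator. The following is an added illustration written for this article, not code from the authors or from any plant vendor; it uses a deliberately simple, hypothetical first-order coolant-loop model with constructed parameters and constructed telemetry, in which reported temperature is frozen at its nominal value after pump flow is halved (the kind of "everything looks normal" display manipulation the Stuxnet paragraph describes).

```python
"""Model-based plausibility check of reported plant telemetry (illustrative)."""
from dataclasses import dataclass


@dataclass
class CoolantLoopModel:
    """Hypothetical first-order thermal model (constructed for this example).

    Temperature rises with heat input and falls with cooling, where cooling
    scales with pump flow fraction and the gap to ambient. Units are nominal.
    """
    temp_c: float
    ambient_c: float = 30.0
    heat_capacity: float = 100.0  # kJ/K, constructed value

    def step(self, heat_kw: float, flow_frac: float, dt_s: float = 1.0) -> float:
        # Cooling power is proportional to flow and to (T - ambient); with
        # heat_kw=150 and flow_frac=1.0 the loop is in equilibrium at 60 C.
        cooling_kw = 5.0 * flow_frac * (self.temp_c - self.ambient_c)
        self.temp_c += (heat_kw - cooling_kw) / self.heat_capacity * dt_s
        return self.temp_c


def check_telemetry(model, samples, threshold_c=2.0, persist=3):
    """Compare reported readings against the model's prediction.

    samples: list of (heat_kw, flow_frac, reported_temp_c), one per second.
    The model is advanced with the *commanded* inputs (assumed to arrive over
    a path independent of the instrument network), and a sample is flagged
    when the residual exceeds threshold_c for `persist` consecutive samples.
    Returns the indices of flagged samples.
    """
    alerts = []
    run = 0
    for i, (heat_kw, flow_frac, reported) in enumerate(samples):
        predicted = model.step(heat_kw, flow_frac)
        residual = abs(reported - predicted)
        run = run + 1 if residual > threshold_c else 0
        if run >= persist:
            alerts.append(i)
    return alerts


def build_scenario(n=30, flow_cut_at=10, spoof=False):
    """Constructed telemetry: constant heat input, pump flow halved at
    flow_cut_at. Honest telemetry reports the true temperature with small
    alternating noise; spoofed telemetry freezes the reading at nominal 60.0 C
    while the real loop heats up."""
    plant = CoolantLoopModel(temp_c=60.0)  # the "real" process
    samples = []
    for t in range(n):
        flow = 1.0 if t < flow_cut_at else 0.5
        true_temp = plant.step(150.0, flow)
        noise = 0.2 if t % 2 else -0.2
        reported = 60.0 if spoof else true_temp + noise
        samples.append((150.0, flow, reported))
    return samples


if __name__ == "__main__":
    honest = check_telemetry(CoolantLoopModel(temp_c=60.0), build_scenario())
    spoofed = check_telemetry(CoolantLoopModel(temp_c=60.0), build_scenario(spoof=True))
    print("honest telemetry alerts:", honest)   # expected: none
    print("spoofed telemetry alerts:", spoofed)  # expected: first alert at t=14
```

The `persist` parameter keeps a single noisy reading from tripping the check; the threshold and persistence would be tuned per instrument against the simulator's known error. The check depends on the simulator receiving the commanded inputs through a channel the attacker cannot also alter, which is why the approach complements, rather than replaces, the network segregation discussed earlier.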
Because details about security systems in nuclear plants are classified, it is possible that many of the safety measures noted here are already in place. Regardless of what steps have been taken, industry and government leaders must continue to work together to stay one step ahead of would-be attackers, particularly as they may be state-sponsored actors with unlimited budgets. The Securing Energy Infrastructure Act, introduced earlier this year by Sens. Jim Risch (R-Idaho) and Angus King (I-Maine), notes the need to “safeguard against cyber-attacks by replacing key devices like computer-connected operating systems, which can be vulnerable to cyber-attacks, with less-vulnerable analog and human-operated systems.” This bill called for a pilot program focused on identifying security vulnerabilities in the energy sector, as well as a working group comprising both government and industry stakeholders, both of which would support the kind of proactive research that will be needed.
Meanwhile, the nuclear power industry must continue to invest in not only new technology, but also training and human factors, to maximize plant safety and security. By combining technological protections with the intuition and experience of seasoned plant operators, the nuclear industry can provide a fruitful path to enhance the future security of U.S. nuclear plants for decades to come.
Michael Nacht is a professor of public policy and former Aaron Wildavsky Dean at the Goldman School of Public Policy, and previously served as assistant secretary of Defense. Charalampos Andreades is a postdoctoral scholar in the University of California, Berkeley Department of Engineering.