Courtesy: Washington Times

Nuclear facilities across the globe are increasingly vulnerable to cyberattacks because of industry-wide cultural and technical challenges that have the potential of proving to be catastrophic, experts told the authors of a new report.

A myriad of internal and external factors have made the world’s nuclear plants susceptible to sabotage and unintended failures, Chatham House, the London-based think tank, said.

“A range of potential risks at the points of intersection between cyber security and nuclear security” remain rampant, despite decades of warnings and routine upgrades, the authors wrote.

“No technology is immune to accident, misjudgment or deliberate sabotage. The 2011 nuclear disaster at Fukushima Daiichi as a result of the overwhelming Tōhoku earthquake and tsunami is a recent reminder of what can happen when basic prevention protocols and upgrades are not followed through and — perhaps more significantly — when the improbable is recast as impossible and the duty to plan for the overwhelmingly catastrophic is neglected,” Patricia Lewis, a research director for international security at Chatham House, wrote in the report’s foreword.

Thirty nuclear industry stakeholders were interviewed by the British think-tank during the course of its 18-month investigation, and their remarks yielded a report which largely found nuclear systems to be more favorable than ever to bad actors, be they nation-state computer scientists, tech-savvy extremist groups or anti-nuke hacktivists.

The report’s findings said factors that range from failing to adopt best practices to becoming increasingly reliant on vulnerable software and systems have opened up nuclear plants to unwanted incidents, even in light of purported precautionary measures and regulations implemented in the wake of the Fukushima disaster four years ago in Japan.

“The study found that the nuclear industry is beginning — but struggling — to come to grips with this new, insidious threat. The cyber risk to nuclear facilities requires constant evaluation and response, particularly as the industry increases its reliance on digital systems and as cyber criminal activity continues its relentless rise,” Ms. Lewis said.

With respect to the technological dependence cited in Chatham House’s report, nuclear experts suggested that the increasing use of commercial software within the industry has yielded considerable savings but at the cost of introducing vulnerabilities that worsen when programs aren’t persistently updated or patched.

Web portals have made it easier for hackers to share the tips and techniques needed to crack into platforms, the experts said, and exploit vendors that take advantage of security holes on behalf of curious clients instead of fixing flaws that could allow an entire system become compromised.

In other cases, experts said nuclear plants have been caught using factory-set passwords instead of abandoning them in exchange for harder-to-guess credentials.

“You know that for company X, the default password is always, say, 1234, so you can get in that way,” a director of a France-based cybersecurity firm told Chatham House investigators.

Coupled with breakdowns in communication and lackluster guidance for disclosing vulnerabilities, as well as insufficient security training and spending, the report determined that attacking critical infrastructure is easier than before for cybercriminals yet still poses the same colossal risks as well that the industry has been warned of for decades.

“A cyber attack that took one or more nuclear facilities offline could, in a very short time, remove a significant base component to the grid, causing instability,” the report reads.

“The nuclear industry, regulatory bodies, security establishments, governments and international organizations need to engage with cyber security experts and academics, on a sustainable basis, to formulate robust policy responses through coordinated plans of action to deal with the technical, managerial and cultural shortfalls identified in this report,” Ms. Lewis said.