The New York Times reports (7/6/17) that for the past several months hackers have penetrated the computer networks of energy facilities including at least one nuclear power station – the Wolf Creek unit located near Burlington, Kansas.

Wolf Creek officials told the newspaper that while they could not comment on cyberattacks or security issues, a statement by plant management said that no “operations systems” were affected and that their corporate network and the internet were separate from the network that runs the plant.

In a much longer and more detailed report the Bloomberg Wire Service says that hackers based in Russia are responsible for attacks on more than a dozen energy facilities in the U.S.

The Bloomberg report notes that the possibility of a Russia connection is particularly worrisome, former and current officials say, because Russian hackers have previously taken down parts of the electrical grid in Ukraine and appear to be testing increasingly advanced tools to disrupt power supplies.

The New York Times report quotes John Keeley, a spokesman for the Nuclear Energy Institute, who said nuclear facilities are required to report cyberattacks that relate to their “safety, security and operations.”

None have reported that the security of their operations have been impacted by the latest attacks. A check of the NRC’s website shows no incident report about a cybersecurity event at Wolf Creek. However, in some instances, the NRC would not post information about such an incident on its public facing web site.

The newspaper published the information about the cyber attack, which appeared to target non-safety relatedf systems on the business side, after obtaining a report issued jointly by the Department of Homeland Security and the Federal Bureau of Investigation last week.

The newspaper says the report did not indicate whether the cyberattacks were an attempt at espionage — such as stealing industrial secrets — or part of a plan to cause destruction or to seek ransom for encrypting critical data and systems.

So far according to the report there is no indication that hackers had been able to move from business side computers into the control systems of the facilities. The report did not say how many facilities had been attacked by the hackers nor it identify who the government suspects is behind the hacking incidents.

Wind Farms Also at Risk

Nuclear facilities are not the only targets of hackers. Wired Magazine reported on June 28th that vulnerabilities have been found on ways to get inside the control systems of entire wind farms.

The University of Tulsa has been conducting ‘white hat” research on these threats by testing physical and digital barriers to cyber attacks.

What they found is that it was relatively easy to breach the control boxes of the wind towers and gain control over individual windmills and entire wind farms. The research report notes that hackers thousands of miles away could have launched similar attacks.

Brief Primer on Cyber Security at Nuclear Power Plants in the U.S.

The Nuclear Energy Institute has extensive briefing and technical material and information on cyber security at nuclear power plants and the compliance by utilities with NRC requirements in this area.  The NRC has a plain English explanation of its cybersecurity regulations on its web site. Every company operating nuclear power plants has an NRC-approved cyber security program.

From an industry perspective, the most important thing to keep in mind is that critical safety and security systems at nuclear energy facilities are isolated from the Internet.

Safety related information systems have no direct access to the web, nor do they have indirect access because they are not connected to the facilities’ internal networks. These systems use either air gaps, which do not require internal networking or internet connectivity, or robust hardware-based isolation devices that separate the control system from front-office computers.

You cannot conduct a Google search or catch up on sports scores from a terminal inside a nuclear reactor control room.

In addition, nuclear power plants are designed to shut down safely should their systems detect a disturbance on the electrical grid. Thus, nuclear plants are protected from digital threats by layer upon layer of safety measures.

Specific Cybersecurity Measures

Each U.S. nuclear power plant has taken the following measures to ensure protection against cyberthreats:

Isolated key control systems using either air gaps, which do not implement any network or internet connectivity, or installed robust hardware-based isolation devices that separate front-office computers from the control system, thus making the front-office computers useless for attacking essential systems.

As a result, key safety, security and power generation equipment at the plants are protected from any network-based cyberattacks originating outside the plant.

• Enhanced and implemented strict controls over the use of portable media and equipment.

Where devices like thumb drives, compact disks and laptops are used to interface with plant equipment, measures are in place to minimize the cyberthreat. In some cases the USB ports on some devices are disabled.

These measures include authorizing use of portable assets to the performance of a specific task, minimizing the movement from less secure assets to more secure assets, and virus scanning. As a result, nuclear power plants are well protected from attacks like Stuxnet, which was propagated through the use of portable media – USB sticks.

• Heightened defenses against an insider threat.

Training and insider mitigation programs have been enhanced to include cyber attributes. Individuals who work with digital plant equipment are subject to increased security screening, cyber security training and behavioral observation.

Each plant performs detailed cyber security assessments and implemented cyber security controls to protect equipment deemed most essential for the protection of public health and safety.

• Measures to maintain effective cyber protection measures.

These measures include maintaining equipment listed in the plant configuration management program and ensuring changes to the equipment are performed in a controlled manner. A cyber security impact analysis is performed before making changes to relevant equipment.

The effectiveness of cyber security controls is periodically assessed, and enhancements are made where necessary. Vulnerability assessments are performed to ensure that the cyber security posture of the equipment is maintained.

In summary, cybersecurity at a nuclear power plant is implemented by a combination of policies, procedures, and management of physical assets to prevent intrusions.

# # #