
Outperforming Cyber Threats Seeking Critical Nuclear Infrastructures:
A White Paper
February 2020

Ginger Wright, University of New Mexico

OUTPERFORMING CYBER THREATS SEEKING CRITICAL NUCLEAR INFRASTRUCTURE | Ginger Wright


INTRODUCTION

The peril of cyber-attacks towards critical nuclear infrastructures is a serious matter and is
growing as the threat landscape evolves, cyber capabilities expand, and new actors get involved
(Stoutland, 2018). When considering the widespread maturity of cyber-attacks and the
consequences of a cyber-mediated theft of nuclear materials or sabotage of nuclear facilities,
nations with nuclear programs need to take the steps necessary to facilitate national and
regulatory frameworks that will ensure effective cyber security at nuclear facilities or strengthen
existing regimes. Without doing so, nuclear materials may be compromised for terrorist acts and
thus used to create weapons such as radiological dispersal devices (RDD) or radiological
exposure devices (RED), and nuclear facilities may be at risk of information theft, technological
shutdowns, and physical disasters (Moore, 2004). The purpose of this paper is to expand on
threats posed by cyber-attacks on nuclear infrastructures and introduce recommendations to
assuage these threats. By the end of this paper, policymakers, facility operators, and national
authorities will be informed on this threat and better equipped to make productive decisions
regarding cyber-policy creation and cyber-security implementation.

CURRENT STATE

According to an extensive report by the Nuclear Threat Initiative (NTI) released in September of
2018, one-third of the 44 countries that have nuclear facilities such as reactors and reprocessing
plants, or possess weapons-grade nuclear materials, are lacking in fundamental cyber-protections
for their critical infrastructures (Nuclear Threat Initiative, 2018). Countries that did receive a
high grade for their cyber-defenses, such as the United States and the Russian Federation, still
need to initiate ways to enhance their level of protection as cyber capabilities continuously
evolve in the complex and dynamic cyber realm. The report states:

The results of the 2018 NTI Index indicate that nuclear facilities’ defenses against
cybersecurity threats remain insufficient. The NTI Index asks whether domestic laws,
regulations, or licensing rules require nuclear facilities to have protections in place,
protect critical digital assets, include cyber threats in the Design Basis Threat, conduct
cybersecurity assessments, and ensure an incident-response plan is in place. Although
some countries have made modest improvements, many remain poorly prepared for a
cyber threat. (Nuclear Threat Initiative, 2018)

Potential cyber-attacks may look like the compromise of access control systems, which could
allow unauthorized personnel to “steal nuclear materials or to damage the facility.” Along with
that, accounting systems may be tampered with to reflect numbers that indicate that none of the
materials have gone missing. Cooling systems for reactors could also be manipulated and
disabled, which could cause a reactor to overheat and explode, as was seen with the Fukushima
Daiichi accident when a tsunami disabled its power supply.

CASE STUDIES ON TARGETED ATTACKS

Stuxnet

In June of 2010, malware known as Stuxnet was discovered at Iran’s uranium-enrichment plant
in Natanz. This malware performed “four zero-day exploits” in Microsoft Windows networks,
“repeatedly replicated itself”, and then “sought out Siemens Step7 software”, which is also
Windows-based and is used to program “industrial control systems that operate equipment”
(Kushner, 2013). In this case, these were programmable logic controllers that operated
centrifuges, which were enriching uranium into weapons-grade material, Uranium-235. The
operators behind Stuxnet had the capacity not only to spy on the industrial control systems but
also to control the rotational speed of the centrifuges, several of which they manipulated to spin
so fast that they tore themselves apart (Kushner, 2013). This marked the first time that malware
is known to have caused physical destruction, let alone on a nuclear infrastructure.

KNPP Hack

More recently, in October of 2019, India’s Kudankulam Nuclear Power Plant (KNPP) was
targeted by malware seeking to collect information. It was reported that the malware sought out
“NAT’ed [Network Address Translation] devices, stole admin credentials, and then incorporated
those details into this new malware, a second-stage payload designed for deeper and more
thorough reconnaissance” (Porup, 2019). The malware used a technique that frequently escapes
attention from antivirus scanners wherein it concealed itself in “modified copies of legitimate
programs, such as 7Zip or VNC” (Porup, 2019). The report states that “Targeted critical
infrastructure security teams need to engage in constant network monitoring for suspicious
activity to hunt threats and root them out before they can do any damage” (Porup, 2019).
Attacks like this one can be prevented by an adequate review of program signatures; however,
the incident demonstrates how countries with nuclear infrastructures need to have stronger
regulatory frameworks to ensure effective cyber security.

LOOKING FORWARD

Nations with more nuclear sites tend to have more cyber-nuclear regulations and as a result are
more prepared to defend their critical assets. Meanwhile, there are countries with new nuclear
programs that need to establish regulatory systems in addition to attracting and training
cyber-nuclear experts. A 2016 NTI study revealed that close to half of the countries with nuclear
facilities require of themselves “virtually no security measures at nuclear facilities to address
the threat posed by cyber criminals or malicious actors” (Dine, Assante, & Stoutland, 2016).

Looking forward, to combat the threat of cyber-attacks, nuclear facilities and the countries
funding them need to make sure they are in a position to protect themselves from these threats
through expertise and technology. The NTI insists that “governments must provide assistance by
sharing threat information and surge capacity provided by skilled computer emergency response
teams who specialize in responding to computer security incidents” (Nuclear Threat Initiative,
2018). Although countries have been acknowledged to be taking steps to strengthen their
cybersecurity requirements, with regulations and laws being passed and updated, the lack of a
framework is leaving facilities unprepared for the growing cyber threat.

What further elevates threats towards countries possessing nuclear assets is the “increased
political instability, ineffective governance, pervasive corruption, and the presence of terrorist
groups” they experience (Kramer, 2018). It is important to recognize that it is only a matter of
time before an adversary causes a devastating event. Actors responsible for security, from
policymakers to national authorities, face the challenge of surpassing a fast-developing threat.

RECOMMENDATIONS

With heightened political and terrorist risks, national leadership and stewardship are critical
regarding cyber threats towards nuclear security. Recommendations to ensure effective
cybersecurity and to strengthen existing regimes include:

Setting international standards and broadening efforts to build a stronger nuclear security
system – Nations with nuclear capacities should be held accountable for having appropriate and
effective cybersecurity in their nuclear regimes. There is a deficit of mutual international
standards and cyber-nuclear policies, which leaves an inadequate legal framework and
foundation for protecting nuclear assets. There have been steps taken in the right direction, such
as the continued elimination of weapons-grade nuclear material stocks and initiatives such as the
Nuclear Security Contact Group created at the 2016 Nuclear Security Summit (Arms Control
Association, 2018), which is tasked with identifying and acting on nuclear security-related
issues. However, major gaps remain in the current regime that safeguards nuclear materials and
facilities, which inhibits the system from being its most effective. Countries should take
voluntary measures and act on their commitment to strengthening nuclear security against
cyber-attacks by conducting trainings and workshops to share awareness and best practices with
one another. Such efforts should be done through the International Atomic Energy Agency
(IAEA), as this organization is “the world’s centre for cooperation in the nuclear field and seeks
to promote the safe, secure and peaceful use of nuclear technologies” (IAEA, 2019).

Defending against the advancing risk of cyberattacks – Critical infrastructures are not
immune to cyberattacks, and oftentimes responses by the government and nuclear facilities are
inadequate. Cybersecurity measures such as including cyber threats in threat assessments,
mandating cyber-incident responses from nuclear facilities, having an international collective
response toward cyberattacks, and increasing human resources of cyber-nuclear experts will
strengthen defense approaches. Overall, countries need to come together to craft norms and
facilitate cooperative opportunities that will minimize cyber threats against nuclear facilities.

Improving international stewardship – In an effort to reduce the consequences and
motivations of cyber threats towards nuclear security, countries should further commit to
reducing their stocks of weapons-grade material. There is a greater risk of theft when there are
more nuclear materials and facilities. Improvements to fill in known security and policy gaps in
the existing regime must also take precedence for countries across the board, from on-site
physical protection regulations to accounting procedures. In particular, countries developing new
nuclear facilities must make efforts to learn from other long-standing programs and upgrade their
national and regulatory frameworks to address known vulnerabilities. Lastly, all countries must
take into consideration economic and political factors that aggravate threats towards nuclear
assets. To reduce such illicit activities, governments should advocate efforts to provide political
stability and intensify their cyber-nuclear security efforts to ensure their infrastructures are
secured.

Works Cited

Arms Control Association. (2018, June). Nuclear Security Summit at a Glance. Retrieved from
Arms Control Association:
https://www.armscontrol.org/factsheets/NuclearSecuritySummit

Dine, A. V., Assante, M., & Stoutland, P. (2016). Outpacing Cyber Threats: Priorities for
Cybersecurity at Nuclear Facilities. Washington, D.C.: Nuclear Threat Initiative.

IAEA. (2019). Retrieved from International Atomic Energy Agency: https://www.iaea.org

Kramer, D. (2018, September 14). Nuclear theft and sabotage threats remain high, report warns.
Retrieved from Physics Today:
https://physicstoday.scitation.org/do/10.1063/PT.6.2.20180914a/full/

Kushner, D. (2013, February 13). The Real Story of Stuxnet. Retrieved from IEEE Spectrum:
https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

Moore, A. (2004). Radiological and Nuclear Terrorism: Are You Prepared? Journal of the
American College of Radiology, 54-58.

Nuclear Threat Initiative. (2018). Building a Framework for Assurance, Accountability, and
Action. Washington, DC: Nuclear Threat Initiative. Retrieved from Nuclear Threat
Initiative: https://ntiindex.org/data-results/mapview/theftwith/theftwith

Porup, J. (2019, December 9). How a nuclear power plant got hacked. Retrieved from CSO
United States: https://www.csoonline.com/article/3488816/how-a-nuclear-plant-got-hacked.html

Stoutland, P. (2018, March 19). Cyberattacks on Nuclear Power Plants: How Worried Should
We Be? Retrieved from Nuclear Threat Initiative:
https://www.nti.org/analysis/atomic-pulse/cyberattacks-nuclear-power-plants-how-worried-should-we-be/
