Wright White Paper 20200215
Infrastructures:
A White Paper
February 2020
The peril of cyber-attacks towards critical nuclear infrastructures is a serious matter and is
growing as the threat landscape evolves, cyber capabilities expand, and new actors
get involved (Stoutland, 2018). When considering the widespread maturity of cyber-attacks and
nations with nuclear programs need to take the steps necessary to facilitate national and
regulatory frameworks that will ensure effective cyber security at nuclear facilities or strengthen
existing regimes. Without doing so, nuclear materials may be compromised for terrorist acts and
thus used to create weapons such as radiological dispersal devices (RDD) or radiological
exposure devices (RED), and nuclear facilities may be at risk of information theft, technological
shutdowns, and physical disasters (Moore, 2004). The purpose of this paper will be to expand on
assuage these threats. By the end of this paper, national authorities, such as policymakers, facility
operators, and national authorities will be informed on this threat and better equipped to make
CURRENT STATE
According to an extensive report by the Nuclear Threat Initiative (NTI) released in September of
2018, one-third of the 44 countries that have nuclear facilities such as reactors and reprocessing
for their critical infrastructures (Nuclear Threat Initiative, 2018). Countries that did receive a
high grade for their cyber-defenses, such as the United States and the Russian Federation, still
need to initiate ways to enhance their level of protection as cyber capabilities continuously
evolve in the complex and dynamic cyber realm. The report states:
Potential cyber-attacks may look like the compromise of access control systems, which could
allow unauthorized personnel to “steal nuclear materials or to damage the facility.” Along with
that, accounting systems may be tampered with to reflect numbers that indicate that none of the
materials have gone missing. Cooling systems for reactors could also be manipulated and
disabled, which could cause a reactor to overheat and explode, as was seen with the Fukushima
Stuxnet
In June of 2010, malware known as Stuxnet was discovered at Iran’s uranium-enrichment plant
in Natanz. It used “four zero-day exploits” in Microsoft Windows
networks, “repeatedly replicated itself”, and then “sought out Siemens Step7 software”, which
also runs on Windows and is used to program “industrial control systems that operate
equipment” (Kushner, 2013). In this case, these were programmable logic controllers that
operated centrifuges, which were enriching uranium into weapons-grade material, Uranium-235.
The operators behind Stuxnet could not only spy on the industrial control systems but also
control the rotational speed of the centrifuges, and they manipulated several
of them to spin so fast that they tore themselves apart (Kushner, 2013). This marked the first
time malware is known to have caused physical destruction, let alone at a nuclear infrastructure.
KNPP Hack
targeted by a malware seeking to collect information. It was reported that the malware sought
out, “NAT’ed (Network Translation Device) devices, stole admin credentials, and then
incorporated those details into this new malware, a second-stage payload designed for deeper and
more thorough reconnaissance” (Porup, 2019). The malware used a technique that frequently
escapes attention from antivirus scanners wherein it concealed itself in “modified copies of
legitimate programs, such as 7Zip or VNC” (Porup, 2019). This report states that “Targeted
critical infrastructure security teams need to engage in constant network monitoring for
suspicious activity to hunt threats and root them out before they can do any damage” (Porup,
2019). Attacks like this one can be prevented by an adequate review of program
signatures; however, the event demonstrates how countries with nuclear infrastructures need to have
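
As an added illustration (not part of the original paper or any cited report), the sketch below shows one form the review described above can take: comparing installed programs against a known-good hash manifest so that a modified copy carrying a legitimate file name stands out. It uses SHA-256 hashes as a stand-in for a full code-signature check; the manifest, function names, and sample files are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_binaries(install_dir, manifest):
    """Compare each file under install_dir with a known-good manifest.

    manifest: {file name (lowercase): expected SHA-256 hex digest}, assumed to
    come from the vendor or a trusted build, obtained out of band.
    Returns {relative path: "ok" | "modified" | "unlisted"}.
    """
    results = {}
    root = Path(install_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        expected = manifest.get(path.name.lower())
        if expected is None:
            status = "unlisted"   # not an approved program at all
        elif sha256_file(path) == expected:
            status = "ok"
        else:
            status = "modified"   # approved name, unexpected content
        results[str(path.relative_to(root))] = status
    return results

def demo():
    """Constructed sample: stand-in files, not real 7-Zip or VNC binaries."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        pristine = {"7z.exe": b"constructed 7-Zip build",
                    "vncviewer.exe": b"constructed VNC build"}
        manifest = {n: hashlib.sha256(c).hexdigest() for n, c in pristine.items()}
        for name, content in pristine.items():
            (root / name).write_bytes(content)
        # Simulate a tampered copy that keeps the legitimate file name.
        (root / "vncviewer.exe").write_bytes(b"constructed VNC build" + b"\x00extra")
        (root / "updater.exe").write_bytes(b"unknown program")
        return audit_binaries(root, manifest)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

A "modified" result is the case the paragraph describes: the file name matches an approved program but the content does not.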
LOOKING FORWARD
Nations with more nuclear sites tend to have more cyber-nuclear regulations and as a result are
more prepared to defend their critical assets. Meanwhile, there are countries with new nuclear
programs who need to establish regulatory systems in addition to attracting and training cyber-
nuclear experts. A 2016 NTI study revealed that close to half of the countries with nuclear
facilities require “virtually no security measures at nuclear facilities to address
the threat posed by cyber criminals or malicious actors” (Dine, Assante, & Stoutland, 2016).
Looking forward, to combat the threat of cyber-attacks, nuclear facilities and the countries
funding them need to make sure they are in a position to protect themselves from these threats
through expertise and technology. The NTI insists that “governments must provide assistance by
sharing threat information and surge capacity provided by skilled computer emergency response
2018). Although countries have been acknowledged to be taking steps in strengthening their
cybersecurity requirements, wherein regulations and laws are being passed and updated, the lack
What further elevates threats towards countries possessing nuclear assets is the “increased
political instability, ineffective governance, pervasive corruption, and the presence of terrorist
groups” they experience (Kramer, 2018). It is important to recognize that it is only a matter of
time before an adversary causes a devastating event. Actors responsible for security, from
RECOMMENDATIONS
With heightened political and terrorist risks, national leadership and stewardship are critical
Setting international standards and broadening efforts to build a stronger nuclear security
system – Nations with nuclear capacities should be held accountable for having appropriate and
standards and cyber-nuclear policies that leave for an inadequate legal framework and foundation
for protecting nuclear assets. There have been steps taken in the right direction such as the
continued elimination of weapons-grade nuclear material stocks and initiatives such as the
Nuclear Security Contact Group created at the 2016 Nuclear Security Summit (Arms Control
Association, 2018), which is tasked with identifying and acting on nuclear security-related
issues. However, major gaps remain in the current regime that safeguards nuclear materials and
facilities, which inhibits the system from being its most effective. Countries should take
attacks by conducting trainings and workshops to share awareness and best practices with one
another. Such efforts should be done through the International Atomic Energy Agency (IAEA) as
this organization is “the world’s centre for cooperation in the nuclear field and seeks to promote
the safe, secure and peaceful use of nuclear technologies” (IAEA, 2019).
Defending against the advancing risk of cyberattacks – Critical infrastructures are not
immune to cyberattacks, and oftentimes responses by the government and nuclear facilities are
inadequate. Cybersecurity measures such as including cyber threats into threat assessments,
response toward cyberattacks, and increasing human resources of cyber-nuclear experts will
strengthen defense approaches. Overall, countries need to come together to craft norms and
facilitate cooperative opportunities that will minimize cyber threats against nuclear facilities.
motivations of cyber threats towards nuclear security, countries should further commit to
reducing their stocks of weapons-grade material. There is a greater risk of theft when there are
more nuclear materials and facilities. Improvements to fill in known security and policy gaps in
the existing regime must also be a priority for countries across the board, from on-site
nuclear facilities must make efforts to learn from other long-standing programs and upgrade their
national and regulatory frameworks to address known vulnerabilities. Lastly, all countries must take
into consideration economic and political factors that aggravate threats towards nuclear assets.
To reduce such illicit activities, governments should advocate efforts to provide political stability
and intensify their cyber-nuclear security efforts to ensure their infrastructures are secured.
Arms Control Association. (2018, June). Nuclear Security Summit at a Glance. Retrieved from
Arms Control Association:
https://www.armscontrol.org/factsheets/NuclearSecuritySummit
Dine, A. V., Assante, M., & Stoutland, P. (2016). Outpacing Cyber Threats: Priorities for
Cybersecurity at Nuclear Facilities. Washington, D.C.: Nuclear Threat Initiative.
Kramer, D. (2018, September 14). Nuclear theft and sabotage threats remain high, report warns.
Retrieved from Physics Today:
https://physicstoday.scitation.org/do/10.1063/PT.6.2.20180914a/full/
Kushner, D. (2013, February 13). The Real Story of Stuxnet. Retrieved from IEEE Spectrum:
https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
Moore, A. (2004). Radiological and Nuclear Terrorism: Are You Prepared? Journal of the
American College of Radiology, 54-58.
Nuclear Threat Initiative. (2018). Building a Framework for Assurance, Accountability, and
Action. Washington, DC: Nuclear Threat Initiative. Retrieved from Nuclear Threat
Initiative: https://ntiindex.org/data-results/mapview/theftwith/theftwith
Porup, J. (2019, December 9). How a nuclear power plant got hacked. Retrieved from CSO
United States: https://www.csoonline.com/article/3488816/how-a-nuclear-plant-got-hacked.html
Stoutland, P. (2018, March 19). Cyberattacks on Nuclear Power Plants: How Worried Should
We Be? Retrieved from Nuclear Threat Initiative:
https://www.nti.org/analysis/atomic-pulse/cyberattacks-nuclear-power-plants-how-worried-should-we-be/