The COVID-19 crisis has exposed our vulnerability to cyber attacks and online scams. Almost every single major industry in the world has had to alter business practices to work around the global pandemic. The pandemic has also demonstrated how reliant the world has become on nuclear power to fuel our demand on electricity. Nuclear energy now provides about 10% of the world’s electricity. Globally there are 440 power reactors, with over 50 countries utilising nuclear energy in about 220 research reactors. Therefore it is crucial that global efforts are made to protect the civil nuclear sector during this disruptive period. An array of experts have put forward their emergency management suggestions for how the civil nuclear industry can be preserved.
One of the most effective means of reducing the nuclear power base’s vulnerability to cyber criminals is to ramp up cyber defences, according to Martin Smith MBE of the Security Awareness Special Interest Group. He recently outlined that unscrupulous hackers would take advantage of the fragility of the situation. Contingency planning to protect nuclear power plants have previously been discussed through the U.S Nuclear Regulatory Commission’s workshop on Sustaining Safe Nuclear Operations in an Influenza Pandemic and in April 2006, through the Nuclear Energy Institute’s draft pandemic contingency plan – but despite these positive steps consensus between states was not reached.
The COVID-19 crisis also reveals how, despite the need for a global effort to preserve the security of the civil nuclear sector, geopolitical issues and the role of non-state actors can severely complicate matters. For example international terrorist group ISIS urged its followers in mid March to stage attacks exploiting the current global crisis. Four members of the group were arrested on April 16th for plotting to attack a U.S military base which contained nuclear weapons. In a world that is increasingly characterised by geopolitical tensions from the US-China trade war, Brexit and the recent crash in oil prices, the nuclear sector is not exempt from cyber security risks.
We only need to look back at the Stuxnet attack in Iran, which damaged 1,000 Iranian centrifuges, to understand how poor cyber security can be exploited in global rifts between major and regional powers such as the U.S, Israel and Iran. Similarly as early as 2016 a Russian group, DragonFly 2.0, gained access to US and European nuclear energy companies as part of their multi-stage intrusion campaign compromising security. The attack involved conducting a network reconnaissance, moved laterally and collected information pertaining to industrial control systems. A further piece of malware by the group also infected 18,000 power plants globally, leading to a potential explosion in Saudi Arabia.
One way to move forward to mitigate these risks is to provide comprehensive training to employees on cyber security to make organisations aware of the risks posed by hackers and to increase resilience. While rigorous and continuous monitoring of risks is key to safeguarding network information systems, such an approach – also known as cyber hygiene – can be time consuming. A streamlined training programme is also required to educate employees on the potential risks of clicking on suspicious links within emails, as we become ever more dependent on teleworking practices.
Despite increasing our vulnerability and exposure to hackers, one silver lining of the pandemic has been the increase in discussions around optimising artificial intelligence and machine learning in cyber threat intelligence practices. Such an approach can save analysts time and also allow for faster, more robust preparedness approaches to be adopted by civil nuclear organisations. During these unprecedented times, there are several approaches and perspectives that need to be considered when applying cyber defence practices to nuclear facilities. A macro approach utilising the PEST method helps to give an overview of how interlinked cyber security risks are with major nuclear power systems. The approach allows organizations to consider the following elements: assessing the political factors (Political) allocating the necessary budget for cyber security incidents and for contingency budgets (Economic); establishing a cyber security culture through training (Societal); and considering the use of technological developments and how these change the risk calculation (Technological). However, both micro and macro approaches should be adopted simultaneously in order to preserve the security of nuclear power stations.
Now more than ever, global leadership is required to identify how to protect civilian nuclear facilities. A macro policy reform approach as well as a micro approach – involving innovative time efficient methods – offer hope at a time of difficulty.