Breaking into a nuclear power plant's computer system may actually be easier than physically breaking into the power plant itself.
While nuclear power plants have established physical safety and security measures, many of them still lack the same level of security against cyber attacks, especially when employees still use default passwords like "1234" for computer systems that control a power plant's processes.
Based on findings from an 18-month study by UK thinktank Chatham House, the researchers concluded that nuclear facilities will have to ante up against potential cyber attacks as these infrastructures "become increasingly reliant on digital systems and make increasing use of commercial 'off-the-shelf' software, which offers considerable cost savings but increases vulnerability to hacking attacks."
The report's conclusion and recommendations come from at least 30 interviews from senior officials at nuclear power plants and governments from Japan, Ukraine, France, United Kingdom, Germany and the United States.
One key finding debunks the myth that all nuclear facilities are "air gapped," which suggests their systems are blocked from the Internet that the rest of us use. Rather, because of the commercial benefits of wider connectivity, some nuclear facilities use virtual private networks that are sometimes undocumented or even forgotten by contractors and third-party operators.
It's these multiple layers of technical, cultural and industry-wide practices that allow a possible cyber attack. In fact, the Chatham report reveals [pdf] that there may have already been 50 incidents of cyber infiltrations in the nuclear power plant industry while only two or three have actually been made public.
A main source of vulnerability at power plants comes from the people working in these high-security high-tech facilities. The problem isn't only with technology as insiders share that engineers are the "worst offenders" and that "operations people dislike IT." On the other hand, power plant managers themselves wouldn't know what to do if a cyber attack did happen.
According to the report's author Caroline Baylon, in a worst-case scenario, such hacking attacks could cause the release of ionizing radiation with potentially disastrous impacts on local populations. She further comments that, while the chances of causing a meltdown at a power plant are low, "the consequence of a cyber incident at a nuclear plant is extremely high."
Photo: Dawn Ellner | Flickr