Moving Cyber from the Orbit to the Nucleus of the Nuclear Security Summit

World leaders are gearing up to discuss pertinent issues at the final edition of the Nuclear Security Summit in Washington D.C from March 31 to April 2, 2016. Prime Minister Narendra Modi is attending the 2016 Nuclear Security Summit. Since the 2009 Prague speech of U.S. President Barack Obama, the summit has attracted global attention, deliberating on the security of vulnerable nuclear materials, black markets, and illicit trafficking of nuclear materials. The first Nuclear Security Summit was held in Washington D.C. (April 2010). It was followed by the Summits in Seoul (March 2012) and The Hague (March 2014). Cybersecurity is rapidly garnering increased international attention; concerns about cyber attacks targeting the vulnerabilities in nuclear installations were initially highlighted at the 2012 Nuclear Security Summit in Seoul.

Three working group reports are lined up for discussion this week at the Nuclear Industry Summit – NIS (an official side event of the Nuclear Security Summit) – on issues critical to nuclear security, and cybersecurity is one of the key areas.1 Information Protection was put on the NIS table in 2012 at Seoul and the focus was brought on Industrial Automation/Control Systems protection in the subsequent NIS at Amsterdam in 2014.

Industrial Control Systems (ICS) are the nervous system of a nuclear power plant, critical for its safe operations.2 They perform a host of monitoring, supervision and control functions such as reactor protection systems, safety features actuation systems (emergency core cooling), safe shutdown systems, emergency power supply and diesel generator control systems, reactor control systems and access control systems. Over the years, analog ICS in nuclear power plants have been replaced with digital ICS, based on computers, microprocessors and digital communication for reliability, improved performance and efficiency, regulatory compliance, and safety. Their components and functions at a nuclear plant include the following:3

  • Interface with the physical parameters of plant operations, monitoring or measuring vital parameters such as neutron flux, temperature, pressure and flow using sensors.
  • Data processing for control and safety systems of the plant.
  • Analog or digital communication systems to transmit the large volume of data and information over wired, optical fiber or wireless networks.
  • Human-Machine Interface to provide real-time information to personnel at the control room.
  • Monitor sensor signals for abnormalities through plant health diagnostic systems.
  • Adjust the physical processes through control and safety systems.
  • Signal transmission for automatic or manual control of actuators.

A nuclear plant unit has approximately 10,000 sensors and detectors, connected by around 5,000 km of cables. Around 90 per cent of all the digital Instrumentation and Control installations that have been done are modernization projects at existing reactors, especially for safety systems.4 The 439 operational nuclear reactors across 31 countries use both digital and analog systems to monitor and operate plant processes, equipment, and store and retrieve information. Along with physical and system operational security, cybersecurity of electronic assets and computer/ICS networks have also become a major concern.

The International Atomic Energy Agency (IAEA) has published multiple documents related to information and computer security. The Technical Guidance and Implementing Guide – as part of the Nuclear Security Series – deal with Computer Security (NST045), Security of Instrumentation and Control Systems (NST036) and Computer Security Techniques (NST047) for nuclear facilities. At the industry end, the World Institute for Nuclear Security (WINS) has also increased its efforts in this domain.5 In June 2015, the IAEA organized the “International Conference on Cyber Security in a Nuclear World: Expert Discussion and Exchange”, which brought together over 700 experts, representing 92 countries and 17 international organizations, for discussion on both the challenges and progress with regards to cybersecurity in the nuclear industry.6

However, despite these efforts, the power industry has made to the headlines with repeated instances of cyber attacks, since Stuxnet in 2010. The South Korean nuclear operator, Korea Hydro and Nuclear Power Co. (KHNP), fell victim to a leak of company information, including employee information and plant blue prints, in 2014. In the same year, Havex, a Remote Access Trojan (RAT) infected Industrial Control Systems for reconnaissance in Germany, Switzerland and Belgium. Finally, in January 2016, the BlackEnergy trojan caused a massive electricity outage in Ukraine. Nuclear facilities are equally vulnerable to cyber attacks as other critical infrastructure installations using the same computing resources, software or Industrial Control Systems.

The 2016 NTI Index included a set of basic indicators related to cybersecurity.7 The index report finds that “nearly half the countries assessed do not have a single requirement in place to protect their nuclear facilities from cyber attacks, and only 9 of the 24 countries with weapons-usable nuclear materials received the maximum score on cybersecurity indicator; while 7 states scored 0 on the same index.”8 Many states do not even have the desired laws to provide effective protection from cyber attacks.

India has vast experience in the design, development and maintenance of indigenous technology in the areas of control and instrumentation systems for nuclear reactors and nuclear fuel cycle facilities. The Bhabha Atomic Research Centre (BARC) has a vibrant research and development programme to ensure self-reliance in Electronics, Control, Instrumentation and Computers.9 On the cybersecurity front, India can help countries with indigenous nuclear energy programmes to develop their own security solutions. States are generally wary of buying such solutions from other countries, as a lot of confidential information has to be shared with the vendors deploying security solutions. The IAEA would need to address these concerns of the states as well while framing the regulatory requirements on cybersecurity.

The global nuclear industry and IAEA as an international regulatory agency have a large ground to cover between the requirements and the existing cybersecurity measures in place, under the shadow of the rising number of cyber attacks targeted at power installations. The Nuclear Security Summit has led global leaders to move against the threats of nuclear terrorism, and its side event, the Nuclear Industry Summit, is shaping the industry understanding on critical issues, which includes cyber threats. The NIS has made considerable progress on this front in the last four years, but the sophistication and frequency of cyber attacks have outpaced it. The time is ripe to move cyber from the orbit to the nucleus of the Nuclear Security Summit.

Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.