World’s Nuclear Facilities Vulnerable to Cyber-Attacks
Stuxnet, the computer virus introduced into the Iranian nuclear program by Israel and the US has now escaped into other countries
As hackers continue to rampage through closely-guarded information systems and databases with monotonous regularity, there is a tempting new target for cyber-attacks: the world’s nuclear facilities.
A warning has already been sounded by the International Atomic Energy Agency (IAEA), which has urged the world community to intensify efforts to protect nuclear facilities from possible attacks.
"We need to drain the swamp and stop developing technologies that are vulnerable to catastrophic attacks." —Randy RydellPointing out the nuclear industry was not immune to such attacks, IAEA Director-General Yukiya Amano says there should be a serious attempt at protecting nuclear and radioactive material – since “reports of actual or attempted cyber-attacks are now virtually a daily occurrence.”
The United States, whose defence networks at the Pentagon and also its intelligence agencies have already been compromised by hackers largely from Russia and China, is increasingly concerned about possible cyber-attacks by terrorist organisations – specifically the Islamic State (IS) with its heavy and sophisticated presence on social media.
Ironically, the United States reportedly collaborated with Israel to launch a virus attack on Iran’s nuclear enrichment programme years ago.
Tariq Rauf, director of the Disarmament, Arms Control and Non-Proliferation Programme at the Stockholm International Peace Research Institute (SIPRI), told IPS nuclear power plants and the nuclear industry rely intensively on computer systems and computer codes.
“Any corruption, malware or targeted attacks potentially could have catastrophic consequences for nuclear safety and security,” he warned.
In this regard, he said, it is deplorable that Israel and the United States targeted Iran’s uranium enrichment programme in past years with malware and viruses, thus initiating unprovoked cyber warfare, he added.
Stuxnet, the computer virus introduced into the Iranian nuclear programme by these two countries, has now escaped into other programmes in other countries, said Rauf, the former head of IAEA’s Verification and Security Policy Coordination unit.
“This clearly demonstrates that cyber warfare agents cannot be contained, can spread uncontrollably and can potentially create many hazards for critical infrastructure in the nuclear field,” he said.
He said cyber warfare at the state level is much more dangerous and difficult to defend against than cyber-attacks by hackers, though the hacking of nuclear safety and security systems by amateurs or criminals also pose major risks for radioactive and nuclear materials.
Randy Rydell, a former senior political officer at the U.N’s Office of Disarmament Affairs (ODA), told IPS the real question here is not capabilities but motivation: “Why would someone wish to launch such an attack?"
The answer, he said, is political.
“We need to drain the swamp and stop developing technologies that are vulnerable to catastrophic attacks,” said Rydell, former senior counsellor and Report Director of the Weapons of Mass Destruction (WMD) Commission.
IAEA’s Amano pointed out that last year alone there were cases of random malware-based attacks at nuclear power plants, with such facilities being specifically targeted.
He said staff responsible for nuclear security should know how to repel cyber-attacks and to limit the damage, if systems are actually penetrated.
“The IAEA is doing what it can to help governments, organisations, and individuals adapt to evolving technology-driven threats from skilled cyber adversaries,” he added.
At the next IAEA ministerial conference, scheduled for December 2016, one of topics for discussion would be how best to elaborate a Code of Conduct for Cyber Security for the Nuclear Industry.
Asked about the cyber capability of terrorist groups and their use of social media, Admiral Cecil Haney, commander U.S. Strategic Command, told reporters last March the Islamic State (IS) and various other organisations have been able to recruit and threaten – “and so we see more and more sophistication associated with that.”
“This is something that we look at very, very closely,” he said, pointing out that U.S. Cyber Command, as well as its interagency team, is working on this.
“And, quite frankly, it is looked at on a day-to-day basis,” he added.
In one of the major breaches of security, the U.S. Office of Personnel Management, which maintains security clearance for millions of federal employees, was one of the targets of hackers last year.
“The threat we face is ever-evolving,” Josh Earnest, the White House press secretary, told reporters last June. “We understand that there is persistent risk out there and we take it seriously,” he added.
But cyber-attacks are also increasingly a policy decision by governments in the United States, Western Europe, Russia and China, as a means of fighting back when attacked.
SIPRI’s Rauf said the IAEA is recognised as playing the central role in setting nuclear security standards for peaceful nuclear activities and has issued guidance documents in this regards for operators of nuclear facilities.
Addressing the IAEA International Conference on Computer Security in a Nuclear World, held in Vienna on June 1, Amano correctly drew attention to the risks and dangers of actual or attempted cyber-attacks against nuclear power plants and the nuclear industry, he noted.
Amano said that “computers play an essential role in all aspects of the management and safe and secure operation of nuclear facilities, including maintaining physical protection, and thus it is vitally important that all such systems are properly secured against malicious intrusions”.
In a statement released last month, the White House said that from the beginning of his current administration, President Barack Obama “has made it clear that cyber security is one of the most important challenges we face as a nation.”
In response, “the U.S. Government has implemented a wide range of policies, both domestic and international, to improve our cyber defences, enhance our response capabilities, and upgrade our incident management tools.”
As the cyber threat continues to increase in severity and sophistication, so does the pace of the Administration’s efforts, the White House noted.