There is a need to emphasize the enormity of the risks that we, as a human civilization, are taking with the development of the Internet of Things. I wanted to comment on the announcement made by the Director-General of the International Atomic Energy Agency (IAEA), Yukiya Amano. He stated that there is a grave threat of militant attacks on nuclear power plants, which could become the target of a disruptive cyber-attack, as evidenced by an attack on a German nuclear power station that occurred two to three years ago.
Well, so much for security in a disconnected power plant. Shall we add IoT to this mix just to make things more interesting? Mr. Amano continued, saying: “this is not a theoretical risk… This issue of cyber-attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we are aware of everything or if it’s the tip of the iceberg.”
We have all known for quite some time now that computer malware can be, and has been, used to attack industry. These attacks have caused disruption and destruction at industrial complexes. Why not nuclear sites and related services? This issue has been brought to the attention of the United Nations and has been part of the discussion at IAEA cybersecurity conferences for a few years. However, it’s about time to see some action to improve safety, and one such measure should be to eliminate IoT industrial controls in nuclear-related sites.
The article by Andrea Shalal on Reuters states that the IAEA is providing countries with cell phone-sized equipment for detecting nuclear and other radioactive material. This action, assuming the countries on the receiving end of these detection devices do use them, can help minimize the effects of a dirty bomb but can do nothing to protect a nuclear-power-related facility from a cyber-attack.
What to do then? A Nuclear Energy Institute (NEI) Policy Brief lists as one of its key points the isolation of critical systems at nuclear sites from the Internet, and states that nuclear plants should start addressing cyber-security immediately. These two pieces of evidence lead to the conclusion that nuclear facilities aren’t ready to take on cyber-attacks and aren’t doing much to change their current state.
As we contemplate the landscape, we see organizations like the United States Nuclear Regulatory Commission (NRC) calling for increased security at many levels since the attacks of 9/11. Nonetheless, globally we see little in the way of standards and frameworks for cybersecurity at these facilities coming into effect, and thus the international nuclear community is left to fend for itself in an uncharted new frontier: cyberspace.