It may have been 35 years since Matthew Broderick’s teenage hacker raised the spectre of accidental nuclear war, but a new assessment of global nuclear protections suggests that the concerns raised by Wargames are still worryingly real.
Cyber security threats now form part of the Nuclear Threat Initiative-Economist Intelligence Unit’s NTI Nuclear Security Index – a regular evaluation of the protections around the world’s nuclear-materials stocks – and, NTI CEO Ernest Moniz warns, “defences remain dangerously insufficient to meet the expanding and rapidly evolving cyber threat.”
Some 22 countries have 1kg or more of weapons-grade nuclear materials, with 45 other geographies operating nuclear facilities where an act of sabotage could create a “dangerous release of radiation”.
Yet just 12 countries have improved their cyber security regulations since the last index in 2016, and just 13 jurisdictions have implemented basic cyber security regulations.
Noting that cyber security threats were outpacing defences and regulations, the report’s authors warned that cyber security breaches could potentially cause “catastrophic health consequences to the public”.
The report encourages governments to embed cyber security best practices into nuclear facilities’ cultures; to build mutual assistance mechanism and shared resources for responding to cyberattacks; and to increase the quality and number of cyber-nuclear experts by bridging talent gaps through upskilling and mutual support agreements.
Weighing the cyber-nuclear threat
The high-profile Stuxnet worm – which is credited for hindering or disabling Iran’s nuclear-enrichment program by tampering with sensitive centrifuges – was one of many nuclear-related cyber security incidents to make headlines in recent years.
International Atomic Energy Agency director Yukiya Amano went on the record warning that the cyber threat “is not an imaginary risk” after a nuclear power plant was targeted several years ago in an attack that, he said, “caused some problems”.
Last year, reports suggested that hackers have already breached and targeted more than a dozen organisations, where concerns about vulnerabilities in operational networks and industrial control systems have kept authorities and nuclear facilities operators on high alert.
Growing concern about the vulnerability of nuclear facilities is no surprise to John McClurg, a Cylance vice president and former US FBI agent who began evaluating cyber security risk in nuclear facilities decades ago after being seconded to nuclear regulator the US Department of Energy (DoE).
Threats from environmental activists may have dominated the FBI’s concerns in the period around the 1981 Diablo Canyon protests, but these days trends such as the Internet of Things (IoT) mean cyber security risks could come from anywhere at any time, McClurg – whose previous investigations included work chasing ‘Dark Dante’ hacker Kevin Poulsen – told Information Age.
“The attack vectors are increasing exponentially as these little platforms open up doors and new possibilities to an adversary,” he explained.
Can AI outsmart the hackers?
Critical nuclear states aren’t helping the situation: one-third of the countries with weapons-grade nuclear materials or facilities, the NTI Index found, “lack all of the basic cyber security regulations measured by the NTI Index” while 68% of evaluated countries do not yet have a cyber incident response plan.
“Given that cyber security measures never will be perfectly effective,” the report warns, “an incident response plan and response capabilities are essential.”
That sense of inevitability has long pervaded the industry given the reactive nature of law enforcement in both physical and cyber contexts, McClurg said.
“Particularly with nuclear facilities, we have often found ourselves, in almost every dimension of the law-enforcement community, stymied in reactive detection,” he said.
“Even though we in our hearts wanted to be ahead of the adversary, I had accepted that was an inevitable lot that I wasn’t going to be able to escape in my career.”
“And, unfortunately, I see a lot of our nuclear members in the industry still work the mindset that compromise is inevitable – that it’s not ‘if we get breached’, but ‘when’.”
He has gained some optimism from the broader use of artificial intelligence (AI) techniques, which are helping investigators churn through mountains of data to proactively identify harbingers of potential cyber security activity.
It’s a far cry from the late 1990s, when McClurg was tasked with creating a cyber counterintelligence capability for the DoE – putting him on a collision course with a growing hacker climate that was targeting an industry that lacked the tools to keep up.
And while modern big-data and AI methods may have provided the tools, McClurg says, it’s now up to the industry to figure out how to leverage the tools to get on the right side of the nuclear-safety equation.
“AI and analytics have changed the battle space,” he explained, “and they’ve given me hope that for the first time we are looking at a new age where we will finally have a leg up on the bad guys.”
