Computer hackers, not content with mucking around with U.S. commerce and elections, have trained their sights on nuclear power plants, prompting questions about cybersecurity at Oyster Creek.
Industry officials and federal regulators say there’s nothing to fear, but experts say there is cause for concern, including from the harm that could be caused by cyberattacks on the electrical grid upon which power plants depend.
In recent weeks, hackers tried to — and in at least one case succeeded — in penetrating the firewalls and digital protections of administration information at these nuclear facilities, according to government reports cited recently in the New York Times and Bloomberg News.
“The nuclear industry didn’t really believe that they were a target,” said Edwin Lyman, senior scientist of the Global Security Program of the Union of Concerned Scientists in Washington, D.C.
Industry executives learned otherwise when hackers worked their way into computers at Wolf Creek nuclear power plant near Burlington, Kansas, according to the Times. The Asbury Park Press asked nuclear experts if hackers could also penetrate Oyster Creek.
“A plant like Oyster Creek, it’s old. Its systems that are used to control plant functions are mostly analog based, and that’s true for most of the plants in the United States. So the scenario of some malevolent terrorist pushing a button and causing a plant to melt down, that’s far-fetched,” Lyman said.
But there are reasons hackers might want to penetrate other plant systems.
“The fact is, a successful radiological sabotage attack on a nuclear plant, or on the spent fuel pool (where radioactive waste is cooled) at the plant, could cause a devastating catastrophe,” he added. “It could essentially contaminate hundreds of square miles with long-lived radioactive material. It could require the forced resettlement of millions of people. It could cost trillions of dollars in damages, and for a plant like Oyster Creek or others in the New York City area, a densely populated area, they are even more desirable targets for a terrorist who wants to cause that kind of mass disruption event.”
Plants separate critical systems from the internet or plant business networks by physical distance or hardware, Nuclear Regulatory Commission spokesman Neil Sheehan said in an email.
The Nuclear Regulatory Commission also regulates how employees use removable media, perform vulnerability assessments and train other employees on recognizing “insider threat(s),” he added.
The systems targeted in the recent attacks are not under the Nuclear Regulatory Commission’s regulations and oversight, Sheehan said in the email.
Hackers used faked resumes crafted in Microsoft Word that were riddled with malicious computer code to try and squeeze through the network protections, according to the Times. They also inserted malicious code into legitimate websites frequented by plant employees and tried to redirect employee web traffic through company computers, according to the report.
“The NRC’s threat and cyber experts have been in contact with relevant law-enforcement and homeland security officials related to this cyber incident,” Sheehan said.
He added that despite the incident, cybersecurity among nuclear plants has served as a “role model” for other industrial sectors.
In April, regulatory commission records show that Oyster Creek officials submitted an application to the commission to revise their cybersecurity plan.
When asked if Oyster Creek was responding to the cyberattacks with new safety evaluations or other measures, a spokeswoman for the plant deferred questions to John Keely, spokesman for the Nuclear Energy Institute, which represents the interests of nuclear power companies in the United States.
Keely said none of the 99 nuclear plants in the country notified the Nuclear Regulatory Commission of any successful system penetration. He said information about what happened at Wolf Creek was classified.
Nuclear plant administrative networks are not regulated by the Nuclear Regulatory Commission similarly to operational systems, Lyman said.
“I think that narrow interpretation (by the Nuclear Regulatory Commission) of what needs to be protected needs to be rethought,” he added.
By not regulating how administrative information is stored and protected, Lyman said information like plant blueprints, security guard schedules, computer passwords and door security could be vulnerable to hackers.
There is another way nuclear plants are vulnerable to hackers, said Paul Gunter, director of the Reactor Oversight Project at Beyond Nuclear, a Maryland-based organization that opposes nuclear energy,
“From our point of view, the biggest vulnerability comes from the electrical grid itself,” he said.
That electrical grid is a patchwork system that is more than 50 years old in many places. It is riddled with problems caused by “aging equipment, capacity bottlenecks and increased demand,” according to a report issued by the American Society of Civil Engineers. The society recently gave the nation’s energy grid a D+ rating in its 2017 Infrastructure Report Card.
If hackers attack the grid and shut it down, Oyster Creek is designed to automatically “scram,” or shut down, Gunter said.
“This is a little bit like hitting your breaks at full speed on the interstate,” he said. “It’s a violent action not to be taken lightly.”
The risk comes from power loss to the safety systems that cool the nuclear fuel and regulate the reactor, Gunter said. Those systems could be compromised when the grid loses power for an extended period of time, though the plant has emergency generators and batteries as backup, he said.
“The concern here is that a cyberattack may not necessarily be isolated to just disrupting the electrical grid to safety systems, but it could be associated with a much broader military objective,” Gunter said.
Gunter and Lyman aren’t the only ones worried. Sen. Maria Cantwell (D-Washington), the ranking member of the Senate Energy and Natural Resources Committee, called on the Trump administration to assess the nation’s energy infrastructure.
“The disturbing reports of the past 24 hours indicate that our adversaries are trying to take advantage of the very real vulnerabilities of our energy infrastructure’s cyber defenses,” Cantwell said in a statement last week.
Cantwell and 18 other senators urged the president in a June letter to direct the Department of Energy to analyze the possibility of Russian cyberattacks on the nation’s grid. Their letter also called for the administration to restore funding to the Office of Electricity Delivery and Energy Reliability, which they said is facing a 40 percent cut in funding.
“How can our government protect our national security assets if the administration does not allocate the necessary resources?” the senators wrote.
In the meantime, Keely said nuclear plants are well positioned against attacks, yet continue to evaluate new threats. He said the industry has formed key partnerships with government agencies as further protection.