http://www.ft.com/cms/s/0/b5f0df54-6aa1-11e5-aca9-d87542bf8673.html

Nuclear power plants in ‘culture of denial’ over hacking risk

Sam Jones, Defence and Security Editor
October 5, 2015 12:03 am

Nuclear power plants around the world are harbouring a “culture of denial” about the risks of cyber hacking, with many failing to protect themselves against digital attacks, a review of the industry has warned.

A focus on safety and high physical security means that many nuclear facilities are blind to the risks of cyber attacks, according to the report by think-tank Chatham House, citing 50 incidents globally of which only a handful have been made public.

The findings are drawn from 18 months of research and 30 interviews with senior nuclear officials at plants and in government in Canada, France, Germany, Japan, the UK, Ukraine and the US.

<snip>

Ms Baylon described how systems and back-ups powering reactor cooling systems could be compromised, for example, to trigger an incident similar to that seen at Fukushima Daichi in Japan in 2011, the worst nuclear failure since Chernobyl.

<snip>

http://www.ibtimes.com/nuclear-power-plants-around-world-unprepared-cyberattacks-warns-new-report-2126456

Nuclear Power Plants Around The World Unprepared For Cyberattacks, Warns New Report

By Avaneesh Pandey @avaneeshp88 a.pandey@ibtimes.com on October 05 2015 6:18 AM EDT

Nuclear power plants across the world are getting increasingly vulnerable to cyberattacks as they increase their reliance on digital systems and “off-the-shelf” software, Chatham House -- a London-based nonprofit -- warned, in a new report. Moreover, because of an “element of denial,” several nuclear facilities have failed to put in place mechanisms to protect themselves against digital attacks.

“There is a pervading myth that nuclear facilities are ‘air gapped’ -- or completely isolated from the public internet -- and that this protects them from cyber attack,” the report, which analyzed cyber defenses in power plants across the world in an 18-month period, said. “Yet not only can air gaps be breached with nothing more than a flash drive, but the commercial benefits of internet connectivity mean that nuclear facilities may now have virtual private networks and other connections installed, sometimes undocumented or forgotten by contractors and other legitimate third party operators.”

<snip>

In addition, even as vulnerability of nuclear power plants increases -- partly because of their outdated control systems -- hacking is becoming even easier to conduct with the availability of automatic cyberattack packages that can be purchased online.

<snip>


A diagram showing the potential control system vulnerabilities at nuclear power plants across the world. Chatham House

http://europe.newsweek.com/cyberattack-nuclear-facilities-could-cause-radiation-leak-report-334124

Cyberattack on Nuclear Facilities Could Cause Radiation Leak: Report

By Conor Gaffey 10/5/15 at 3:00 PM

Nuclear power plants are at increasing risk of cyberattacks which could ultimately lead to radiation leaks, according to a new report.

The report, by U.K.-based international affairs thinktank Chatham House, also points out that the so-called "air gap" between public internet and internal systems at nuclear facilities can be breached with "nothing more than a [USB] flash drive." This was exemplified by the Stuxnet worm in 2010, which caused centrifuges to fail at Iran's main nuclear facility and was blamed by Tehran on the U.S. and Israel.

In a worst-case scenario, says the report, cyberattacks could lead to a release of ionizing radiation with potentially disastrous impacts on local populations. Caroline Baylon, cybersecurity research associate at Chatham House and the report's lead author, says such a breach could lead to similar consequences as those seen after the Fukushima disaster four years ago in Japan.

<snip>

The report, which looked at nuclear facilities around the world over an 18-month period, highlighted a number of areas where improvements are required to protect the industry from the "ever-present" threat posed by state-sponsored and independent hackers. A comprehensive set of guidelines measuring cybersecurity risk should be developed and nuclear facilities must be encouraged to admit attacks anonymously, say the report's authors, who believe disclosure of such attacks is limited due to concern about reputation damage.

<snip>

The BBC reported research carried out for the study showed that U.K. nuclear plants are not well-protected from the threat of cyberattack, since the industry has only recently converted to digital systems. A spokesperson for the Office for Nuclear Regulation (ONR), the U.K. government agency responsible for nuclear safety and security at British facilities, told Newsweek that the ONR accepted "the thrust of the recommendations" in the report. "Cyber risks are always developing and no one can afford to be complacent. In addition to our robust inspection regime, ONR is constantly reinforcing the importance of cybersecurity to senior figures across the U.K. nuclear industry," the spokesperson says.

Keith Parker, chief executive of the Nuclear Industry Association, which represents hundreds of companies in the U.K.'s civil nuclear sector, said in a statement: "All of Britain's power stations are designed with safety in mind and are stress-tested to withstand a vast range of potential incidents." Parker added that the U.K.'s current fleet of nuclear power stations has no embedded software, which he said means "it would be impossible to defeat reactor protection systems."

<snip>

http://www.theregister.co.uk/2015/10/05/nuclear_plants_cyber_denial_man_in_the_middle/

Search engine can find the VPN that NUCLEAR PLANT boss DIDN'T KNOW was there - report

No 'exec-level awareness', warns research

5 Oct 2015 at 10:42, Alexander J Martin

The nuclear industry is ignorant of its cybersecurity shortcomings, claimed a report released today, and despite understanding the consequences of an interruption to power generation and the related issues, cyber efforts to prevent such incidents are lacking.

<snip>