Crystal River 3 nuclear power plant/CC BY-SA 2.0

6 Things to Know about the 2020 Cyberattack and Nuclear Power Plants

, Director of Nuclear Power Safety, Climate & Energy | December 18, 2020, 5:56 pm EST
Bookmark and Share

News reports over the last day indicate that a massive and devastating cyberattack on US government agencies and private companies in the United States and abroad has occurred, and UCS will be watching as this news develops. While the scope of the cyberattack is still far from clear, here are some facts to consider regarding how the hack may have impacted US nuclear energy infrastructure.

  1. So far there have been no reports that the Nuclear Regulatory Commission (NRC), the agency that oversees the safety and security of US nuclear power plants, or any nuclear plants themselves, have been affected. The NRC once had a contract with SolarWinds, whose Orion software has been identified as a major vector of the attack, but apparently terminated it in 2011. However, the US Cybersecurity and Infrastructure Agency reported that Orion was not the only attack vector.
  2. Fortunately, it is highly unlikely that malevolent actors today could directly cause a severe accident at a US nuclear power plant because the instrumentation and control systems for the most important safety systems are primarily analog (non-digital) relics of the era decades ago when these plants were built.
  3. Even so, nuclear plants do have many digital systems that must be protected because they may have an indirect impact on plant safety—for example, the communication systems used by security officers. The NRC requires nuclear plant owners to protect such critical digital systems from cyberattack. In particular, there must be separation between a nuclear plant’s business systems, which are connected to the Internet, and any digital systems involved in reactor operations.
  4. Still, access to the business systems could be very useful to adversaries—for instance, they could obtain data revealing personal information about plant personnel and use it for blackmail. Moreover, even isolated systems need software updates, so if sophisticated malware is not detected by the scans a nuclear plant uses before loading updates on those systems, they could also become infected.
  5. The Nuclear Energy Institute, the industry’s chief lobbying group, has been fighting for years to reduce the scope of digital systems that plant owners have to protect under the NRC’s rules, including those that might protect against reactor shutdowns that could cause grid failures. The attack underway is a stark reminder that cybersecurity defenses at critical infrastructure facilities such as nuclear plants should be strengthened, not weakened.
  6. The NRC has still not yet completed its first round of inspections to confirm full compliance of nuclear plants with its cybersecurity rule, which was instituted more than ten years ago.

 

"Faces of the Commons 2019" by Sebastiaan ter Burg is licensed under CC BY 2.0 Creative Commons is proud to have provided free, flexible, and reusable tools powering much of the internet for nearly 20 years. Please donate what you can to support the global open movement! Donate Skip to content Share your work Use & remix What We do Blog Search for CC images Global Network Newsletters Store Contact Facebook Twitter Mail Help us build a vibrant, collaborative global commons This page is available in the following languages: Languages English cc logo Attribution-ShareAlike 2.0 Generic (

Posted in: Energy Tags: , ,

Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.

Show Comments


Comment Policy

UCS welcomes comments that foster civil conversation and debate. To help maintain a healthy, respectful discussion, please focus comments on the issues, topics, and facts at hand, and refrain from personal attacks. Posts that are commercial, self-promotional, obscene, rude, or disruptive will be removed.

Please note that comments are open for two weeks following each blog post. UCS respects your privacy and will not display, lend, or sell your email address for any reason.

  • Maxx Scott

    This is just a garbage fear mongering article. It shows no evidence or cause for concern with nuclear power plants with the latest cyber security breaches. The operations and security systems are isolated from outside forces and there is constant vigilance to ensure this remains.

  • Franko Ku

    Nuke plants in cohort with blue then green hydrogen trump solar and wind.
    Just as populism “Trump’s” one world order reset.

  • Mary Jane Williams

    The Dept. of Energy has been hacked. The communications system needed to launch nuclear weapons possibly? So if we can’t launch nuclear weapons that means the idea of “deterrence” is obsolete. No more excuse for nuclear weapons. Time to abolish them. Close nuclear reactors all over the world. Ban uranium mining.

    End the whole nuclear era!

    Then turn to guarding nuclear waste for thousands of years.

    • Maxx Scott

      Nuclear weapons are not nuclear power, but you already know that.

  • Patrick Jones

    Point #2 is very much the most important.

    When I left the industry 16 years ago there were NO computer control systems. What computers existed were only data gathering and storage.

    Upgrading any nuclear system is almost always prohibitively expensive. For example, at the plant where I worked, it cost $250,000 for the engineering evaluation to leave the BIT inlet valves (Safety Injection System) open. This was 20 years after the determination that the BIT really contributed nothing to plant safety and was no longer going to be used.

    I wouldn’t worry about nuclear power plants.

  • vlady47

    Did the NRC ever implement these:
    Cyber security is an element of decommissioning activities for nuclear facilities. Cyber security rulemaking is in progress for fuel cycle facilities, using the lessons learned from power reactor cyber security program implementations. Currently there are no cyber security requirements for Independent Spent Fuel Storage Installations, and research and test reactors. The NRC is considering the need for cyber security requirements for non-power production or utilization facilities and materials licensees.
    https://www.nrc.gov/reading-rm/doc-collections/fact-sheets/cyber-security-bg.html

    Grid failure could cause problems at NPP’s, by several different means.
    How far has their stock pile grown?
    Both the Department of Energy and electric grid companies have started efforts to stockpile specialized electrical equipment (such as large transformers) needed to restore the grid after these events.
    https://public-blog.nrc-gateway.gov/2016/07/05/update-keeping-u-s-reactors-safe-from-power-pulses/

    Plus there has been multiple times where the NRC website and communications have gone down. (last one just the other day)

    Safest nuke is one that doesn’t exist.