Ed Lyman
Director, Nuclear Power Safety

News reports over the last day indicate that a massive and devastating cyberattack on US government agencies and private companies in the United States and abroad has occurred, and UCS will be watching as this news develops. While the scope of the cyberattack is still far from clear, here are some facts to consider regarding how the hack may have impacted US nuclear energy infrastructure.

  1. So far there have been no reports that the Nuclear Regulatory Commission (NRC), the agency that oversees the safety and security of US nuclear power plants, or any nuclear plants themselves, have been affected. The NRC once had a contract with SolarWinds, whose Orion software has been identified as a major vector of the attack, but apparently terminated it in 2011. However, the US Cybersecurity and Infrastructure Agency reported that Orion was not the only attack vector.
  2. Fortunately, it is highly unlikely that malevolent actors today could directly cause a severe accident at a US nuclear power plant because the instrumentation and control systems for the most important safety systems are primarily analog (non-digital) relics of the era decades ago when these plants were built.
  3. Even so, nuclear plants do have many digital systems that must be protected because they may have an indirect impact on plant safety—for example, the communication systems used by security officers. The NRC requires nuclear plant owners to protect such critical digital systems from cyberattack. In particular, there must be separation between a nuclear plant’s business systems, which are connected to the Internet, and any digital systems involved in reactor operations.
  4. Still, access to the business systems could be very useful to adversaries—for instance, they could obtain data revealing personal information about plant personnel and use it for blackmail. Moreover, even isolated systems need software updates, so if sophisticated malware is not detected by the scans a nuclear plant uses before loading updates on those systems, they could also become infected.
  5. The Nuclear Energy Institute, the industry’s chief lobbying group, has been fighting for years to reduce the scope of digital systems that plant owners have to protect under the NRC’s rules, including those that might protect against reactor shutdowns that could cause grid failures. The attack underway is a stark reminder that cybersecurity defenses at critical infrastructure facilities such as nuclear plants should be strengthened, not weakened.
  6. The NRC has still not yet completed its first round of inspections to confirm full compliance of nuclear plants with its cybersecurity rule, which was instituted more than ten years ago.