Title: Cyber Security of Nuclear Power Plants: US and Global Perspectives

Global nuclear energy capacity is expected to grow for several decades. About 10 percent of the world’s electricity today is generated by about 440 nuclear reactors. Thirty countries have operational nuclear power plants and about fifty new reactors are under construction. Russia is pursuing new reactor projects with Belarus, China, Hungary, India, Iran, and Turkey. China has an aggressive nuclear program with eleven reactors under construction. The United Arab Emirates, Belarus, Bangladesh, and Turkey also have nuclear reactors under construction.

The expanding global footprint of nuclear energy brings with it concerns about safety, security (both physical and cyber), and nuclear nonproliferation and safeguards. This expansion, the introduction of new technologies, and the creation of new operating environments require comprehensive policies and technologies for managing increasingly complex risks. In particular, the increasing use of digital infrastructure in nuclear power and subsequent cyber vulnerability should be accompanied by total system risk assessment, and greater regulation and guidance at the national and international level.

Cyber Vulnerability of Nuclear Power Plants

As global nuclear energy grows, so does the threat of cyber attack. Over time, process control systems in nuclear power plants have evolved from early analogue systems to digital systems. Digital systems themselves are continuing to evolve from highly specialized hardware and software to more standardized hardware and software in Supervisory Control and Data Acquisition (SCADA) systems. The transition to digital systems brings with it new risks and vulnerability to new interconnects of system components, potential operational issues, and vulnerabilities from cyber-attack that must be assessed and addressed.

In assessing system vulnerabilities, four main categories of digital computer and communication systems must be considered:

1. Safety-related and important-to-safety functions
2. Security functions
3. Emergency preparedness functions
4. Support systems and equipment important to safety and security

This scheme provides an important framework for designing and implementing cyber security plans for nuclear power plants.

There are several reasons why the cyber security of nuclear energy is essential to national security. Adversaries may attempt a cyber-attack on a nuclear power plant to access individual expertise, documented information, technology (hardware and software), and nuclear materials. Their goal may be to use a cyber-attack to create a physical outcome to disrupt power, create a radiological release, or increase the threat of nuclear proliferation. Consequences associated with these risks include political damage, loss of public confidence, coercion of interests, environmental damage, economic damage, and casualties. Therefore, it is essential that nuclear facilities strengthen their digital infrastructure to prevent these damaging impacts.

Total System Risk Assessment

Given the complexity of both threat and nuclear power plant systems, total system risk assessment is needed to develop protection strategies and technologies. A total system risk assessment is a comprehensive analysis of events that could negatively impact the system, the probability of the events occurring, and the consequences if they were to occur. In nuclear energy, the system can include one or more of the following: fuel enrichment and fabrication, power production, reprocessing of spent nuclear fuel; the storage, transportation, and disposal of spent nuclear fuel and high-level waste; and the decommissioning of closed nuclear power plants. The objectives of this type of assessment are to identify ways to reduce the probability of the events occurring, mitigate resulting consequences, and improve the system’s ability to recover.

An example of total system risk assessment in the cyber-energy arena is the Integrated Cyber-Physical Impact Analysis framework developed by Sandia National Laboratories. Multiple attack scenarios have been used to demonstrate the extended consequences of a cyber-attack from the initiating event, to component- or      system-     level effects, and ultimately the regional- or national-level impacts. This framework incorporates a holistic view of the causes, consequences, and potential mitigation strategies crossing six domains: threat, cyber-attack, component effects, physical system response, extended consequences, and recovery.

National Level: Cyber Status of US Nuclear Power Plants

At the national level, policies and regulations serve as additional tools to bolster against the threat of cyber attack.  The Nuclear Regulatory Commission (NRC) first included cyber requirements in the early 2000s and later issued the 10 CFR 73.54 Cyber Security Rule. This rule requires nuclear plant operators to submit a cyber      security plan for Commission review and approval. Full implementation of NRC’s Cyber Security Rule was completed in 2017. The industry-led Nuclear Energy Institute has worked on cyber security issues over time and has developed industry standard guidelines for how nuclear plants can meet these NRC requirements.

The need to mitigate cyber threats is further reflected in US prioritization of cybersecurity research.  The US Department of Energy, Office of Nuclear Energy’s (DOE-NE) mission is to “advance nuclear power to meet the nation’s energy, environmental, and national security needs.” Within this mission, DOE-NE funds cybersecurity research to support its research objectives at many national laboratories, universities, and other research organizations, ensuring its research accounts for the cyber aspects related to its advanced technology research. DOE-NE also supports cybersecurity research at universities and has issued multiple cybersecurity-focused awards through the Nuclear Energy University Programs. This cybersecurity program has four research thrust areas: risk and risk-informed technologies, cybersecurity modeling and simulation, secure digital architectures, and digital supply chain risk management. Thus, cybersecurity research has clearly been highlighted as a necessity in the development of US nuclear energy. Because the majority of this research is in its early stages, it is not publicly available.

Global Level: Cyber Status of Global Nuclear Power Plants

Beyond the United States, the topic of cybersecurity in nuclear programs has been examined at the international scale as well. The Nuclear Threat Initiative (NTI) has developed a simple, but useful “cyber score index” assessing the degree to which national-     level cyber standards have been set. Scoring on this index illustrates the wide range of how seriously cyber threats are being addressed, from countries with well-developed nuclear power capabilities, such as the United States, Canada, France, Switzerland, and Russia, to countries with nuclear reactors and much more limited oversight, such as Mexico, Brazil, Italy, Kazakhstan, and China. The NTI identified four overarching priorities they believe would substantially reduce the risk of damaging cyber-attacks on nuclear facilities. The priorities include institutionalizing cyber security, mounting an active defense, reducing complexity, and pursuing transformation. These recommendations are ambitious and not easily achieved, but if implemented, they would dramatically reduce the probability of a successful cyber attack.

Additionally, the International Atomic Energy Agency (IAEA) and other international organizations are actively working to provide guidance and recommendations for cyber protection of nuclear facilities. Using a cyber-risk assessment as a starting point, the IAEA recommends cyber requirements based on a risk-informed, graded approach addressing the following elements:

1. Importance of Instrumentation and Control (I&C) system functions for both safety and security.
2. The identified and assessed threats to the facility.
3. Attractiveness of the I&C system to potential adversaries.
4. Vulnerabilities of the I&C system.
5. Operating environment.
6. Potential consequences that could either directly or indirectly result from a compromise of the system.

This guidance is especially useful to countries with emerging nuclear energy programs because it relies on risk and grading to help apply limited resources where they may do the most good.

The US government recently established a global research program to facilitate mitigation of the risks associated with the global civilian nuclear energy programs. To facilitate the technical basis for this program, Sandia National Laboratories developed a Global Nuclear Risk Assessment Framework to evaluate the potential for a non-state actor to exploit a nuclear power plant to cause a radiological release, e.g., cyber-attack. The assessment evaluates threat potential and nuclear power plant incident potential. While the results of this analysis are not publicly available, one insight from this study is how a nuclear power plant’s risk posture can change over time.

Closing Observations

The cyber threat/risk landscape for critical infrastructure in the US and around the world is constantly evolving. Because of the potentially serious consequences of compromising a nuclear power plant, these risks require rigorous attention at multiple scales ranging from individual plant operations to national scale oversight and regulatory functions. Given the growing scope of nuclear plant construction, there is a compelling need for international principles, regulatory standards, operational guidance, and technical cyber expertise. Policy and decision makers must understand the cyber threat to nuclear power plants, the potential resulting consequences, and the need for mitigation strategies. Concrete actions must be identified and implemented.

. . .

Susan Y. Pickering is a Director Emeritus from Sandia National Laboratories. Susan has over thirty years of experience in nuclear-related research and development. She has worked in the disposal of nuclear waste, the design and production of nuclear weapons, and the safety and security of nuclear energy. Susan and Peter led a mission initiative bringing together Sandia’s deep cyber security expertise with Sandia’s nuclear reactor safety and global nuclear security missions.

Peter B. Davies, Ph.D., is a Director Emeritus from Sandia National Laboratories. He served in six Center Director positions across Sandia missions, including the Nuclear Energy and Fuel Cycle Center and later, the Geoscience, Climate and Consequence Effects Center. With over three decades of service, he currently serves as a Global Fellow at the Wilson Center Polar Institute.      

The authors would like to recognize and thank Lon Dawson, Mitch McCrory (retired), and Amir Mohagheghi of Sandia National Laboratories for their input.