Chatham House has released an important study on the vulnerabilities of nuclear power plants to cyber attacks. You can find the whole report here.
Specific findings include:
- The conventional belief that all nuclear facilities are ‘air gapped’ (isolated from the public internet) is a myth. The commercial benefits of internet connectivity mean that a number of nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of.
- Search engines can readily identify critical infrastructure components with such connections.
- Even where facilities are air gapped, this safeguard can be breached with nothing more than a flash drive.
- Supply chain vulnerabilities mean that equipment used at a nuclear facility risks compromise at any stage.
- A lack of training, combined with communication breakdowns between engineers and security personnel, means that nuclear plant personnel often lack an understanding of key cyber security procedures.
- Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.
– See more at: https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks#sthash.kuamiRKl.dpuf