Cybersecurity is a topic covered frequently in the pages of POWER magazine, and one that all power plants need to take seriously. A recent simulation proved that the consequences of a hack can be grave.
The drill took place in Sweden, but could have been conducted anywhere in the world. The attack used plant control systems against themselves to flood a cooling system, showing that hacking of computer systems can lead to physical plant damage.
Some experts, including Robert M. Lee, founder of cybersecurity firm Dragos, believe cyber incidents go underreported in the nuclear sector. The reason is that the Nuclear Regulatory Commission only requires the reporting of incidents that affect the safety, security functions, or emergency preparedness of the plant.
Although air-gapping systems, that is, keeping them disconnected from the internet, offers some protection, it is not the complete answer. Viruses, such as Stuxnet, have proven that systems can be infiltrated using USB drives, contractor laptops, or through a host of other seemingly innocuous methods.
Many researchers believe the best way to prepare for an attack is through simulation. By mimicking real-world conditions and pitting teams of professionals against each other—one on offense, one on defense—people are forced to deal with attacks under stressful conditions, yet with minimal consequences. Results can be analyzed and lessons shared for the benefit of all. To gain the most value, however, the simulation needs to feel less like a game and more like the real thing.
A nuclear plant owner could sustain severe reputational damage too, if a cyberattack were carried out successfully against one of its facilities. With that in mind, an exercise involving lawyers, insurance companies, and nuclear plant executives was carried out recently in London. The results should concern plant owners worldwide, because the pretend court found the power company in the case criminally and civilly liable for damages following a simulated cybersecurity breach.
Read more at The Verge: “Hacking Nuclear Systems Is the Ultimate Cyber Threat. Are We Prepared?”
—Aaron Larson, executive editor (@AaronL_Power, @POWERmagazine)