There has been a rising number of security breaches at nuclear power plants over the past few years, according to a new Chatham House report which highlights how important systems at plants were not properly secured or isolated from the internet.
As critical infrastructure and facilities such as power plants become increasingly complex they are, directly or indirectly, linked to the internet. This opens up a channel through which malicious hackers can launch attacks – potentially with extremely serious consequences. For example, a poorly secured steel mill in Germany was seriously damaged after being hacked, causing substantial harm to blast furnaces after the computer controls failed to shut them down. The notorious malware, the Stuxnet worm, was specifically developed to target nuclear facilities.
The report also found that power plants rarely employ an “air gap” (where critical systems are entirely disconnected from networks) as the commercial and practical benefits of using the internet too often trump security.
In one case in 2003, an engineer at the Davis-Besse plant in Ohio used a virtual private network connection to access the plant from his home. While the connection was encrypted, his home computer was infected with the Slammer worm which infected the nuclear plant’s computers, causing a key safety control system to fail. A more serious incident in 2006 at the Browns Ferry plant in Alabama nearly led to a meltdown.