Published by Chatham House, the Royal Institute of International Affairs think tank, the report says there is a lack of executive-level awareness regarding the risks associated with digitisation. It goes on to claim that plant personnel are often unaware of the extent of cyber vulnerabilities, and are thus inadequately prepared to deal with potential attacks.
According to the report, there is a general misconception that nuclear facilities are ‘air gapped’ – isolated from the public internet. The reality, however, is that many nuclear facilities now have VPN connections installed. The report says that search engines can readily identify critical infrastructure components that have VPN connections, exposing them to cyber threats.
In addition, where facilities are in fact air gapped, these safeguards can be circumvented with nothing more sophisticated than a flash drive. The Chatham House report claims there is a communication gap between engineers and security personnel, meaning those working at nuclear plants can sometimes lack understanding of key cyber security procedures.
To address these issues, the report makes a number of policy and technical recommendations. These include guidelines for measuring cyber security risk across the nuclear industry, and an integrated risk assessment that looks at both security and safety. Improving ‘IT hygiene’ at nuclear facilities is also suggested, for example by banning personal devices, as is robust dialogue with engineers and contractors in order to raise awareness of the dangers of unauthorised internet connections.