Many nuclear power facilities aren't air-gapped from the Internet, and many "critical infrastructure components" can be identified via search engines. These are just two of the graphic warnings made in a recent report on the nuclear power industry by think tank Chatham House.
Among the report's findings are that some nuclear plant workers don't realize the full extent of their cyber vulnerability.
The study found that cybersecurity training is often insufficient, with a lack of drills conducted between regular plant workers and IT security staff.
Widespread reactive, rather than proactive, approaches are commonplace. That means that a nuclear facility might not be aware of a cyberattack until it is "already substantially under way," the report says.
That would be particularly likely if the attack happened after normal working hours, the report says.
Remarkably, default passwords such as "1234" were described as being left in use.
"You know that for company X, the default password is always, say, 1234, so you can get in that way," one source is quoted as saying in the study.
"Thus, hackers can often gain access more easily than managers of nuclear facilities expect," the report says.
'Culture of denial'
The risk of a "serious cyberattack on civil nuclear infrastructure is growing," the study says.
And while the industry has made progress with physical security, it hasn't with cyber, the report's main author thinks.
The nuclear industry has "barely grappled with cyber," Caroline Baylon, the report's author, said in an article about the study in the Financial Times.
There's a "culture of denial," she says in the newspaper.
"The conventional belief that all nuclear facilities are 'air gapped,'" in other words, isolated from the public internet, "is a myth," the report says.
Problems include that operators want the "commercial benefits" of Internet connectivity, or don't even know that they are connected to the Internet.
"A number of nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of," the report says. VPNs can be used to introduce malware onto the industrial control network.
Even where facilities are air gapped, this safeguard can be "breached with nothing more than a flash drive." Personal computers are used at nuclear facilities, the study found. They were directly connected to industrial control systems in some cases.
Among the concerns would be copies of the Stuxnet worm getting in. Stuxnet is a cyberattack tool that targets electromechanical processes.
Other concerns are automated exploit toolkits that are increasingly available, the report says. Open source penetration testing tools carrying malicious payloads is a concern, for example.
Personal BYOD is also an issue. In one case, a source said that an engineer's use of a zip drive introduced a virus into a turbine control that caused the turbine to increase speed. A failsafe kicked in in that case.
Release of radiation?
And how much does it actually matter?
A cyberattack that takes out one or more plants could quickly "remove a significant base component to the grid, causing instability," the report says.
And in the worst-case scenario? Plants need power to operate safely. In theory, a cyberattack on a nuclear plant's backup power system could cause an "uncontrolled release of ionizing radiation," the study grimly speculates.
This article is published as part of the IDG Contributor Network. Want to Join?