A focus on safety and high physical security means that many nuclear facilities are blind to the risks of cyber attacks, according to a report by think-tank Chatham House, which cites 50 incidents globally, of which only a handful have been made public.
The findings are drawn from 18 months of research and 30 interviews with senior nuclear officials at plants and in government in Canada, France, Germany, Japan, the UK, Ukraine and the US.
Dozens of nuclear power stations have control systems accessible through the internet even though many plant operators believe a persistent “myth” that their facilities are “air gapped” with physically separated computer networks, the report says.
It points to a 2003 incident at the Davis-Besse plant in Ohio, when an engineer accessed the plant from his home laptop through an encrypted VPN connection. His home computer had become infected with the nuisance self-replicating “Slammer” worm. The worm infected the nuclear plant’s computer system, causing a key safety control system to be overwhelmed with the worm’s traffic and trip out.
A more serious incident occurred in 2006 at Browns Ferry in Alabama, when a key safety system was similarly overwhelmed with network traffic, which nearly led to a meltdown.