It is no secret that the nuclear energy industry has been targeted in the past by cyberattacks. Most of these attacks, however, were not on power plants but on other facilities. Such incidents include the Stuxnet attack against Iranian Uranium enrichment plants and other similar (but thwarted) attacks against Iran's nuclear energy program. For some time now, cybersecurity experts in the field of cyberwarfare, like myself, have known that there have been cyber incidents affecting global power plants. Now International Atomic Energy Agency (IAEA) Director Yukiya Amano has officially confirmed this to the world.
In a statement reported by Reuters, IAEA director Amano acknowledged a significant cyberattack on German and South Korean nuclear power plants. The attack in South Korea occurred in 2014 against Korea Hydro & Nuclear Power Co. Ltd. According to Korea Hydro, noncritical data was stolen from their systems. The data itself may have been noncritical, but the fact that hackers were able to access internal networks of nuclear power plants is a cause for concern.
The second incident, which occurred in Germany, was far more alarming, especially in light of Stuxnet's damage. In April 2016, the Gundremmingen plant, which belongs to the RWE utility company, discovered numerous viruses in its systems. Although the company asserts that no major operations were affected, the reality is they were just very lucky.
“This is not an imaginary risk,” Amano said. “This issue of cyberattacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it's the tip of the iceberg." His attitude is the proper one, because while a total shutdown of a reactor has not happened yet in a major metropolis, it very well could happen in the future. Cyberterrorism is a legitimate threat, and as the cyber battleground grows exponentially, it is only a matter of time before malware is coded with the capability of creating another Chernobyl.
Amano asserts that this issue is being taken seriously by the major entities governing nuclear security. The IAEA has pledged to assist 131 countries with security training, as well as radiation-detection devices. It is important that the IAEA not be the only one involved in the bolstering of defense mechanisms of nuclear energy. Cybersecurity researchers must consistently look for ways to prevent mass reactor shutdowns should the inevitable "doomsday" virus come into existence.
This is not paranoia anymore. This is reality.
Photo credit: IAEA, Felix Konig