Russia Hacks Into U.S. Power Plants, But Nuclear Reactors Should Be Impervious

The control room at the Browns Ferry nuclear reactor. These systems are robustly isolated from the outside world and the Internet. They cannot be hacked..Archives of Les Corrice

According to an alert from the United States Computer Emergency Readiness Team yesterday, Russia has hacked into many of our government entities and domestic companies in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors – essentially most of what makes our country go.

This is not new — Russia seems to have made hacking America its favorite past-time, most notably in its efforts to impact the 2016 presidential campaign. They’ve been hacking into our electric grid for some time. It’s just that we haven’t done much to stop it or to respond in any potent fashion.

The electric grid is a system of systems, managed by thousands of people, computers and manual controls, with data supplied by tens of thousands of sensors connected by a wide variety of communications networks. Over the next 20 years, the growth in data flowing through our grid will far exceed the flow of electricity.

So it is essential that we protect it from cyber-attack.

According to an MIT study on the future of the grid, it will be impossible to fully protect the grid from cyber accident or attack, so mechanisms to respond, and recover rapidly in order to reduce the impact of these events, need to be promulgated throughout the industry as quickly as possible.

As described in the study, the U.S. National Institute of Standards and Technology Cybersecurity Working Group identified 137 types of interfaces between different grid systems. For example, every smart meter and most sensors and major pieces of equipment at generating plants and substations will have communications modules, using millions of components from potentially hundreds of manufacturers. Software applications will also be provided by many different developers.

While the North American Electric Reliability Corporation has developed Cybersecurity Infrastructure Protection standards covering the bulk power system, no organization presently has responsibility for overseeing grid cybersecurity across all aspects of our energy systems.

Therefore, to cope with cybersecurity threats, the first thing to do is give a single federal agency responsibility for cybersecurity preparedness, response, and recovery across the entire electric power sector, including both bulk power and distribution systems. This is going to take years to implement.

Comanche Peak Nuclear Generating Station. Most nuclear plants are still be analog and mostly not connected to the Internet. Hackers can’t affect a nuclear power plant operations or safety systems. They can only hack some business, personnel and other non-essential files.NEI

But what about nuclear? Are we at risk of cyber-induced meltdowns or releases of radiation?


Fortunately, while the Russians may be able to disrupt electricity transmission in general, and electricity generation from many power plants like natural gas and wind farms, they can’t hack into nuclear power plant operations. Nuclear plants are still mostly analog and not connected to the Internet.

On purpose.

Russian hackers can’t affect nuclear power plant operations or safety systems. But they could, and probably did, hack some business, personnel and other non-essential files, which may be embarrassing and a little costly, but not dangerous. These nuclear reactors are truly operational islands wholly disconnected from the Internet.

As we’ve discussed before, a recent joint report from the DHS and the FBI says, ‘There is no indication of a threat to public safety [from hacking of our nuclear plants] as any potential impact appears to be limited to administrative and business networks.’

America’s nuclear plants are one of the best protected of all systems from possible cyber threats. The safety and control systems for our nuclear reactors and other vital plant components are not connected to business networks or the Internet. We learned a lot from Stuxnet, the malicious computer worm that substantially damaged Iran’s nuclear program.

John Keeley of the Nuclear Energy Institute says no reactors operating in the United States have been affected by this hacking.

The nuclear industry does not use firewalls to isolate these systems, that’s not good enough. In the old days, we did have some firewalls which were vulnerable, and the Slammer worm taught us that we do not want to be connected to the internet.

Our plants now use hardware-based data diode technologies developed for high assurance environments, like the DOD. Data diodes allow information to be sent out, like operational and monitoring data, but ensure that information cannot flow back into the plant.

Updating software and equipment using portable devices, have strict restrictions. While there is always the possibility of an inside job, outside laptops and thumb drives cannot be used without serious scrubbing, if at all. But that’s different than a cyber-attack.

‘United States utilities with nuclear assets have very robust cyber security programs dating back to the days of Y2K,’ says David Blee, Executive Director of the National Nuclear Infrastructure Council. ‘Operational plant systems controls are segregated from normal business software by several layers of protection, including physical means.’

Since Russia’s hacking of our 2016 elections came to light, it seems that hacking has become the normal daily occurrence in our Brave New World. Global ransomware attacks are becoming common. In 2016, hacking cost the world over $450 billion.

Unfortunately, the global Internet is still developing its immune system. It is essential that we develop organism-like evolving cyber immune defenses if we are to feel secure in this new cyber age. Google’s Project Zero has formed an elite cyber SWAT team that is cruising the net like white blood cells.

But nuclear is fine. Like a shark, it has an immune system from the analog age. Also, nuclear is more monitored than any other industry. According to a spokesman for the United States Nuclear Regulatory Commission, the NRC is immediately notified if any of the safety, security, or emergency preparedness functions at an operating nuclear plant has been penetrated by a cyber attack.

New nuclear plant designs, like those at the new small modular reactor company NuScale Power in Oregon, have developed advanced cybersecurity systems along with their new safety and operational systems in order to guard against just this problem.

A key feature of the NuScale design is that it employs a defensive security architecture with multiple layers of protection against internet cybersecurity threats. NuScale’s platform implements a Field Programmable Gate Array (FPGA) technology that has non-microprocessor systems – they do not use software and are not vulnerable to Internet cyber-attacks.

Their nuclear plant doesn’t rely on computers or software to provide plant safety, that is, NuScale reactors can safely shut themselves down and cool themselves for an indefinite period of time without the need for computer or human actions, without AC or DC power, and without the need for additional water.

Almost all new reactor designs around the world are incorporating these sorts of features.

So don’t spend sleepless nights worrying about hacking of our nuclear power plants. But do worry about hacking our electric grid in general.

And definitely lose sleep over hacking of our democracy.

This content was originally published here.