BEYOND NUCLEAR PUBLICATIONS

Security

Nuclear reactors are sitting-duck targets, poorly protected and vulnerable to sabotage or attack. If their radioactive inventories were released in the event of a serious attack, hundreds of thousands of people could die immediately, or later, due to radiation sickness or latent cancers. Vast areas of the U.S. could become national sacrifice zones - an outcome too serious to risk. Beyond Nuclear advocates for the shutdown of nuclear power.


Wednesday, Oct. 7, 2015

Vulnerability of nuclear-related ICS/SCADA systems to cyber-attack, and the risk of catastrophic releases of hazardous radioactivity

As reported by John Bryk at NetworkWorld, in an article entitled "Non-technical manager’s guide to protecting energy ICS/SCADA":

Sophisticated cyber-attacks known as Advanced Persistent Threats (APT) are a growing challenge to the energy sector of our nation’s critical infrastructure. These attacks can largely be attributed to well-funded, dedicated nation-state actors.

APT attacks against Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are increasing; the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cited ICS/SCADA and control system networks as one of the top two targets for hackers and viruses. These vulnerabilities begin with the human interface (13% of vulnerabilities required local access) and end with the actual Internet-facing ICS/SCADA hardware (87% of vulnerabilities are web-accessible).

There is a firm business argument that supports the protection of ICS/SCADA. Without proper safeguards in place, continued APT attacks will cause disruption, degradation, disability, and possible destruction of costly and/or irreplaceable Energy Sector equipment and facilities. The economic impact to energy companies would be minor in comparison to the impact of a loss of electricity, natural gas, and petroleum throughout the United States. It is in the best interest of both Energy Sector companies and the Nation to immediately plan, fund, and effectively secure ICS/SCADA from front-to-back.

The article concludes with a "Call to Action," stating:

It is not unusual for energy sector partners to experience multiple millions of probes or attacks in a single day. One electrical producer reported 17.8 million occurrences in a 24-hour period. This is the reality of cybersecurity; the attacker only has to be lucky once. You, as the defender, must be perfect every time.

The loss of even short-term energy sector capability could be devastating for the lives of all U.S. citizens. Managers within this sector bear a social, moral, and legal responsibility to protect all facets of cyber and physical security within their span of control.

No longer is the question, “Can we afford the equipment?” The question has become, “When my industry becomes incapacitated in a cyber-attack, who will the public blame? Who will find their names in the newspaper? Who stands to lose everything?” The answer is, you and your company.

Of course, with atomic reactors, and other nuclear facilities such as high-level radioactive waste storage pools, a successful cyber-attack could cause a catastrophic release of hazardous radioactivity.

Monday, Oct. 5, 2015

Chatham House: "Cyber Security at Civil Nuclear Facilities: Understanding the Risks"

[Photo: Workers at the Wolsong nuclear power plant participate in an anti-cyber attack exercise, Gyeongju, South Korea. Photo: Getty Images.]

On Oct. 5, 2015, Chatham House/The Royal Institute of International Affairs published a report entitled Cyber Security at Civil Nuclear Facilities: Understanding the Risks.

The report does perform the public service of making abundantly clear that the risks of cyber attacks at nuclear power plants, and other nuclear power related facilities, are very serious, and that the nuclear power industry, and the government agencies in charge of protecting public health, safety, security, and the environment, are not taking the risk of cyber attacks anywhere near seriously enough.

However, the report also does the disservice of assuming that the nuclear power industry is essential, and must be continued. This is quite debatable, especially given the serious risks that cyber attacks represent, not only for electric reliability on a large scale, but also in terms of the potential for catastrophic release of hazardous ionizing radioactivity -- risks this report itself acknowledges.

The report also does the disservice of naming anti-nuclear organizations as a potential source of cyber attacks on nuclear facilities. This unfortunately continues a trend of demonizing environmental opponents of nuclear power, as well as concerned citizens, who have devoted themselves to preventing radiological disasters, and in a non-violent manner.

The study reports a number of publicly known cyber attacks, and other cyber incidents, at nuclear power plants, while it hastens to add that the nuclear power industry itself is very likely concealing information about a much larger number of such incidents. As the study reports:

While only a few cyber attacks on nuclear facilities have been made public, one estimate (Source 8) puts the number of major incidents that have affected industrial control systems as high as 50 (this is in addition to frequent routine attacks on business networks):

What people keep saying is 'wait until something big happens, then we'll take it seriously.' But the problem is that we have already had a lot of very big things happen. There have probably been about 50 actual control systems cyber incidents in the nuclear industry so far, but only two or three have been made public. (Page 15, or 26 of 53 on the PDF counter)

The report does, however, document the following cyber attacks and other incidents that are publicly known:

Known cyber security incidents at nuclear facilities

Ignalina nuclear power plant (Lithuania, 1992)...Davis-Besse nuclear power plant (Ohio, 2003)...Browns Ferry nuclear power plant (Alabama, 2006)...Hatch nuclear power plant (Georgia, 2008)...Natanz [uranium enrichment] facility and Bushehr nuclear power plant -- Stuxnet (Iran, 2010)...Unnamed Russian nuclear power plant -- Stuxnet (circa 2010)...Korea Hydro and Nuclear Power Co. commercial network (South Korea, 2014)

(See Box 1, on Page 3 to 5, or 14 to 16 of 53 on the PDF counter, for more detailed information on each cyber security incident)

Cyber Security at Civil Nuclear Facilities: Understanding the Risks - See more at: https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks#sthash.lfNUIyca.dpuf

Tuesday, Jun. 30, 2015

Gusterson in BAS: "How the next US nuclear accident could happen"

Although oddly titled and framed (since when are terrorist attacks -- the main thrust of Gusterson's article -- "accidents"?), Hugh Gusterson's article in the Bulletin of the Atomic Scientists does make good points about security, or lack thereof, at U.S. nuclear weapons complex sites.

His warning is also very relevant to vulnerabilities at U.S. commercial nuclear power plants. However, although Gusterson mentions "the potential for safety failures at US nuclear plants," and Chernobyl by name, he does not directly refer to any U.S. nuclear power plants in his article.

He does, however, focus his criticism on security failures at U.S. nuclear weapons complex sites, namely Oak Ridge's Y-12, and safety failures at Los Alamos.

Regarding the latter, his warning about profit-driven speed-up of radioactive waste barrel loading is quite apt. Such cutting of corners likely contributed to the radioactive barrel burst underground at the Waste Isolation Pilot Plant. That $500 million to $1 billion mistake (DOE and L.A. Times estimates, respectively, for the cost of "recovery" at WIPP) exposed two dozen workers to ultra-hazardous, internal alpha particle contamination, and caused an atmospheric release of plutonium and other trans-uranics that fell out over the local landscape.

Tuesday, Feb. 24, 2015

Security guards sue Entergy for overtime pay at Palisades

[Photo: NRC file photo of Entergy's Palisades atomic reactor on the Lake Michigan shoreline in southwest Michigan.]

As reported by Jim Hayden at the Holland Sentinel, nearly two dozen security guards and security department supervisors at the Palisades atomic reactor in Covert, MI (photo, left) have launched a legal action against Entergy Nuclear. They are demanding back overtime pay due them, but Entergy refuses to pay. Vermont Yankee atomic reactor security guards previously prevailed in a similar lawsuit against Entergy.

Although the U.S. Nuclear Regulatory Commission (NRC) claims the "chilled work environment" in Palisades' security guard department has been resolved, security guards themselves seem to think otherwise -- including their feeling that as soon as NRC enhanced oversight ends, Entergy will return to harassing guards who "make waves" (that is, do their jobs, and call attention to problems).

Monday, Feb. 2, 2015

"Nuclear power plant’s security changes mixed one year after ‘unusual’ death"

[Photo: Cooper atomic reactor is shown here during a historic flood in the 1990s.]

As reported by Joe Jordan at Nebraska Watchdog, security protocols have changed little, if at all, at the Cooper nuclear power plant (photo, left) in Nebraska, a full year after a worker was found dead on the "critical refueling floor," 17 hours after he was last seen. 66-year-old Ronald Nurney died of a heart attack, although it is unclear how long he suffered. None of the many cameras in the area detected his distress, and no one thought to look for him, despite his long absence.

As reported, 'Nurney’s widow, Donna, told Nebraska Watchdog she didn’t understand “how anybody in a nuclear power plant can go missing for that long and nobody look for him.”'

For their part, Cooper's owner, Nebraska Public Power District, its operator, Entergy Nuclear, and its supposed regulator, the U.S. Nuclear Regulatory Commission (NRC), have not seen fit to change security procedures, a full year later.

The Cooper atomic reactor is identical in design, and vintage, to the Fukushima Daiichi Units that melted down and exploded in Japan beginning on March 11, 2011.
