DAVID LOWRY questions whether enough is being done to ensure Britain’s nuclear power plants are protected from cyber attacks
JUST after Christmas, the Times’s science correspondent Oliver Moody provided a public and political service in exposing the worrying inadequacies of Britain’s nuclear safety and security regulator, the Office for Nuclear Regulation (ONR).
But while the article concentrated mainly on safety concerns, there are several security issues unresolved.
In ONR’s latest annual report it records that: “There are areas where the duty holder’s security arrangements did not fully meet regulatory expectations.”
Regarding the Sellafield facility, it continues: “A requirement to improve processes in place for Cyber Security and Information Assurance (CS&IA) was identified. A contributory factor in this area was associated with a lack of resources within CS&IA capability.”
I raised these concerns at a nuclear policy roundtable seminar in the past month at the Politics Department at Cambridge University.
It was here where Baroness Lucy Neville-Rolfe made her final appearance as energy minister, before being moved to the Treasury two days later, to be replaced by Lord Prior of Brampton.
At a conference on December 6 to the International Conference on Nuclear Security in Vienna, hosted by the UN’s nuclear watchdog the International Atomic Energy Agency (IAEA), Baroness NevilleRolfe made a presentation in which she spent far more time promoting the British nuclear industry than addressing nuclear security.
Indeed, even her announcement that Britain “will make a further contribution of at least £5.5 million before the end of March 2017” to the IAEA nuclear security fund should be put into the context that Business, Energy and Industrial Strategy and the Treasury have committed at least £370m to support proliferationrisky and insecure Small Modular Reactor (SMR) development in the past year.
A report titled Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities, issued by the Washington DC-based Nuclear Threat Initiative (NTI) at the same IAEA conference, reveals that Britain’s nuclear sector has suffered two significant cyber security failures in the past: one in June 1999 at the Bradwell Nuclear Power Plant — when an employee intentionally “altered/destroyed data” — and in September 1991 at Sellafield — when a software bug led to “unauthorised opening of doors.”
The report asserts worryingly that: “The global community is in the early stages of understanding the magnitude of the cyber threat. In many ways, humans have created systems that are too complex to manage, in most cases, risks cannot even be quantified.”
In a forward to the report, experienced former US senator Sam Nunn, now co-chair of NTI, writes: “Governments and industry simply must get ahead of this rapidly evolving global threat.
“There’s no doubt that nuclear facility operators and regulators are aware of the threat.
“Unfortunately, many of the traditional methods of cyber defence at nuclear facilities — including firewalls, antivirus technology, and air gaps — are no longer enough to match today’s dynamic threats.
As the renowned cryptographer Bruce Schneier said: ‘Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools’.”
Backing up this assessment is Britain’s Security Minister Ben Wallace, who said in a wide-ranging interview on the terrorism threat in the Sunday Times on New Year’s Day that “our greatest vulnerability” is to cyber-attacks and the range and frequency of attacks by Britain’s enemies is “quite breathtaking,” adding that “big companies and banks are not taking the threat seriously enough.”
Just over five years ago, ONR published a report on a new reactor design nuclear vendors wanted to build in Britain, saying: “Overall, based on the review undertaken, we are satisfied that the claims, arguments and evidence laid down within the documentation [...] presents an adequate security case for the generic AP1000 reactor design.
“The AP1000 reactor is therefore considered suitable from a security perspective for construction in the UK, subject to satisfactory progression and resolution of Generic Design Assessment Findings.”
But it also points out that “a number of plant items have been agreed with Westinghouse as being outside the scope of the Generic Design Assessment process and hence have not been included in the assessment.”
Readers may be surprised to learn these exclusions include (but are not limited to): “The physical security measures for the High Security Area boundary within which the nuclear island will be contained and the long-term storage facilities for spent nuclear fuel and intermediate level waste.”
Later the report reveals: “Aircraft Impact is not considered as a part of the security assessment.” But clarifies: “However, this subject is addressed under the Civil Engineering and External Hazards topic areas.”
The report also admits that “the Nuclear Industries Malicious Capabilities Planning Assumptions document is protectively marked with a UK eyes only caveat and could not be shared with Westinghouse. “However, the methodologies used to identify potential Vital Areas were shared.”
This means Westinghouse had to make educated guesses against which malicious threats to plan, an approach that does not fill external analysts with confidence in the robustness of the security measures being in-built into the reactor and associated facilities design.
Adrienne Kelbie, the relatively new chief executive of the ONR who joined in January 2016, has a major job on her hands to ensure Britain has more robust nuclear security.
Dr David Lowry is a senior research fellow for the Institute for Resource and Security Studies.
We need your support to keep running. If you like what you read please donate by clicking here