Q&A: Expert Wants Nuclear Plants Taken ‘Off the Table’ in Cyber-Warfare

An employee looks at computer screens in the fourth reactor of the Kalinin Nuclear Power Plant in Udomlya, Russia, some 200 miles outside Moscow, in March 2011. Experts fear that atomic facilities could become targets of cyber-attacks, with potentially devastating consequences.
National Journal
Sebastian Sprenger
May 30, 2014, 9:49 a.m.

One U.S. cy­ber­se­cur­ity ex­pert is ar­guing that world na­tions should jointly pledge they will spare civil nuc­le­ar fa­cil­it­ies from com­puter at­tacks for hu­man­it­ari­an reas­ons.

Bruce Mc­Con­nell co-au­thored a Janu­ary 2014 re­port for the East­W­est In­sti­tute that de­scribes nuc­le­ar in­form­a­tion se­cur­ity as a “sig­na­ture se­cur­ity is­sue of the in­form­a­tion age,” de­cry­ing that the top­ic has re­ceived too little at­ten­tion. “There is a mor­al and polit­ic­al judg­ment to be made about hu­man­it­ari­an im­pacts, even in war­time, of po­ten­tial re­lease of large amounts of ra­di­ation by at­tack­ing tar­gets like a nuc­le­ar power sta­tion,” he con­tends.

Mc­Con­nell held vari­ous cy­ber­se­cur­ity-re­lated jobs dur­ing his roughly four-year ten­ure at the De­part­ment of Home­land Se­cur­ity. He left gov­ern­ment ser­vice last year to join the New York of­fice of the East­W­est In­sti­tute as a seni­or vice pres­id­ent and man­ager of the think tank’s Co­oper­a­tion in Cy­ber­space Pro­gram.

The re­com­mend­a­tion to for­mu­late an in­ter­na­tion­al agree­ment for ban­ning tech­no­lo­gic­al as­saults on nuc­le­ar fa­cil­it­ies aligns with con­ven­tion­al wis­dom that at­tack­ers’ cap­ab­il­it­ies will al­ways be a step ahead of vir­tu­al de­fenses, Mc­Con­nell told Glob­al Se­cur­ity News­wire in a May 13 tele­phone in­ter­view. Crit­ic­al in­fra­struc­ture — in­clud­ing nuc­le­ar-power fa­cil­it­ies — is es­pe­cially vul­ner­able if its op­er­a­tion­al con­trol sys­tems can be ac­cessed from the In­ter­net, as is in­creas­ingly the case.

He called the 2012 cy­ber-at­tack on Saudi Ar­a­bia’s na­tion­al oil com­pany Ara­mco a “scare.” While the hack­ers failed to af­fect the com­pany’s core pro­duc­tion pro­cesses, the at­tack played out dan­ger­ously close to the in­ter­sec­tion of routine busi­ness sys­tems and those ap­plic­a­tions gov­ern­ing an in­dus­tri­al plant’s phys­ic­al op­er­a­tion.

At the same time, Mc­Con­nell is care­ful not to over­state the threat as it ex­ists today, say­ing a true atom­ic dis­aster brought about by hack­ing could be “dire” but is un­likely. He ar­gues that a mix of policy de­cisions and reg­u­la­tions should be craf­ted today to en­sure atom­ic fa­cil­it­ies are “off the table” in fu­ture con­flicts.

Ed­ited ex­cerpts of the in­ter­view with Mc­Con­nell fol­low:

GSN: How vul­ner­able are U.S. nuc­le­ar power plants to cy­ber-at­tacks? And what about fa­cil­it­ies world­wide?

Mc­Con­nell: The an­swer is some­what coun­ter­in­tu­it­ive. In gen­er­al, what we find is that the United States tends to be an early ad­op­ter in terms of us­ing in­form­a­tion tech­no­logy in in­dus­tri­al con­trol sys­tems and in­dus­tri­al ap­plic­a­tions. “¦ The source of vul­ner­ab­il­ity is re­lated to how much of the nuc­le­ar op­er­a­tion is con­nec­ted and de­pend­ent upon IT. So, if you have older fa­cil­it­ies that are less con­nec­ted and “¦ loc­ated some­where where there is less ag­gress­ive use of IT in in­dus­tri­al spaces “¦ they may be less vul­ner­able.

The prob­ab­il­ity of re­lease of ra­dio­act­ive ma­ter­i­al through a com­bined phys­ic­al cy­ber-at­tack is re­l­at­ively low. So, we try not to join the chor­us of hype here and say, “The sky is fall­ing,” be­cause it’s ac­tu­ally pretty hard to have a re­lease of ra­dio­act­ive ma­ter­i­al. So, it’s a low-prob­ab­il­ity event. It’s al­most im­possible, I think, just through cy­ber; you’d have to add some phys­ic­al as­pect to it.

I would say that neither U.S. nor European [nor] oth­er for­eign nuc­le­ar fa­cil­it­ies are par­tic­u­larly vul­ner­able from the stand­point of a dire re­lease of ra­dio­activ­ity. But if you think about the risk — a func­tion of threat, vul­ner­ab­il­ity and con­sequences — in this case it’s the con­sequences that make the risk high­er, not so much the vul­ner­ab­il­ity. Al­though vul­ner­ab­il­it­ies ex­ist, and there are people, ob­vi­ously, and threats who would like to take ad­vant­age of them.

GSN: What de­term­ines the de­gree to which nuc­le­ar fa­cil­it­ies are at risk of cy­ber-at­tacks?

Mc­Con­nell: There are two ways of at­tack. One way is through the busi­ness sys­tems, which are gen­er­ally con­nec­ted to the In­ter­net. So, the ex­ample here would be the Saudi Ara­mco at­tack. It was a scare. We’ve seen oth­er cases where busi­ness sys­tems have been used to get in­to op­er­a­tion­al sys­tems, which have been less well pub­li­cized.

In the old days, there was a rule in the util­ity in­dustry nev­er to con­nect your busi­ness sys­tems to your con­trol sys­tems, be­cause of just that prob­lem. And this was even be­fore the In­ter­net. But eco­nom­ics has [changed] that, and now you can do main­ten­ance re­motely “¦ and save a lot of money and be more ef­fi­cient. But you also in­tro­duce more vul­ner­ab­il­ity. It’s the con­nec­tion to the busi­ness sys­tem, in gen­er­al, that opens up a whole host of gen­er­ic vul­ner­ab­il­it­ies that cre­ate the po­ten­tial for hav­oc.

The oth­er way is what we saw in Stuxnet, which is where the con­trol sys­tems were not con­nec­ted to the out­side world. So, there the mal­ware was in­tro­duced through — and we don’t know the de­tails — a com­bin­a­tion of phys­ic­al means, maybe a thumb drive, and very soph­ist­ic­ated “¦ tech­niques that al­low you to get in that way. “¦

That was a more cum­ber­some pro­cess. The kind of phys­ic­al way of do­ing it, wheth­er it’s through a thumb drive or some­body on the in­side, takes more art form, a more soph­ist­ic­ated, bet­ter re­sourced at­tack­er. But it’s also a pos­sib­il­ity.

GSN: Are there in­dic­a­tions that ter­ror­ists seek to hack nuc­le­ar fa­cil­it­ies?

Mc­Con­nell: It’s cer­tainly plaus­ible. It’s a good re­search ques­tion wheth­er there are pub­lic do­main writ­ings that say, “We would really like to take down a nuc­le­ar plant.” But all the ele­ments are there. From the stand­point of in­tent, cre­at­ing a small ac­ci­dent would cre­ate a big ef­fect if you got a re­lease of ra­dio­act­ive ma­ter­i­al. Even the scare that there might be a danger of re­lease would be an ef­fect­ive at­tack by a ter­ror­ist who is try­ing to cre­ate ter­ror. I don’t ac­tu­ally know the an­swer. I can’t point to some­body who said they want to do this. But it’s cer­tainly plaus­ible that they would.

It gets to the is­sue of cap­ab­il­ity and in­tent in a giv­en threat. And in this case, as in most oth­er cases of cy­ber ter­ror­ism, where there is in­tent, there is not as much cap­ab­il­ity today. I think the con­ven­tion­al wis­dom is that it’s a mat­ter of time be­fore cap­ab­il­ity be­comes avail­able, and there will be a race between harden­ing some of these sites and the cap­ab­il­it­ies of the ter­ror­ists.

GSN: What are the reg­u­lat­ory mech­an­isms for min­im­iz­ing the risk of a suc­cess­ful cy­ber-at­tack?

Mc­Con­nell: Do­mest­ic­ally, of course, there is the Nuc­le­ar Reg­u­lat­ory Com­mis­sion. They are very aware of cy­ber is­sues. Their reg­u­la­tions are quite strict. If you look across the spec­trum of crit­ic­al in­fra­struc­ture and cy­ber reg­u­la­tion, the two that are at the highest level are fin­an­cial ser­vices and nuc­le­ar. There are some pretty high stand­ards.

What I would point out in this reg­u­lat­ory en­vir­on­ment is that you can reg­u­late people and re­quire them to pro­tect them­selves, but as it is true with all things cy­ber, you’ll nev­er get 100 per­cent pro­tec­tion. So, what we’re call­ing for in our re­port [with co-au­thor Greg Aus­tin] is rather than — cer­tainly people should pro­tect their sys­tems — but we’re pro­pos­ing that [na­tion-]states take the step of say­ing they’re not go­ing to do this. There are some things that are not a good idea to at­tack for pub­lic-good reas­ons, if you will. And this is an ex­ample of that.

GSN: Do you see a blind spot in reg­u­la­tion that has yet to be covered?

Mc­Con­nell: I think that the reg­u­la­tion side, or what pro­viders and own­ers of these fa­cil­it­ies [do], is pretty good. I don’t think there are any big blind spots for the ma­jor ones. I haven’t looked care­fully at health ap­plic­a­tions and man­u­fac­tur­ing of X-ray devices and things like that. The health in­dustry is fairly un­der-reg­u­lated in cy­ber, so I would ima­gine there are some gaps there. But I don’t know that the risk is as great as it would be in the area that we’re look­ing at. … But that’s more of an im­pres­sion.

GSN: What is the role of the nuc­le­ar in­dustry to se­cure fa­cil­it­ies against cy­ber-at­tacks?

Mc­Con­nell: Well, it’s the in­dustry’s as­sets, so they need to pro­tect them. The prob­lem with in­dustry — and par­tic­u­larly crit­ic­al in­fra­struc­ture — is that un­less there’s a reg­u­la­tion in place, the pub­lic util­ity com­mis­sions gen­er­ally don’t al­low the costs. If you’re a reg­u­lated in­dustry, you can’t go out and say, “We’re go­ing to make a big in­vest­ment in cy­ber­se­cur­ity.” You have to get that through the loc­al [pub­lic util­ity com­mis­sion]; that’s a prob­lem. That’s why it’s handy for the na­tion­al reg­u­lat­or, at least in the United States, to do this.

These firms are pro­act­ive, and they’re act­ing re­spons­ibly. But again, no in­di­vidu­al firm can af­ford to make the in­vest­ments to pro­tect against a ser­i­ously well fun­ded at­tack­er.

In gen­er­al, in­vest­ment among com­pan­ies in cy­ber­se­cur­ity is not what it should be. Cre­at­ing the will­ing­ness to pay is a long pro­cess. They’re aware of the prob­lem, but do they take ac­tion? More so now, but not enough yet.

GSN: You have pro­posed the cre­ation of an in­ter­na­tion­al re­sponse cen­ter for nuc­le­ar in­form­a­tion se­cur­ity in­cid­ents, based on pro­pos­als by U.S. and Rus­si­an spe­cial­ists. How would that work?

Mc­Con­nell: The In­ter­na­tion­al Atom­ic En­ergy Agency is the ex­pert body on the in­ter­na­tion­al stage that has the abil­ity to make a dif­fer­ence here if something is go­ing to be done mul­ti­lat­er­ally. That’s where you would set up such a cen­ter. You’d have people in it from vari­ous coun­tries, and they would all have phone num­bers and in­ter­net ad­dresses of part­ners and in­dustry rep­res­ent­at­ives, and if something happened, that’s where you would go to get help.

GSN: Is it real­ist­ic to bank on people’s “mor­al and polit­ic­al judg­ment,” as you call it, in the pro­pos­al to make nuc­le­ar fa­cil­it­ies off-lim­its for cy­ber-at­tacks?

Mc­Con­nell: You have to start some­where, right? I mean, this would re­quire coun­tries to agree not to do this. But they’ve agreed to not at­tack hos­pit­als in con­ven­tion­al war­fare. So there is pre­ced­ent for this. They have agreed not to at­tack civil avi­ation by tech­no­lo­gic­al means.

I think it’s prac­tic­al. We just need to get the con­ver­sa­tion star­ted. And there is an in­terest in set­ting up more com­pre­hens­ive norms. What we’re try­ing to say is, in ad­di­tion to that top-down com­pre­hens­ive ap­proach, why don’t we just start by tak­ing a few things off the table. So I think it’s ab­so­lutely real­ist­ic.

GSN: Giv­en past U.S.-Rus­si­an ex­pert co­oper­a­tion on the is­sue, has the Ukraine crisis had an ef­fect on the con­ver­sa­tion?

Mc­Con­nell: Two things: Just the over­all dis­trac­tion of the Ukraine crisis has made con­ver­sa­tions with the Rus­si­ans more dif­fi­cult, only be­cause there’s a lot of ex­tra stuff go­ing on. But we con­tin­ue to dis­cuss and work with the Rus­si­ans on cy­ber­se­cur­ity mat­ters from here. But I think the of­fi­cials chan­nels have been strained by the un­pleas­ant­ries in the Ukraine, so I think that has set back of­fi­cial con­ver­sa­tions around this.

What We're Following See More »
MARCIA FUDGE TO PRESIDE
Wasserman Schultz Stripped of Convention Duties
5 hours ago
THE DETAILS

Democratic National Committee Chairwoman Debbie Wasserman Schultz "will not have a major speaking role or preside over daily convention proceedings this week," and is under increasing pressure to resign. The DNC Rules Committee on Saturday named Ohio Democratic Rep. Marcia Fudge as "permanent chair of the convention." At issue: internal DNC emails leaked by Wikileaks that show how "the DNC favored Clinton during the primary and tried to take down Bernie Sanders by questioning his religion."

Source:
EARLY BUMP FOR TRUMP?
New Round of Polls Show a Tight Race
2 days ago
THE LATEST
  • A Rasmussen Reports poll shows Donald Trump ahead of Hillary Clinton, 43%-42%, the fourth week in a row he's led the poll (one of the few poll in which he's led consistently of late).
  • A Reuters/Ipsos survey shows Clinton leading 40%-36%. In a four-way race, she maintains her four-point lead, 39%-35%, with Gary Johnson and Jill Stein pulling 7% and 3%, respectively.
  • And the LA Times/USC daily tracking poll shows a dead heat, with Trump ahead by about half a percentage point.
BELLWETHER?
Candidates Deadlocked in Ohio
3 days ago
THE LATEST
17-POINT EDGE AMONG MILLENNIALS
Clinton Dominates Among Younger Voters
3 days ago
THE DETAILS

In an election between two candidates around 70 years of age, millennials strongly prefer one over the other. Hillary Clinton has a 47%-30% edge among votes 18 to 29. She also leads 46%-36% among voters aged 30 to 44.

Source:
NEW POLL SHOWS TROUBLE FOR TRUMP
Clinton Leads Trump Among Latinos by Nearly 70 Points
3 days ago
THE DETAILS

According to an online tracking poll released by New Latino Voice, Hillary Clinton leads Donald Trump among Latino voters, attracting support from 81 percent of Latino voters, to just 12 percent support for Trump. The results of this poll are consistent with those from a series of other surveys conducted by various organizations. With Pew Research predicting the 2016 electorate will be 12 percent Hispanic, which would be the highest ever, Trump could be in serious trouble if he can't close the gap.

Source:
×