Q&A: Expert Wants Nuclear Plants Taken ‘Off the Table’ in Cyber-Warfare

An employee looks at computer screens in the fourth reactor of the Kalinin Nuclear Power Plant in Udomlya, Russia, some 200 miles outside Moscow, in March 2011. Experts fear that atomic facilities could become targets of cyber-attacks, with potentially devastating consequences.
National Journal
Sebastian Sprenger
May 30, 2014, 9:49 a.m.

One U.S. cy­ber­se­cur­ity ex­pert is ar­guing that world na­tions should jointly pledge they will spare civil nuc­le­ar fa­cil­it­ies from com­puter at­tacks for hu­man­it­ari­an reas­ons.

Bruce Mc­Con­nell co-au­thored a Janu­ary 2014 re­port for the East­W­est In­sti­tute that de­scribes nuc­le­ar in­form­a­tion se­cur­ity as a “sig­na­ture se­cur­ity is­sue of the in­form­a­tion age,” de­cry­ing that the top­ic has re­ceived too little at­ten­tion. “There is a mor­al and polit­ic­al judg­ment to be made about hu­man­it­ari­an im­pacts, even in war­time, of po­ten­tial re­lease of large amounts of ra­di­ation by at­tack­ing tar­gets like a nuc­le­ar power sta­tion,” he con­tends.

Mc­Con­nell held vari­ous cy­ber­se­cur­ity-re­lated jobs dur­ing his roughly four-year ten­ure at the De­part­ment of Home­land Se­cur­ity. He left gov­ern­ment ser­vice last year to join the New York of­fice of the East­W­est In­sti­tute as a seni­or vice pres­id­ent and man­ager of the think tank’s Co­oper­a­tion in Cy­ber­space Pro­gram.

The re­com­mend­a­tion to for­mu­late an in­ter­na­tion­al agree­ment for ban­ning tech­no­lo­gic­al as­saults on nuc­le­ar fa­cil­it­ies aligns with con­ven­tion­al wis­dom that at­tack­ers’ cap­ab­il­it­ies will al­ways be a step ahead of vir­tu­al de­fenses, Mc­Con­nell told Glob­al Se­cur­ity News­wire in a May 13 tele­phone in­ter­view. Crit­ic­al in­fra­struc­ture — in­clud­ing nuc­le­ar-power fa­cil­it­ies — is es­pe­cially vul­ner­able if its op­er­a­tion­al con­trol sys­tems can be ac­cessed from the In­ter­net, as is in­creas­ingly the case.

He called the 2012 cy­ber-at­tack on Saudi Ar­a­bia’s na­tion­al oil com­pany Ara­mco a “scare.” While the hack­ers failed to af­fect the com­pany’s core pro­duc­tion pro­cesses, the at­tack played out dan­ger­ously close to the in­ter­sec­tion of routine busi­ness sys­tems and those ap­plic­a­tions gov­ern­ing an in­dus­tri­al plant’s phys­ic­al op­er­a­tion.

At the same time, Mc­Con­nell is care­ful not to over­state the threat as it ex­ists today, say­ing a true atom­ic dis­aster brought about by hack­ing could be “dire” but is un­likely. He ar­gues that a mix of policy de­cisions and reg­u­la­tions should be craf­ted today to en­sure atom­ic fa­cil­it­ies are “off the table” in fu­ture con­flicts.

Ed­ited ex­cerpts of the in­ter­view with Mc­Con­nell fol­low:

GSN: How vul­ner­able are U.S. nuc­le­ar power plants to cy­ber-at­tacks? And what about fa­cil­it­ies world­wide?

McConnell: The answer is somewhat counterintuitive. In general, what we find is that the United States tends to be an early adopter in terms of using information technology in industrial control systems and industrial applications. … The source of vulnerability is related to how much of the nuclear operation is connected and dependent upon IT. So, if you have older facilities that are less connected and … located somewhere where there is less aggressive use of IT in industrial spaces … they may be less vulnerable.

The prob­ab­il­ity of re­lease of ra­dio­act­ive ma­ter­i­al through a com­bined phys­ic­al cy­ber-at­tack is re­l­at­ively low. So, we try not to join the chor­us of hype here and say, “The sky is fall­ing,” be­cause it’s ac­tu­ally pretty hard to have a re­lease of ra­dio­act­ive ma­ter­i­al. So, it’s a low-prob­ab­il­ity event. It’s al­most im­possible, I think, just through cy­ber; you’d have to add some phys­ic­al as­pect to it.

I would say that neither U.S. nor European [nor] oth­er for­eign nuc­le­ar fa­cil­it­ies are par­tic­u­larly vul­ner­able from the stand­point of a dire re­lease of ra­dio­activ­ity. But if you think about the risk — a func­tion of threat, vul­ner­ab­il­ity and con­sequences — in this case it’s the con­sequences that make the risk high­er, not so much the vul­ner­ab­il­ity. Al­though vul­ner­ab­il­it­ies ex­ist, and there are people, ob­vi­ously, and threats who would like to take ad­vant­age of them.

GSN: What de­term­ines the de­gree to which nuc­le­ar fa­cil­it­ies are at risk of cy­ber-at­tacks?

Mc­Con­nell: There are two ways of at­tack. One way is through the busi­ness sys­tems, which are gen­er­ally con­nec­ted to the In­ter­net. So, the ex­ample here would be the Saudi Ara­mco at­tack. It was a scare. We’ve seen oth­er cases where busi­ness sys­tems have been used to get in­to op­er­a­tion­al sys­tems, which have been less well pub­li­cized.

In the old days, there was a rule in the utility industry never to connect your business systems to your control systems, because of just that problem. And this was even before the Internet. But economics has [changed] that, and now you can do maintenance remotely … and save a lot of money and be more efficient. But you also introduce more vulnerability. It’s the connection to the business system, in general, that opens up a whole host of generic vulnerabilities that create the potential for havoc.

The other way is what we saw in Stuxnet, which is where the control systems were not connected to the outside world. So, there the malware was introduced through — and we don’t know the details — a combination of physical means, maybe a thumb drive, and very sophisticated … techniques that allow you to get in that way. …

That was a more cum­ber­some pro­cess. The kind of phys­ic­al way of do­ing it, wheth­er it’s through a thumb drive or some­body on the in­side, takes more art form, a more soph­ist­ic­ated, bet­ter re­sourced at­tack­er. But it’s also a pos­sib­il­ity.

GSN: Are there in­dic­a­tions that ter­ror­ists seek to hack nuc­le­ar fa­cil­it­ies?

Mc­Con­nell: It’s cer­tainly plaus­ible. It’s a good re­search ques­tion wheth­er there are pub­lic do­main writ­ings that say, “We would really like to take down a nuc­le­ar plant.” But all the ele­ments are there. From the stand­point of in­tent, cre­at­ing a small ac­ci­dent would cre­ate a big ef­fect if you got a re­lease of ra­dio­act­ive ma­ter­i­al. Even the scare that there might be a danger of re­lease would be an ef­fect­ive at­tack by a ter­ror­ist who is try­ing to cre­ate ter­ror. I don’t ac­tu­ally know the an­swer. I can’t point to some­body who said they want to do this. But it’s cer­tainly plaus­ible that they would.

It gets to the is­sue of cap­ab­il­ity and in­tent in a giv­en threat. And in this case, as in most oth­er cases of cy­ber ter­ror­ism, where there is in­tent, there is not as much cap­ab­il­ity today. I think the con­ven­tion­al wis­dom is that it’s a mat­ter of time be­fore cap­ab­il­ity be­comes avail­able, and there will be a race between harden­ing some of these sites and the cap­ab­il­it­ies of the ter­ror­ists.

GSN: What are the reg­u­lat­ory mech­an­isms for min­im­iz­ing the risk of a suc­cess­ful cy­ber-at­tack?

Mc­Con­nell: Do­mest­ic­ally, of course, there is the Nuc­le­ar Reg­u­lat­ory Com­mis­sion. They are very aware of cy­ber is­sues. Their reg­u­la­tions are quite strict. If you look across the spec­trum of crit­ic­al in­fra­struc­ture and cy­ber reg­u­la­tion, the two that are at the highest level are fin­an­cial ser­vices and nuc­le­ar. There are some pretty high stand­ards.

What I would point out in this reg­u­lat­ory en­vir­on­ment is that you can reg­u­late people and re­quire them to pro­tect them­selves, but as it is true with all things cy­ber, you’ll nev­er get 100 per­cent pro­tec­tion. So, what we’re call­ing for in our re­port [with co-au­thor Greg Aus­tin] is rather than — cer­tainly people should pro­tect their sys­tems — but we’re pro­pos­ing that [na­tion-]states take the step of say­ing they’re not go­ing to do this. There are some things that are not a good idea to at­tack for pub­lic-good reas­ons, if you will. And this is an ex­ample of that.

GSN: Do you see a blind spot in reg­u­la­tion that has yet to be covered?

Mc­Con­nell: I think that the reg­u­la­tion side, or what pro­viders and own­ers of these fa­cil­it­ies [do], is pretty good. I don’t think there are any big blind spots for the ma­jor ones. I haven’t looked care­fully at health ap­plic­a­tions and man­u­fac­tur­ing of X-ray devices and things like that. The health in­dustry is fairly un­der-reg­u­lated in cy­ber, so I would ima­gine there are some gaps there. But I don’t know that the risk is as great as it would be in the area that we’re look­ing at. … But that’s more of an im­pres­sion.

GSN: What is the role of the nuc­le­ar in­dustry to se­cure fa­cil­it­ies against cy­ber-at­tacks?

Mc­Con­nell: Well, it’s the in­dustry’s as­sets, so they need to pro­tect them. The prob­lem with in­dustry — and par­tic­u­larly crit­ic­al in­fra­struc­ture — is that un­less there’s a reg­u­la­tion in place, the pub­lic util­ity com­mis­sions gen­er­ally don’t al­low the costs. If you’re a reg­u­lated in­dustry, you can’t go out and say, “We’re go­ing to make a big in­vest­ment in cy­ber­se­cur­ity.” You have to get that through the loc­al [pub­lic util­ity com­mis­sion]; that’s a prob­lem. That’s why it’s handy for the na­tion­al reg­u­lat­or, at least in the United States, to do this.

These firms are pro­act­ive, and they’re act­ing re­spons­ibly. But again, no in­di­vidu­al firm can af­ford to make the in­vest­ments to pro­tect against a ser­i­ously well fun­ded at­tack­er.

In gen­er­al, in­vest­ment among com­pan­ies in cy­ber­se­cur­ity is not what it should be. Cre­at­ing the will­ing­ness to pay is a long pro­cess. They’re aware of the prob­lem, but do they take ac­tion? More so now, but not enough yet.

GSN: You have pro­posed the cre­ation of an in­ter­na­tion­al re­sponse cen­ter for nuc­le­ar in­form­a­tion se­cur­ity in­cid­ents, based on pro­pos­als by U.S. and Rus­si­an spe­cial­ists. How would that work?

Mc­Con­nell: The In­ter­na­tion­al Atom­ic En­ergy Agency is the ex­pert body on the in­ter­na­tion­al stage that has the abil­ity to make a dif­fer­ence here if something is go­ing to be done mul­ti­lat­er­ally. That’s where you would set up such a cen­ter. You’d have people in it from vari­ous coun­tries, and they would all have phone num­bers and in­ter­net ad­dresses of part­ners and in­dustry rep­res­ent­at­ives, and if something happened, that’s where you would go to get help.

GSN: Is it real­ist­ic to bank on people’s “mor­al and polit­ic­al judg­ment,” as you call it, in the pro­pos­al to make nuc­le­ar fa­cil­it­ies off-lim­its for cy­ber-at­tacks?

Mc­Con­nell: You have to start some­where, right? I mean, this would re­quire coun­tries to agree not to do this. But they’ve agreed to not at­tack hos­pit­als in con­ven­tion­al war­fare. So there is pre­ced­ent for this. They have agreed not to at­tack civil avi­ation by tech­no­lo­gic­al means.

I think it’s prac­tic­al. We just need to get the con­ver­sa­tion star­ted. And there is an in­terest in set­ting up more com­pre­hens­ive norms. What we’re try­ing to say is, in ad­di­tion to that top-down com­pre­hens­ive ap­proach, why don’t we just start by tak­ing a few things off the table. So I think it’s ab­so­lutely real­ist­ic.

GSN: Giv­en past U.S.-Rus­si­an ex­pert co­oper­a­tion on the is­sue, has the Ukraine crisis had an ef­fect on the con­ver­sa­tion?

McConnell: Two things: Just the overall distraction of the Ukraine crisis has made conversations with the Russians more difficult, only because there’s a lot of extra stuff going on. But we continue to discuss and work with the Russians on cybersecurity matters from here. But I think the official channels have been strained by the unpleasantries in the Ukraine, so I think that has set back official conversations around this.
