Stuxnet attack offers lesson for U.S. energy industry

In this Sept. 2007 file photo, an anti-aircraft gun position is seen at Iran\'s nuclear enrichment facility in Natanz, Iran. (AP Photo/Hasan Sarbakhshian)

J.J. Green,

WASHINGTON – The still-classified U.S. and Israeli operation called Stuxnet that attacked Iran’s nuclear program was a wake-up call for the nuclear power industry in the U.S.

As cybercriminals become more sophisticated, concerns grow that nuclear power plants, which house dangerous nuclear materials, could be hacked and breached.

“Stuxnet required us to step back and take a look at the measures we had in place,” says Bill Gross, senior project manager at the Nuclear Energy Institute (NEI).

Although it has never been acknowledged by the U.S. government or Israel, David Sanger writes in his book “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power,” that it’s widely believed computer networks at the Iranian Natanz nuclear facility were infected by a virus brought into the facility on a thumb drive.

It’s thought the thumb drive was brought from outside of a secure zone and plugged into the facility’s sensitive networks. The attack targeted centrifuges at a uranium enrichment facility.

It is precisely that type of attack that concerns U.S. intelligence officers, security officials and the NEI.

“We’re taking measures to further ensure that whenever we’re bringing data into the plant, like maintenance laptops and portable media that are used to carry in updates to programs and things like that, we’re taking every precaution we can to minimize our attack surface in that area,” says Gross.

In its 2011 report “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive expressed deep concern about what it called “insider threats.” These threats stem from people inside agencies and organizations who engage in risky behavior on computer networks.

“Cyberspace – where most business activity and development of new ideas now takes place – amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services, to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect,” the counterintelligence report says.

The urgency to do more to protect the nation’s critical networks was heightened by President Barack Obama’s executive order issued this week on cybersecurity. The order reads in part:

“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”

The nuclear industry works with government agencies to assess its readiness to protect power plants from cyberthreats, says Anthony Pietrangelo, NEI’s chief nuclear officer and senior vice president.

U.S. nuclear facilities are not accessible to hackers via the Internet, Pietrangelo says.

“Our facilities are essentially cyber-islands, in that safety and control systems are not connected to business networks or the Internet. Unlike industries for which two-way data flow is critical, nuclear power plants do not require incoming data flow,” says Pietrangelo. “Nuclear plants also are protected from grid instability, with multiple backup power supplies that provide for safe shutdown of a reactor in the event of a power blackout.”

Editor’s note: A spokesman for the Nuclear Energy Institute disputes the characterization that the Stuxnet attack was a “wake-up call” for the industry. He says the attack was an “attention-getter.”

Follow @JJGreenWTOP and @WTOP on Twitter.

Advertiser Content