Critical Read

Do air gaps protect nuke power plant systems?

Shutterstock image (by Maksim Kabakou): Science data concept, nuclear icon.

What: A Chatham House report on cybersecurity vulnerabilities at civilian nuclear facilities.

Why: Nuclear power plants are difficult for the federal government to protect from cyberattack because most are privately owned. However, their security is a matter of federal concern because they contain nuclear materials that are potentially dangerous if they get into the wrong hands or are manipulated remotely via the Internet.

U.S. nuclear power plants are relatively old, and their industrial control systems rely on aging, legacy technology. Attacks on IT and control processing technologies at nuclear power plants have been steadily increasing. The time-tested defense against hacks has been separating such systems from the Internet -- the so-called "air gap" method.

But according to the Chatham House report, air gaps do not guarantee isolation from the Internet. Office systems at plants often rely on virtual private networks for Internet connections, and those networks could be used to tunnel into control systems. Perhaps more alarming is that some facility operators might not even be aware of a VPN or any interconnection between infrastructure components and the Internet, according to the report.

Other risks include infrastructure components that are easily identified via a Google search, flash drives that can bridge air gaps and nuclear plant employees who are alarmingly unfamiliar with key cybersecurity procedures. Exacerbating the problem is the fact that nuclear engineers and cybersecurity experts don't speak the same technical language and are often not located at the same sites.

The report backs new risk assessment procedures that incorporate security and safety. It also encourages a vigorous conversation between engineers and contractors to raise awareness of the problems associated with unauthorized Internet connections.

Verbatim: "Not only can air gaps be breached with nothing more than a flash drive (as in the case of Stuxnet), but the commercial benefits of Internet connectivity mean that nuclear facilities may now have virtual private networks and other connections installed, sometimes undocumented or forgotten by contractors and other legitimate third-party operators."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

  • IT Modernization
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    VA plans 'strategic review' of $16B software program

    New Veterans Affairs chief Denis McDonough announced a "strategic review" of the agency's Electronic Health Record Modernization program of up to 12 weeks.

Stay Connected