Critical Read

Do air gaps protect nuke power plant systems?

Shutterstock image (by Maksim Kabakou): Science data concept, nuclear icon.

What: A Chatham House report on cybersecurity vulnerabilities at civilian nuclear facilities.

Why: Nuclear power plants are difficult for the federal government to protect from cyberattack because most are privately owned. However, their security is a matter of federal concern because they contain nuclear materials that are potentially dangerous if they get into the wrong hands or are manipulated remotely via the Internet.

U.S. nuclear power plants are relatively old, and their industrial control systems rely on aging, legacy technology. Attacks on IT and control processing technologies at nuclear power plants have been steadily increasing. The time-tested defense against hacks has been separating such systems from the Internet -- the so-called "air gap" method.

But according to the Chatham House report, air gaps do not guarantee isolation from the Internet. Office systems at plants often rely on virtual private networks for Internet connections, and those networks could be used to tunnel into control systems. Perhaps more alarming is that some facility operators might not even be aware of a VPN or any interconnection between infrastructure components and the Internet, according to the report.

Other risks include infrastructure components that are easily identified via a Google search, flash drives that can bridge air gaps and nuclear plant employees who are alarmingly unfamiliar with key cybersecurity procedures. Exacerbating the problem is the fact that nuclear engineers and cybersecurity experts don't speak the same technical language and are often not located at the same sites.

The report backs new risk assessment procedures that incorporate security and safety. It also encourages a vigorous conversation between engineers and contractors to raise awareness of the problems associated with unauthorized Internet connections.

Verbatim: "Not only can air gaps be breached with nothing more than a flash drive (as in the case of Stuxnet), but the commercial benefits of Internet connectivity mean that nuclear facilities may now have virtual private networks and other connections installed, sometimes undocumented or forgotten by contractors and other legitimate third-party operators."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.