Cyberattacks on any critical infrastructure should be alarming, but attacks on nuclear infrastructure are all the more so due to the potential consequences, including radiation leaks.
A China-sponsored hacker attacked the US National Nuclear Security Administration in July. The organisation is responsible for building and managing the US nuclear stockpile as well as the nuclear power plants on US warships and submarines.
Like other critical infrastructure, nuclear facilities and installations rely heavily on digital systems for a variety of functions. These include nuclear-reactor controls, safety and security systems within a nuclear facility, transportation of nuclear material, and emergency response protocols. Effective cybersecurity protocols and cyber-hygiene measures are important to prevent intentional attacks and accidents in a nuclear establishment.
A cyberattack on a nuclear facility can result in the loss of or tampering with data, which could disrupt safety and security operations, producing disastrous effects. Hackers inside plant networks would also be looking for internal documents to map vulnerabilities and weak points, both in terms of physical security and cyber liabilities. This information could then be used later to maximise an attack’s effect. Hackers could also feed flawed messages into the digital network to create confusion, increasing the risk of miscalculation in terms of responses or even inadvertent escalation.
Another consequence is the potential loss of public trust in nuclear power at a time when every source of clean energy should be pursued with vigour. Financial loss to the industry and governments engaged in the nuclear sector can also be quite painful. In addition, private sector businesses could face loss of market and investor confidence, which could have long-term consequences. Humanitarian and environmental consequences of any nuclear or radiological incident should be worrying as well.
From a strategic perspective, adversaries such as China and Russia are hacking US systems to get a better idea of US strategic capabilities. They can use this information to prepare appropriate countermeasures to weaken the US’s nuclear deterrence posture. General Timothy Haugh, who headed the US National Security Agency until April, warned of the growing cyber threat from China.
Stakeholders in the sector need to put in place several important corrective and proactive measures. That this incident affected Microsoft shows that nobody is immune to the threats and all are potentially vulnerable. But it could also be a sign of complacency, which is a great danger.
Urgent steps include the segmentation of critical and sensitive information. Information sharing within a nuclear agency or facility has to be on a need-to-know basis, a point that appears obvious but is often ignored. Also, employees should be vetted periodically to address insider security threats. This is a recognised problem in nuclear safety and security systems, but cyber threats add a further dimension to it. Industries that provide cybersecurity services to the nuclear sector don’t appear to entirely appreciate the rigorous vetting process that is required to keep out unwanted elements. US security agencies have had considerable problems with the use of improperly vetted or monitored contractors. In late July, for example, Microsoft decided to ‘stop relying on engineers based in China to support the Pentagon’s use of cloud services.’
Additional steps include conducting periodic facility risk assessments and creating a database that details known threats, how they have been managed and lessons learnt. Such a database could be shared with all critical infrastructure players to address common threats. This could be extended to scenario exercises to explore risks and how to respond in case of a violation or breach.
Finally, as we aim to effectively and rapidly identify breaches and contain the consequences, nothing can replace robust incident response planning, active defence approaches, and integrated digital security across facilities and across regulatory levels.