Last month, Canada took a prominent seat at the Nuclear Security Summit in Washington, DC to discuss strategies aimed at preventing future terrorist threats. Despite Canada’s strong nuclear non-proliferation stance, it still endorses NATO’s policy of possessing nuclear forces for deterrence. Canadian Prime Minister Justin Trudeau proposed what is known as the “gift basket initiative,” which urges participants to not only prevent proliferation of nuclear weapons, but to also better track nuclear material within their borders and keep radioactive material out of the hands of non-state actors.
Doing so, however, could prove more difficult than expected. This is because while the international community has a good grasp on physical threats to nuclear security, it has yet to adopt the same standards to cyber-nuclear security. Cyber-nuclear security is a young, emerging field – and quickly growing in sophistication. At the heart of it is the security of nuclear plants, and how vulnerable they are to cyber attacks.
Nuclear facilities have traditionally been exclusively physical entities. However, these facilities have become increasingly more reliant on digital control systems. Operators lack experience in implementing cyber security measures on these systems, leading to a misperception that they are not as exposed to cyber threats.
But these cyber threats are real. In 2010, a malicious computer worm called Stuxnet targeted electromechanical automation systems in Iran – systems that included centrifuges for separating nuclear material. Stuxnet was remarkable in its sophistication, as it is believed to have been a joint U.S.-Israeli project to sabotage the Iranian nuclear program. Although it successfully disrupted 984 centrifuges at Iran’s uranium enrichment facility in Natanz, it was only a minor threat to Iran due to its limitations. Yet incidents like Stuxnet demonstrate the potential threats of cyber-nuclear security.
Once fuel is installed in a nuclear reactor, a plant runs continuously for 1-2 years. There is no quick “off” button to a plant; even when shut down, the fuel still continues to produce decay heat. The reactor must be cooled or the core may melt. If errors such as the Three Mile Island malfunction can be replicated in a cyber attack, it is possible to induce a reactor meltdown. All it takes is one employee, acting alone or under duress, and a portable thumb drive similar to the one used in Stuxnet. Due to increased adoption of digital control systems, it has become possible to remotely manipulate displays in the operating centre, which could force employees into false reactions.
However frightening this sounds, launching a catastrophic attack is far from simple. It requires sophistication on behalf of the adversary. Then again, it is no news that al-Qaeda has sought nuclear weapons or that ISIS, demonstrating technical knowledge that has eluded its predecessors, has been trying to obtain dirty bombs. While it is highly unlikely that these terrorist groups can obtain enough highly enriched uranium for a fission bomb, it is possible for them to make a dirty bomb from radioactive waste or by-products.
There are plenty of warning signs. Belgian authorities recently discovered that Mohamed Bakkali, a suspect in the Paris attacks of November 2015, had video surveillance footage of a senior Belgian nuclear official. This is alarming, as Belgium has the highest number of nationals leaving to become fighters for ISIS in Syria. One Belgian jihadist spent years working as a security engineer at Belgium’s oldest nuclear reactor, signaling an alarming trend of terrorist infiltration into the nuclear industry. Yukiya Amano, the head of the International Atomic Energy Agency, has warned about the danger of missing nuclear materials, which could be combined with more conventional explosives to create a dirty bomb. Not all nations have trained experts specializing in cyber-nuclear security. In fact, there is growing concern that Pakistan and India, the two countries that rank last in nuclear security ratings, are not taking sufficient measures.
It is important to note that the best way to deal with this emerging threat is not to cut back on power plants. Many Belgians want their plants to continue operations to have electricity at affordable prices. Instead, policymakers should be focused on gaps in nuclear regulation when formulating cyber security policies. A study conducted by the Nuclear Threat Initiative concludes that there is a large spread in the maturity of cyber security programs between nations, as it pertains to the nuclear industry. The Initiative stresses how cyber security should become a fully incorporated factor in the operations of nuclear facilities. At the most basic level, it is clear that increased efforts need to be made to coordinate between cyber and nuclear security bodies.
