Management and administration - Information technology (software) | 2017-12-27

Cyber security at civil nuclear facilities – understanding the risks

World Economic Forum | Recent high-profile cyber attacks, including the deployment of the sophisticated 2010 Stuxnet worm, have raised new concerns about the cyber security vulnerabilities of nuclear facilities.

As cyber criminals, states and terrorist groups increase their online activities, the fear of a serious cyber attack is ever present. This is of particular concern because of the risk – even if remote – of a release of ionizing radiation as a result of such an attack, argues the report, Cyber Security at Civil Nuclear Facilities: Understanding the Risks. Moreover, even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry.

Notwithstanding important recent steps taken by the International Atomic Energy Agency (IAEA) to improve cyber security across the sector, the nuclear energy industry currently has less experience in this field than other sectors.

Digital route

This is partly due to the nuclear industry’s regulatory requirements, which have meant that digital systems have been adopted later than in other types of critical infrastructure. In addition, the industry’s long-standing focus on physical protection and safety has meant that while these aspects of risk response are now relatively robust, less attention has been paid to developing cyber security readiness. As a result, exploiting weaknesses in digital technology could be the most attractive route for those seeking to attack nuclear facilities without fear of interdiction.

The cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, which offers considerable cost savings but increases vulnerability to hacking attacks. The trend to digitization, when combined with a lack of executive-level awareness of the risks involved, also means that nuclear plant personnel may not realize the full extent of this cyber vulnerability and are thus inadequately prepared to deal with potential attacks.

There is a pervading myth that nuclear facilities are ‘air gapped’ – or completely isolated from the public internet – and that this protects them from cyber attack. Yet, not only can air gaps be breached with nothing more than a flash drive (as in the case of Stuxnet), but the commercial benefits of internet connectivity mean that nuclear facilities may now have virtual private networks and other connections installed, sometimes undocumented or forgotten by contractors and other legitimate third-party operators.

Hacking risk

Meanwhile, hacking is becoming ever easier to conduct, and more widespread: automatic cyber attack packages targeted at known and discovered vulnerabilities are now widely available; advanced techniques used by Stuxnet are now known and being copied; and search engines can readily identify critical infrastructure components that are connected to the internet.

In the light of these concerns, Chatham House undertook an 18-month project on the nexus between cyber security and nuclear security. By drawing on in-depth interviews with 30 industry practitioners, as well as policy-makers and academics, and convening three expert roundtables, the project sought to assess the major cyber security challenges facing the wider nuclear industry; to identify international policy measures that could help to enhance cyber security in the sector; and to help increase knowledge of current concerns in this area.

Its report examines the major cyber threats to civil nuclear facilities, focusing in particular on those that could have an impact on industrial control systems, and suggests some potential solutions to these challenges.

Main findings

The research identified the following major challenges for civil nuclear facilities:

Industry-wide challenges

The infrequency of cyber security incident disclosure at nuclear facilities makes it difficult to assess the true extent of the problem and may lead nuclear industry personnel to believe that there are few incidents. Moreover, limited collaboration with other industries or information-sharing means that the nuclear industry tends not to learn from other industries that are more advanced in this field.

A paucity of regulatory standards and limited communication between cyber security companies and vendors are also of concern.

This suggests that the industry’s risk assessment may be inadequate; as a consequence, there is often insufficient spending on cyber security.

Developing countries may be particularly at risk, because they have even fewer resources available to invest in cyber security.

Cultural challenges

Nuclear plant personnel, who are operational technology engineers, and cyber security personnel, who are information technology engineers, frequently have difficulty communicating, which can lead to friction. In many cases the problem is exacerbated by the off-site location of cyber security personnel.

Nuclear plant personnel often lack an understanding of key cyber security procedures, finding that the procedures documents produced by cyber security personnel do not communicate this information in language that is clear to them.

Cyber security training at nuclear facilities is often insufficient. In particular, there is a lack of integrated cyber security drills between nuclear plant personnel and cyber security personnel.

Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.

This suggests that nuclear plants may lack preparedness for a large-scale cyber security emergency, particularly if one were to occur outside normal working hours.

Technical challenges

Many industrial control systems are ‘insecure by design’, since cyber security measures were not designed in from the beginning.

Standard IT solutions such as patching are difficult to implement at nuclear facilities, mainly owing to concern that patches could break a system and because of the commercial need to reduce plant downtime.

Supply chain vulnerabilities mean that equipment used at a nuclear facility risks compromise at any stage.

The report’s recommendations include:

· Developing guidelines to measure cyber security risk in the nuclear industry, including an integrated risk assessment that takes both security and safety measures into account.

· Engaging in robust dialogue with engineers and contractors to raise awareness of the cyber security risk, including the dangers of setting up unauthorized internet connections.

· Implementing rules, where not already in place, to promote good IT hygiene in nuclear facilities (for example to forbid the use of personal devices) and enforcing rules where they do exist.

· Improving disclosure by encouraging anonymous information sharing and the establishment of industrial CERTs (Computer Emergency Response Teams).

· Encouraging universal adoption of regulatory standards.


This article is published in collaboration with Chatham House.

Originally written for the World Economic Forum
