In preparation for the January 2017 Texas A&M Cyber Security Conference, some select participants were asked for our thoughts on a recent article on nuclear plant cyber security – “UN: Threat of a hacking attack on nuclear plants is growing”. I would have thought that agreeing with the article that nuclear plant cyber threats are real and growing would have been straightforward. However, Marcus Sachs, NERC’s Chief Security Officer, responded to the article: “Typical media hype. The headline of the story is designed to hook in those who want to believe that we are a mouse click away from total destruction. But the rest of the article provides no supporting evidence. Just conjecture that appeals to the uneducated masses. While the risk of unauthorized external access to nuclear power plant control systems will always be non-zero, it’s teeny tiny compared to other potential failure modes. So I am not going to say that it can’t happen, but I do get tired of the media playing to people’s fears of the unknown.”
I do not understand Marc’s rationale for his comments to experts (his response was not to the general public). Nuclear plants use the same ICS equipment with the same cyber vulnerabilities as non-nuclear plants. I have reviewed nuclear plant Failure Modes and Effects Analyses (FMEAs) and they have not adequately addressed the common cause failures that could be associated with cyber threats (not “teeny tiny”). I have documented more than 50 nuclear plant cyber incidents to date and presented 3 of those case histories at the June 2015 International Atomic Energy Agency (IAEA) Cyber Security Conference. At that Conference, the Vice President from Korea Hydro and Nuclear gave a presentation on the North Korean cyber attacks on South Korean nuclear plants. At the October 2016 ICS Cyber Security Conference, there was a demonstration of hacking a protective relay used by many nuclear plants to prevent Aurora; the compromised relays could be used to cause Aurora events in nuclear plants.
This isn’t the first time NERC has downplayed real cyber threats. Following the December 2015 Ukrainian cyber attack, NERC stated the Ukrainian cyber attack couldn’t happen in the US. Why is NERC minimizing cyber threats?