Nuclear power plants in ‘culture of denial’ over hacking risk - FT.com:
"Nuclear power plants around the world are harbouring a “culture of denial” about the risks of cyber hacking, with many failing to protect themselves against digital attacks, a review of the industry has warned.
A focus on safety and high physical security means that many nuclear facilities are blind to the risks of cyber attacks, according to the report by think-tank Chatham House, citing 50 incidents globally of which only a handful have been made public.
The findings are drawn from 18 months of research and 30 interviews with senior nuclear officials at plants and in government in Canada, France, Germany, Japan, the UK, Ukraine and the US.
“Cyber security is still new to many in the nuclear industry,” said Caroline Baylon, the report’s author.
“They are really good at safety and, after 9/11, they’ve got really good at physical security.
But they have barely grappled with cyber.”
The report cites officials who describe the industry as being “far behind” other industrial sectors when it comes to insulating themselves against digital attacks.
Ms Baylon said there was a “culture of denial” at many nuclear plants, with a standard response from engineers and officials being that because their systems were not connected to the internet, it would be very hard to compromise them.
“Many people said it was simply not possible to cause a major incident like a release of ionising radiation with a cyber attack . . . but that’s not necessarily true.”
...The report points to a 2008 incident at the Hatch plant in Georgia to illustrate how vulnerable plants could be to deliberate digital disruption: though not an attack, when a contractor issued a routine patch to a business network system, it triggered a shutdown.
Most facilities still do not take cyber security seriously enough in spite of such instances, Ms Baylon said.
...“It would be extremely difficult to cause a meltdown at a plant or compromise one but it would be possible for a state actor to do, certainly,” said Ms Baylon.
“The point is that risk is probability times consequence.
And even though the probability might be low, the consequence of a cyber incident at a nuclear plant is extremely high.”"