Light Dark
October 7, 2015 By Douglas Bonderud 3 min read

Nuclear facilities are now a critical facet of the American utility market. According to the Nuclear Energy Institute (NEI), these facilities generated almost 20 percent of U.S. electricity through 2014, with 99 reactors in use across the country. Owing to the volatile nature of the materials and processes in any nuclear plant, companies have developed excellent physical safety and security procedures.

But as noted by a new Chatham House report based on interviews with 30 industry experts, cybersecurity risk is underestimated at nuclear facilities, leaving these critical producers open to cyberattacks. If plants are breached, what’s the fallout?

The Myth of Air

A recent SecurityWeek article discusses some of the reasons for this lack of nuclear cyber readiness. The biggest problem? A belief that air-gapped systems effectively curtail the risk of cyberattack. The idea here is that since potentially vulnerable points such as industrial control system (ICS) software are often isolated from the Internet, there’s little chance they could be compromised by attackers. The Chatham report, however, found that many nuclear facilities use technology such as virtual private networks (VPNs) to forge outside-facing connections — and in some cases, plant operators aren’t even aware they exist.

Risk assessment is also problematic. The nuclear industry doesn’t have a set of unified guidelines for measuring such risk, and the infrequency of cyber incident disclosures often provides a false sense of security. And according to the report, “very few” plants actually take steps — such as installing software patches, for example — to mitigate security risks. What’s more, most are reliant on perimeter defenses alone to stop attackers, which hasn’t been successful for retail, finance, manufacturing or other energy companies.

Culture also plays a role. As noted by Dark Reading, nuclear operations and IT staff don’t always get along. Operations employees are focused on preventing accidental nuclear incidents, while IT professionals focus on curtailing intentional damage. Add in a different set of employment standards for regular staff and IT teams and it’s not surprising to see that cybersecurity isn’t making headway.

In sum: Nuclear facilities are protected only by myth and miscommunication. And that’s a problem.

Big Boom

How big a problem, exactly? According to the Chatham report, there are a number of worrisome possibilities. For example, cyberattacks targeting a facility’s turbine-cooling water supply could derail its energy production for days or weeks. There’s also the risk of a simultaneous physical/cyberattack designed to force a plant offline. Think of the physical breach as a kind of distracting distributed denial-of-service (DDoS) tactic: With nuclear plants focused on repelling attackers on the ground, cybercriminals could sneak behind the lines and cause havoc.

The most disturbing possibility? Attackers could compromise both the off-site backup power supply and on-site backup system. Coupled with the failure of in-plant safety features, the result could be a nuclear incident of Fukushima-like proportions. While this is not a likely scenario, the lacking cybersecurity environment presents an opportunity for motivated cybercriminals to compromise plants during a natural disaster and cause widespread chaos.

Closing the Gap

A recent Energy Live News showcased the disparity between the nuclear industry’s public face and the reports of Chatham’s 30 anonymous security experts, positioning nuclear facilities as “leading in cybersecurity due to its collaborative skills.” While this may be the ultimate goal, the current state of cybersecurity is one of fragmentation, assumption and cross-purposes. The result is a tempting target for motivated nation-states or disgruntled hacktivists.

Preventing fallout from cyberattacks is possible if plants recognize three basic truths: First, their industry is not immune to cybersecurity risk, whether it’s air-gapped or not; second, reassessment of all cyber defenses is crucial, along with a real accounting of threat likelihood; lastly, ops and IT professionals must learn to get along. Despite vastly different routes, they’re headed for the same destination: a secure nuclear future.

 |  |  |  | 
Douglas Bonderud
Freelance Writer

More from

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

February 14, 2025

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature