If there is any such thing as “critical infrastructure” where a cyber attack must be prevented by all means, it’s certainly the international fleet of nuclear power plants and associated facilities for the production, processing and storage of nuclear material. Potential cyber attacks against these facilities cause concern not with respect to the confidentiality, integrity, and availability of information, but with respect to public health and national security. While the majority of nuclear power plants still use analog safety systems that cannot be compromised by even the most sophisticated digital code, these analog systems are no longer available for purchase. Therefore, renewal projects for the instrumentation and control of nuke plants, and certainly new reactors, use digital devices for even the most sensitive systems and processes. Critical risk or acceptable? Well, that’s what governments around the world need to figure out.
In the U.S., cyber security for nuclear power plants got its start as an industry best practice. Subsequent to the attacks of 9/11, many aspects of U.S. security were bolstered, and nuclear power plants were considered among the most critical of critical infrastructure assets and therefore in need of additional security. Industry efforts were noteworthy and significant progress was made. However, the U.S. Nuclear Regulatory Commission (NRC) determined that industry efforts were insufficient and published a new cyber security rule in 2009 and cyber security guidance in 2010.