The Nuclear Threat Initiative’s NTI Index shows that only 47 percent of countries have a response plan in place for a cyberattack on a nuclear facility.
Further, NTI reveals that most of those nations do not have adequate regulations for cybersecurity. The NTI Index found that only 34 percent receive a high score for cybersecurity.
In a post, Cira Mancuso, an intern with NTI’s Materials Risk Management team, describes several ways countries can strengthen cybersecurity at nuclear facilities. Those steps include integrating physical protection and cybersecurity, protecting critical digital assets, requiring a cybersecurity response plan, and building greater awareness of cyber threats among facility personnel.
Mancuso points out that there have been 23 publicly disclosed cyber incidents at nuclear facilities since 1990, including the 2010 Stuxnet virus attacks on the Natanz uranium enrichment facility in Iran.
The author notes that all security measures, including cybersecurity, will be ineffective if an employee with knowledge of security systems can bypass them. Fortunately, there have not been many such cases, but facilities must still be vigilant against threats from insiders. Often, they are not, Mancuso said.
“Despite the importance of addressing threats posed by insiders, the NTI Index reports that only 55 percent of countries require that personnel vetting be conducted regularly, and only 35 percent require robust personnel vetting that includes drug tests, background checks, and psychological tests. An alarming 20 percent do not require any of these tests. In addition, the Index details how improvement in the Global Norms category has slowed, and until nuclear security treaties are universalized, the critical gap in the coverage of protection, criminalization, and cooperation on prosecuting nuclear theft, smuggling, sabotage, and terrorism will continue,” writes Mancuso.
Mancuso states that there are several ways to address the human factor in nuclear security, including implementing more stringent and frequent personnel vetting; enhancing surveillance of sensitive areas; creating insider threat awareness programs to enhance the ability to detect and respond to threats; and emphasizing security culture as distinct from safety culture.