8
SigniFicant Cyber Vulnerabilities in Nuclear Energy Facilities www.GlobalCyberPolicyWatch.com October 2018
SigniFicant Cyber Vulnerabilities in Nuclear Energy Facilities
www.GlobalCyberPolicyWatch.com
October 2018
Significant Cyber Vulnerabilities in Nuclear Energy Facilities
Executive SummaryReports of foreign meddling and cyber attacks in American critical infrastructure continue to surge, with the energy industry facing increased attention. As politicians, policymakers, and taxpayers question the resiliency of the energy grid to withstand increased cyber risks, the energy sectors and owner-operators of the critical infrastructure must comprehensively examine their current vulnerabilities. Meanwhile, some members of Congress propose increasing funding to some energy sectors but not others to help address these vulnerabilities. While the Trump Administration originally favored such an approach to securing the grid, the Administration has since realized that one energy sector cannot be favored over another, especially when the market does not support such an action.
The reality is that each energy sector has unique cyber vulnerabilities, and some sectors are addressing them more proactively than others. This brief explains how nuclear energy facilities have significant cyber security vulnerabilities and may actually represent a greater threat to our grid resilience than other sources of energy.
Key Points:• Nuclear Energy Cyber Security Influenced By A
Washington Political Agenda. Some in Washington have urged for greater investment in nuclear energy, based on the false argument that nuclear is inherently more secure than other energy industries. However, this argument only gained popularity after Federal Energy Regulatory Commission (FERC) denied an initial subsidy proposal from the Department of Energy (DOE); the DOE’s subsidy proposal has since reportedly been shelved following mounting opposition from several Trump administration officials. This politicization clearly ignores the facts that nuclear energy faces several cyber security vulnerabilities.
• DHS and FBI Investigation Shows Nuclear Plants Have Been Compromised by Russian Hackers. A joint investigation by the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) indicates ‘a number of nuclear facilities’ have been targeted and compromised by Russian hackers. Hackers have gained enough access to nuclear infrastructure to infiltrate numerous plants, and they have the ability to sabotage their control systems. Nuclear plants prove to be high impact and priority targets, but lack the necessary readiness to address cyber threats.
• Nuclear Network Communication Flaws. The Royal Institute of International Affairs published a report citing nuclear vulnerabilities that lacked, “effective communication, both between different facilities and between information technology teams and operational engineers...” The report concludes that these flaws are a cultural problem permeating nuclear plants industry-wide.
• Nuclear Power Plant Age Linked to Vulnerability. Researchers from Chatham House determined nuclear plants to have significant technical challenges making them especially open to cyber risks. These include aging systems that lack built-in security features, commercial firewall protection, and an insufficient ‘air gap.’ These factors, in combination, make nuclear plants susceptible to the tactics of modern cyber attacks.
• Nuclear Plants are Behind the Adaptation Curve. The University of California (UC) at Berkley released a report detailing unique nuclear plant disadvantages for addressing cyber threats. Amongst them was a lag in response to advancements in instrumentation and control technologies stemming from “regulatory, training, and economic factors.”
1
3
BackgroundAs the 21st century progresses and technology becomes increasingly accessible, the risk of cyber attacks will continue to grow. This is true in every corner of life and every industry, but has become especially important for the energy sector. Bringing even a single power plant to its knees can have major consequences for millions of Americans in terms of life, property, and national security. Some individual facilities have the potential to impact large parts of the national grid and shut down hospitals, security systems, stock exchanges and even home refrigerators, putting thousands of lives and billions of dollars at risk.
While the fear of cyber attacks keeps IT executives up at night across the sector, the threat potential is exceptionally high for nuclear power plants. Reports in recent years have shown that many nuclear plant control systems are not truly ‘airgapped’ from the internet – meaning there is some network connectivity between systems which control nuclear reactors and those with internet accessibility.
1 Perlroth, Nicole, and David E. Sanger, “Cyberattacks Put Russian Fingers on the Switch at Power Plants, US says,” The New York Times, published 15 March 2018, https://www.nytimes.com/2018/03/15/us/politics/russia-cyberattacks.html
2 http://www.joint-project.org/upload/file/WorkingPaper_NuclearSecurity_2017_final.pdf; http://www.assemblee-nationale.fr/15/rap-enq/r1122-tI.asp
Additionally, there is no shortage of actors who have the motivation and capability to target these high-impact sites. In March of this year, the New York Times reported on a joint DHS – FBI report that stated that the Russian government had infiltrated a number of nuclear power plants across the United States and Europe.1 In the last two years, French and German governments have also expressed concern over the potential for a joint cyber-kinetic strike on nuclear sites.2
Ultimately, it is clear that there are significant gaps in cyber security at nuclear power plants. Considering that the damage potential for a nuclear facility outweighs that of any other type of fossil or renewable fuel, it is vital to explain these vulnerabilities in clear terms. This brief explains the cyber vulnerabilities facing the nuclear energy industry, and counters the prevailing argument that nuclear energy is inherently insulated from cyber threats.
• Natural Gas Plants Face Less Risk Thanks to Resource Dispersion. UC Berkley research concluded the site risks of nuclear plants to be much greater than alternatives like oil or liquefied natural gas (LNG). Nuclear plants are responsible for keeping spent and unspent nuclear materials on site thereby greatly increasing intrusion risk. This is unique to nuclear plants as their LNG counterparts can disperse resources downline to mitigate the effectiveness of cyber security attacks by dispersing potentially dangerous resources.
• Nuclear Plants Average Age Prevents Modern Cyber security Capabilities. The Energy Information Agency (EIA) found the average age of U.S. nuclear plants to be nearly 40 years old, with the most recent finishing construction in 1996. As a result, nuclear plants lack the ability to increase their cyber security immunity because of aged hardware and incompatibility with modern software throughout the plants. Significant down-time costs that compile when nuclear plants are closed will make it difficult to bring nuclear plants up to meet modern cyber security needs.
• Shared Software Highlights Shared Risk. Supervisory Control and Data Acquisition (SCADA) software, used to monitor plant and control systems, is shared between nuclear, oil, and liquefied natural gas plants. The software is used to increase efficiency and lower
issue response time. However, their commonplace nature dispels myths spread by federal agencies that nuclear plants are inherently better suited to withstand cyber attacks.
• Barriers to Information and Best Practices Sharing. A private-public partnership between 50 natural gas and oil companies work cooperatively in the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) to share cyber threats, intelligence, and best practices. The Institute of Nuclear Power Operations claims to have a similar practice though an American nuclear facility worker countered their commitment to cyber security by stating: “The nuclear industry has always been insular…the feeling is that when it comes to nuclear, they know best. When it comes to cyber, they do not, period.”
• Nuclear Industry Associations Lack Coordinated Efforts against Cyber Threats. The Institute of Nuclear Power Operations and the World Nuclear Association make no mention on their websites of cyber security, universally-recognized standards, or information sharing. In contrast, the American Petroleum Institute describes in detail their information sharing practices and efforts to follow the National Institute of Standards and Technologies (NIST) cyber security structure.
4
Expert Analysis – Cyber and Related Threats to Nuclear Energy FacilitiesIn recent months, some in Washington have urged for greater investment in nuclear energy. Among these proponents’ arguments, it is claimed that the U.S. energy grid would be safer from the emerging threat of a cyber attack. For example, the Department of Energy, under the guidance of Secretary Rick Perry and President Trump, has argued that nuclear power plants inherently improve the U.S. energy grid’s resiliency from cyber attacks.3 After all, systems which control nuclear reactors themselves are supposed to be wholly isolated from the internet. In September, Senators Lisa Murkowski (R-AK), Cory Booker (D-NJ) and others introduced the Nuclear Energy Leadership Act in the Senate Energy and Natural Resources Committee, which makes similar claims regarding cyber security to the Administration itself.4 However, it is clear that several influential institutions, such as the Department of Homeland Security and the University of California, Berkeley, challenge the perspective that nuclear power plants are safer than nonnuclear alternatives. In fact, the opposite may very well be the case.
I. DHS and FBI ReportVarious reports which have emerged in recent years, from government and independent third-party sources alike, have expressed concern about the cyber readiness of nuclear power plants. In the spring of 2018, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) conducted a joint investigation into several instances of Russian cyber intrusions at nuclear facilities throughout the United States and Europe. According to the report, issued by DHS’s Computer Emergency Readiness Team (CERT), “Russian hackers made their way to machines with access to critical control systems” at a number of nuclear facilities.5 The New York Times interviewed Eric Chien, a cyber security expert, about the report’s findings. Chien’s conclusions were a far-cry from the rosy outlook of nuclear cyber readiness expressed above, as he testified that “We now have evidence (the Russians are) sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or effect sabotage.”6
3 Douhy, Jennifer A, “Trump Prepares Lifeline for Money-Losing Coal Plants,” Bloomberg, published 31 May 2018, https://www.bloomberg.com/news/arti-cles/2018-06-01/trump-said-to-grant-lifeline-to-money-losing-coal-power-plants-jhv94ghl
4 https://www.energy.senate.gov/public/index.cfm?a=files.serve&File_id=75CC1B38-815F-4F1B-AC37-D67A6D2F52D85 Perlroth and Sanger, “Cyberattacks.”6 Qtd., Ibid.7 https://www.us-cert.gov/ncas/alerts/TA18-074A8 Ibid.9 Ibid.10 Baylon, Caroline, Roger Brunt, and David Livingstone, “Cyber Security at Civil Nuclear Facilities: Understanding the Risks,” Chatham House: The Royal Insti-
tute of International Affairs, published September 2015, https://www.chathamhouse.org/sites/default/files/field/field_document/20151005CyberSecurityNu-clearBaylonBruntLivingstoneUpdate.pdf
‘Russian hackers made their way to machines with access to critical control systems’ at a number of nuclear facilities.
“
”While it is unclear whether the hackers in these particular instances were motivated by industrial espionage or something more nefarious, it is obvious that the U.S. Government’s primary counterespionage agencies do not believe that American nuclear power plants are safe from cyber intrusion, and believe that “the threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity.”7 CERT analyzed the hackers’ actions through the Lockheed-Martin Cyber Kill Chain model, which has five phases: Reconnaissance, Weaponization, Delivery, Exploitation, and Installation.8 The report also counters the generally-held belief that nuclear plants are sufficiently airgapped from the internet – clearly, the Russians were able to commit a series of intrusions across two continents over a couple of years, meaning they must have originated from the internet rather than a local source. Specifically, the hackers used a variety of internet-based tactics to intrude into systems, including spear-phishing emails, watering-hole domains, and other methods.9 While the CERT report investigated specific intrusions into nuclear and other facilities, a 2015 Chatham House document discusses nuclear energy vulnerabilities in more comprehensive terms.
II. Chatham House ReportA 2015 report by the Royal Institute of International Affairs, titled “Cyber Security at Civil Nuclear Facilities,” finds a number of significant vulnerabilities in cyber security at nuclear power plants. Specifically, the authors categorize discovered cyber problems into three main realms: industry-wide, cultural, and technical challenges. For the former two categories, Chatham House found a lack of effective communication, both between different facilities and between information technology teams and operational engineers within each site.10
5
The technical challenges are perhaps the most damning, however. The document states that, by and large, the nuclear plants were “insecure by design.” Many of the systems were aging, without built-in security features, and some facilities used basic off-the-shelf firewalls and other technologies to secure their most vital networks. Perhaps even worse, the researchers found multiple examples where vital control systems were networked with administrative systems that had internet access – a lack of a sufficient air gap. Even when air gaps did exist, USB drives were often used casually enough to still transfer a virus from an administrative computer to a control system itself.11
III. University of California, BerkeleyIn September 2017, experts from the University of California, Berkeley’s Center for Long-Term Cyber security published the results of a review of nuclear cyber security. Titled “Cyber Security in Nuclear Power Plants: Insights for Advanced Nuclear Technologies,” the report “provides some insight into past, present, and future cyber security issues… with nuclear power plants.” The research provides a general overview of the problems nuclear sites have with cyber security, specific to system design within these plants.
The team reviewed the history of instrumentation and control (I&C) in nuclear power plants and explains the interplay of various computer systems at different levels of a facility. The report states: “While other power plant industries have taken advantage of advancements in I&C technologies, existing nuclear power plants have been slower to pursue adoption due to regulatory, training, and economic factors.”12 Additionally, the report found that centralized control was particularly dangerous for nuclear sites. Systems with independent purposes are almost always integrated with one another, with significant overlap between them. From the operational standpoint, this makes sense, as it allows plant engineers to save time and improves overall efficiency, However, this also leads to “clear cyber security and diversity implications,” because “for example, the reactor protection system uses signals from sensors that are also used for plant unit control functions.”13 The findings in these three reports, and other academic and government sources, expose a series of vulnerabilities that are specific to nuclear power plants.
While other power plant industries have taken advantage of advancements in I&C technologies, existing nuclear power plants have been slower to pursue adoption due to regulatory, training, and economic factors.
“
”11 Ibid.12 Poresky, Christopher, Charalampos Andreades, James Kendrick, and Per Peterson, “Cyber Security in Nuclear Power Plants: Insights for Advanced Nuclear
Technologies,” Center for Long-Term Cybersecurity, University of California, Berkeley, published September 2017, http://fhr.nuc.berkeley.edu/wp-content/up-loads/2017/09/TH-Report-UCBTH-17-004.pdf
13 Ibid.
‘Insecure by Design:’ Selected Threats Specific to Nuclear SitesContrary to the claim that nuclear plants are inherently safe from cyber attacks, there are certain features unique to these facilities which make them particularly vulnerable. UC Berkeley and Chatham House each explain several industry-wide and technological traits which threaten the security of nuclear energy systems. Below are several examples which are especially applicable to this industry.
I. Centralized Control SystemsThe Berkeley account explains in clear terms that nuclear power plants are highly centralized and increasingly networked. Old-school analog systems, which carry their own safety risks, are increasingly being phased out, meaning the argument that plants are airgapped is no longer compelling. If for example, an administrative computer system is compromised by a cyber intrusion, the entire plant is put at risk because of its interconnectivity. As previously stated, interconnectivity often makes sense from an operational perspective, as it increases efficiency by allowing more information to come to a single control center. However, it is obvious that this exposes the entire facility to a virus if any part of the network is hacked.
The potential damage from centralized control is in a category of its own among nuclear energy providers.
“
”Additionally, both spent and unspent nuclear material is kept on site, under the same system. If an intrusion were to occur in, for example, an oil or liquefied natural gas (LNG) facility, the problem could be minimized, as both site control and physical infrastructure are more dispersed. That is not the case for nuclear power plants. The potential damage from centralized control is in a category of its own among nuclear energy providers.
6
II. Aging Systems Which Predate Built-in Security MeasuresAccording to the Energy Information Agency (EIA), only one nuclear power plant has been built in the United States since 1996. The average age of nuclear reactors is almost 40 years old.14 That is in stark contrast with both hardware and software intended to improve cyber security, which are relatively newer technologies. Essentially, the aging nuclear infrastructure is simply incompatible with state-of-the-art cyber security measures.
With the high-costs of down-time and changing fundamental control systems, it is highly unlikely that nuclear plants would be willing to improve their cyber security positions without being forced to.
“
”Both the Chatham House and Berkeley reports state as much, with the former arguing that “the control systems in most nuclear facilities were developed in the 1960s or 1970s when computing was in its infancy and designers gave no thought to the possibility that an actor with a malicious agenda might deliberately try to attack a computer system with electronic means.”15 With the high-costs of down-time and changing fundamental control systems, it is highly unlikely that nuclear plants would be willing to improve their cyber security positions without being forced to.
III. Lack of Deliberate Cyber security StrategiesThe Nuclear Regulatory Commission did not require nuclear facilities to have explicit cyber security strategies until after the September 11th, terrorist attacks in 2001, years after an overwhelming majority of plants had been in operation. Since, only new facilities have been required to implement cyber security features into plant system design, leaving almost the entire nuclear industry at risk. If that were not concerning enough, Berkeley’s researchers could not find any information on the cyber security efforts from 3 out of 4 companies building or operating new reactors.16 While other industries in the energy sector have recognized the significance of increased cyber threats, nuclear power operators have lagged behind.
14 https://www.eia.gov/tools/faqs/faq.php?id=228&t=2115 Baylon, Brunt and Livingstone, “Cyber Security at Civil Nuclear Facilities,” 23.16 Poresky et. al, “Cyber Security in Nuclear Power Plants,” 9-10.17 http://www.joint-project.org/upload/file/WorkingPaper_NuclearSecurity_2017_final.pdf ; http://www.assemblee-nationale.fr/15/rap-enq/r1122-tI.asp
IV. Integration of Hackable Assets into Physical Security InfrastructureIn the last two years, both French and German governments have released intelligence reports which express concern for a kinetic attack on nuclear sites.17 The rise of globalization and extremism have increased the ease and likelihood of terrorist attacks throughout the developed world. Nuclear power plants are an enticing target due to the significant impact such an attack, successful or not, would have on a population. The physical security of these sites, however, has become increasingly reliant on digital assets. Security cameras, sensor arrays, automated gates and doors and other technologies are all critical pieces to the security infrastructure a nuclear power plant. All of these are vulnerable to cyber intrusion and could be used in conjunction with a kinetic attack for maximum effectiveness.
A Comparison: Cyber Threat Environment in Nuclear vs. Nonnuclear FacilitiesMany of the same cyber threats which nuclear power plants face are universal across the energy sector, and throughout society as a whole. Digitalization and the networking of systems is happening across the board. However, the unique threats explained above represent a singular threat to nuclear sites which make their vulnerability to cyber intrusion significantly higher than other types of power plants. This directly contradicts the claims made by some within the Trump Administration and the U.S. Congress that nuclear facilities are inherently isolated from cyber attacks. This section further contextualizes the cyber threat of nuclear facilities within the energy sector.
I. Nuclear Power Plants Are High Impact TargetsAs previously mentioned, the impact of a successful attack on a nuclear site would be catastrophic. The radiological, environmental, medical and security implications for a community or country which result from a successful attack that causes a meltdown or other release of radioactive material would be absolutely devastating. In all likelihood, even an unsuccessful cyber or combined cyber and kinetic attack on a nuclear power plant would erode the public trust in security institutions and government. Other facilities in the energy sector, however, do not have the same threat level, as the impact of either a cyber or kinetic assault would be, while detrimental, nothing near the scale as that on a nuclear site.
7
II. SCADA Systems Are Common Throughout The Energy IndustryA SCADA, or Supervisory Control and Data Acquisition, system is a plant-wide monitoring and control system often used in power plants and other industrial facilities. The system allows a handful of operators to keep tabs on an entire site and respond to issues quickly. The system improves efficiency and safety in important ways. SCADA systems, being plantwide, are vulnerable to a cyber attack, meaning they require significant security features in them. However, the relevant point to this brief is that SCADA systems are commonplace in the energy sector – both nuclear and nonnuclear sites rely heavily on them. Nuclear power plants, are, therefore, not intrinsically safer from cyber attacks than other types of power plants – an important distinction considering today’s popular narrative.
III. Information-sharing is Less Common Among Nuclear Power CompaniesAmong the various concerns found in the 2015 Chatham House report on civilian nuclear cyber, intra-industry communication was considered a top challenge18. The British think tank found that there is a so-called ‘need to know’ mentality among nuclear operators. In short, the industry views itself in a highly compartmentalized manner and is hesitant to collaborate and share information among its contributors. This reduces the possibility of collective security which is commonplace in other sectors, and even among other industries within the energy field. For example, the fossil fuel industry has a robust information sharing public-private partnership in the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC). The ONG-ISAC is comprised of over 50 companies that share information on cyber threat indicators, threat intelligence, and best practices, and has bi-directional intelligence sharing with the federal government, to reduce the overall vulnerability to a cyber attack.
Additionally, both the National Institute of Standards and Technologies (NIST) “Framework for Improving Critical Infrastructure Cyber Security” and DHS’s “Nuclear Sector Cybersecurity Framework Implementation Guidance” state that information sharing is a vital part of developing an effective cyber defense strategy.19 While the Institute of Nuclear Power Operations (INPO) claims to push for best-practice sharing between sites, it is not clear whether there are effective processes in place
18 Baylon, Brunt and Livingstone, “Cyber Security at Civil Nuclear Facilities,” 15-16.19 https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf ; https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/nuclear-frame-
work-implementation-guide-2015-508.pdf20 Baylon, Brunt and Livingstone, “Cyber Security at Civil Nuclear Facilities,” 15.21 http://www.inpo.info/AboutUs.htm ; http://www.world-nuclear.org/22 https://www.nei.org/resources/reports-briefs/cybersecurity-for-nuclear-power-plants23 https://www.api.org/news-policy-and-issues/cybersecurity
for consistent information sharing, or whether nuclear operators are culturally enamored with the idea in the first place. Chatham House cites a nuclear engineer who works at an American facility, who stated:20
The nuclear industry has always been insular, and the feeling is that when it comes to nuclear, they know best. When it comes to cyber, they do not, period. The bulk of the expertise, the bulk of the experience, the bulk of everything else comes from outside nuclear, but they refuse to use it.20
“
”Furthermore, neither the INPO or the World Nuclear Association’s websites mention cyber security at all, nor do they provide specific guidelines to follow NIST or other universally-recognized standards of cyber security, including regarding information sharing.21 The Nuclear Energy Institute describes the nuclear industry’s efforts to enhance its cyber security measures, but does not discuss information sharing in this context.22 This is in contrast with the oil and natural gas industry, which per the American Petroleum Institute, describes its information-sharing efforts in detail and explains the oil and natural gas industry’s efforts to follow the NIST cyber security framework.23
8
Malicious Actors with Capability and IntentNuclear sites face a wide range of both state and non-state actors who intend to cause harm to the United States or the industry itself. Revisionist powers such as Russia and China may seek to improve their own energy technology through industrial espionage campaigns, or to gain insight into critical energy infrastructure throughout the United States. In the event of hostilities between major states, the ability to shut down an energy grid would certainly be a part of an integrated hybrid-warfare strategy, which is becoming increasingly common in interstate gamesmanship. As mentioned above, there is significant evidence that Russia has already gained access to vital systems within nuclear plants in the United States and Europe. Rogue states like Iran or North Korea have the means and interests to intrude on nuclear facilities for geopolitical purposes as well, creating a significant cyber threat environment.
To make matters worse, non-state actors have also expressed a willingness to go after nuclear facilities in the cyber and related realms.24 Causing a meltdown at a nuclear power plant could be the result of a successful cyber attack intrusion. A nuclear plant meltdown would lead to significant health and environmental problems and would cost the U.S. government billions of dollars to address this disaster. On the other hand, ‘hacktivists’ – those who use cyber misconduct for political activism – have also proven willing to commit dangerous cyberattacks for their causes. Extremist environmentalists, anarchists, and others represent a significant threat to nuclear facilities because of their own ideologies. Ultimately, nuclear power plants have always been considered major targets to those with malicious intent, which is why massive security infrastructures have always surrounded them. Nuclear power plants will continue to be to cyber targets as the 21st century changes the overall global security environment.
24 https://www.apnews.com/a0e79e8b1edf42e59e4a56e57c9de18025 Walters, Joanna, “Energy Agency Rejects Trump Plan to Prop up Coal and Nuclear Power Plants,” The Guardian, published 8 January 2018. https://www.
theguardian.com/environment/2018/jan/08/donald-trump-coal-industry-plan-rejected-rick-perry26 Wolf, Eric, and Darius Dixon, “Rick Perry’s Coal Rescue Runs Aground at White House,” Politico, Published 15 October 2018, https://www.politico.com/sto-
ry/2018/10/15/rick-perry-coal-rescue-trump-850528
ConclusionThe claims that the US energy grid will be insulated from cyber attacks with an increase in nuclear investment is simply untrue. Various academic, government, and corporate sources have expressed concern about the safety of nuclear systems in recent years. It is possible that the argument promoted by some in Washington is inherently political – the Department of Energy, after all, did not discuss cyber resiliency until after its nuclear plant subsidy proposal was already denied by FERC.25 This brief shows that the argument is false, and it’s clear that the Administration is slowly coming to see that, considering that it has reportedly shelved its push to bolster nuclear facilities through subsidies.26 With midterm elections in the near future and a lack of support from regulatory entities, the nuclear proponents do not have either the political capital or the empirical evidence to fall back on. Regardless of motivation, the nuclear sector in the United States faces significant shortfalls in its preparedness for cyber attacks.
It is possible that the argument promoted by some in Washington is inherently political – the Department of Energy, after all, did not discuss cyber resiliency until after its nuclear plant subsidy proposal was already denied by FERC.
“
”
