3 and a Half Cybersecurity Tips From a Nuclear Pro


As the world becomes more digital, maintaining our cybersecurity is paramount to keeping important information out of the hands of hackers and protecting our vital infrastructure. Perhaps no one understands this more than nuclear professionals, as our plants stand among the most secure facilities in the country.

Bill Gross, NEI’s director of security and incident preparedness—and a seasoned cybersecurity expert for the nuclear industry—shares his tips on keeping yourself safe in the digital age:

Never click links in emails, and never open attachments from people you don’t know

If you click the link or open the attachment, the attacker will establish a virtually bulletproof presence on your computer. In the best case, the attacker prevents you from reading, copying or even deleting all the files on the computer and holds them for ‘ransom.’ It only goes downhill from there: A more patient adversary will access the files, photos and emails in an effort to steal your identity or money. They can even use your computer to directly attack any other computer on your network. It’s a nightmare scenario.

In 2018, Verizon’s Data Breach Investigations Report summarized the findings of over 53,000 cyber incidents. Their report provides the sobering statistic that email was the attack vector in 96 percent of breaches.

At nuclear plants, we address this risk by completely segmenting the systems we rely on for safety and security from all other computer networks. Even the computers that plant personnel use day-to-day have absolutely no connection to the plant networks. The plant networks are a virtual island—there are no connections to the outside.

Use secure passwords, and don’t share them with anyone

In most cases, your username and password are the only things that stand between an attacker and your important accounts and vital information. The possible bad-day scenarios are considerable. Here’s a simple but all-too-common outcome: let’s say a financially motivated attacker gets the password to your email account. He’s just about 5 clicks away from logging into your bank account!

Sadly, the “I forgot my password” feature almost always sends a reset link to your email address that he now has access to. My wife did not change her five-character email account password for 10 years. When she finally did, the motivator wasn’t my nagging; it was when every single Yahoo account was hacked, “3 billion in all.”

At a nuclear power plant, physical access to the plant is needed to access important systems. A password alone is simply not enough. First, you need a valid reason to be inside the plant—someone must specifically request you to be admitted. Second, you will either be under constant escort or you will be processed for unescorted access. To be unescorted, you will be subject to extensive scrutiny—including undergoing personal, education and criminal history background checks; participating in initial and random drug and alcohol testing; undergoing a psychological evaluation; and being subject to a behavioral observation program.

Bad guys need not apply.

Keep your operating system, browser, cybersecurity and all other software up to date

Flaws or weak designs are exactly what a bad guy needs to get a toehold—and a toehold is all that’s needed. Bad guys are constantly searching for software flaws or design weaknesses that will allow them to run software without our knowing, to access information without our knowledge, or to pursue a host of other nefarious purposes.

I spent 10 years as a software developer. The sad reality is that unless you are running one of a handful of very specialized operating systems, your computer has more holes than a slice of Swiss cheese, and you will get compromised (if you aren’t already). Keeping everything up to date minimizes your computer’s exposure time and makes it harder for the bad guy.

Our plants have a program to constantly check for newly identified flaws or exploits of the systems and equipment we use. We confirm that security controls are in place to eliminate or mitigate the flaws. One source of information we use is the National Vulnerability Database—a trove of known vulnerabilities in software or systems. And we have, on several occasions, requested that the U.S. Department of Homeland Security provide detailed briefings on new vulnerabilities or threat campaigns.

“Eternal Vigilance”

The cyber threat is evolving, developing, learning and patient. Tools for cyber exploitation are readily available to the general public. Financially motivated attackers are constantly finding creative cyber-enabled means of separating us from our hard-earned dollars. Hacktivist groups routinely use cyber as a means to make political statements. Nation-states are aggressively using cyber as a means for espionage, to prepare for some as-yet-to-be-identified conflict and to actively project power around the globe.

This is a "half" tip because your job never ends.

Being a successful cyber defender in this arena requires, as my good friend Army Maj. Gen. David Burford reminds me, “eternal vigilance.” Success requires eliminating unnecessary distraction and focusing like a laser on the systems, equipment and information that are vital to our core mission of protecting the health and safety of the public while powering the nation.

Stay Ahead of the Game

U.S. nuclear power plants are world leaders in addressing the cyber threat. Our plants and the U.S. Nuclear Regulatory Commission have been actively working on cybersecurity for nearly 20 years. Our success depends not just on our robust protective measures, but also on our continuous engagements with our federal partners, our private sector partners and among ourselves.

In March, we will have our annual cybersecurity workshop. We will be sharing lessons learned, discussing the latest trends and providing an opportunity for our peers in other countries to learn a little more about what we do every day. Join us in Boston to gain expert knowledge of the best protections for our nuclear assets.
