U.S. authorities are investigating a cyber intrusion affecting multiple nuclear power generation sites this year, E&E News has learned.
There is no evidence that the nuclear energy industry’s highly regulated safety systems were compromised. But any cybersecurity breach — targeted or not — at closely guarded U.S. nuclear reactors marks an escalation of hackers’ probes into U.S. critical infrastructure.
Electricity-sector officials confirmed yesterday that they are working to unpack the significance of the secretive cyber event, code named "Nuclear 17."
Asked about the case, a representative from the North American Electric Reliability Corp. (NERC) said the nonprofit grid overseer "is aware of an incident" and has shared information with its members through a secure portal.
U.S. energy utilities pass around information on the latest hacking threats and vulnerabilities through NERC’s Electricity Information Sharing and Analysis Center. That organization "is working closely with the government to better understand any implications this incident might have for the electricity industry," NERC spokeswoman Kimberly Mielcarek said in an emailed statement.
E&E News has reached out to nearly two dozen owners and operators of nuclear power plants for comment. None of the companies that replied by last night shared additional information on the incident, the details of which may be classified.
The case apparently was not severe enough to trigger the public safety alert systems at the Nuclear Regulatory Commission or the International Atomic Energy Agency. Those facts, paired with subsequent statements from operators, strongly indicate that the episode never put nuclear safety directly or immediately at risk.
Patrick Flynn, a spokesman for the utility operator Scana Corp., said "there has been no impact" to its main V.C. Summer Nuclear Generating Station, and added that two expansion units "are being designed and constructed with measures to ensure cybersecurity is protected."
Entergy Corp., which owns and operates nuclear plants across several states, from Louisiana to New York, declined to offer details about the incident, citing corporate security policy. "In keeping with our rigorous procedures to protect our computers and other information systems from cyber and physical harm, Entergy is aware of, but has not been affected by, the recent cyber incident named ‘Nuclear 17,’" spokeswoman Emily Parenteau said in an emailed statement.
Omaha Public Power District, whose only nuclear asset at Fort Calhoun Station is permanently offline and undergoing decommissioning, said in a statement that it was aware of the incident but declined to share details, aside from pointing out that its facilities were not affected.
Nuclear 17 and recent threats
An incident of this kind would almost certainly attract the attention of the Department of Homeland Security and the broader intelligence community, though a DHS spokesman yesterday did not confirm whether the agency was involved. If the threat rises to a certain level, members of Congress with intelligence oversight would also be looped in. Senate staff members, asked for comment yesterday afternoon, would not confirm whether they are looking into the nuclear breach.
Even relatively routine cyber intrusions at sensitive facilities can trigger a high-level response from government and industry, given the potential stakes involved. In another recent nuclear breach, a South Korean state-owned utility reported losing potentially sensitive data to hackers in 2014 and 2015, though the attackers didn’t get into operational systems (Energywire, July 14, 2015).
Earlier this month, however, back-to-back cybersecurity warnings from U.S. officials put grid operators on high alert.
The twin threats came from Hidden Cobra, the U.S. government’s nickname for North Korean government-sponsored hackers, and Electrum, a separate group that cybersecurity firm Dragos Inc. has linked to a first-of-its-kind hacking tool designed to disrupt power grids.
NERC posted its first public alert of the year this month about that grid-focused malware, which Dragos calls "CrashOverride." Experts claim it was used last December to briefly knock out power to part of Ukraine in an attack tentatively linked to Russia-based hackers. DHS issued its own alert about CrashOverride, then followed up with a separate report on a far-reaching campaign of North Korean cyber activity hitting "critical infrastructure sectors" in the United States and globally.
It’s not clear where Nuclear 17 fits into that timeline of recent cyber events. But even if it never jeopardized nuclear processes or grid reliability, a successful breach of non-safety systems at a nuclear power plant is troubling, said David Lochbaum, director of the Nuclear Safety Project for the Union of Concerned Scientists.
"If they are able to introduce mayhem there, what else could they do?" he said.
Nuclear plants had an extra margin of safety in their legacy controls that were "old tech" and thus harder for outsiders to penetrate. "As more and more systems are converted to digital controls, there could be more and more opportunities for problems to crop up, deliberate or inadvertent," Lochbaum said.
"The Nuclear Regulatory Commission and the industry are not unaware of that threat," he added.
Even if safety systems apparently were not affected in Nuclear 17, malicious actions directed against comparatively less critical equipment could still have knock-on effects if hackers managed to unexpectedly disconnect a nuclear plant from the grid, experts say.
Such a sudden disruption would send a pressure "pulse" back to the reactor and turbine, which would still be generating electricity with no place to send it. The reactor would immediately "trip," setting in motion a series of planned actions designed to bring the reactor to a safe shutdown condition.
Control rods would halt the reactor chain reaction, and depending on the type of reactor, valves would open to dissipate energy and backup systems would be triggered. "It’s something that has been anticipated," Lochbaum said. "Plants are designed to handle an instantaneous loss of load."
However, "that response is all predicated on all those things working right," Lochbaum added. "Even though it’s highly reliable, it’s not guaranteed."
It’s not clear if the Nuclear 17 breach posed such a risk, and investigators are still analyzing the incident. If it does emerge that hackers were specifically targeting the nuclear sites, there will be no shortage of potential culprits.
"When it comes to nuclear, let me tell you — everyone’s interested," William "Bill" Evanina, director of the National Counterintelligence and Security Center, said at a nuclear regulatory conference earlier this year.
The scant public information so far makes it difficult to draw conclusions, noted Ralph Langner, a control system security consultant who dissected the secretive Stuxnet worm that infected Iranian nuclear centrifuges in the late 2000s.
"If it’s not safety-related, we’re probably not talking about a ‘nuclear’ incident per se," said Langner, who added that he had not heard about Nuclear 17 prior to being contacted by E&E News. "If you take the safety part away, a cyber incident in a nuclear power plant would be just like a cyber incident in any other power plant — a hydro plant, a coal-fired plant, etc."
Langner pointed to an incident last year that involved old computer viruses cropping up in a nuclear environment in Germany — "not at all" representing a serious, targeted attack on a nuclear environment, he said.