August 31, 2021 –The recent ransomware attack on Colonial Pipeline, a pipeline system in the Southeastern U.S., halted pipeline operations and resulted in a regional emergency declaration for 11 states. The event demonstrated the impact a cyberattack can have on critical infrastructure. In the case of nuclear power, safety is the number one concern for utilities. Sargent & Lundy provides cybersecurity services to our clients that ensure nuclear safety is not compromised by the introduction of digital equipment.
On May 7, a cyberattack was launched against the Colonial Pipeline, approximately 5,500 miles of pipeline that carry gasoline, jet fuel, and other refined petroleum products from Texas to New Jersey.[i] The pipeline supplies about 45% of the East Coast’s fuel.[ii]
The hackers were able to infiltrate Colonial Pipeline’s IT systems and upload ransomware to steal data and lock files. In response to the attack, Colonial shut down parts of the pipeline’s operation with the intent of minimizing the extent of the attack. The only way to unlock the files and prevent a leak of the data was to pay a hefty ransom of approximately $5 million to the group responsible.[I]
In addition to a substantial financial loss, this attack resulted in a major interruption to part of the country’s critical infrastructure on the East Coast. This caused the public to panic and purchase gasoline in bulk, leading many gas stations to completely run out of gasoline. The combination of the cyberattack and ensuing panic caused gas prices to rise considerably in Southeastern cities. In fact, the national average for a gallon of gas rose above $3 for the first time since 2014.[iii]
Could nuclear safety systems be similarly compromised?
The results of the Colonial Pipeline attack demonstrate the impact a cyberattack can have on critical infrastructure and reinforces the need for robust cybersecurity programs, training, and controls. With the increased use of digital equipment in nuclear power, many are questioning if nuclear plants may be susceptible to the same type of attack.
Nuclear plants employ a defense-in-depth strategy that eliminates the potential for an outside organization to remotely access operational monitoring and control systems. Within the plant, access to critical digital systems is limited to certain individuals who have been vetted and are appropriately trained. In addition, cybersecurity hardware and software controls are integrated into any component or system design. With a combination of strong technical and programmatic cybersecurity controls, redundancy, training, and fail-safe designs, power production and safety systems are well protected.
Sargent & Lundy’s team of subject matter experts have designed, implemented, and protected modern digital systems with robust cybersecurity controls across the U.S. commercial nuclear fleet. Applying cybersecurity controls for nuclear plants requires more than just knowledge of cybersecurity. A unique skillset of nuclear plant system design and a thorough understanding of NRC regulations and industry guidance along with cybersecurity expertise is required to adequately protect nuclear plants. Our unique experience designing and constructing nuclear plant systems over the past 65 years and extensive cybersecurity expertise position us as industry leaders.
As the threat landscape evolves, so do we. We assist our clients in evaluating digital system designs and maintaining robust cybersecurity programs. Our cybersecurity services include critical system and critical digital asset determinations and assessments, defensive network design, security control implementation, procedure development, NRC inspection support, incident response, staff training, and more.
Our team is ready to meet the challenge to protect critical infrastructure and the population it serves.