Bailing out nuclear and coal-fired power plants will not toughen the U.S. power grid against cyber attacks as the Trump administration claims, according to cyber experts, because hackers have a wide array of options for hitting electric infrastructure and nuclear facilities that are high-profile targets.
U.S. President Donald Trump this month directed Energy Secretary Rick Perry to take emergency steps to stem a surge in coal and nuclear plant retirements in recent years, arguing that more shutdowns would leave the country less able to bounce back from disruptions caused by storms, physical attacks, and hackers.
The announcement came as the National Security Council debated a Department of Energy (DOE) memo that said cyber and physical threats are “minimized” at nuclear and coal plants because they can store months of fuel on site to survive a supply cut – unlike natural gas facilities that rely on pipeline networks, or wind and solar installations that need the right weather.
While the administration had been arguing for months that “fuel secure” facilities were important to America’s ability to rebound from storms and physical attacks, its efforts to link plant closures with protection from cyber attacks appeared to open a new front in its support for the coal and nuclear industries.
Chris Bronk, a professor of computer and information systems at the University of Houston, said he could not endorse the idea.
“I don’t see where a policy of keeping open aging infrastructure that would shut unless there was federal markets intervention keeps us any safer from cyber attacks,” he said.
Bronk said coal plants, train deliveries and transmission systems are just as susceptible to hackers as gas pipelines, and added that, while nuclear facilities are tough targets, the stakes involved in a successful nuclear cyber attack are enormous – potentially involving an accident that leaks radioactivity and hits surrounding communities.
Nuclear power backers stress that reactors are protected from hackers by so called “air gaps” isolating them from unsecured networks.
But Bronk said air gaps are not impervious to attackers that may seek to gain information such as worker and maintenance schedules from administrative networks over long periods of time.
“Those are the control systems that frighten me to no end,” Bronk said.
Sergio Caltagirone, the director of threat intelligence at cyber security company Dragos, agreed that bailing out nuclear and coal plants offers little protection.
“I do not expect this policy shift to deliver any additional cyber security resilience based on the threats we’re actively monitoring,” Caltagirone said.
“ONE FELL SWOOP”
A DOE official, who spoke on the condition of anonymity, said the agency recognizes that cyber security risk permeates every energy source.
But the official said there is concern that natural gas’s role has grown too rapidly in the last decade, making the grid vulnerable to hacks on pipelines that could knock out 10 to 15 natural gas plants “in one fell swoop.”
While the administration talks about gas pipelines, nuclear plants have also been attacked.
In March, the Trump administration blamed Russia for seeking to penetrate multiple types of infrastructure including nuclear, water and manufacturing.
And last July, news reports said Wolf Creek Nuclear Operating Corp, which runs a nuclear power plant in Kansas, had been targeted by hackers. Wolf Creek said there was no operational damage and sensitive systems were separate from the corporate network.
Ben Garber, a cyber security engineer for Ultra Electronics, 3eTI, said the government should put greater focus on encouraging power utilities to strengthen security against attacks, as it has with the financial and health industries.
The DOE said in February it is forming an office of cyber security to do that. Trump’s fiscal year 2019 budget included $96 million to fund it but Trump has not yet nominated a leader to run it.
Cameron Camp, a researcher at Slovakian anti-virus software maker ESET said the push to subsidize coal and nuclear seemed more about saving blue collar energy jobs than boosting resiliency.
“It’s trying to kill multiple birds with one stone, rather than take a holistic view of the structural problems with the grid itself,” said Camp.