Stuxnet and Cybersecurity

When Duke Energy’s first nuclear reactor began operation in 1973, “cybersecurity” was a term that most people had never heard of. Today, not only is cybersecurity top of mind, October has been designated as National Cybersecurity Awareness Month. The focus is on educating Americans about the risks of cyberspace and offering simple steps that everyone can take to protect themselves online. At Duke Energy, cybersecurity is an important part of our nuclear security program. 

While computer worms and viruses have been infiltrating systems for decades, none have been as devastating as the computer worm Stuxnet. Computer worms are computer viruses that can replicate themselves to any PC that is connected to an infected machine. First detected in 2009, experts believe Stuxnet to be the first computer worm created to target real-world infrastructures. Experts believe Iran’s Bushehr Nuclear Plant was Stuxnet’s intended target, calling it the world’s first cyber weapon.

It is reported that Stuxnet entered the computer system of the underground uranium centrifuge plant and spread throughout the network.  It then searched for the software controlling the action of high speed motors.  When it found the motors in question, it sped up the revolution speed by approx 33 percent and held the speed for 15 minutes. Because the centrifuges were running at speeds close to critical, this increase in speed caused damage in the bearings and structures of the centrifuges.  The worm then went dormant for 27 days.

When the worm became active again, it slowed the centrifuges from 1064 revolutions per second to a mere two revolutions per second for a total of 50 minutes.  This action allowed the uranium to mix back together, undoing all the separating of isotopes that had previously been done.  The worm went dormant again, then repeated the cycle two weeks later. 

Because the worm controlled the computers operating the centrifuges, it could block the alarms that operators use to detect changes.  It made itself invisible and the operators had no idea that things had changed.

Although experts agree Stuxnet used specific information that made Bushehr its intended target, the code is now an open source, available to anyone. For that reason, many businesses such as power stations and water plants have increased and changed their security measures to insure their facilities remain safe.  

Because the Stuxnet worm targets a specific Siemens software component that is not used in Duke Energy’s nuclear stations, there were no nesting sites available for the infection.  No Duke Energy nuclear stations were infected by the worm. 

Duke Energy’s nuclear stations, like all nuclear stations, are protected from grid instability with backup power supplies that provide for safe reactor shut down in the event of a blackout.   Safety and control systems at Duke Energy nuclear stations are not connected to the internet. 

Duke Energy’s cybersecurity teams are well aware of the threats and dangers that exist in cyberspace.  The Nuclear Regulatory Commission requires all power reactor facilities that have been licensed to have a cybersecurity plan in place.  The parameters of these cyber security plans are confidential. 

The nuclear industry as a whole has been researching and addressing these issues, even increasing cybersecurity requirements since 9/11. The NRC added cyber attacks to the adversary threat types the plants must be able to defend against, elevating cybersecurity yet again.

Because safety and security are always top priorities, Duke Energy’s cybersecurity teams are constantly working to keep the nuclear plants safe. The teams continue to perform plan assessments, update the plan and implement new standards/controls as necessary. 

Cybersecurity will continue to change and evolve and Duke Energy will do the same.

For real-time updates, follow us on Twitter

Follow Blog via Email

Enter your email address to follow this blog and receive notifications of new posts by email.

Check out our new Facebook page