This piece of analysis has been written on behalf of Pacific Forum by members of their Young Leaders Program, and published in partnership with Southeast Asia Globe as part of a weekly series looking at geopolitical issues impacting the Asia-Pacific.
Despite growing competence in the implementation of “hard” cyber security measures to boost cyber resilience and counter information, communications, and technology (ICT) threats across nuclear industrial control systems, cyber and AI remain a constant threat to nuclear safety and security across Southeast Asia and the wider Asia Pacific.
In early February, the Nuclear Energy Experts Group (NEEG) assembled in Singapore to consider and debate ongoing efforts among Southeast Asian nations to facilitate the responsible procurement and use of nuclear technologies, and their support of collaborative initiatives in advancing energy policy in the region through improved nuclear governance measures.
In recent years, Southeast Asian nations have expressed a growing interest in the capabilities and opportunities offered by nuclear power to their developing economies. This has been highlighted under the ASEAN Plan of Action for Energy Cooperation 2016-2025, wherein civilian nuclear energy was highlighted as one of the seven programme areas to develop, and within the 2018 Pre-Feasibility Study on the Establishment of Nuclear Power Plant in ASEAN. The latter represents ASEAN’s latest account on the nature of civilian and commercial nuclear power development in the region.
Nuclear energy has increasingly been seen as a sustainable energy option by ASEAN members, with Southeast Asia set to readily adopt nuclear solutions between 2030 and 2040. However, the adoption of nuclear energy has faced prior difficulties, given public opinions surrounding notable international nuclear safety incidents. The Philippines constructed its first nuclear power plant (NPP) in the mid-1970s at Bataan, only to never activate it following the 1979 Three Mile Island incident.
Likewise, Vietnam had previously sought procurement of the region’s first operational commercial NPP, until abandoning the idea in 2016 due to rising costs and safety concerns following the Fukushima disaster in Japan.
Regardless, both Indonesia and the Philippines are presently actively considering nuclear energy as a means of meeting their developing energy requirements through the procurement of small modular nuclear reactors – both land-based and floating.
The intersection between nuclear energy and cyber security has its origins within the conveniences offered by promising new technological developments in increasing user safety, reducing errors, and reducing operating costs through increased automation. Indeed, the use of digital data and analytics within power plants has been observed in reducing operations and maintenance costs, improving power plant and network efficiency, reducing unplanned outages and downtimes and extending the operational lifetime of assets.
Accordingly, the specific application of AI and cyber within nuclear infrastructure is evident in the use of robotic systems to operate in hazardous conditions in nuclear power plants, the use of AI technology to detect cracks and structural defects in nuclear reactors, and in the efficient operation of pressurised water reactors.
Security and safety concerns have long been considered by governments as foremost in the adoption and use of nuclear energy technologies. This includes active measures to address the theft, trafficking and sale of illicit nuclear materials through regional cooperation under the Global Initiative to Combat Nuclear Terrorism (GICNT), and the Interpol nuclear security program.
While these efforts by the Southeast Asian community have proven effective at addressing traditional physical threats, the rising utilisation of digitally-interconnected systems and Internet of Things (IoT) devices across national critical infrastructure poses a novel and significant threat to the safety and security of a nation’s nuclear facilities.
Within ASEAN, government ministers are increasingly concerned with cybersecurity and counterterrorism, but the lack of discussion on nuclear security during the June 2019 Ministerial Meeting in Bangkok highlights the absence of thought on the intersection between nuclear and cyber security. This lack of concern may be explained by the absence of a nuclear energy power plant in the region, and the still developing state of digital infrastructure across the majority of ASEAN members.
Consequently, ASEAN possesses an incomprehensible structure of consultative, networking, and technical assistance bodies on cyber security – wherein some bodies consider nuclear security, but not in an exclusive context. This includes the Cyber Security Agency of Singapore, and Indonesia’s establishment of a nuclear cyber security doctoral programme.
Nonetheless, a number of high-profile international cyber security incidents targeting various nations’ critical infrastructure over the past decade have elicited concern over the cyber security vulnerabilities present in nuclear facilities globally, and shed light on the anticipated risks posed to the nascent nuclear energy industry in Southeast Asia.
Chief among these is the October 2010 Stuxnet incident, wherein a cyber security attack upon the Iranian Natanz nuclear facility demonstrated the cyber capabilities of a determined state actor to sabotage and damage physical systems in nuclear facilities. The incident involved the introduction of a complex piece of malware into the Natanz facility, designed to interfere with Siemens Industrial Control Systems – specifically the modern supervisory control and data acquisition (SCADA) and PLC systems, present in nuclear facilities globally.
While countries such as the US have implemented cyber security programmes since 2002 to protect digital assets and the information they contain from malicious use, there have been a number of notable cyber incidents involving nuclear facilities over the past several decades, most recently the 2019 cyberattack on India’s Kudankulam nuclear power plant involving North Korean malware designed for data extraction.
These incidents have demonstrated the changing and dynamic nature of attacks targeting national nuclear facilities. Threat vectors have drifted away from traditional physical threats to such facilities, and now include attacks on third parties, social engineering techniques and other innovative methods.
With the elementary state of the nuclear sector in Southeast Asia, the NEEG determined that discussions concerning nuclear safety and cyber security would be beneficial in pre-empting cyber security risks, allowing the implementation of security measures within commercial nuclear facilities. To avoid vulnerabilities, regional governments would be wise to immediately initiate and engage in dialogue over the specific cyber security risks posed at nuclear facilities around the globe.
As Singapore ranks as one of the top ten countries best prepared for cyber-attacks, it stands positioned as the leading ASEAN member able to provide knowledge and guidance on the proper standards to be adopted in creating a stable and secure environment for nuclear development.
But given the apparent safety and security requirements, standard technical cybersecurity solutions are insufficient for nuclear facilities. This necessitates the devising of innovative approaches in technology and the development of human resources to drive a reduction in cyber risk to nuclear facilities – encompassing cybersecurity-by-design, real-time event management, and deployment of cryptography on industrial networks.
Additionally, promoting transparency and confidence building measures between ASEAN members is crucial in building trust, enabling cooperation, and in promoting the wide adoption of minimum cyber security standards. Reducing risk is a fundamentally transnational issue involving multilateral dialogue and cooperation, one which can be supported through the use of science diplomacy in reducing conflict and tensions, and which will facilitate data sharing and joint training exercises.
Further, the institutionalising of cybersecurity into nuclear safety and security must be pursued. Where safety and security were generally considered as separate concerns at nuclear facilities, the widespread use of digital technologies at facilities has eliminated the gap between these areas. Where a cyber incident may result in serious physical consequences, cyber security must be treated with the same rigor as applied to safety and physical security. This requires embedding cyber security into the operation of nuclear facilities across several areas of concern, including in its people and organisational culture, in the design solutions, as well as the facility processes and practices.
Finally, Southeast Asian governments would be wise to adopt proactive threat intelligence measures. This involves the collection of data surrounding potential risks, analysing the nature of threats across cyberspace, and devising appropriate countermeasures to emergent cyber security threats. Doing so enables organisations to stay one step ahead of any aspiring malicious actor. This will help reduce the amount of loss suffered from data breaches, improve the efficiency and capabilities of internal security teams, and reduce an organisation’s overall attack surface to malicious actors in cyberspace.
While regional interest in commercial nuclear energy power plants has intensified, many ASEAN governments have yet to address the cyber-specific challenges arising from the development of nuclear facilities, and must act to do so before it is too late.
While various governments and businesses in ASEAN are increasingly prioritising cyber security in the identification of focus areas, priorities and investment decisions, only 0.06% ($1.9 billion) of the region’s GDP has been invested into the area. Where the region’s digital economy is set to expand six-fold to $200 billion by 2029, increased measures are needed to ensure economic stability and a sustained commitment to cyber security.
Already the average cost of a data breach in ASEAN is $2.62 million, and the average number of records per breach is 22,500. A combination of lax cyber security measures and poor training at nuclear energy power plants would present an acute national security risk – leaving these future facilities vulnerable to attacks from terrorists and determined state actors.
In addressing the cyber-nuclear deficiency in ASEAN, Singapore stands to gain the most as the region’s thought leader in cyber security – having a highly connected economy, highly educated population, and experience in the use of technology across critical sectors like financial services, risk management, and logistics. Similarly, Australia’s offering as a developed and technically capable cyber security leader in the Asia-Pacific will move to address ASEAN’s shortage of local skills and talent – especially given the $7.3 billion cyber security opportunity presented to Australian cyber security businesses in the region.
Ultimately, a cyber security incident is not a question of if, but when. Accordingly, a failure by regional governments to address rising cyber security concerns, and their intersection with nuclear safety and security, will result in catastrophic consequences.
Jonathan Lim is a Young Leader Fellow with Pacific Forum, a solicitor at WiseLaw, and former East Asia Fellow with Young Australians in International Affairs. His expertise spans Chinese foreign policy, cyber warfare, and space law.