01/23/12 Paper - Cyber Security for Nuclear Power Plants


Article
Washington, DC
Share

Cyber Security for Nuclear Power Plants[1]

Prepared by

Prof. Maurizio Martellini, IWG-LNCV and University of Insubria, Como, Italy

Dr Thomas Shea, IWG and TomSheaNuclear Consulting Services, West Richland, WA, US

Dr. Sandro Gaycken, IWG and Freie Universität, Berlin, Germany

January 2012

Setting the Stage

Nuclear power plants may be vulnerable to cyber attacks, which might – in extreme cases – lead to substantial releases of radioactive material with consequent loss of lives, radiation sickness and psycho-trauma, extensive property destruction and economic upheaval.

Today’s cyber attacks are made on computer systems operated for a wide spectrum of purposes. Until now, no cyber attacks on nuclear power plants have resulted in releases of radioactive material, but the trends are disquieting.[2] The objective of a cyber attack may not be to cause death and destruction, for example, but to disrupt the operation of a nuclear facility, to inflict economic damage, to embarrass government or utility officials, to blackmail companies, to get even, or just to test one’s skills or to see what happens. There is even a risk of cyber attacks aimed at other targets migrating into nuclear facilities and causing unpredictable damages. The overly large distribution of Stuxnet has demonstrated this possibility.[3] Given the potential for great harm, any successful cyber attack on a nuclear facility would – at the least – undermine confidence in the ability of the State to be a responsible host and the owner and operator to run the facility in a safe and secure manner.

Cyber attacks may be intended to have local and limited effects, but radioactive material ejected from a failed reactor pays no heed to national boundaries.

Foreign governments, groups hostile to the government of a given State, or individuals motivated by greed, hatred or curiosity may carry out cyber attacks. The systems intended to deter and defeat such threats must address all potential perpetrators, taking into the consideration the range of motivations noted above:

a. Cyber attacks carried out by the citizens of a State against targets within that State may violate the laws of the State intended to protect the public health and welfare and may be identified as acts of domestic terrorism;

b. Cyber attacks created by activities outside the targeted State or affecting other States in addition to the targeted State may be considered as acts of international terrorism; [4]

c. Cyber attacks carried out by or under the aegis of foreign governments may be considered as acts of war; [5]

d. Cyber attacks in certain circumstances might be classified as crimes against humanity. [6]

Contemporary nuclear power plants rely extensively on a large and diverse array of computers for a host of tasks. Some computers may play a role in monitoring or controlling the operation of the reactor itself or of ancillary systems. The nuclear power plant operating and technical support staff commonly uses computer networks, and connections may exist between these systems and plant control systems, sometimes known, sometimes not known. If the hard- or software used is modified or replaced, the reactor might be forced into an accident and the emergency response systems may fail to prevent calamity.

In principle, a plant employee acting alone might accomplish such an attack either acting on his/her own volition or under duress. Or, fabricated hardware or software introduced into the plant might contain surreptitious instructions that might be activated according to preset conditions, once in use.[7] Or, an attempt may be made to hack into the protective systems making it possible to take over the plant controls externally, from within the plant, within the State or virtually anywhere in the world.

Some such scenarios are known and have even been tested:

  • In one case, a group of hackers successfully manipulated the displays in the operating center, forcing the employees into false and potentially catastrophic reactions.
  • In another case, hackers were able to gain control of the cooling system of a nuclear power plant.[8]

Hacking in general and attacks on “protected” computer systems are becoming increasingly common and more sophisticated. All of these concerns above demand robust proactive countermeasures to prevent successful cyber attacks – the cost of inadequate protection may be disastrous. While reported nuclear cyber attacks events are rare no so far not cataclysmic, the threat trajectory suggests that ignoring cyber security may place individual nuclear power plants at risk, some more seriously than others.

Moreover, in addition to the direct consequences of a successful attack, the axiom that ‘an accident in any nuclear power plant is an accident in all nuclear power plants,’ would likely extend to a security event – including a cyber attack. A successful cyber attack on a nuclear reactor with substantial consequences would undermine global public confidence in the viability of nuclear power.

Some states are apparently establishing the ability to engage in such attacks, probing defensive barriers, exercising tests of cyber weapons or simply protecting their security by creating the ability to engage in cyber warfare in case the need arises.

Cyber security in relation to nuclear facilities is under increasing scrutiny. It is described in many publications, nowhere more cogently than in a “backgrounder” note provided by the U.S. Nuclear Regulatory Commission. That note is included in the Annex A to this document.

The 2012 Nuclear Security Summit in Seoul will take up the issue of cyber security. The Summit should address the key underlying questions in order to establish a future course of actions. How real is the threat? How and when should it be addressed? What mechanisms already exist for the international community to combat this global menace? What else is needed? What should the Summit agree to, and what steps should be taken collectively following the Summit – directly, as part of the Security Summit process, and indirectly, by States, international organizations and other bodies?

Domains for Engagement

The extent to which a nuclear power plant is vulnerable to such attacks will depend upon the design of the plant,[9] the technical and organizational history of the plant, how and which computers are used, whether the computers allow for internal and/or external networked interactions, and how effective the countermeasures employed are at preventing such attacks or mitigating the consequences of any attacks that succeed.

Some problems can best be dealt with nationally while others have to be dealt with internationally. National approaches can mobilize national technological and legal assets, giving less cause for dispute. International efforts should be driven by three concerns: firstly, the fact that a threat against a State may originate in a foreign land and the impact could affect other States; secondly, that a threat to one State today may presage an attack on another tomorrow; and thirdly, that international investment may help to strengthen the resolve of the international community and may provide more robust and secure hard- and software.

While nuclear cyber threats are in many ways unique, the security environment reflects interests common to other concerns. The security cycle presented below provides opportunities for engagement and collaboration at various levels.

1. Threat definition: Each State and each nuclear utility must assess the potential for cyber attacks that could result in major consequences. Specific models for threat assessment have to be developed to achieve this kind of oversight. Anticipating cyber threats from past events has not proven to be a viable method. Cyber threat modeling must include the types of malicious actors in question, their differing capacities for cyber attacks, the costs and benefits of attacks, typical and individual vulnerabilities providing potential attack vectors and) the security profile for the State, including the extent to which adversaries threaten the State, and the extent to which cyber attacks occur. [10] Cyber threat modeling should quantify and rank the threats and identify appropriate countermeasures. (The IAEA offers assistance to States seeking to develop a design basis threat to serve as the basis for all protective measures, and its mission could be expanded along these lines.[11])

2. Legal infrastructure:

a. The international community needs to review regularly whether the treaties and other measures in place are adequate. Such measures should reflect the fact that a cyber attack on a nuclear power plant with the intention of substantial radiation releases should be considered as act of terrorism and hence be prohibited by the International Convention for the Suppression of Acts of Nuclear Terrorism[12] or a crime against humanity subject to other relevant anti-terrorism treaties, the Convention on the Physical Protection of Nuclear Material, the Nuclear Safety Convention.

b. It is incumbent on the national government of each State to establish an inter-departmental response to the threat of cyber attacks on nuclear power plants, including its national security structure in all of its dimensions. It may be appropriate to define such arrangements within an existing governmental body or to create a new agency for this and related purposes.

c. It is further incumbent on each national government to enact legislation together with subordinate regulations and guidelines consistent with its legal structure and the threats it faces, in conformance with its treaty obligations and other considerations.

3. Intelligence: It is essential for a State to continually search for information on States, organizations and individuals who might engage in cyber attacks, and to devise appropriate response mechanisms. While protecting sensitive sources, each government should keep all nuclear utilities informed of emerging threat information. Nuclear utilities in turn have to be able to comprehend threat information and assess their individual potential impact.

4. Capability development: Each State must determine its national requirements and seek to establish national programs to detect, block and determine the source of hacking attacks. If detection is unlikely to be effective, security concepts have to be developed which compensate the loss of capabilities of early warning and crisis management. Capability development also includes educating experts to specialize in cyber security. (Standardized educational certifications to signify sufficient expertise are necessary and need to be created.) Cooperation with trusted States or international organizations could significantly enhance the cost-effectiveness of national and utility programs.[13], [14], [15]

5. Cyber security systems implementation: At the level of each reactor, the utility should implement a robust system aimed at reducing potential vulnerabilities and preventing cyber attacks. Such a system should include the following elements:

a. A detailed IT mapping of each nuclear facility;

b. Limiting network access, preferably disconnecting all critical areas from networks;

c. Highly hardened information security with standards to be determined by international bodies;

d. Capabilities for detecting abnormal instructions;

e. Capabilities for detecting attempts to gain access or to escalate access privileges;

f. Provisions and procedures for informing the national command authority;

g. Provisions and procedures for engaging law enforcement, as appropriate; and

h. Provisions and procedures for informing international bodies, as agreed by the national government.

6. Law enforcement: Depending on the circumstances of individual attacks, the site security force, local law enforcement, national law enforcement and international bodies, especially Interpol, should be prepared to respond and be engaged as soon as possible.[16] Law enforcement agencies have to develop sufficient capacities in the field of IT-forensics, including the undeveloped field of IT-forensics of Industrial Control Systems (ICS).

7. System assurance: What steps should be taken at each level from a specific nuclear power plant up to the international community to guarantee that adequate protection is in place. Controls should be implemented to monitor compliance. Liabilities for non-compliance should be formulated. In addition, methodologies and certificates have to be given out to distinguish insufficient security technologies and configurations from effective ones.

8. Lessons learned: Characteristics of each attempt should be analyzed to determine the need for system modifications. Reviews of cyber attempts should be broadened to include the national government and all nuclear utilities, neighboring States (excluding adversaries), and the international community. To ensure cooperation, protocols for trusted information sharing have to be created and obligations to disclose such information have to be formulated.

Nuclear terrorism and the proliferation of nuclear weapons

Concerned with the threats associated with the proliferation of nuclear weapons, over the years the international community has created a remarkable nonproliferation regime. It is imperfect, as all things human are, but it is extensive and represents something unique in international relations. It is and likely will always remain a work in progress, evolving to meet new challenges and implementing new capabilities. Its elements are shown in Table 1. Its extent and pervasiveness reflect the all nations except for the remaining few interested in acquiring nuclear arsenals support the regime and continue to join in additional steps to make it perfect.

Authorities

Actors

Activities

National Laws and Regulations

Public (or parts thereof)

Create Nonproliferation Culture Diminishing Appeal of Nuclear Weapons

UN Charter, esp. Chapter VII

Sovereign National Governments and Agencies

Encourage States to Accept Binding Nonproliferation Commitments

UN Security Council Resolutions (including 1540)

Regional Control Bodies (EURATOM, ABACC)

Promote Proliferation-Resistant Nuclear Technology and Commercial Arrangements

Proliferation Security Initiative Agreed Principles

United Nations and UN Security Council

Obtain Intelligence and Other Information on a State’s Nuclear Activities

Treaty for the Nonproliferation of Nuclear Weapons (the NPT

International Atomic Energy Agency (IAEA)

Verify Design Information, Absence of Diversion or Clandestine Production of Nuclear Material, Weaponization

IAEA Statute

Nuclear Suppliers Group and Zangger Committee

Investigative Reporting, Scholarly Analysis

IAEA Safeguards Agreements

Nuclear Vendors

Deny Suspicious Export Requests and Notify Appropriate States & Organizations

Nuclear Suppliers Group and Zangger Committee

Nuclear Facility Operators

Interdict Illicit Trafficking in Nuclear Materials

Nuclear Supply Commercial Contracts

Non-governmental Organizations (e.g., World Institute of Nuclear Security, World Nuclear Association)

Use Diplomacy to Address Suspected Acts of Noncompliance

Nuclear Facility Policies, Procedures and Practices

Professional Societies (e.g., Institute of Nuclear Materials Management, European Safeguards Research & Development Association)

Apply Sanctions to Compel Compliance

Nuclear Weapon Free-Zone Treaties

National Laboratories and Universities

Employ Military Force as a Last Resort

Comprehensive Test Ban Treaty (not in force)

Armed Forces

Fissile Material Cutoff Treaty (negotiations not underway)

Table 1.

The International Nonproliferation Regime is the sum of its authorities, actors and activities. Readers are advised to use the Table as three separate lists. More than one of the elements in one column will influence or be affected by more than one element in the other columns. The Table is useful for determine interrelationships and steps to be considered when addressing specific situations.

It may be appropriate now to create a parallel table describing the national and international measures undertaken in relation to the prevention of nuclear terrorism, including cyber-terrorism, even if the likelihood of cyber terrorism is very low at present.

Cyber attacks may be directed at military or civilian targets including virtually any computer used for any purpose. Nuclear power plants or fuel cycle facilities could be attacked by other means involving force or guile; attacks by military forces are not within the scope of the Summit,[17] however, attacks aimed at taking over or destroying nuclear power reactors carried out by paramilitary forces clearly is and on that basis, nuclear cyber attacks should be addressed.

Recommended actions for the Seoul Nuclear Security Summit

Taking into account the potentially extreme consequences of a cyber attack on a nuclear reactor (especially) or on a nuclear fuel cycle facility, recognizing that nuclear facilities may already be reasonably well protected against credible threats today, and acknowledging that the trajectory of threats is a matter of uncomfortable speculation, we believe that the Seoul Nuclear Security Summit should take prudent steps to ensure that the peaceful use of nuclear energy is not vulnerable to cyber attack and that the international efforts directed as a result of this consideration are chosen so as to build strength and trust among States embarking on prudent and legitimate peaceful uses of nuclear energy. We recommend the following specific steps.

1. Definitions

The Summit should seek to define terms related to this topic, including nuclear cyber threat, nuclear cyber attack and nuclear cyber security according to the potential for damage, the motivation and the outcome; e.g., as presented above. The definitions should include the full range of possible attacks, ranging from those made by clever individuals to attacks mounted by or on behalf of a hostile government or terrorist organization.

a. Cyber attacks carried out by the citizens of a State against targets within that State may violate the laws of the State intended to protect the public health and welfare and may be identified as acts of domestic terrorism; [18]

b. Cyber attacks created by activities outside the targeted State or affecting other States in addition to the targeted State may be considered as acts of international terrorism;

c. Cyber attacks carried out by or under the aegis of foreign governments may be considered as acts of war; [19] or

d. Cyber attacks may be considered as crimes against humanity. [20]

2. Legal authority

The Summit should create the legal frameworks necessary to ensure that states protect themselves against domestic and international nuclear cyber attacks:

a. Each state should enact and enforce legislation to prevent cyber attacks on nuclear reactors and nuclear fuel cycle facilities, detect and apprehend perpetrators and punish individuals or organizations operating within the territory of a state responsible for or abetting such activities.

b. States should examine the provisions of existing conventions (especially the Convention for the Suppression of Acts of Nuclear Terrorism and the Convention for the Physical Protection of Nuclear Material) with the intention of identifying interpretations and/or modifications as necessary to extend their provisions to include domestic and international nuclear cyber-terrorism.

c. Using once again its extraordinary authority under Chapter VII of the Charter of the United Nations, the Security Council should determine whether existing Resolutions 1373[21] and 1540 should be amended to address nuclear cyber terrorism, and whether under specific circumstances acts of nuclear cyber terror should be identified as crimes against humanity.

d. The Summit should examine the role of specific regional and international organizations in relation to the prevention, detection and resolution of nuclear cyber attacks, to seek a clear and streamlined ability to confront the threats of nuclear cyber-terror, including Interpol, the International Telecommunications Union (ITU), the UN Group on Information Security, the International Atomic Energy Agency, EURATOM and ABACC.

3. Protective measures

The Summit should organize and oversee investigations into technical and administrative barriers that would prevent cyber attacks from succeeding. 

4. Capability

The Summit should:

a. Define the specific human skills required to protect against nuclear cyber-terrorism, and create internationally recognized standards and certifications to confirm that the people involved are adequately prepared for their work;[22]

b. Identify education and training institutes engaged in this field and encourage cross fertilization;

c. Encourage the development and presentation of “best practices” in cyber security;[23]

d. Encourage further work by professional societies and national bodies to create standards affecting cyber security;

e. Encourage continued R&D into protection against cyber attacks on nuclear reactors and nuclear fuel cycle facilities;

f. Define computer hardware and software intended to be immune to cyber attacks;

g. Using probabilistic risk assessments identifying failure modes for nuclear reactors and nuclear fuel cycle facilities, define methods and procedures for facility officials and national security officials to test the adequacy of applied counter-cyber terrorism systems;

h. Define mechanisms for detecting the source of cyber attacks;

i. Establish communication arrangements and associated security protocols to facilitate information sharing and problem solving; and

j. Remain seized of the issue and the importance of prevention. 

5. Creation & sharing of relevant national & international intelligence

The Summit should encourage states to share intelligence on evolving threats and information associated with the source of any attack.

6. Cyber security systems implementation

The Summit should explore alternative means through which states seeking assurance in the cyber security systems they employ could provide advice, recommendations on system hardware, software, expert advice, quality assurance and certification, including performance requirements for facility-level systems, national systems, and the response capabilities suitable for local law enforcement.

7. Law enforcement

The Summit should provide encouragement and possibly funding as needed to assist States concerned about their ability to protect against nuclear cyber attacks. The Summit should ensure that essential international bodies receive cooperation and financial support as necessary to excel in performing their required functions.

8. Lessons learned

The Summit should create a mechanism for reviewing progress in relation to the prevention of nuclear cyber terrorism, including progress by States, advancement of counter-cyber terrorism measures, and systematic a posteriori reviews of attacks that have occurred – including those that fail and those that succeed.


-------------------------

Annex 1. The following is an NRC Background Note on Cyber Security[24]

Cyber Security

Background

Nuclear facilities use digital and analog systems to monitor and operate equipment, and to obtain and store vital information. Analog systems do their job by following “hard-wired” instructions, while digital computer-based systems follow instructions (software) stored in memory. In addition, many plant computer systems are now linked to digital networks that extend across the plant, performing safety, security and emergency preparedness functions. Protecting these critical digital assets and the information they contain from sabotage or malicious use is called cyber security. All power reactor facilities licensed by the NRC must have a cyber security program.

Cyber Security Requirements After 9/11

Shortly after the terrorist attacks of Sept. 11, 2001, the NRC ordered its nuclear power plant licensees to enhance their overall security. The order included specific requirements for addressing certain cyber security threats and vulnerabilities. The order contains sensitive information and is not available to the public.

A year later, the NRC issued another order that, for the first time, added cyber attacks to the adversary threat types the plants must be able to defend against. This order also contains sensitive information and is not available to the public.

In October 2004, the NRC again addressed cyber security concerns by publishing a self-assessment tool for use by nuclear power plants. In 2005, the NRC also endorsed a program developed by the Nuclear Energy Institute to help nuclear power reactor licensees establish and maintain cyber security programs at their facilities. Additional cyber security guidance was published in January 2006 and March 2007. It included specifics for designing, developing and implementing protective measures for digital instrumentation and controls used in nuclear safety-related applications.

In March 2009, the NRC issued a new cyber security rule. This new section of the NRC Code of Federal Regulations, “Protection of Digital Computer and Communications Systems and Networks” (10 CFR 73.54), affected existing nuclear power reactor licensees and those corporations applying for new reactor licenses. The new regulation requires licensees to submit a new cyber security plan and an implementation timeline for NRC approval. The plan must show how the facility identified (or would identify) critical digital assets and describe its protective strategy, among other requirements.

Most recently, in January 2010, the NRC published a Regulatory Guide that provides comprehensive guidance to licensees and applicants for licenses on an acceptable way to meet the requirements of 10 CFR 73.54. The guidance includes recommended best practices from such organizations as the International Society of Automation, the Institute of Electrical and Electronics Engineers, and the National Institute of Standards and Technology, as well as guidance from the Department of Homeland Security. This guide is publically available.

How the NRC Regulates Cyber Security Power reactor licensees and those seeking permission to construct and operate new reactors must prove that their digital computer and communication systems and networks are protected against cyber attacks, including those systems and networks associated with:

  • safety-related and important-to-safety functions,
  • security functions,
  • emergency preparedness functions, including offsite communications, and
  • support systems and equipment important to safety and security.

To do this, they must submit a plan describing how the facility’s cyber security program has been or will be established and maintained to meet the cyber security requirements added to 10 CFR. The plan is submitted to the NRC for review and approval and must account for any site-specific conditions that might affect implementation. The NRC cyber security staff then reviews it, and may need to ask for additional information as part of the review. If the NRC finds that the cyber security plan meets the requirements of 10 CFR 73.54, the staff issues a Safety Evaluation Report. Once approved, the plan becomes part of the site’s operating license and is enforceable.

Ongoing Actions of the NRC Cyber Security Staff

Defending against hackers, criminals, and cyber terrorists is a complex endeavor that involves facing a changing and evolving threat. The NRC’s cyber security team includes technology and threat assessment experts who team with other federal agencies and the nuclear industry to evaluate and help resolve issues that could affect digital systems. This team makes recommendations to other offices within the NRC and is also designing a cyber security inspection program for future implementation. All sites will be required to satisfy those inspection requirements.

In addition, the NRC is collaborating with the Federal Energy Regulatory Commission, the North American Electric Reliability Corporation (NERC) and other organizations on cyber security. The NRC has signed a Memorandum of Understanding with NERC to clarify the regulatory roles and responsibilities of each organization, including inspection protocols and enforcement actions. This MOU ensures a continuity of cyber security oversight that extends from the plant itself to the electrical grid as a whole.

To be successful in combating the cyber threat, the NRC, and its government and private sector partners must continue to build on their relationships and make use of advances in technology. That partnering, when combined with the use of technology, helps ensure that cyber attacks at both prevented and deterred.

 


April 2010

28/09/2001

Press Release
SC/7158

Security Council

4385th Meeting (Night)

SECURITY COUNCIL UNANIMOUSLY ADOPTS WIDE-RANGING ANTI-TERRORISM RESOLUTION;

CALLS FOR SUPPRESSING FINANCING, IMPROVING INTERNATIONAL COOPERATION

Resolution 1373 (2001) Also Creates Committee to Monitor Implementation

Reaffirming its unequivocal condemnation of the terrorist acts that took place in New York, Washington, D.C., and Pennsylvania on 11 September, the Security Council this evening unanimously adopted a wide-ranging, comprehensive resolution with steps and strategies to combat international terrorism.

By resolution 1373 (2001) the Council also established a Committee of the Council to monitor the resolution’s implementation and called on all States to report on actions they had taken to that end no later than 90 days from today.

Under terms of the text, the Council decided that all States should prevent and suppress the financing of terrorism, as well as criminalize the willful provision or collection of funds for such acts. The funds, financial assets and economic resources of those who commit or attempt to commit terrorist acts or participate in or facilitate the commission of terrorist acts and of persons and entities acting on behalf of terrorists should also be frozen without delay.

The Council also decided that States should prohibit their nationals or persons or entities in their territories from making funds, financial assets, economic resources, financial or other related services available to persons who commit or attempt to commit, facilitate or participate in the commission of terrorist acts. States should also refrain from providing any form of support to entities or persons involved in terrorist acts; take the necessary steps to prevent the commission of terrorist acts; deny safe haven to those who finance, plan, support, commit terrorist acts and provide safe havens as well.

By other terms, the Council decided that all States should prevent those who finance, plan, facilitate or commit terrorist acts from using their respective territories for those purposes against other countries and their citizens. States should also ensure that anyone who has participated in the financing, planning, preparation or perpetration of terrorist acts or in supporting terrorist acts is brought to justice. They should also ensure that terrorist acts are established as serious criminal offences in domestic laws and regulations and that the seriousness of such acts is duly reflected in sentences served.

By further terms, the Council decided that States should afford one another the greatest measure of assistance for criminal investigations or criminal proceedings relating to the financing or support of terrorist acts. States should

also prevent the movement of terrorists or their groups by effective border controls as well.

Also by the text, the Council called on all States to intensify and accelerate the exchange of information regarding terrorist actions or movements; forged or falsified documents; traffic in arms and sensitive material; use of communications and technologies by terrorist groups; and the threat posed by the possession of weapons of mass destruction.

States were also called on to exchange information and cooperate to prevent and suppress terrorist acts and to take action against the perpetrators of such acts. States should become parties to, and fully implement as soon as possible, the relevant international conventions and protocols to combat terrorism.

By the text, before granting refugee status, all States should take appropriate measures to ensure that the asylum seekers had not planned, facilitated or participated in terrorist acts. Further, States should ensure that refugee status was not abused by the perpetrators, organizers or facilitators of terrorist acts, and that claims of political motivation were not recognized as grounds for refusing requests for the extradition of alleged terrorists.

The Council noted with concern the close connection between international terrorism and transnational organized crime, illicit drugs, money laundering and illegal movement of nuclear, chemical, biological and other deadly materials. In that regard, it emphasized the need to enhance the coordination of national, subregional, regional and international efforts to strengthen a global response to that threat to international security.

Reaffirming the need to combat by all means, in accordance with the Charter, threats to international peace and security caused by terrorist acts, the Council expressed its determination to take all necessary steps to fully implement the current resolution.

The meeting, which began at 10:50 p.m., adjourned at 10:53 p.m.

Resolution

The full text of resolution 1373 (2001) reads as follows:

“The Security Council,

“Reaffirming its resolutions 1269 (1999) of 19 October 1999 and 1368 (2001) of 12 September 2001,

“Reaffirming also its unequivocal condemnation of the terrorist attacks which took place in New York, Washington, D.C., and Pennsylvania on 11 September 2001, and expressing its determination to prevent all such acts,

“Reaffirming further that such acts, like any act of international terrorism, constitute a threat to international peace and security,

“Reaffirming the inherent right of individual or collective self-defence as recognized by the Charter of the United Nations as reiterated in resolution 1368 (2001),

“Reaffirming the need to combat by all means, in accordance with the Charter of the United Nations, threats to international peace and security caused by terrorist acts,

“Deeply concerned by the increase, in various regions of the world, of acts of terrorism motivated by intolerance or extremism,

“Calling on States to work together urgently to prevent and suppress terrorist acts, including through increased cooperation and full implementation of the relevant international conventions relating to terrorism,

“Recognizing the need for States to complement international cooperation by taking additional measures to prevent and suppress, in their territories through all lawful means, the financing and preparation of any acts of terrorism,

“Reaffirming the principle established by the General Assembly in its declaration of October 1970 (resolution 2625 (XXV)) and reiterated by the Security Council in its resolution 1189 (1998) of 13 August 1998, namely that every State has the duty to refrain from organizing, instigating, assisting or participating in terrorist acts in another State or acquiescing in organized activities within its territory directed towards the commission of such acts,

“Acting under Chapter VII of the Charter of the United Nations,

“1. Decides that all States shall:

“(a) Prevent and suppress the financing of terrorist acts;

“(b) Criminalize the willful provision or collection, by any means, directly or indirectly, of funds by their nationals or in their territories with the intention that the funds should be used, or in the knowledge that they are to be used, in order to carry out terrorist acts;

“(c) Freeze without delay funds and other financial assets or economic resources of persons who commit, or attempt to commit, terrorist acts or participate in or facilitate the commission of terrorist acts; of entities owned or controlled directly or indirectly by such persons; and of persons and entities acting on behalf of, or at the direction of such persons and entities, including funds derived or generated from property owned or controlled directly or indirectly by such persons and associated persons and entities;

“(d) Prohibit their nationals or any persons and entities within their territories from making any funds, financial assets or economic resources or financial or other related services available, directly or indirectly, for the benefit of persons who commit or attempt to commit or facilitate or participate in the commission of terrorist acts, of entities owned or controlled, directly or indirectly, by such persons and of persons and entities acting on behalf of or at the direction of such persons;

“2. Decides also that all States shall:

“(a) Refrain from providing any form of support, active or passive, to entities or persons involved in terrorist acts, including by suppressing recruitment of members of terrorist groups and eliminating the supply of weapons to terrorists;

“(b) Take the necessary steps to prevent the commission of terrorist acts, including by provision of early warning to other States by exchange of information;

“(c) Deny safe haven to those who finance, plan, support, or commit terrorist acts, or provide safe havens;

“(d) Prevent those who finance, plan, facilitate or commit terrorist acts from using their respective territories for those purposes against other States or their citizens;

“(e) Ensure that any person who participates in the financing, planning, preparation or perpetration of terrorist acts or in supporting terrorist acts is brought to justice and ensure that, in addition to any other measures against them, such terrorist acts are established as serious criminal offences in domestic laws and regulations and that the punishment duly reflects the seriousness of such terrorist acts;

“(f) Afford one another the greatest measure of assistance in connection with criminal investigations or criminal proceedings relating to the financing or support of terrorist acts, including assistance in obtaining evidence in their possession necessary for the proceedings;

“(g) Prevent the movement of terrorists or terrorist groups by effective border controls and controls on issuance of identity papers and travel documents, and through measures for preventing counterfeiting, forgery or fraudulent use of identity papers and travel documents;

“3. Calls upon all States to:

“(a) Find ways of intensifying and accelerating the exchange of operational information, especially regarding actions or movements of terrorist persons or networks; forged or falsified travel documents; traffic in arms, explosives or sensitive materials; use of communications technologies by terrorist groups; and the threat posed by the possession of weapons of mass destruction by terrorist groups;

“(b) Exchange information in accordance with international and domestic law and cooperate on administrative and judicial matters to prevent the commission of terrorist acts;

“(c) Cooperate, particularly through bilateral and multilateral arrangements and agreements, to prevent and suppress terrorist attacks and take action against perpetrators of such acts;

“(d) Become parties as soon as possible to the relevant international conventions and protocols relating to terrorism, including the International Convention for the Suppression of the Financing of Terrorism of 9 December 1999;

“(e) Increase cooperation and fully implement the relevant international conventions and protocols relating to terrorism and Security Council resolutions 1269 (1999) and 1368 (2001);

“(f) Take appropriate measures in conformity with the relevant provisions of national and international law, including international standards of human rights, before granting refugee status, for the purpose of ensuring that the asylum seeker has not planned, facilitated or participated in the commission of terrorist acts;

“(g) Ensure, in conformity with international law, that refugee status is not abused by the perpetrators, organizers or facilitators of terrorist acts, and that claims of political motivation are not recognized as grounds for refusing requests for the extradition of alleged terrorists;

“4. Notes with concern the close connection between international terrorism and transnational organized crime, illicit drugs, money-laundering, illegal arms-trafficking, and illegal movement of nuclear, chemical, biological and other potentially deadly materials, and in this regard emphasizes the need to enhance coordination of efforts on national, subregional, regional and international levels in order to strengthen a global response to this serious challenge and threat to international security;

“5. Declares that acts, methods, and practices of terrorism are contrary to the purposes and principles of the United Nations and that knowingly financing, planning and inciting terrorist acts are also contrary to the purposes and principles of the United Nations;

“6. Decides to establish, in accordance with rule 28 of its provisional rules of procedure, a Committee of the Security Council, consisting of all the members of the Council, to monitor implementation of this resolution, with the assistance of appropriate expertise, and calls upon all States to report to the Committee, no later than 90 days from the date of adoption of this resolution and thereafter according to a timetable to be proposed by the Committee, on the steps they have taken to implement this resolution;

“7. Directs the Committee to delineate its tasks, submit a work programme within 30 days of the adoption of this resolution, and to consider the support it requires, in consultation with the Secretary-General;

“8. Expresses its determination to take all necessary steps in order to ensure the full implementation of this resolution, in accordance with its responsibilities under the Charter;

“9. Decides to remain seized of this matter.”

_________________________________

[1] This paper has been prepared by the Executive Secretariat of the International Working Group (IWG). The opinions or recommendations expressed in this paper do not necessarily represent the views of the governmental organizations providing support for the research. This paper has been produced under the support to the IWG activities by the IWG funding members.

[2] B. Kesler, “The Vulnerability of Nuclear Facilities to Cyber Attack,” Strategic Insights, Vol. 10, Issue 1, Spring 2010, pp. 15-25.

[3] See, for example, “Is Stuxnet the 'best' malware ever?” G. Keizer, ComputerWorld, posted 9/16, 2010.

[4] The International Convention for the Suppression of Acts of Nuclear Terrorism states in Article 2.1 that “Any person commits an offence within the meaning of this Convention if that person unlawfully and intentionally:

(b) Uses in any way radioactive material or a device, or uses or damages a nuclear facility in a manner which releases or risks the release of radioactive matter.” http://treaties.un.org/doc/db/Terrorism.pdf

[5] “The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.” Cyber Combat, S. Gorman and J. Barnes, Wall Street Journal, May 31, 2011.

[6] See, for example, the Rome Statute of the International Criminal Court

[7] In such circumstances, the cyber attack may have been unforeseen and unintended, but the originator of the worm or virus may still be prosecuted on the basis of the end results. Nuclear operators must ensure that casual vulnerabilities are blocked; no security system should contain unintended holes.

[8] B. Kessler, op.cit.

[9] On December 26, 2011, the United States Nuclear Regulatory Commission gave the green light to Westinghouse's 1,100 MWe AP1000 pressurized water reactor design. The NRC said the design incorporates passive safety features that would cool down the reactor after an accident without the need for human intervention. The design provides enhanced safety margins through use of simplified, inherent, passive, or other innovative safety and security functions. (See, for example, http://www.energyonline.com/Industry/News.aspx?NewsID=7552&NRC_Approves_Rule_to_Amend_AP1000_Nuclear_Reactor_Design.)

[10] The North American Electric Reliability Corporation promulgates standards related to cyber security. See: http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security.html

[11] Development, Use and Maintenance of the Design Basis Threat, IAEA Nuclear Security Series No. 10, 2009. http://www-pub.iaea.org/MTCD/publications/PDF/Pub1386_web.pdf

[12] International Convention for the Suppression of Acts of Nuclear Terrorism, http://treaties.un.org/doc/db/Terrorism/.pdf

[13] The World Institute of Nuclear Security is presenting a Workshop on the Security of Information Technology (IT) & Instrumentation and Control (IC) Systems at Nuclear Facilities, February 27-29, 2012 in Ontario, Canada. See: http://www.wins.org/

[14] A summary of IAEA cyber security programs is given in: http://www.iaea.org/NuclearPower/Downloads/Engineering/meetings/2011-05-TWG-NPPIC/.

[15] The International Electrotechnical Commission issues standards addressing cyber security. See: http://www.iec.ch/dyn/www/f?p=103:30:0::::FSP_ORG_ID,FSP_LANG_ID:1358,25, especially Standard 45A/846/CD, IEC 62645 Ed.1: Nuclear power plants - Instrumentation and control systems - Requirements for security programmes for computer-based systems.

[16] http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime

[17] In 1985, the UN General Assembly strongly condemned an attack on a civilian nuclear reactor. See: http://books.google.com/books?id=MLAxV20gktQC&pg=PA294&lpg=PA294&dq=prevention+of+military+attacks+on+nuclear+reactors&source=bl&ots=E1dBq3-VC-&sig=XfjvTxy1I92E7HuNb4pgE1Bibcg&hl=en&sa=X&ei=gKIIT8G1BYa0iQLcqvyZCQ&sqi=2&ved=0CD4Q6AEwBQ#v=onepage&q=prevention%20of%20military%20attacks%20on%20nuclear%20reactors&f=false

[18] The International Convention for the Suppression of Acts of Nuclear Terrorism states in Article 2.1 that “Any person commits an offence within the meaning of this Convention if that person unlawfully and intentionally:

(b) Uses in any way radioactive material or a device, or uses or damages a nuclear facility in a manner which releases or risks the release of radioactive matter.” http://treaties.un.org/doc/db/Terrorism.pdf

[19] “The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.” Cyber Combat, S. Gorman and J. Barnes, Wall Street Journal, May 31, 2011.

[20] See, for example, the Rome Statute of the International Criminal Court

[21] The text of UNSCR 1373 is reproduced in Annex B.

[22] The World Institute of Nuclear Security (WINS) might undertake such activities.

[23] Such activities are already underway by the IAEA and WINS.

[24] See: http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/cyber-security-bg.pdf



Back to Top
Sign-in

Do you already have an account on one of these sites? Click the logo to sign in with it here:

OpenID is a service that allows you to sign in to many different websites using a single identity. Find out more about OpenID and how to get an OpenID-enabled account.