Dangerous vulnerabilities exposed at nuclear power plants

Twenty-six security breaches have been found during an audit of the Belgian company Electrabel, which operates the nuclear power plants Tihange (approximately 150km from Luxembourg) and Doel.

The two nuclear power plants had been tested for data protection, and it turns out that documents on security codes for access to the plants and their Internet servers are not adequately protected, according to the Wednesday edition of the Belgian daily “Sudpresse”.

Some documents marked “confidential” or “secret” were unaccounted for. Among other things it was established that documents marked “confidential” or “secret” could be accessed elsewhere other than on the prescribed secure computers that were stored in rooms with limited personnel access.

This makes it possible that even unlicensed personnel with little skill could get security codes on the cache of PCs used at a later date.

Access to security plans of the premises

In addition, an outside company had been entrusted with the safety of operation passes that allow personnel to access the control panel. At least one of these contracts was farmed out to a subcontractor, so that another supplier unknown to Electrabel could access documents that are marked “confidential”. According to the daily, these include, among others, new security plans for the premises.

Furthermore, secret documents of the two nuclear plants were destroyed without knowledge of the responsible security chiefs. All safety codes were also not systematically changed, meaning that laid-off employees could even continue to use the codes, according to “Sudpress”.

Using the Internet for attacks

The issues concerning the danger these risks represent were raised in March by EU Counter Terrorism Coordinator Gilles de Kerchove, who brought up his concerns with “La Libre”.

“I would not be surprised if there was an attempt in the next five years to use the Internet to commit an attack,” he told the press, adding: “It would take the form of entering the SCADA (Supervisory Control and Data Acquisition), which is the nerve centre of a nuclear power plant, a dam, air traffic control centre or railroad switching station.”

The Tihange centre has also been repeatedly criticised in Luxembourg. In November, around 30 communes, along with the Aachen region, intended to file a class action law suit due to repeated incidents.