A new progress report from the Government Accountability Office (GAO) reveals that despite several years of effort, the National Nuclear Security Administration (NNSA) and its contractors are still in the “early stages” of addressing cybersecurity threats at the system level in operational technology (OT) and nuclear weapons IT environments.
GAO explained in the June 12 report that NNSA is increasingly integrating digital systems into nuclear weapons, which could potentially be targeted by malicious actors.
“Really anyone with a reason could seek to attack the cyber systems associated with the support for these weapons or the cyber systems that are in the weapons themselves,” GAO’s Allison Bawden, an expert on nuclear security, said in a podcast accompanying the report. “This could include nation-state competitors or non-state actors, as well as insiders who become compromised. And cyber threats also can include non-malicious human accidents and errors.”
“So, it’s really essential that the National Nuclear Security Administration (NNSA) be ready to address those threats,” she continued. “Our work didn’t attempt to estimate the likelihood of a cyberattack of this type, but the consequences of such an attack could be so significant to our national security or to public safety that in practice, for kind of planning purposes, it’s safest to treat the likelihood of such an event as if it’s 100 percent.”
GAO’s report looks at two areas of vulnerability when it comes to nuclear weapons: OT – which is used to manufacture and monitor the weapons – and IT.
According to the report, NNSA has estimated that there could be hundreds of thousands of OT systems at sites across the nuclear security enterprise. However, NNSA does not yet have a full inventory or risk assessment of these OT systems.
The agency is currently working to create an inventory of systems in its OT environment and assess and mitigate the risks to those systems. It’s doing so by developing an Operational Technology Assurance (OTA) Guidebook, creating OT courses and training staff, identifying OT systems associated with the most critical capability at each site, and conducting assessments of OT systems.
As for IT systems, NNSA still does not have an estimate of the number of nuclear weapons IT systems, but agency officials told GAO that the number is smaller than in the OT environment.
“In reality, there is not a lot of IT in our current weapons systems because their designs are fairly old,” Bawden said. “But there are certain components that do need to be protected along with equipment and systems containing IT that come into contact with weapons for diagnostic or maintenance purposes.”
NNSA has a number of efforts underway to create an inventory of nuclear weapons IT systems and to assess and mitigate risks to them. These include defining nuclear weapons IT, developing a cybersecurity risk management framework, performing a gap analysis, and revising internal weapons program guidance. However, these efforts are not yet complete.
“The bottom line is that while NNSA recognizes these cyber risks exist, it’s just in the beginning stages of identifying the full range of systems at risk, and assessing those risks well enough to effectively mitigate them,” Bawden said. “Concerted attention and sufficient resources are needed to get this foundational cybersecurity work completed.”