Security

Nuclear reactors are sitting-duck targets, poorly protected and vulnerable to sabotage or attack. If their radioactive inventories were released in the event of a serious attack, hundreds of thousands of people could die immediately, or later, due to radiation sickness or latent cancers. Vast areas of the U.S. could become national sacrifice zones - an outcome too serious to risk. Beyond Nuclear advocates for the shutdown of nuclear power.


Entries from October 1, 2015 - October 31, 2015

Wednesday, Oct 07, 2015

Vulnerability of nuclear-related ICS/SCADA systems to cyber-attack, and the risk of catastrophic releases of hazardous radioactivity

As reported by John Bryk at NetworkWorld, in an article entitled "Non-technical manager’s guide to protecting energy ICS/SCADA":

Sophisticated cyber-attacks known as Advanced Persistent Threats (APT) are a growing challenge to the energy sector of our nation’s critical infrastructure. These attacks can largely be attributed to well-funded, dedicated nation-state actors.

APT attacks against Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are increasing; the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cited ICS/SCADA and control system networks as one of the top two targets for hackers and viruses. These vulnerabilities begin with the human interface (13% of vulnerabilities required local access) and end with the actual Internet-facing ICS/SCADA hardware (87% of vulnerabilities are web-accessible).

There is a firm business argument that supports the protection of ICS/SCADA. Without proper safeguards in place, continued APT attacks will cause disruption, degradation, disability, and possible destruction of costly and/or irreplaceable Energy Sector equipment and facilities. The economic impact to energy companies would be minor in comparison to the impact of a loss of electricity, natural gas, and petroleum throughout the United States. It is in the best interest of both Energy Sector companies and the Nation to immediately plan, fund, and effectively secure ICS/SCADA from front-to-back.

The article concludes with a "Call to Action," stating:

It is not unusual for energy sector partners to experience multiple millions of probes or attacks in a single day. One electrical producer reported 17.8 million occurrences in a 24-hour period. This is the reality of cybersecurity; the attacker only has to be lucky once. You, as the defender, must be perfect every time.

The loss of even short-term energy sector capability could be devastating for the lives of all U.S. citizens. Managers within this sector bear a social, moral, and legal responsibility to protect all facets of cyber and physical security within their span of control.

No longer is the question, “Can we afford the equipment?” The question has become, “When my industry becomes incapacitated in a cyber-attack, who will the public blame? Who will find their names in the newspaper? Who stands to lose everything?” The answer is, you and your company.

Of course, with atomic reactors, and other nuclear facilities such as high-level radioactive waste storage pools, a successful cyber-attack could cause a catastrophic release of hazardous radioactivity.

Monday, Oct 05, 2015

Chatham House: "Cyber Security at Civil Nuclear Facilities: Understanding the Risks"

Workers at the Wolsong nuclear power plant participate in an anti-cyber attack exercise, Gyeongju, South Korea. Photo: Getty Images.

On Oct. 5, 2015, Chatham House/The Royal Institute of International Affairs published a report entitled Cyber Security at Civil Nuclear Facilities: Understanding the Risks.

The report does perform the public service of making abundantly clear that the risks of cyber attacks at nuclear power plants, and other nuclear power related facilities, are very serious, and that the nuclear power industry, and the government agencies in charge of protecting public health, safety, security, and the environment, are not taking the risk of cyber attacks anywhere near seriously enough.

However, the report also does the disservice of assuming that the nuclear power industry is essential, and must be continued. This is quite debatable, especially given the serious risks that cyber attacks represent for not only electric reliability on a large scale, but also in terms of the potential for catastrophic release of hazardous ionizing radioactivity -- risks this report itself acknowledges.

The report also does the disservice of naming anti-nuclear organizations as a potential source of cyber attacks on nuclear facilities. This unfortunately continues a trend of demonizing environmental opponents of nuclear power, as well as concerned citizens, who have devoted themselves to preventing radiological disasters, and in a non-violent manner.

The study reports a number of publicly known cyber attacks, and other cyber incidents, at nuclear power plants, while it hastens to add that the nuclear power industry itself is very likely concealing information about a much larger number of such incidents. As the study reports:

While only a few cyber attacks on nuclear facilities have been made public, one estimate (Source 8) puts the number of major incidents that have affected industrial control systems as high as 50 (this is in addition to frequent routine attacks on business networks):

What people keep saying is 'wait until something big happens, then we'll take it seriously.' But the problem is that we have already had a lot of very big things happen. There have probably been about 50 actual control systems cyber incidents in the nuclear industry so far, but only two or three have been made public. (Page 15, or 26 of 53 on the PDF counter)

The report does, however, document the following cyber attacks and other incidents that are publicly known:

Known cyber security incidents at nuclear facilities

Ignalina nuclear power plant (Lithuania, 1992)...Davis-Besse nuclear power plant (Ohio, 2003)...Browns Ferry nuclear power plant (Alabama, 2006)...Hatch nuclear power plant (Georgia, 2008)...Natanz [uranium enrichment] facility and Bushehr nuclear power plant -- Stuxnet (Iran, 2010)...Unnamed Russian nuclear power plant -- Stuxnet (circa 2010)...Korea Hydro and Nuclear Power Co. commercial network (South Korea, 2014)

(See Box 1, on Page 3 to 5, or 14 to 16 of 53 on the PDF counter, for more detailed information on each cyber security incident)

Cyber Security at Civil Nuclear Facilities: Understanding the Risks - See more at: https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks#sthash.lfNUIyca.dpuf