Nuclear energy has faced no shortage of obstacles over the past several years, although the biggest threat to date has been economics.
Existing facilities have struggled to compete with cheap natural gas -- which can be turned on and off to respond to grid demand -- and subsidized wind power -- which sends electricity to the grid no matter what. However, reactors could become more competitive soon. Exelon (NASDAQ:EXC) managed to win Zero Emission Credits for nuclear generation in the states of Illinois and New York, while Pennsylvania may be next.
Meanwhile, the handful of new reactors in various stages of construction have been mired in costly budget overruns and delays, an unfortunate side effect of America's lack of investment and nurturing of nuclear technology and institutional knowledge in the last 50 years. We literally don't even know how to build nuclear reactors anymore.
But economics may no longer be the biggest threat. A series of recently uncovered cyberattacks hint that hacking may be a worrisome new risk for existing nuclear reactors.
A serious threat?
In late June E&E News was the first to report that an American nuclear facility had been hacked into, prompting the FBI and Department of Homeland Security to issue back-to-back cybersecurity warnings to grid operators. The site, initially identified only as "nuclear 17", was later confirmed to be the Wolf Creek facility in Kansas.
It's owned by a consortium that includes Westar Energy (NYSE: WR). Although it hasn't commented on the hack directly to shareholders, the company began including "cyber terrorism" as a potential risk in SEC filings beginning on July 9. That may soon become the norm for utilities and power generators, especially those exposed to nuclear energy, which generates 19% of American electricity.
How real is the risk? The New York Times obtained an urgent joint report issued by the Department of Homeland Security and the FBI that resulted in an "urgent amber warning", which is the second-highest possible.
Grid hacking is already commonplace in the Ukraine, which security experts suspect Russia is using as a sandbox to test hacking tools for industrial infrastructure. Indeed, the techniques used to hack into Wolf Creek are eerily similar to a Russian hacking group called "Energetic Bear".
Wolf Creek was hardly a one time incident in the United States. Michael Yates of Vanity Fair recently interviewed current and former officials at the U.S. Department of Energy, which devotes half of its annual budget to nuclear waste management and nuclear security for the entire planet. One interviewee, John MacWilliams, the first Chief Risk Officer for the DOE, spoke to the vulnerability of the national grid to hacking:
In his briefings on the electrical grid MacWilliams made a specific point and a more general one. The specific point was that we don't actually have a national grid. Our electricity is supplied by a patchwork of not terribly innovative or imaginatively managed regional utilities. The federal government offers the only hope of a coordinated, intelligent response to threats to the system: there is no private-sector mechanism. To that end the DOE had begun to gather the executives of the utility companies, to educate them about the threats they face. "They all sort of said, 'But is this really real?' " said MacWilliams. "You get them security clearance for a day and tell them about the attacks and all of a sudden you see their eyes go really wide."
A silver lining
Officials from Westar Energy said no operations systems were affected and that they were run on a network that was separate from the corporate network. That brings up an interesting point: The age of nuclear power facilities may actually help insulate them from cyber terrorism. Many are still run with analog controls, although others are being upgraded to digital controls that are more susceptible to hacking.
Even if you consider that to be reassuring, a hacked nuclear plant could lead to more than grid outages. It's a long tail risk, or one in which the odds of occurrence are low but the consequences are severe. Should the cooling systems and other safeguards "fail" in a nuclear power plant, then a crisis could quickly emerge.
What does it mean for investors?
The new reality of cyber warfare presents a significant new risk to nuclear power plant operators such as Exelon and Westar Energy, and investors should expect new risk factors to begin appearing in SEC filings. It also presents another argument in favor of distributed, clean energy systems -- and I'm saying that as a nuclear bull. After all, a hacked solar panel or wind turbine sounds significantly less terrifying than a hacked nuclear plant.
Unfortunately, right now there are not enough data to quantify the risks posed to nuclear power facilities in the United States, let alone broken down by owner. But should the cybersecurity threat continue to grow -- and all indications are that it will -- then it's yet another downside to nuclear energy. And this latest risk could be the last straw in the court of public opinion.