The report does perform the public service of making abundantly clear that the risks of cyber attacks at nuclear power plants, and other nuclear power related facilities, are very serious. And that the nuclear power industry, and the government agencies in charge of protecting public health, safety, security, and the environment are not taking the risk of cyber attacks anywhere near seriously enough.
However the report also does the disservice of assuming that the nuclear power industry is essential, and must be continued. This is quite debatable, especially given the serious risks that cyber attacks represent for not only electric reliability on a large scale, but also in terms of the potential for catastrophic release of hazardous ionizing radioactivity -- risks this report itself acknowledges.
The report also does the disservice of naming anti-nuclear organizations as a potential source of cyber attacks on nuclear facilities. This unfortunately continues a trend of demonizing environmental opponents of nuclear power, as well as concerned citizens, who have devoted themselves to preventing radiological disasters, and in a non-violent manner.
The study reports a number of publicly known cyber attacks, and other cyber incidents, at nuclear power plants, while it hastens to add that the nuclear power industry itself is very likely concealing information about a much larger number of such incidents. As the study reports:
While only a few cyber attacks on nuclear facilities have been made public, one estimate (Source 8) puts the number of major incidents that have affected industrial control systems as high as 50 (this is in addition to frequent routine attacks on business networks):
What people keep saying is 'wait until something big happens, then we'll take it seriously.' But the problem is that we have already had a lot of very big things happen. There have probably been about 50 actual control systems cyber incidents in the nuclear industry so far, but only two or three have been made public. (Page 15, or 26 of 53 on the PDF counter)
The report does, however, document the following cyber attacks and other incidents that are publicly known:
Known cyber security incidents at nuclear facilities
Ignalina nuclear power plant (Lithuania, 1992)...Davis-Besse nuclear power plant (Ohio, 2003)...Browns Ferry nuclear power plant (Alabama, 2006)...Hatch nuclear power plant (Georgia, 2008)...Natanz [uranium enrichment] facility and Bushehr nuclear power plant -- Stuxnet (Iran, 2010)...Unnamed Russian nuclear power plant -- Stuxnet (circa 2010)...Korea Hydro and Nuclear Power Co. commercial network (South Korea, 2014)
(See Box 1, on Page 3 to 5, or 14 to 16 of 53 on the PDF counter, for more detailed information on each cyber security incident)