The first UK nuclear cyber security strategy

Richard Piggin | 10 Aug 2016

The Department for Business, Energy & Industrial Strategy is the first government department to launch a five year sector cyber security strategy. This sets expectations for industry, government, and regulators in light of increasing cyber threats and significant technological change. It specifies how risks will be addressed, by whom, when and how success is to be measured. It is transformational, and has substantial implications for the nuclear sector, particularly in the supply chain.

The Civil Nuclear Cyber Security Strategy (CNCSS) complements the existing National Cyber Strategy, and sets stretch goals in consultation with industry, to address the risks to the safe and secure operation of new civil nuclear facilities and the management of legacy and waste facilities.

Success will be demonstrated:

  • Strategically in transforming industry’s approach to cyber security: the ability to deter and protect against a cyber-attack and ensure cyber resilience, i.e. the ability to detect, contain, mitigate the effects of and recover from a cyber-attack
  • Operationally with the continued safe and secure operation of legacy and future nuclear facilities in the face of growing cyber threats
  • Tactically with the increasing capability, capacity and agility of stakeholders to deal with all aspects of the cyber security challenges faced by the UK civil nuclear sector.

The desired outcome is to deliver an industry which has a mature approach to understanding the cyber threat, and is able to produce solutions which efficiently and effectively address that threat. Specific outcomes are:

  • The continuing improvement in capability and capacity through training and exercising with increasing senior executive understanding and ownership of cyber security risk
  • Industry to adapt to a tailored outcome-focused approach, as part of a holistic cyber security posture
  • An industry with a mature approach to understanding cyber threat and delivering outcome-focused solutions which are approved by the regulator.

The strategy highlights four distinct activities to support delivery:

  1. Deliver a comprehensive understanding of the cyber vulnerabilities across the civil nuclear sector
  2. Continuously mitigate identified issues and vulnerabilities
  3. Improve the sector’s capability to detect, respond to, and recover from cyber incidents
  4. Ensure sufficient resources are allocated to cyber security and resilience.

Atkins recognises the imperative for the nuclear sector. Recent events illustrate the potential consequences to the UK nuclear industry: the Fukushima Daiichi nuclear disaster and the resulting closure of the German nuclear industry. Reputational damage resulted from malware found at the Gundremmingen nuclear plant in western Bavaria, which entailed a precautionary reactor shutdown. Incidents affecting individual organisations may impact the sector nationally and internationally, undermining confidence.

Work is already ongoing in a sector that keenly appreciates the need for safe and secure operation that also safeguards public confidence. The nuclear industry has traditionally focused on safety to provide resilience and security. More dynamic approaches are required to stay ahead of the continuously evolving cyber threat, the increasing nation state capability and the terrorist potential. The implementation of new operational technology could increase opportunities for malicious intent.

The strategy reinforces key themes essential to successful cyber security implementation: dealing with the increasing threat, board awareness, governance, Operational Technology (OT) and IT, and the interdependence of safety and security. Delivery will demand transformation, whilst ensuring all sector participants are fully engaged, particularly in the supply chain. This will entail closer relationships with partnering companies, contractors and suppliers to provide proportionate, cascaded risk ownership, understanding and mitigation. The supply chain will also be called upon to develop capacity and capability where there are skills shortfalls, especially in direct support of nuclear asset owners.

Nuclear facilities are required to be secure by design and in implementation. This necessitates appropriate cyber security skills and the development of industry capability to manage these activities both internally and across the supply chain. This will place a requirement upon the supply chain to demonstrate measures proportionate to the risk they own. The regulatory approach is now transitioning from compliance to risk-based assurance. Whilst there have been rapid developments in both generic and sector guidance, industry participants would welcome direction under the new regime.

The nuclear industry needs to be resilient against increasingly sophisticated attacks, requiring identification of critical assets and proportionate risk mitigation. Security and safety necessitate equal emphasis to address risks, requiring IT, Operational Technology and physical security collaboration to achieve resilience. The Government is rightly looking to raise awareness across industry, ensuring executives have the information they require to develop cyber security programmes with the necessary leadership, governance and resources to succeed. Non-executive boards will have greater means to hold boards to account.

The cyber strategy implementation is equally ambitious for all parties. It needs to be, in order to meet the continuously evolving, uninhibited threat and maintain public confidence in the nuclear industry, which is essential for our economic well-being.