The realities of nuclear cyber security

Richard Piggin | 13 Oct 2015 | Comments

The increasing digitisation of our national infrastructure offers many benefits to organisations and their customers. However, some fear that the systems used to control physical functions of this infrastructure, often now referred to as operational technology, could have the potential for a serious cyber-incident. The massive damage caused by a sophisticated cyber attack on a German steel mill last year illustrates the potential threat.

The Financial Times recently picked up on the report published by Chatham House on Cyber Security at Civil Nuclear Facilities Understanding the Risks, which considers the major cyber threats to civil nuclear facilities. This report comes hot on the heels of a review being undertaken by The Department for Energy and Climate Change into cyber risk in the civil nuclear sector in the UK.

Chatham House’s findings are generally consistent with our experience of other industrial sectors using control systems. Of course, a single incident in the nuclear sector carries greater consequences than other sectors and consequently generates greater public concern. However, what is less understood by the public is the systems used to control industrial plant are not the same as those used for safety critical control. The latter tend to be isolated systems, with rigorous access control, monitoring and working practices, not purely dependent upon digital technology for protection.

We work with almost all of the existing UK nuclear power generators and the nuclear new-build companies. In my experience, these organisations are ‘designing security in’ and developing best practice technical solutions to tackle threats.

The report highlights some challenges for the world-wide industry including:

  • Low levels of cyber incident disclosure, creating a false sense of security stifling appropriate security investment. However, full disclosure can lead to copying of tactics or techniques, thereby increasing risk.
  • Unsuitable risk assessments can lead to insufficient spending on cyber security. The issue of improving risk understanding at board level is a critical one. Our experience is that, in the UK, the nuclear industry is leading the adoption of good practice and boards are taking security and safety risk assessments very seriously. Integrating control system security and safety risk assessment and treatment is now a focus for good practice development and international standards committees.

The report goes on to identify other challenges:

  • Cultural challenges, including the difficulty in communications between plant engineering (operational technology) and information technology personnel, addressing the need for greater appreciation of cyber security, training and skills development. We have seen that this human element is already being addressed in the nuclear industry, particularly the cultural aspects of integration of formally disparate disciplines, as well as ensuring security roles and skills are developed to meet current and future needs.
  • Technical challenges, including control systems which were not initially designed securely. Standard IT security approaches are often difficult to implement in plants, due to technical validation requirements, potential downtime and the commercial imperative to remain operational. Yet, these generic findings do not illustrate the secure design developments and practices being undertaken by the UK nuclear industry and the supply chain.

The Chatham House report recommends that the nuclear industry should provide a balance between regulation and self-determined actions to avoid stagnation. It also recognises the need for risk-based approaches and innovation, whilst avoiding compliance-driven requirements that do not reflect the state-of-the-art, or the developing nature of threats and vulnerabilities.

In summary, though I’d broadly support the findings of the Chatham House report, I would emphasise that the UK nuclear industry is far from complacent. In fact, for all the reasons outlined above, it is world-leading in its approach to addressing cyber security threats.