On 7 December, the Nuclear Threat Initiative (NTI) launched a new report entitled “Outpacing Cyber Threats: Priorities for Cyber Security at Nuclear Facilities”.
The development of the report was driven by the fear that we’re heading for a world where a cyber-attack on a nuclear facility could have devastating effects and that the increased digitalisation of nuclear facilities makes such an attack more likely.
Another key factor is the fear that potential attackers are increasingly at an advantage. The threat landscape is evolving rapidly both technically and in terms of potential aggressors. Attacks which would have taken nation state-level resources a few years ago are now within the reach of smaller, less well-resourced groups or even individuals.
The brief to the authors of the report was as simple as the problem statement – given a free hand, what can be done to reduce this risk over and above what is already being done? What could we do better or faster to reduce the likelihood of a cyber-attack causing a devastating incident? Four key ideas became the basis of the report. These were:
- Institutionalise cyber security – treat cyber security in the same way that safety is treated in the nuclear industry
- Mount an Active Defence – be able to detect and respond to an attack quickly rather than relying on static defences (such as firewalls and anti-malware) to keep you safe
- Reduce complexity – limit the digital footprint in the most critical areas of the plant, avoiding digital technology entirely in some areas e.g. in favour of purely electromechanical devices
- Pursue transformation – devise innovative approaches in both technology and in developing human resource to drive a step change reduction in the cyber risk to nuclear facilities.
Institutionalising cyber security is a fairly obvious and attractive objective. Although there have been high profile nuclear accidents such as Three Mile Island, Chernobyl and Fukushima, the nuclear industry has an enviable safety record. In fact, you are probably safer on a nuclear plant than in a normal office environment.
The approach to physical and information security is also very obvious to anyone who has visited a nuclear facility. That can give the impression that everything is covered but until comparatively recently the approach to cyber security has been almost totally focused on avoiding the loss of Sensitive Nuclear Information (SNI). It seems paradoxical that the cyber security of critical control systems is not afforded the same importance. How can an insecure system be regarded as safe?
A malicious cyber-attack needs to be considered in the same way as any other event which may befall a nuclear facility. Many cyber-attacks have had consequences that the perpetrators did not intend e.g. early malware such as Sasser. The worry here is that we will have to wait for a series of incidents before we say enough is enough and give cyber security the same level of importance as safety.
The idea of Active Defence was also readily accepted in the development of the report. The same concept is expressed in the UK’s National Cyber Security Strategy 2016 to 2021, published in November. Active Defence does not mean returning fire. Rather it means that you cannot rely on protective technology such as firewalls (or data diodes or even air gaps), anti-virus software etc. to protect against attacks. It refers to an ability to detect threats and respond intelligently and quickly as required, limiting the effects of an attack.
Reducing complexity was probably the most difficult idea to accept. Everyone has gotten used to the benefits of digitalisation in the industrial arena and in their personal lives. Many times in my career I’ve heard comments along the lines of: “Over my dead body will you bring X onto my plant,” where X is connectivity to the enterprise network, the use of Windows etc. Every time the change has eventually come, so while resisting it is going to be hard, in some cases it may be the right choice.
Pursuing transformation is perhaps the vaguest recommendation but it may turn out to be the most important. Good cyber security of nuclear installations is hard enough to achieve in countries with a long established nuclear industry. Global warming is driving us to pursue nuclear power and renewables as our main energy sources so many states are now building nuclear facilities for the first time. We need a better, clearer way to ensure that such countries can ensure that they are as cyber secure as possible and this may need approaches which are radically different from the ones currently in use.
It’s always difficult to talk about the cyber security of control systems in any sector in a way which does not seem pessimistic but the above discussion and the report itself should not be seen as all doom and gloom. For those of us that have been involved in the quest for better control system cyber security for a long time there are encouraging signs of change. Indeed, in the UK the changes which the nuclear sector has undergone are now being used as a model for other sectors.
If you'd like to read more about our views on how critical national infrastructure can become more cyber resilient, why not download our free report here.