
Cybersecurity Risks and Remedies


Close consideration is required to address growing concerns in cybersecurity and the potential for new approaches to minimize the cybersecurity risks affecting the sector. There is a need for a comparative analysis across states of cybersecurity specific to national security, in order to ascertain the effectiveness of different regulation models and the elements that may be improved.


The majority of cybersecurity regulations are written for facilities and consist of high-level performance guidance. The challenge is how the regulations are implemented and evaluated. Best practices may not be incorporated into regulations, but they can be part of regulatory guidance development, which is much needed. As regulators increasingly move towards outcome-based regulation, it is up to the operators to prove they have effective systems in place. A relatively mature security department, with supportive and informed management, does not need a regulator to stimulate appropriate cybersecurity risk management.


In the realm of cyberspace, the operators and their security teams, including specialists and consultants, are on the front lines and can understand the vulnerabilities of their own facilities and systems better than regulators. Therefore, a dynamic open-source toolkit that leverages past experience and successes from the global community can be instrumental in assisting the nuclear sector, regulatory agencies, cybersecurity experts, and others with implementation. Moreover, regulations only work if they are effectively implemented and sufficiently evaluated for conformance. Note that both conditions depend upon the capability and capacity of the regulator and the operator. On a voluntary basis, states can request special IAEA advisory missions to review aspects of safety and security performance. For instance, IAEA reviews such as an International Physical Protection Advisory Service (IPPAS) mission are well regarded, but the IAEA does not have enough staff to serve all its member state requests. For nuclear power plants, the World Association of Nuclear Operators (WANO) could be encouraged to include a cyber assessment as part of an extended safety review of power plants, since many of the instrumentation and control systems of concern are installed for safety reasons.


Insurers are currently developing a cyber assessment scheme, which could feed into cybersecurity assessments. Furthermore, experts discussed a potential agreement between countries not to conduct cyber attacks on nuclear facilities, mirroring the India-Pakistan non-attack agreement. Additional coordination is needed not only to agree on what actions should be prohibited but also on joint processes for investigation, prosecution, and penalties. Additional research is required in this area to further assess this potential.


The Patches: Identifying Current Work and Common Threads

Current efforts in the cyber/nuclear security realm include NTI's work on cybersecurity regulatory assessments and the IAEA's development of soon-to-be-released guidance on cybersecurity. More work is required on critical infrastructure and on making regulations more concrete. The work to make critical infrastructure as a whole cyber-secure should be considered.

In my professional opinion, cybersecurity is only one of many important issues considered by the personnel running facilities, and much can be learned from other sectors' security approaches, including how the diamond industry has confronted insider threats. It is critical that the importance of cybersecurity is conveyed to those running the nuclear facility so that it is properly prioritized within an "all-risks" integrated management system.


Future Forward: Incentivizing for Future Success


What cost-effective tools can be implemented to incentivize proactive cybersecurity globally? Security can be further incentivized by recognizing good performers and limiting liability. For example, insurance providers can offer cybersecurity incentives to those with a good level of security. A cybersecurity assessment could be completed by a trusted third party. Demonstrations of good governance or due care can reduce potential liabilities in the event of an incident, thereby incentivizing good governance. Another key area of exploration is voluntary standards, of which there are many, albeit with little agreement on which are essential. Additionally, EU efforts, the U.S. work on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the U.S.-Canadian electric sector supply chain reliability standards were discussed as possible models that could be used alongside other countries' minimum regulatory requirements.


Countries should also consider adopting an approach that limits liability in exchange for attaining certain performance standards, such as the U.S. Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act). Such an approach would be an important step in establishing an international norm. Standards adoption and compliance are risk reduction measures that can become market differentiators for companies and vendors. Most commercial off-the-shelf software providers include disclaimers in their standard terms of sale to the effect that their products are not covered for use at certain power plants; this raises the level of risk, as the operator uses commercial off-the-shelf software at its own risk.

Recommended Next Steps to help alleviate cyber risks:

  1. Facilitate more communication among stakeholders to improve information exchange regarding best practices, emerging threats, risks, and new regulatory approaches. This is especially important as digitization increases in existing facilities and new technologies.

a. This can be accomplished through forums ranging from workshops to tabletop exercises, as appropriate for each targeted effort. NGOs could provide an independent forum for information exchange, potentially as side events to existing events or conferences.

Some examples include:

  • WINS's large membership base and its workshops could be further supported to provide a system of regular exchanges among selected parties.

  • The Nuclear Energy Agency's Multilateral Design Evaluation Programme and the joint initiatives of other interested parties could be leveraged.

b. Regional discussions could include topics such as risk management, standards, and approaches to certification, e.g. EU certifications and good practices.


2. In support of the above, it is recommended that a comparative analysis of existing cybersecurity regulation and assessment activities be conducted to identify effective strategies and good practices, and how to enforce and incentivize compliance. NGOs, the IAEA, or regulators can lead the effort, which should include multiple stakeholder groups.