CYBERTHREAT SOLUTION | SPECIAL REPORT


Are you ready for a ‘ransomware’ attack?


Pinsent Masons lawyer Julia Varley said ‘ransomware’ cases accounted for 45% of the matters Pinsent Masons’ cyber risk team advised on in 2022 – a significant increase from 31% in 2021.


She says companies should consider how they will engage with those behind ransomware attacks ahead of time.

In the event of a ransomware attack, the organisation may wish to engage in discussions with those behind the incidents and may ultimately choose to make a ransom payment. The decision as to whether to engage with an attacker or make a ransom payment is often a complicated one, involving important commercial, ethical and reputational considerations, as well as complex legal and compliance issues. The choice to engage is a business decision.

Should an organisation decide to pay a ransom, there are important compliance steps which will need to be put in place before any payment is made. This will ensure that the organisation does not fall foul of any anti-money laundering and/or terrorism funding offences, sanctions, and any other applicable laws. Failure to take the appropriate steps can expose the business and directors to criminal and civil liability.


The UK’s goal, as summarised in the updated strategy, is: ‘A UK civil nuclear sector which effectively manages and mitigates cyber risk in a collaborative and mature manner, is resilient in responding to and recovering from incidents, and ensures an inclusive culture for all’.

It says cyber maturity has improved since the 2017 strategy was produced but stresses: “there is more work to do, and the evolving nature of both the threat and technology means we need to accelerate to keep pace”. There are some key messages around the threat represented from operational technology systems and from the supply chain:

It gives the sector four new objectives for 2026:


● To appropriately prioritise cyber security as part of a holistic risk management approach, underpinned by a common risk understanding, and outcome-focused regulation;


● With the supply chain, to take proactive action to mitigate cyber risks in the face of evolving threats, legacy challenges and adoption of new technologies;


● To enhance resilience by preparing for, and responding collaboratively to cyber incidents, minimising impacts and recovery time; and


● To collaborate to increase cyber maturity, develop cyber skills and promote a positive security culture.


These objectives will be delivered by a range of priority and supporting activities and overseen by a programmatic approach to delivery. Key commitments include:

● Rolling out cyber adversary simulation (CyAS) assessments and other threat-informed testing activities across the sector’s critical information technology (IT) and operational technology (OT) systems


● Setting baseline cyber security standards for the civil nuclear supply chain


● Collaborating across the sector on third party and component assurance and management


● Working with developers of advanced nuclear technologies to support cyber security by design.


The nature of cyberspace and the challenges faced mean that this strategy cannot be delivered by any organisation alone, and has therefore been developed jointly with leaders from public and private sector civil nuclear organisations, the Office for Nuclear Regulation, and the National Cyber Security Centre. Its success hinges on joint delivery and continued co-operation across all partners.


In recognition of this, the strategy has been endorsed by senior decision-makers across the sector through the Cyber Security Oversight Group, which will take responsibility for its implementation.

The UK strategy has several activities to help achieve its objectives for the next five years, such as:

● Mitigating cyber risks across IT and OT domains, by sharing and improving approaches to software and equipment assurance across the sector, using appropriate tools (including Active Cyber Defence) as they become available; conducting threat-informed assessment activities; improving asset management; investigating the development of a sector Centre of Excellence to share knowledge and expertise; and continuing R&D.


● Ensuring cyber security is embedded into the deployment of new nuclear and digital technologies by: integrating new systems securely onto networks systems; reviewing and promoting cloud security guidance; and sharing risk assessments on new technologies.


● Managing supply chain cyber risk: regular mapping of supply chains; sharing model third party contracts; working jointly with suppliers and trade associations; promoting international guidance (from the IAEA), and utilising existing best practice toolkits.


● Support the nuclear supply chain by: increasing engagement with industry groups; and working with trade associations. Nuclear organisations will set baseline cyber and information security standards for suppliers; the ONR will benchmark the existing cyber security maturity of holders of SNI; and BEIS will consider the case for regulation of cyber security in the supply chain.


Be ready to respond

Whereas in the past cybersecurity strategies might have focused almost entirely on trying to stop incidents, the 2022 strategy is clear that companies have to be able to respond effectively to them as well. One of the new strategy’s deliverables is a sector-wide live cyber incident response exercise with the National Cyber Security Centre, alongside an exercising programme targeted at senior decision-makers.


Pinsent Masons lawyer David McIlwaine set out some of the ways organisations should be prepared to respond to incidents. He agrees with the Strategy’s advice that organisations would benefit from scenario planning, playbooks and testing exercises. He advises that a U


www.neimagazine.com | March 2023 | 17

