SPECIAL REPORT | CYBERTHREAT SOLUTION


A tailored cyber response plan and playbook can help organisations understand what to do in the event of an incident and will also show regulators that the company took appropriate steps to adopt a cyber readiness process.


His advice includes:


● Identify the information assets to protect, for example whether they are intellectual property or data. This will be unique for each sector, and for companies at various points in the supply chain, among other factors. In critical industries like nuclear, “ensuring that operational systems remain secure will be paramount”. All businesses will want to ensure that their confidential business operations information, and information relating to litigation or regulatory investigations, remains protected.


● Identify relevant jurisdictions and the data held in each location. Identify and assess privacy and other industry regulations across jurisdictions.


● Comply with prescribed time periods for reporting different types of cyber incident to relevant bodies. Knowing what you need to report and when in each jurisdiction is imperative.


● Identify obligations under standard terms and contracts, as a cyber incident may trigger contractual notifications. Contractual terms should be reviewed on a prioritised basis – large customer contracts, contracts with government bodies, and sensitive contracts should be reviewed first, for example – to check the terms for items relating to confidentiality and data protection. Publicly listed companies may have obligations to notify the market of cyberattacks.


● Identify relevant individuals within the business and across jurisdictions to form an internal crisis management team to lead the organisation’s response to cyber incidents. Include individuals from legal, IT, HR, PR and the board.


● Identify external providers and, if possible, agree engagement terms up-front. Specialist IT forensics firms, crisis negotiators, external specialist cyber lawyers, external PR agencies, and credit monitoring businesses – where financial data has been compromised – can all help businesses manage cyber incidents effectively.


With this framework in place, McIlwaine says companies should review their cyber incident response and business continuity plans and rehearse them regularly. And they should train their employees, who are often in the first line of defence, to spot the signs of potential malicious activity.


Smart preparedness


The IAEA says that nuclear plants have to replace analogue devices that have reached their end of life and become unmaintainable or obsolete and it is moving towards using smart devices designed for non-nuclear applications, in safety-related systems. It discussed the current safety and security issues of smart devices in a new report, ‘Safe Use Of Smart Devices In Systems Important To Safety In Nuclear Power Plants’, published in January. It notes that these industrial or commercial-grade smart devices are typically developed and certified according to non-nuclear-industry standards. It says qualifying such a smart device for nuclear applications may be more difficult than for a device specifically developed, “because the commercial development processes for such devices may be less transparent and controlled than the processes described in the relevant IAEA safety standards,” especially if there is no cooperation from the manufacturer. Information to demonstrate quality and reliability may not be available. There is limited regulatory consensus on the safe use of smart devices in nuclear safety systems.


The IAEA says digital devices may be susceptible to cyberthreats but smart devices offer some resilience compared with other complex digital systems. Resilience comes from the few reprogramming opportunities (although they can be reconfigured) compared with systems like programmable logic controllers (PLCs) and the fact that changes generally need physical access to the smart devices.


But vulnerabilities include access to backdoors in smart device software or counterfeit devices providing remote access to smart devices. There may also be vulnerabilities in the supply chain, such as hacking of manufacturers and introduction of malware, hidden malicious code in the libraries or tools used for the smart device development. Some of the cyberthreats identified above arise from the supply chain. If malware is inserted into a software library or module it could affect several devices, while if it is inserted into a software tool such as a compiler it could affect all devices that are produced using that software tool.


Compared with other systematic failures, such as unintended software flaws, cyberthreats typically change rapidly and can be designed to simultaneously target multiple smart devices. Consequently, it is difficult to assess whether threat protection is adequate and to predict the consequences. Nonetheless, the industry must remain vigilant. ■


Above: The UK’s National Cyber Security Centre helped develop the 2022 Civil Nuclear Cyber Security Strategy. Photo credit: Pepgooner/Shutterstock.com


18 | March 2023 | www.neimagazine.com

