IT & DIGITAL | CYBERSECURITY


Playing catch-up on cyber safety


The nuclear industry is weak on cyber security, says a policy institute analysis.


To respond, the sector has to take a more transparent and collaborative approach – and speed up action on improvement.


The Royal Institute of International Affairs (a UK policy institute colloquially known as ‘Chatham House’) has described the nuclear industry’s status on cybersecurity as “playing catch-up”. It has warned that “the nature of licensing systems for nuclear operators means that long periods of risky working practices are often tolerated”. As an example, it highlighted the UK’s Sellafield fuel cycle site, which pleaded guilty in June 2024 to criminal charges that related to gaps in its cybersecurity between 2019 and 2023. The site had been repeatedly flagged in inspections by the UK Office for Nuclear Regulation (ONR), which warned it would apply ‘enhanced regulatory attention’ to cybersecurity practices.


The Royal Institute of International Affairs (RIIA) warning came in a report, ‘Cybersecurity of the civil nuclear sector’, that considered the threat landscape and the international legal framework for cybersecurity as it applies to the nuclear industry. The group examined the issue because it saw the civil nuclear industry expanding worldwide at the same time as cyber threats are evolving, and because cyber operations targeting civil nuclear systems have been reported worldwide.


The report says there is “only a small possibility” that a cyber operation would cause loss of control over a nuclear reactor to the point of meltdown or a significant release of radiation, because nuclear’s ‘defence in depth’ approach means there are layers of protection and multiple redundancies, such as back-ups for cooling.


Instead, RIIA focused on wider concerns. It listed potential harms from any type of cyberattack on nuclear, including information theft, equipment malfunction, disruption of energy supplies, environmental damage and health impacts.


Disrupted supply is a key concern based on nuclear’s function in the electricity system, because a cyberattack on nuclear has the potential to disrupt the electricity grid, affecting all system users and services (such as healthcare) important to life. The disruption may follow from nuclear’s role in providing ‘baseload’ power, which means that if it is shut down there may be power cuts. A further role not highlighted in the report is that nuclear (like other generating plant with rotating machinery) plays an important role in maintaining the system inertia, helping keep electricity supply within frequency and voltage limits, so if a nuclear plant is out of action the grid supply is less stable and users may experience blackouts even if there is sufficient power available.


Playing catch-up


RIIA says that the nuclear sector lacks a comprehensive understanding of the threat landscape around cybersecurity and effective resilience strategies. Vulnerabilities arise from technical and non-technical factors, including the use of older software, personnel being targeted and the lack of sufficient sector-wide awareness and collaboration. Cyber incidents can also occur accidentally as a result of existing vulnerabilities in commercial software. These vulnerabilities include: entry points such as inadequate IT infrastructure maintenance; missing patches and updates; unsafe working practices such as connection to unprotected networks; the use of portable storage devices; legacy systems; and inadequate data protection.


The report says, “this range of potential threats makes it doubly essential to ensure fundamentally secure working practices, as it is very difficult to identify and protect against every individual vulnerability”.


The authors say “the nuclear industry was a comparatively late starter” on cybersecurity, compared with other industries associated with critical national infrastructure or sectors such as finance. They add that “the nuclear industry’s strong pre-existing physical security,


Above: The civil nuclear industry is expanding worldwide at the same time as cyber threats are evolving


28 | August 2024 | www.neimagazine.com

