Nuclear security culture21 October 2013 Caroline Peachey
The UK nuclear power industry should take an integrated approach to site security, cyber security and personnel security, according to experts from defence and security firm, Thales.
"We cannot afford for physical and cyber security to be addressed in isolation from each other," said Tony Burton, critical infrastructure protection business lead at Thales UK, which has been providing technical support for the UK fleet of nuclear power stations for 25 years.
"In order to maximise public safety, the nuclear regulator should require a holistic security approach for all new nuclear sites, and insist on the tight integration of cyber-defences with processes, people and physical measures."
Thales' commitment to cyber security was highlighted to NEI during a recent visit to the company's new Cyber Integration and Innovation Centre in Basingstoke. The £2 million facility is essentially a battle lab, designed to improve the cyber security for critical national infrastructure, governments and companies.
The centre enables client networks to be mirrored in a controlled environment, and for systems to be tested against a barrage of threats.
Thales (which rhymes with "Alice") has access to a library of over 6000 pieces of malware, which it can use for training staff how to protect systems, spot vulnerabilities and respond to breaches.
"We can model networks for clients in a safe environments so we can upgrade, update and change things before they go live. This is particularly important in safety critical industries, such as a nuclear power station," said Sam Keayes, Thales vice president national security & resilience.
During the trip we witnessed simulated cyber attacks from the perspectives of the attackers, defenders and operators. In one room, experts from Thales took control of security camera feeds and disrupted control systems by launching denial of service (DoS) attacks. In a second room the 'defenders' used a variety of tools, including a number of free/open source products, to monitor the networks and pick out suspicious activity. Tools used included Nessus (a vulnerability scanner), Snort (a network intrusion prevention system) and Splunk (a visulization tool). Meanwhile, the effects of the 'attacks' were witnessed in a simulated control room environment, which contained various industrial control systems, as well as physical security (a fence and movement sensors).
The main challenges when it comes to cyber security relate to people: educating people in general and training the next generation of cyber security experts.
"People need to know how they can contribute to cyber security, without being a vulnerability," Keayes said.
It is up to companies to educate their staff not to put too much information online, for example, which could make them a target of a social engineering phishing attack (which aims to acquire information by masquerading as a trustworthy entity in online communication).
Companies also need to be aware that no one is 'too small' to be immune from a cyber attack, and need to understand that 'good cyber security is good business,' Thales says.
Like the nuclear industry, cyber security experts (and particularly those with knowledge of nuclear power) are in "very short supply," Keayes said.
The new centre will be pivotal in training this next generation of experts. This is well illustrated by the fact that around 20% of today's 60-strong workforce at the Cyber Integration and Innovation Centre are new graduates.