Cyber security: retaining the power
16 February 2016
Vincent Zabielski and William Fork give an overview of the elements required for a robust cyber security programme in the nuclear sector.
The nuclear industry has long been aware of the importance of cyber security and of the risk a cyber attack poses to the safety, security and emergency response of nuclear plants. As the cyber threat landscape has grown over the past two decades, plant operators have been quietly, but steadily, improving their ability to prevent, detect and mitigate the effects of such an attack. Under the US regulatory structure, for example, a critical component of the design basis is that a nuclear licensee's physical protection programme must provide high assurance of protection against cyber attack. In the wake of the 11 September 2001 attacks, the US Nuclear Regulatory Commission (NRC) issued orders requiring licensees to address cyber security vulnerabilities. Other countries, such as the United Kingdom, also require nuclear licensees to protect their facilities from cyber attack.
Cyber security describes the full suite of technology and practice that protects networks, systems, computers, programs and data from attack, damage or unauthorised access. A nuclear regulator's focus is the systems in the power plant that matter to safety and security. But the plant operator, as a business, also runs other critical information systems, unrelated to the safe functioning of the reactor, that hold sensitive financial and personal information.
Attacks on information and process control systems can originate from anywhere in the world, and attackers' ingenuity appears limitless. Attacks can arrive through connections to the internet, through compromised vendor software updates and, in the case of so-called "air-gapped" systems, through portable media such as USB drives, CDs or floppy disks. They can target process controls, nuclear information, commercial trade secrets and personal information.
Details involved in developing and implementing an effective cyber security programme vary depending on the jurisdiction, but the basic approach is the same.
In the UK, computer-based systems important to nuclear safety ("CBSIS") are defined by the Office for Nuclear Regulation as systems that are either safety systems (which respond to a potentially hazardous plant fault by implementing a safety action) or safety-related systems (any other computer systems that could, through their actions or lack thereof, have an adverse effect on the safety of a nuclear system).
In the USA, where the nuclear regulatory system is more prescriptive and less goal-oriented than in the UK, the Nuclear Regulatory Commission defines the assets that must be protected from cyber attack as "critical digital assets". These are assets that: perform or are relied upon for safety, security and emergency preparedness functions; affect a safety or emergency function or a critical system; provide a pathway to a critical system that could be used to compromise, attack or degrade another function; support a critical system; or protect any of the foregoing from cyber attack. The two countries' definitions differ, but the principle is the same: to keep a cyber attack from affecting nuclear safety.
It is good practice to include the entirety of the enterprise within the scope of the company's cyber security programme, not just that of the nuclear plant. As the former US secretary of homeland security stated in September 2013: "Cybersecurity is not all about technology, it's much bigger than that; it's a business challenge . . . the impact on their bottom line isn't virtual; it's real, so companies [had] better start thinking about it as a real, honest-to-goodness business problem."
What are the elements of a solid cyber security programme? The first and most important element is a commitment to a robust cyber security programme from the board of directors. Cyber security is a bet-the-company issue that should be adequately funded. It should be a regular agenda item subject to continuous board and executive oversight. The board of directors should issue a comprehensive policy statement and reporting structure, establishing clear lines of responsibility. Once the board establishes the cyber security policy, a cyber security team should be formed. The team should be comprehensive and can include expertise not only from plant operations, design and systems engineering, security, and information technology, but from the office of the general counsel, human resources, and public relations. A set of detailed procedures should designate the roles and responsibilities of the members of the team in order to meet regulatory standards and best practices.
The cyber security team should be responsible for establishing and implementing a methodology, and a further set of procedures, to identify all potential critical digital assets in accordance with applicable regulations. This is a major undertaking that requires careful planning, as some of the equipment may be in locations that are difficult or impossible to reach while the plant is operating. A good multi-disciplined team of operators, system and design engineers, information technology professionals, security experts and lawyers is crucial to identifying all potential vulnerabilities and ensuring regulatory compliance. The company's lawyers play an increasingly important role in ensuring that the process complies with changing regulations, in identifying best practices from other systems and in ensuring that vendors honour their contractual commitments to confidentiality.
The vulnerability assessment must address all of the possible information flow paths into and out of each asset, and the connections between and among them. Typically, a graded approach is used. Assets important to safety and security functions, and the support systems and equipment which, if compromised, would adversely affect safety, should only allow data to flow outwards and should not accept any automated inputs; in practice this outbound-only rule is enforced by a deterministic one-way device such as a hardware data diode rather than by firewall configuration alone. Non-critical assets may allow two-way data flow, provided that the flow is controlled by appropriate security measures. The assessment must also look beyond individual connections, since a non-critical asset that is reachable from outside and in turn connects to a critical one provides an indirect pathway into it.
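The following is an added example, not code from the article or its authors, of the information-flow check that paragraph describes. It assigns each asset a security level and flags two things: individual flows that run inward from a less critical asset to a more critical one, and multi-hop pathways by which a low-level asset can reach a high-level one even though no single connection looks wrong. The asset names, levels and connections are constructed sample data for illustration, not a real plant inventory, and the level scheme (0 for external up to 4 for safety systems) is an assumption of the example.

```python
"""Graded information-flow check for a levelled defensive architecture.

Added example; constructed data.  Rule checked: data may flow from a
more critical level outwards to a less critical one, but nothing may
flow inward, directly or via intermediate hops, into a more critical
asset.  The check is necessary, not sufficient: it cannot confirm that
an outbound-only link is physically one-way (e.g. a data diode).
"""

# Constructed inventory: asset -> security level (assumed scheme:
# 4 = safety system, 3 = safety-related/security, 2 = plant data
# network, 1 = corporate IT, 0 = external/internet-facing).
ASSETS = {
    "reactor-protection-plc": 4,
    "plant-process-computer": 3,
    "historian": 2,
    "engineering-workstation": 2,
    "corp-file-server": 1,
    "vendor-vpn-gateway": 0,
}

# Constructed data flows as (source, destination, description).
FLOWS = [
    ("reactor-protection-plc", "plant-process-computer", "status telemetry"),
    ("plant-process-computer", "historian", "trend data"),
    ("historian", "corp-file-server", "daily reports"),
    ("vendor-vpn-gateway", "engineering-workstation", "remote support"),
    ("engineering-workstation", "plant-process-computer", "setpoint download"),
]


def direct_violations(assets, flows):
    """Flows whose destination is more critical than their source."""
    return [(s, d, desc) for s, d, desc in flows if assets[d] > assets[s]]


def inbound_paths(assets, flows, target):
    """Every simple path that starts at an asset less critical than
    `target` and ends at `target`.  These are the indirect pathways
    into a critical system that a per-connection review can miss."""
    adjacency = {}
    for src, dst, _ in flows:
        adjacency.setdefault(src, []).append(dst)

    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in adjacency.get(node, []):
            if nxt not in path:  # simple paths only; no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for start in assets:
        if assets[start] < assets[target]:
            walk(start, [start])
    return paths


def report(assets, flows, critical_level=3):
    """Map each asset at or above `critical_level` to its inbound paths.
    An empty list means the asset only ever sends data outwards."""
    return {
        name: inbound_paths(assets, flows, name)
        for name, level in assets.items()
        if level >= critical_level
    }


if __name__ == "__main__":
    for src, dst, desc in direct_violations(ASSETS, FLOWS):
        print(f"inward flow: {src} -> {dst} ({desc})")
    for asset, paths in report(ASSETS, FLOWS).items():
        status = "outbound-only" if not paths else f"{len(paths)} inbound pathway(s)"
        print(f"{asset}: {status}")
        for path in paths:
            print("   " + " -> ".join(path))
```

On the constructed data the safety system has no inbound pathway at all, which is the posture the article requires, while the plant process computer is reachable in two hops from the vendor VPN gateway via the engineering workstation. Neither of those two links is itself between distant levels, which is exactly why the transitive check matters; the individual flows would still need to be reviewed for the one-way enforcement the code cannot see.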
To be clear, this comprehensive assessment requires dedicated resources. Its output is typically a report that clearly identifies each risk and vulnerability and the recommended mitigation for it, including any plant modifications needed to monitor systems continuously for signs of an attack.
The recommendations of the vulnerability assessment should be carefully evaluated by the management team and reported to the board of directors. A mitigation plan should then be developed and implemented.
Finally, continuous monitoring and improvement should be established to ensure that the cyber security programme is fully integrated into the plant design, operation and security procedures. The executive suite must lead this effort, and ensure that the company tests its ability to handle different cyber security threat scenarios.
In addition to cyber penetration testing and regular regulatory compliance audits, a particularly effective tool at the corporate level is to conduct a cyber threat table-top exercise. Such an exercise can test full-scale responses by the executive leadership to cyber threats and test the company's procedures and interactions between information technology, operations, legal, human resources and public relations personnel. Exercises can also test the interactions between the company, authorities and vendors that will be needed to act quickly and effectively in the event of an attack.
About the authors
Vincent Zabielski and William Fork are Senior Lawyers at Pillsbury Winthrop Shaw Pittman