Cyberthreats need continual vigilance
23 March 2023
Nuclear industry organisations should look to invest in cyber defence even if there appears to be a lull in attacks. They should also be prepared for the event of a successful attack given that preparation provides a paper trail for regulatory authorities.
“The momentum and dynamic of cyberattacks underwent a period of change in 2022 which constituted a notable shift from the picture developing over more recent years, when cyberattacks had been on the constant increase.”
This is according to lawyer Julia Varley of Pinsent Masons, which saw a fall in the number of instructions to advise on cyber incident response in the first six months of last year. However, far from allowing for complacency, Varley was illustrating the changing nature of the threat. Pinsent Masons says it is possible that Russia’s invasion of Ukraine and the ongoing conflict there drew the attention of cyber criminals away from ordinary businesses in the first half of 2022. She said in an online article: “The decrease in activity generally coincided with the early stages of the Russian invasion of Ukraine; one theory being that this was caused by cyber criminals shifting to focus on targeting opposing national infrastructure rather than for financial gain.” It is notable that, against the backdrop of European conflict, the UK Information Commissioner’s Office (ICO) still said its data showed that the greatest proportion of cyber incidents arose after data was emailed to an incorrect recipient, and that so-called ‘phishing’ is still the most common technique cyber criminals use to initiate attacks. Ransomware attacks have also assumed a higher profile recently (see box), but these have prompted action from companies. As Varley said: “No doubt in response to the high profile proliferation of ransomware and other debilitating cyberattacks on businesses over the past few years, we have noted a very significant increase in the number of organisations proactively seeking to improve their cybersecurity posture, both technically and from an incident response capability.”
The need for companies to be prepared to respond to a cyberattack was one of the key messages in the ‘2022 Civil Nuclear Cyber Security Strategy’, an update of an earlier strategy produced in 2017 by the UK government (the Department for Business, Energy and Industrial Strategy, or BEIS) and the UK civil nuclear industry.
The strategy is clear that cyber security requires investment, resources and commitment from senior leadership because it means business change. It says nuclear sector organisations would need to dedicate 5-10% of their annual organisational change capacity to cyber to deliver the strategic outcomes. It says this is critical “as the outcomes cannot be achieved by security teams alone but need active support from all areas of each business”.
The UK’s goal, as summarised in the updated strategy, is: ‘A UK civil nuclear sector which effectively manages and mitigates cyber risk in a collaborative and mature manner, is resilient in responding to and recovering from incidents, and ensures an inclusive culture for all’.
It says cyber maturity has improved since the 2017 strategy was produced but stresses: “there is more work to do, and the evolving nature of both the threat and technology means we need to accelerate to keep pace”. The strategy also carries key messages about the threat posed by operational technology systems and by the supply chain.
It gives the sector four new objectives for 2026:
- To appropriately prioritise cyber security as part of a holistic risk management approach, underpinned by a common risk understanding, and outcome-focused regulation;
- With the supply chain, to take proactive action to mitigate cyber risks in the face of evolving threats, legacy challenges and adoption of new technologies;
- To enhance resilience by preparing for, and responding collaboratively to cyber incidents, minimising impacts and recovery time; and
- To collaborate to increase cyber maturity, develop cyber skills and promote a positive security culture.
These objectives will be delivered by a range of priority and supporting activities and overseen by a programmatic approach to delivery. Key commitments include:
- Rolling out cyber adversary simulation (CyAS) assessments and other threat-informed testing activities across the sector’s critical information technology (IT) and operational technology (OT) systems
- Setting baseline cyber security standards for the civil nuclear supply chain
- Collaborating across the sector on third party and component assurance and management
- Working with developers of advanced nuclear technologies to support cyber security by design.
The nature of cyberspace and the challenges faced mean that this strategy cannot be delivered by any organisation alone, and has therefore been developed jointly with leaders from public and private sector civil nuclear organisations, the Office for Nuclear Regulation, and the National Cyber Security Centre. Its success hinges on joint delivery and continued co-operation across all partners.
In recognition of this, the strategy has been endorsed by senior decision-makers across the sector through the Cyber Security Oversight Group, which will take responsibility for its implementation.
The UK strategy has several activities to help achieve its objectives for the next five years, such as:
- Mitigating cyber risks across IT and OT domains, by sharing and improving approaches to software and equipment assurance across the sector, using appropriate tools (including Active Cyber Defence) as they become available; conducting threat-informed assessment activities; improving asset management; investigating the development of a sector Centre of Excellence to share knowledge and expertise; and continuing R&D.
- Ensuring cyber security is embedded into the deployment of new nuclear and digital technologies by: integrating new systems securely onto networks; reviewing and promoting cloud security guidance; and sharing risk assessments on new technologies.
- Managing supply chain cyber risk: regular mapping of supply chains; sharing model third party contracts; working jointly with suppliers and trade associations; promoting international guidance (from the IAEA), and utilising existing best practice toolkits.
- Supporting the nuclear supply chain by: increasing engagement with industry groups; and working with trade associations. Nuclear organisations will set baseline cyber and information security standards for suppliers; the ONR will benchmark the existing cyber security maturity of holders of SNI; and BEIS will consider the case for regulation of cyber security in the supply chain.
Be ready to respond
Whereas in the past cybersecurity strategies might have focused almost entirely on trying to stop incidents, the 2022 strategy is clear that companies have to be able to respond effectively to them as well. One of the new strategy’s deliverables is a sector-wide live cyber incident response exercise with the National Cyber Security Centre, alongside an exercising programme targeted at senior decision-makers.
Pinsent Masons lawyer David McIlwaine set out some of the ways organisations should be prepared to respond to incidents. He agrees with the Strategy’s advice that organisations would benefit from scenario planning, playbooks and testing exercises. He advises that a tailored cyber response plan and playbook can help organisations understand what to do in the event of an incident and will also show regulators that the company took appropriate steps to adopt a cyber readiness process. His advice includes:
- Identify the information assets to protect, for example whether they are intellectual property or data. This will be unique for each sector, and for companies at various points in the supply chain, among other factors. In critical industries like nuclear, “ensuring that operational systems remain secure will be paramount”. All businesses will want to ensure that confidential business operations information, and information relating to litigation or regulatory investigations, remains protected.
- Identify relevant jurisdictions and the data held in each location. Identify and assess privacy and other industry regulations across jurisdictions.
- Comply with prescribed time periods for reporting different types of cyber incident to relevant bodies. Knowing what you need to report and when in each jurisdiction is imperative.
- Identify obligations under standard terms and contracts, as a cyber incident may trigger contractual notifications. Contractual terms should be reviewed on a prioritised basis – large customer contracts, contracts with government bodies, and sensitive contracts should be reviewed first, for example – to check the terms for items relating to confidentiality and data protection. Publicly listed companies may have obligations to notify the market of cyberattacks.
- Identify relevant individuals within the business and across jurisdictions to form an internal crisis management team to lead the organisation’s response to cyber incidents. Include individuals from legal, IT, HR, PR and the board.
- Identify external providers and, if possible, agree engagement terms up-front. Specialist IT forensics firms, crisis negotiators, external specialist cyber lawyers, external PR agencies, and credit monitoring businesses – where financial data has been compromised – can all help businesses manage cyber incidents effectively.
With this framework in place, McIlwaine says companies should review their cyber incident response and business continuity plans and rehearse them regularly. And they should train their employees, who are often the first line of defence, to spot the signs of potential malicious activity.
The IAEA says that nuclear plants have to replace analogue devices that have reached their end of life and become unmaintainable or obsolete, and that the industry is moving towards using smart devices designed for non-nuclear applications in safety-related systems. It discussed the current safety and security issues of smart devices in a new report, ‘Safe Use Of Smart Devices In Systems Important To Safety In Nuclear Power Plants’, published in January.
It notes that these industrial or commercial-grade smart devices are typically developed and certified according to non-nuclear-industry standards. It says qualifying such a smart device for nuclear applications may be more difficult than for a device developed specifically for nuclear use, “because the commercial development processes for such devices may be less transparent and controlled than the processes described in the relevant IAEA safety standards,” especially if there is no cooperation from the manufacturer. Information to demonstrate quality and reliability may not be available.
There is limited regulatory consensus on the safe use of smart devices in nuclear safety systems.
The IAEA says digital devices may be susceptible to cyberthreats but smart devices offer some resilience compared with other complex digital systems. Resilience comes from the few reprogramming opportunities (although they can be reconfigured) compared with systems like programmable logic controllers (PLCs) and the fact that changes generally need physical access to the smart devices.
But vulnerabilities include access to backdoors in smart device software or counterfeit devices providing remote access to smart devices. There may also be vulnerabilities in the supply chain, such as hacking of manufacturers and the introduction of malware, or hidden malicious code in the libraries or tools used for smart device development. Some of the cyberthreats identified above arise from the supply chain. If malware is inserted into a software library or module it could affect several devices, while if it is inserted into a software tool such as a compiler it could affect all devices that are produced using that software tool.
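The two supply-chain cases the IAEA distinguishes above (a tampered library that reaches several devices, and a tampered build tool that reaches every device built with it) call for two different defender-side checks. The script below is an added example and is not code from the IAEA report or the article; it assumes a manifest of SHA-256 digests pinned out of band with the manufacturer, and all artifact contents in it are constructed sample bytes. The first check compares delivered artifacts against that manifest and flags mismatches, missing files and unexpected extras; the second compares the same source built with two independent toolchains, on the reproducible-build principle that a difference which the source cannot explain points at the toolchain.

```python
"""Integrity checks for smart-device software components against a pinned manifest.

Added example, not from the IAEA report or the article. Assumes the operator holds
a manifest of SHA-256 digests agreed with the manufacturer out of band. All
artifact bytes below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Finding:
    artifact: str
    kind: str          # "ok", "mismatch", "missing" or "unexpected"
    detail: str = ""


def verify_manifest(delivered: dict[str, bytes], manifest: dict[str, str]) -> list[Finding]:
    """Compare delivered artifacts to pinned digests (catches a swapped or altered library).

    delivered: artifact name -> raw bytes as received from the supplier.
    manifest:  artifact name -> expected SHA-256 hex digest.
    """
    findings: list[Finding] = []
    for name, expected in manifest.items():
        if name not in delivered:
            findings.append(Finding(name, "missing", "listed in manifest but not delivered"))
            continue
        actual = sha256_hex(delivered[name])
        if actual == expected:
            findings.append(Finding(name, "ok"))
        else:
            findings.append(Finding(name, "mismatch",
                                    f"expected {expected[:12]}..., got {actual[:12]}..."))
    # Anything delivered that the manifest does not list is also suspicious.
    for name in delivered:
        if name not in manifest:
            findings.append(Finding(name, "unexpected", "delivered but not in manifest"))
    return findings


def accept_delivery(delivered: dict[str, bytes], manifest: dict[str, str]) -> bool:
    """Accept only when every manifest entry matches and nothing extra arrived."""
    return all(f.kind == "ok" for f in verify_manifest(delivered, manifest))


def cross_check_builds(build_a: dict[str, bytes], build_b: dict[str, bytes]) -> list[str]:
    """Names of artifacts that differ between two independent builds of the same source.

    Identical source plus two unrelated toolchains should give identical output; a
    difference isolates the toolchain (e.g. a compiler) as the thing to investigate.
    """
    names = sorted(set(build_a) | set(build_b))
    return [n for n in names if build_a.get(n) != build_b.get(n)]


# --- constructed sample data -------------------------------------------------
GOOD_LIB = b"libcomms v1.4 -- constructed sample bytes"
GOOD_FW = b"device firmware image -- constructed sample bytes"

PINNED_MANIFEST = {
    "libcomms.so": sha256_hex(GOOD_LIB),
    "firmware.bin": sha256_hex(GOOD_FW),
}

CLEAN_DELIVERY = {"libcomms.so": GOOD_LIB, "firmware.bin": GOOD_FW}

# Library altered in transit plus an extra file that the manifest never listed.
TAMPERED_DELIVERY = {
    "libcomms.so": GOOD_LIB.replace(b"v1.4", b"v1.5"),
    "firmware.bin": GOOD_FW,
    "updater.bin": b"not in the manifest -- constructed",
}

# Same source, two toolchains; toolchain B emits a firmware image that differs
# by one byte, which is the signature of a compromised build tool.
BUILD_TOOLCHAIN_A = {"libcomms.so": GOOD_LIB, "firmware.bin": GOOD_FW}
BUILD_TOOLCHAIN_B = {"libcomms.so": GOOD_LIB, "firmware.bin": GOOD_FW + b"\x90"}

if __name__ == "__main__":
    for f in verify_manifest(TAMPERED_DELIVERY, PINNED_MANIFEST):
        print(f"{f.kind:10} {f.artifact} {f.detail}")
    print("accept clean delivery:", accept_delivery(CLEAN_DELIVERY, PINNED_MANIFEST))
    print("accept tampered delivery:", accept_delivery(TAMPERED_DELIVERY, PINNED_MANIFEST))
    print("toolchain-divergent artifacts:", cross_check_builds(BUILD_TOOLCHAIN_A, BUILD_TOOLCHAIN_B))
```

The manifest check only helps if the digests were obtained through a channel the supplier's delivery path cannot influence, which is why the text's point about manufacturer cooperation matters; the cross-build check adds no value if both toolchains come from the same compromised source.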
Compared with other systematic failures, such as unintended software flaws, cyberthreats typically change rapidly and can be designed to simultaneously target multiple smart devices. Consequently, it is difficult to assess whether threat protection is adequate and to predict the consequences. Nonetheless, the industry must remain vigilant.
Are you ready for a ‘ransomware’ attack?
Pinsent Masons lawyer Julia Varley said ‘ransomware’ cases accounted for 45% of the matters Pinsent Masons’ cyber risk team advised on in 2022 – a significant increase from 31% in 2021.
She says companies should consider how they will engage with those behind ransomware attacks ahead of time.
In the event of a ransomware attack, the organisation may wish to engage in discussions with those behind the incidents and may ultimately choose to make a ransom payment. The decision as to whether to engage with an attacker or make a ransom payment is often a complicated one, involving important commercial, ethical and reputational considerations, as well as complex legal and compliance issues. The choice to engage is a business decision.
Should an organisation decide to pay a ransom, there are important compliance steps which will need to be put in place before any payment is made. This will ensure that the organisation does not fall foul of any anti-money laundering and/or terrorism funding offences, sanctions, and any other applicable laws.
Failure to take the appropriate steps can expose the business and directors to criminal and civil liability.
Author: Janet Wood, Expert author on energy issues