The increasing digitisation of our national infrastructure offers many benefits to organisations and their customers. However, some fear that the systems used to control physical functions of this infrastructure, often now referred to as operational technology, could have the potential for a serious cyber-incident. The massive damage caused by a sophisticated cyber attack on a German steel mill last year illustrates the potential threat.
The Financial Times recently picked up on the report published by Chatham House on Cyber Security at Civil Nuclear Facilities: Understanding the Risks, which considers the major cyber threats to civil nuclear facilities. This report comes hot on the heels of a review being undertaken by The Department for Energy and Climate Change into cyber risk in the civil nuclear sector in the UK.
Chatham House’s findings are generally consistent with our experience of other industrial sectors using control systems. Of course, a single incident in the nuclear sector carries greater consequences than in other sectors and consequently generates greater public concern. However, what is less understood by the public is that the systems used to control industrial plant are not the same as those used for safety-critical control. The latter tend to be isolated systems, with rigorous access control, monitoring and working practices, not purely dependent upon digital technology for protection.
We work with almost all of the existing UK nuclear power generators and the nuclear new-build companies. In my experience, these organisations are ‘designing security in’ and developing best practice technical solutions to tackle threats.
The report highlights some challenges for the world-wide industry including:
The report goes on to identify other challenges:
The Chatham House report recommends that the nuclear industry should provide a balance between regulation and self-determined actions to avoid stagnation. It also recognises the need for risk-based approaches and innovation, whilst avoiding compliance-driven requirements that do not reflect the state-of-the-art, or the developing nature of threats and vulnerabilities.
In summary, though I’d broadly support the findings of the Chatham House report, I would emphasise that the UK nuclear industry is far from complacent. In fact, for all the reasons outlined above, it is world-leading in its approach to addressing cyber security threats.