The control room inside the Paks nuclear power plant in Hungary. Photo: Bloomberg/Contributor
Recommendations
Civil nuclear facilities should consider the following steps to review and strengthen their cyber risk response capabilities.
1. Quantify the risk
Each organization should establish how much it spends on cybersecurity and compare that amount with the spending of organizations of similar size in similar sectors, where such data are available, along with how often those organizations suffer breaches, ransomware attacks and DDoS events. This exercise may offer scope to improve on the baseline risk calculations supplied by other entities (although in many cases the results are likely to be similar). Incident response reports, where available, should be examined to determine how much other organizations tend to spend during a crisis. Comparing these figures with one’s own organization’s fire, safety, HR and/or geopolitical risk budgets opens a dialogue between risk and finance managers about cyberattacks.
2. Measure response capacity
Each organization should establish how its cybersecurity and cyber risk budgets are split between prevention and mitigation/response. Money spent on firewalls does not help when breach notifications need to be sent to every employee or customer. Budget ‘discovery’ should therefore be followed by an explicit division of the cybersecurity budget into prevention and response components. The money set aside for response can then be compared against the claims figures cited in reports such as the Cyber Claims Study published by NetDiligence.38
3. Use training to shorten recovery time
Even if enough money is set aside, a crucial part of cyber response is training staff to reduce the ‘time to recovery’. How quickly can employees reset email passwords? How quickly can intruders in the network be detected? How quickly can a crucial employee’s computers be rebuilt from backup?
Preventing attacks such as phishing and ransomware requires good cyber hygiene throughout the workforce; reducing an organization’s time to recovery takes training and dedication. Practising tasks in simulation settings greatly reduces friction and the potential for error in a real crisis, just as safety drills do in other areas. Crisis simulations help identify communication channels and define the roles and responsibilities of different personnel and departments, and their lessons boost organizational resilience. Board-level support is preferable for such exercises – although, failing this, a crisis role-playing exercise for senior managers is still of benefit. Many boards believe they are ready for a crisis, then rapidly discover they do not know which phone numbers to dial or which communication path to activate to achieve the desired outcome. It is therefore useful to find a supportive internal stakeholder and build a scenario around hackers compromising or disabling key parts of the organization. Such practice improves essential understanding of both risks and capabilities.
There are many sources of cybersecurity training, from the providers approved by the UK’s National Cyber Security Centre (NCSC)39 to the SANS Institute, which trains and certifies security professionals.40 The Forum of Incident Response and Security Teams (FIRST) offers training on running computer security incident response teams.41 It has an Industrial Control System Special Interest Group (ICS-SIG) and a Cyber Insurance Special Interest Group (CI-SIG), and also provides training in technical incident response and digital forensics. For civil nuclear-specific computer security advice, the U.S. Nuclear Regulatory Commission has useful documentation on applying computer security practices and principles to safety instrumentation systems.42 This is especially relevant now that evidence has emerged of real threat actors using malware to target the integrity of safety systems, rather than such capabilities being demonstrated only by the ‘white-hat’ research community (security researchers who apply their expertise to ethical hacking and disclosure).43
One organization dedicated to all types of civil nuclear security is the World Institute for Nuclear Security (WINS).44 It offers online training on issues from physical site security to information risk management.45 To build on these activities, programmes such as those offered by WINS for board-level personnel could be utilized to deliver bespoke training at a high level within the duty-holder community.
Board-level engagement is crucial for budgeting decisions, but also because executives will be decision-makers during a crisis. A cybersecurity crisis is significantly different from other types of crisis; management and decision-making during a cybersecurity crisis can present unexpected challenges. Organizational training and board-level crisis simulations, as mentioned above, can aid understanding and budgeting both for prevention and for response.
The Safety Directors’ Forum provides frank discussions and sharing of information and practices among senior-level civil nuclear executives.46 In the UK, initiatives include a CISO working group that is co-chaired (on rotation) by the government, industry and the Office for Nuclear Regulation.47
It is known in certification circles that people sometimes attend training, never sit the requisite exam, then list the qualification on their CVs. Accreditation organizations are exploring better ways of verifying that candidates have actually passed; Pearson, for example, is exploring the use of digital badges. Verification should extend beyond employees and consultants to organizations in the supply chain. One method is to examine chairs’ reports on security performance, but increasingly a number of cyber risk telemetry and metrics companies offer simple cyber health check scoring systems. These currently offer only a shallow view of cyber risk (focused on the security of an organization’s internet-facing presence rather than its control systems), but such offerings will improve over time and are useful leading indicators of poor practice.
In conclusion, training is an essential part of cyber risk management and response. It should be leveraged at the individual, organizational and board levels simultaneously. Crisis simulations can provide cost-effective ways of building a culture of security within an organization. They offer potential improvements in the management of, and response to, the future challenges of cyber risk for civil nuclear facilities.