Since the 9/11 terrorist attacks in New York and Washington, DC, reviews of CNI in many countries have prompted numerous security improvements, often involving costly, complicated and sub-optimal retrofits in facilities nearing the end of their operating lives. Within the civil nuclear sector, the so-called ‘nuclear renaissance’ and the prospect of constructing a series of new build nuclear power plants has encouraged regulators and operators to think hard about the security of nuclear facilities throughout their life cycle. In the immediate aftermath of 9/11, the object of these security reviews early in the design process was to implement physical protection measures, but the debate has been dominated increasingly over the last decade by the growing threat from cyberattacks. Moreover, rigorous regulatory reviews have been implemented and increased attention paid to security in the wake of the meltdown at the Fukushima Daiichi nuclear plant in March 2011, which followed a tsunami.
The aspiration among many is to improve resilience against cyberthreats through security by design. Whereas physical protection measures at new nuclear power plants could be designed and built to take account of how the threat of physical attack might develop in the years ahead, the rapidly changing and evolving cyberthreat presents greater challenges to designers and is likely to continue doing so. There will always be a compelling argument to design and incorporate as much security as is reasonably possible into the digital systems of a new nuclear power plant as early as possible, but it is hard to see how such design decisions can remain robust and effective in the context of exponential developments in cyber capability and cyberthreats, while being implemented within the timelines for the construction of a new nuclear power plant. This remains the biggest challenge in the concept of security by design.
There is no panacea against cyberattacks. However, strong security, built into the design of a nuclear power plant, can provide a layer of defence against current and emerging cyberthreats by limiting attack vectors and vulnerabilities in sensitive digital technology. The executive boards of nuclear operators should focus on building and sustaining an effective and demanding nuclear security culture, including cybersecurity, which all employees should adopt and practise. Boards should also recognize the contribution that can be made by technical support organizations familiar with both the cyberthreat environment and the nuclear sector to the protection of their digital assets. Above all, operators and regulators must guard against complacency and must demand sustained commitment to security, including cybersecurity, within the civil nuclear sector and across the supply chain.