Cybersecurity regulations and guidance for civil nuclear facilities
There is no internationally recognized ‘gold standard’ on how nuclear cybersecurity should be organized, but several international organizations and regional bodies have published guidance. This paper notes the position of the International Atomic Energy Agency (IAEA) that security is a national responsibility. For the civil nuclear sector, the IAEA publishes nuclear security recommendations that reflect internationally accepted best practice, but there are no recognized international regulations as such. Other non-governmental organizations and lobbying groups, such as the World Institute for Nuclear Security (WINS), have issued high-level guidance documents on how national infrastructure for cybersecurity might be prepared, while guidance from organizations that set industry standards for CNI has also provided useful technical advice. Some national authorities have created comparable technical frameworks and processes. For instance, the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce, has developed guidance specifically to assist nuclear facilities in complying with multi-faceted regulations that require the computers, digital communications and systems in CNI to be protected from cyberattacks.
Guidance for greater cybersecurity at nuclear facilities has also been issued through regional advisory bodies, such as the European Union’s Energy Expert Cyber Security Platform (EECSP). A cross-sectoral EECSP report from February 2017 identified cybersecurity gaps in EU member states’ energy sectors, and recommended various initiatives for the European Commission to develop a European strategic framework and auxiliary legislative acts to promote greater cybersecurity in the nuclear sector. At the international level, successive UN Groups of Governmental Experts (GGE) delivered reports in 2010, 2013 and 2015 on cyber developments in the context of international security. An important recommendation from the 2015 GGE report was that states should not conduct or knowingly support activity that intentionally damages or otherwise impairs the use and operation of critical infrastructure. It also recommended that states take appropriate cybersecurity measures to protect such facilities. Despite consensus that CNI should be inviolable from cyberattacks, conflicting national interpretations of how international law applies to state responses to a cyberattack have thwarted further discussion, underlining the shortcomings of multilateral decision-making in the context of cybersecurity.