What is secure by design?
The practical difficulties that confront security managers at existing nuclear facilities remain a significant challenge. This is particularly the case regarding the retrofit of cybersecurity controls to organizations – and their attendant systems – that were brought into service before cybersecurity risks became so prevalent. New build programmes offer the opportunity for a fresh start in the protection of a nuclear facility’s sensitive digital assets. Through the installation of modern digital components and state-of-the-art software, along with the recruitment and training of a workforce familiar with an embedded nuclear security culture, new builds could represent a step change in how the civil nuclear industry protects its sensitive digital assets. This process could be referred to as ‘cybersecurity by design’, especially if vendors, designers, manufacturers and constructors of a new build nuclear power plant comprehensively take account of the implications of safeguarding the plant’s vulnerable, information-based systems from the very earliest design stages.
Recognizing and applying best practice in cybersecurity would be a reassuring and effective start to a new build; however, maintaining the focus on security in a project as complex as the construction of a nuclear power plant is a major challenge. Funding, design and construction complexities, the recruitment of specialists, and the impact of public, government and media scrutiny are all likely to demand the full attention of senior project managers. At the early stages of design, it would be understandable not to prioritize issues requiring less immediate attention – such as the protection of instrumentation and control systems that might not themselves be procured until several years into the project.
Decisions on the protection of sensitive digital assets in a new build project will also be influenced by the significant time it currently takes to design, plan and build a nuclear power plant. Extremely rapid advances in both digital hardware and software often mean that, in a relatively short time, technical capabilities and vulnerabilities can change. In addition, there is a valid consideration that design assumptions made at the outset of a project might be overtaken by technological developments that could be difficult to ignore. In the design of sensitive digital assets for new build projects, there must come a point of ‘design freeze’, when technology, software and components have to be chosen for the new build plant and when, under the imperative of completing the project on time and on budget, a halt must be called on incorporating future innovations and improvements in the design. Perversely, this has the potential to create similar conditions to those confronted today by the operators of existing nuclear facilities. In other words, the hardware and software may achieve their original objective, but this would not necessarily incorporate the latest advances in protection or system performance when the plant begins operation.
More broadly, the application of security by design in nuclear new builds could provide operators with an opportunity to consider the protection of sensitive digital assets, at least at the beginning of a nuclear power plant’s life cycle. In the long run, security by design cannot be taken for granted, because cyber risks change and evolve rapidly and new ways to infiltrate the system architecture will emerge. Establishing layers of security – for instance, by designing a secure software development life cycle, and by creating a framework for nuclear security culture and by establishing cybersecurity best practices – is key to minimizing the risks, but it is essential that these initiatives are complemented by robust quality assurance programmes, which check for vulnerabilities in a product both before it is integrated into the critical system and then subsequently during its operating life.
Careful design can – and should – achieve levels of protection that exceed current norms and expectations, but the sourcing of components from a global supply chain means that the integrity of even the most skilfully designed security regime cannot be guaranteed without exhaustive checks of its components. Once a system designed to protect sensitive digital assets is operational, it will no doubt have an appeal to a cyberattacker as a challenge to be beaten.
A 2015 Chatham House research paper highlighted a point of view – held by many in the civil nuclear industry at the time – that nuclear facilities were de facto protected from cyberattacks by a perceived ‘air gap’ between instrumentation and control systems and the internet.3 However, recently there have been enough successful attacks on sensitive digital assets in the nuclear sector and other industries to discredit that assumption. It is more likely that hackers will regard elaborate cybersecurity architecture as simply another target to defeat or discredit, and it cannot be assumed that cybersecurity by design will ever deliver infallible protection against the range of threats that the sector faces. Cybersecurity by design, however, may provide a resilient security architecture that could protect a plant’s system, software and networks from malicious access, at least until new threat vectors arise. Therefore, cyber defences must evolve along with the threat.
Regulators will expect nuclear operators to continue to employ plans and policy in order to fend off cyberthreats. Many operators will rely on in-house experts who will use their experience and their detailed knowledge of a nuclear facility’s systems to meet regulatory and operational requirements. However, even in-house expertise may not be enough, and some form of outside assistance could be required, if only to provide a source of impartial assurance to the facility’s executive board that the facility is adequately protected. Cybersecurity by design may well include a requirement for a technical support organization to conduct quality assurance and penetration testing, but after the new build facility has been commissioned, the executive board should give direction – ensuring that such practices and testing occur regularly, and that board members themselves understand the implications of the vulnerabilities unearthed by the penetration test procedure.
Over the life cycle of a new nuclear plant, implementing recommendations made in the 2015 Chatham House research paper in the context of a robust design promoting cybersecurity may contribute to the protection of sensitive digital assets. Sharing experiences through effective information exchange; training and motivating the executive boards of nuclear operators and their employees to improve their personal approaches to nuclear security culture, including cybersecurity; setting rules and standards for dealing with cybersecurity challenges; and addressing supply chain vulnerabilities – each of these may have an effect out of all proportion to the resources required to implement such recommendations.