Cyberattacks are increasingly challenging critical national infrastructure. This paper considers the security by design approach for civil nuclear power plants and analyses areas of risk and opportunities for the nuclear industry.
Introduction
Cyberattacks are increasingly challenging critical national infrastructure (CNI). Many stakeholders, ranging from governments to private-sector companies, have started to embrace cybersecurity prevention and mitigation measures. One effective measure would be to secure the CNI at the design stage: this is referred to as the ‘security by design’ (or ‘secure by design’) approach.
This paper considers the security by design approach for civil nuclear power plants, examining whether it is possible to secure the system architecture at the early stages of development and to build in layers of defence at the design stage – or whether security by design remains an elusive ideal. It refers to two examples of nuclear new build projects – Hinkley Point C in the UK and Barakah in the UAE – that rely to a greater or lesser extent on imported equipment, design or technology. The paper analyses areas of risk and opportunities for the nuclear industry.
Currently, the secure by design approach has to accept that:
- There is no incentive for manufacturers and construction companies to invest in security by design, because it is not a cost-efficient approach. There is a need for operators to exceed regulatory requirements when a project is in its infancy.
- Applying the principle of ‘Defence in Depth’1 for cybersecurity at the design stage may require the commissioning of technical expertise and investment in design, which some executive boards may consider to be both premature and unnecessary at that point in their project’s development.
- Imported equipment and software are manufactured to different standards2 and may trigger unexpected safety vulnerabilities when incorporated in another country’s CNI.
- Some software companies have failed to establish robust and effective quality assurance processes before writing code for programmes. This can result in erroneous threat assessments and a failure to identify vulnerabilities before the product is introduced in the CNI.
1 Defence in Depth was originally a nuclear safety concept. Today, it is also used in nuclear security terminology. The Defence in Depth approach suggests the creation of independent and redundant layers of defence in nuclear power plants, in order to increase safety and security. See, Madsen, M. (2014), ‘Defence-in-Depth and Its Role in Nuclear Safety’, IAEA, 22 September 2014, www.iaea.org/newscenter/news/defence-depth-and-its-role-nuclear-safety (accessed 6 Mar. 2019).
2 Foreign-manufactured equipment and software may function in exact accordance with the manufacturer’s claims, but without constant scrutiny from transmission system operators with the appropriate expertise, there may be additional (malicious) functions within the equipment/software, which may not have been identified.