Experts

  • Position : Consultant
  • Affiliation : Researcher, Security and Technologies Program, The United Nations Institute for Disarmament Research (UNIDIR)
complete list

Related articles

It was almost two decades ago, when I was brought a manuscript. It was entitled “Information challenges to national and international security”. International information security – or cybersecurity, to use the more popular but grossly oversimplified term – is now high on the agenda of global challe...

At first glance, last couple of years added nothing new to the global cybersecurity threat landscape of the nuclear energy industry and its incident track records. The last major publicly reported cybersecurity incidents were cyber-attack on KHNP in late 2014-early 2015, and worm infection of the Gu...

Protecting nuclear infrastructure: the need for coordinated action in the domain of technical standardization, coordinated strategy and exchange of information

22.06.2017

MOSCOW, JUNE 22, 2017. PIR PRESS. — “IAEA itself is the key structure and authority that could design and engineer the perspective mechanism of international collaboration against cyber threats to nuclear energy industry”, — PIR Center Consultant Oleg Demidov. 

PIR Center experts continue researching cyber security of civil nuclear infrastructure. In his article "Protecting nuclear infrastructure: the need for coordinated action in the domain of technical standardization, coordinated strategy and exchange of information" PIR Center Consultant Oleg Demidov analyses the events of 2015-2016 in the sphere of cyber security, looks at the new challenges arising, and suggests several ideas for the international cooperation in this sphere. Here are the key conclusions:

  • Standards and normative regulations are necessary, but not enough tools to combat cyber threats to civil nuclear facilities on the global level. Technical standardization and building of comprehensive regulatory frameworks on the national level are the essential basis for ensuring cyber security in the nuclear energy industry. However, on top of that basis further constructions need to be erected, and they need to ensure transnational scope of coordinated action. 

 

  • One of the potential vehicles for such coordinated actions could be the process of implementations of trust and confidence building measures developed within certain international formats, including OSCE. On March 10, 2016 the Permanent Council of OSCE adopted Decision No.1202 “Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies”. The document expands the initial set of cyber-TSBMs outlined by OSCE in December 2013, and focuses predominantly on critical infrastructure (CI) protection. Article 15 of Decision No. 1202 encourages states to facilitate regional collaboration between legally-authorized authorities responsible for securing CIs to discuss opportunities and address challenges to national as well as trans-border ICT networks, upon which such CI relies. This includes developing shared responses to computer incidents affecting CIs and sharing information on cyber threats to CIs on the regional and subregional level. Also importantly, Article 16 suggests that states encourage reporting of vulnerabilities affecting the security of CIs and share associated information on available remedies to such vulnerabilities, including with industry and private sector. Since nuclear energy industry does belong to CIs in any of existing classification, these mechanisms could be of much use for advancing regional collaboration among nuclear facilities operators and regulators in the European region. Of course, the key obstacle is severe lack of trust that would be hard to overcome. However, one possible step in this direction might be shifting the momentum of such collaboration to private sector and PPPs. Shared approaches might be built upon shared solutions and mechanisms. Thus, in 2016 Russian Kaspersky Lab announce its initiative of a CII-CERT designed to provide services both for government agencies – and private entities, including nuclear energy industry actors. Although this initiative at the first stage targets Russian customers, nothing prevents it from going regional in the future – probably, except toxic fallout from mass accusations of ‘Russian hackers”. 

 

  • Finally, IAEA itself is the key structure and authority that could design and engineer the perspective mechanism of international collaboration against cyber threats to nuclear energy industry. The first thing that comes to mind is creating under IAEA the global repository of malware and vulnerabilities that were or potentially could be used in cyber-attacks against peaceful nuclear installations. Due to grave trust issues, the information in such repository could be available to a restricted number of subjects, including NPP operators and certain major vendors of critical ICS components for nuclear industry operators. IAEA with its reputation would guarantee protection of such sensitive information on vulnerabilities and restricted access to it. Finally, in the horizon of 2020 the Agency could expand the format and functions of its Incident and Emergency Centre (IEC). It becomes more and more obvious that cyber incident management profile should be added to the IEC functions, so that the Centre could become a focal point for national and industry CERTs, and security operation centers (SOC) of nuclear industry operators. Also, the IEC could provide consultations, information and other assistance to nuclear energy newcomer states trying to secure their objects against cyber threats. Finally, in a more distant perspective the IEC could really take certain functions of a CERT, providing technical consultations to operators in cases of cyber incidents or their immediate threat. 

No technical or financial obstacles make these ideas impossible – it is just a matter of trust and political will that should be generated and promoted in all frameworks, including the UN among the key ones. 

Full text of the article is available on the PIR Center website

Comments

 
 
loading