A Policy Memo
Executive Summary
Cybersecurity challenges have become one of the key concerns for the operators across all critical infrastructure (CI) sectors. Rapid progress in offensive cyber capabilities and upsurge of the number of CI cybersecurity incidents demand urgent reaction from operators, regulators and international community. However, all these stakeholders have to face global trends that obviously increase cybersecurity vulnerabilities of CI objects. Those include extensive and ongoing digitalization of PCS and ICS at critical facilities; broad connectivity of CI corporate office and even industrial networks to the Internet, with the advent of IoT and IoE. Internet connectivity goes hand in hand with “mobile revolution”, bringing to CI sectors BYOD an d “CI in your pocket” concepts. Finally, extreme complexity of transcontinental ICS, SCADA software and field devices supply chains has become a common issue for most CI sectors.
Though these trends take place among all CIs, the CNF sector stands out due to a number of its unique characteristics. One of them is unparalleled infrastructural complexity of CNF information systems, measured by hundreds of ICS systems and many thousands of detectors for a single NPP. The factor of extreme complexity generates three pressure points in terms of ensuring CNF cybersecurity. One is unique and one-in-a-kind nature of architecture and engineering cybersecurity and network security solutions at CNF that seriously limit the applicability of previous experience and best practices. Second, trust to vendors and integrity of IT supply chains becomes a grave serious issue. Third, complex environment demands for a complex and comprehensive cybersecurity approach, including Cybersecurity-by-design (CBD), real-time event management, deployment of cryptography and possibly disclosure of source code of the field devices’ firmware by vendors to CNF operators. Second unique characteristic of the CNF sector in terms of cybersecurity is its uncertain place and role of cybersecurity with regard to nuclear security. CNF cybersecurity emerges at the intersection of ICS safety, (physical) nuclear security and information security. So far, the integration of CNF cybersecurity with nuclear security is not over, so it brings a number of challenges, including unclear division of functions among regulators, conflicting requirements, standards and procedures, as well as terminological and conceptual gap between the two security dimensions.
Concerning the regulatory landscape, in most states CNF cybersecurity is just emerging as a separate regulatory framework on a nation-wide level. Key issues include ambiguity in division of regulatory agenda between governmental agencies and gaps and overlaps in the regulators’ functions. In many developing countries, these functions are scattered across many regulators with lack of contact between each other. Next issue is lack of a single sector-specific regulator that often leads to weak feedback from private sector stakeholders. Also, the rigid, though highly elaborated nuclear security paradigm sometimes acts as a barrier to elaboration of a hybrid regulatory framework addressing specific issues of the CNF sector. This is often accompanied with the lack of integration of international guidelines, recommendations and best practices into national CNF cybersecurity regulations.
Still, steady progress is observed in many jurisdictions since the beginning of 2010s: elaboration of sector-specific cybersecurity legislation has sped up; increase in regulatory activities focused on CNF cybersecurity takes place even in countries without single sector-specific regulators, e.g. Russia. Finally, the interest of governments in international discussions and initiatives on CNF cybersecurity is growing, judging by their engagement in international conferences and discussion fora.
On the international level, the CNF cybersecurity debate has been taking place in the midst of a legal vacuum and lack of joint incident mitigation and investigation. Thus, no obligatory frameworks are in place to ensure integrity of ICS supply chains for NPPs. Next, cyber-attacks against CNF do not fall under the scope international mechanisms aimed at countering and preventing cybercrime, e.g. the CoE Convention of 2001. Similarly, no ad-hoc international norms or treaties that would address the CNF cybersecurity issue are in place. Proposed treaties and adaptations of existing norms would have limited use and lack compliance incentives unless the issues of attribution and varication in cyberspace are effectively resolved. However, the window of opportunities is open with regard to the UN GGE activities. Proposing the ban of cyber-attacks on CIs and ensuring integrity of IT supply chains in the format of non-binding policy norms might be a major step to advance global CNF cybersecurity debate.
In terms of technical guidelines, trainings, capacity building and awareness raising activities, the IAEA role remains instrumental and is permanently increasing. In 2015, the International Conference on Computer Security in a Nuclear World became a major effort at focusing international attention on the issue. However, to mitigate the threat efficiently, the Agency probably has to push its member states and wider international community towards debate on enhanced and more practical transborder cooperation mechanisms and formats.
Speaking on cyber-threats to CNF, one key thing is that no universally accepted taxonomy of cyber impacts on nuclear facilities currently exists. The IAEA, OSCE and others try to reduce this gap by introducing their classifications, though none of them could be comprehensive. While comprehensive taxonomy is task for the future, a basic reference model with three parameters (source of threat / threat nature / intention) is used to conduct a case-based analysis of 4 cybersecurity incidents at CNF facilities: worm infection of the David-Besse NPP in 2003, Stuxnet and the Olympic Games operation in 2005-2012, cyber-espionage and blackmailing campaign against KHNP NPP operator in December 2014, and worm infection of the Gundremmingen NPP in Germany in April 2016. Analysis of the cases allows to identify some basic trends. First, unlike earlier decades, highly-advanced cyber-threats to CNF tend to prevail today that combine the tools of cyber espionage and cyber sabotage and targeting the critical systems and CNF employees very precisely. Next, revealing and investigating the incident might not be enough to displace the threat once and forever, since the malware has become multi-modular and easily modifiable, while cyber-attacks from short-term spontaneous actions have evolved into continuous well-planned APTs with longstanding lifespans. Finally, threat vectors with regard to CNF cybersecurity incidents drift from traditional spectrum of threats covered by nuclear security. A complex and permanent threat environment has come to the CNF sector, though a bit later then to other CI sectors.
To mitigate these challenges, an integrated system of steps is required on technical, regulatory and global policy-making levels.