The Nuclear Security Summit 2016 was held in Washington, D.C., United States, on March 31-April 1. Though the threat of nuclear and radiological terrorism was the main topic presented at the Summit for the leaders of 58 participating countries, information and cybersecurity of nuclear infrastructure received extensive attention as well. In particular, the United Kingdom announced that it will be conducting a joint cyber security exercise with the US in 2017 on the civil nuclear industry to test both countries’ systems against attack.
As in 2012, 29 participants of the Summit joined the “Gift Basket” on cyber security, a commitment to participate in two international workshops held by the UK on this topic in 2016. The workshops are designed to enable the states and their nuclear sectors to receive good practice in managing risks to industrial control systems in nuclear sites, as well as to examine the impact of using information technology in managing safety and security aspects of plant control systems.
More than 20 states mentioned actions and achievements in the fight against cyber threats against nuclear infrastructure in their National Progress Reports. Australia, the Czech Republic, Finland, Germany, Hungary, Japan, the Netherlands, and the Republic of Korea reported including cybersecurity components in their Design Basis Threats (DBT) for nuclear facilities or renovating these components.
Canada, China, Germany, Hungary, Japan, the Netherlands, the Republic of Korea, and the United Arab Emirates conducted national, regional and/or international workshops or exercises, or IAEA Regional and International Training Courses on cybersecurity.
Canada, the Czech Republic, Finland, France, Hungary, the Netherlands, the Republic of Korea, Spain, Switzerland, and the United Arab Emirates adopted (or plan to adopt in the near future) or strengthened national legislation on cyber protection of nuclear infrastructure.
New regulatory and/or control public agencies on cybersecurity (including agencies for regulating infrastructures) were established in Belgium, India, and Singapore. In Belgium, Denmark, and the US, cyber components were included in the “stress-tests” for nuclear infrastructure facilities.
Highlights of the National Progress Reports on cybersecurity are presented below. Full texts of the reports are available on the Nuclear Security Summit website.
Australia employs a DBT for its nuclear facilities, which includes a cybersecurity component.
Belgian authorities have initiated a process aimed at identifying the principal features of potential cyber-attacks against the nuclear sector. This has allowed the identification of specific threats and risks against Belgian nuclear facilities. The Cybersecurity Centre in Belgium was established in 2015 under the authority of the Prime Minister.
Belgium voluntarily extended the scope of its “stress-tests”, which were established after the Fukushima accident, to include man-made events such as cyber-attacks.
The FANC (Federal Agency for Nuclear Control) pays heed to the global recommendations of the IAEA in the field of cybersecurity. The FANC is also committed to the exchange of information with foreign authorities in order to share good cybersecurity practices. The Cybersecurity Centre and the FANC are examining what kind of initiatives Belgium should take in order to optimize its cybersecurity and reinforce international cooperation in this field.
Canada has developed a national standard (CSA N290.7) to address cyber security at nuclear power plants and small reactor facilities. This standard was published in December 2014. Canada hosted an IAEA National Training Course on Computer Security and Conducting Assessments in December 2015.
Nuclear power plant operators in Canada have cyber security programs in place that are aligned with international standards and best practices.
China has been continuously enhancing related legislation, strengthening management on information security of industrial control systems and cybersecurity in the internet industry, and improving its capability to ensure information security and cybersecurity of its nuclear industry. China has put into place cyber security requirements for the management of industry control systems and is exploring the possibility of establishing a security risk notice mechanism. China has strengthened protection of internet infrastructure and operation systems and conducted risk assessment regularly. China has also enhanced its emergency response capabilities concerning cyber security incidents and conducted a number of exercises in this regard. China has improved its capability to prevent cyber-attacks on the public internet and strengthened internet data protection.
A permanent working group composed of representatives of central governmental authorities (the Ministry of Trade and Industry, Ministry of Interior, Ministry of Defense, Presidium of the Police, Security Information Service, State Office for Nuclear Safety and the Czech Power Company ČEZ) issued a new DBT for Czech nuclear facilities and material that now includes airborne and cyber threats.
In 2014 and 2015, the regulatory body of the Czech Republic was involved in preparing a new Atomic Act and a Regulation on the physical protection of nuclear material and nuclear facilities, which will cover in greater detail new aspects of nuclear security, including computer security at NPPs.
In 2014, Danish police and military special forces conducted an exercise at the national nuclear facility site at Risoe. In addition, an inspection of computer systems with safety and security functions at the national nuclear site was carried out in the same year.
The National Counter Terrorism Strategy and Cyber Security Strategy of Finland include elements relevant to nuclear security. The nuclear security regulatory requirements are periodically reviewed. In 2013, a new regulatory guide on information security (including cyber security) entered into force as part of a comprehensive revision of STUK (Radiation and Nuclear Safety Authority) guides.
A revision of the DBT was initiated in 2016. STUK is coordinating an informal information security working group with Finnish nuclear facility operators and other national authorities who play a role in information security. The aim of the working group is to develop training and testing, to strengthen response, and to improve information exchange on cyber security threats and incidents.
Finland is actively cooperating with the IAEA in the information security and cybersecurity domain. In 2012 Finland hosted an IAEA Consultancy Meeting on the development of a guidance document in Industrial Control System Security. Finland supports and participates in the development of IAEA guidance on Computer Security.
A national Nuclear Security Culture Workshop was conducted in Finland in 2011 in cooperation with the IAEA for top management of relevant stakeholders, including nuclear operators. Finland hosted an IAEA International Workshop on Nuclear Security Culture in 2013. Within its inspection and evaluation programs, STUK has begun to address how the processes of nuclear security (physical, information, and cybersecurity) are linked to the integrated management system of nuclear facilities and how security issues are included in their organizational culture, together with safety issues. As a reflection of such linkage and inclusion, nuclear facility operators have adopted a concept of site-walks to collect observations on physical security, information security, safety, and safeguards, which contributes to situational awareness and the management of anomalies.
In 2014 and 2015, France contributed to IAEA activities on cybersecurity, including:
Consultancy meetings on developing a possible future recommendation level document on cybersecurity;
Training courses including the first training course on conducting computer security assessments, which was held in France;
The revision of a document on computer security in nuclear facilities;
Consultancy meetings on taking into account current or emerging cyber threats in nuclear security planning or on the evaluation of cyber threats against nuclear facilities.
A law on cybersecurity that applies to critical infrastructures, including nuclear facilities, was voted on in late 2013 and will contribute to a reinforcement of the requirements on cybersecurity. Technical regulations will be adopted in the next few years to implement these new legislative provisions.
German DBTs and subsequent regulations for facilities, nuclear material transports, and computer security are either in place and are being regularly evaluated or are in the final stage of development.
Germany actively supports the IAEA in enhancing the Nuclear Security Series by providing nuclear security guidance on computer security, particularly at the recommendations level. In addition, Germany intensively exchanges knowledge and experience regarding the German DBT and guidelines on computer security with other states in bilateral meetings.
Germany has extended its efforts in bi- and multilateral cooperation with respect to nuclear security of nuclear facilities, computer security, and nuclear material transports. In this regard, Germany will continue to host meetings and regional workshops for sharing information and good practices regarding, inter alia, threat assessment, DBT, legal frameworks, technical countermeasures against, for example, sabotage scenarios during transport, as well as protections against intentional airplane crashes.
In 2014, new requirements were introduced into the domestic regulation concerning the programmable systems of nuclear facilities. As a result, the DBTs of the facilities were revised to include cyber threats in 2015.
A “National Cyber Security Workshop” was organized for the Hungarian nuclear facilities in June 2014 with 30 facilities participating.
Based on IAEA guidance and recommendations, Hungary has prepared a national guideline entitled “Protection of Programmable Systems and Components in Nuclear Facilities”. The Hungarian Atomic Energy Authority has established a dedicated group of experts to deal with the regulatory overview of the protection of programmable systems associated with the use of atomic energy.
Hungary will assess the establishment of an information sharing network for information security incidents.
Addressing the growing challenges of threats to computer, network, and information systems is a national priority. Utilizing the country’s extensive expertise, a hierarchy of on-site cybersecurity architecture has been deployed. In addition, a number of sophisticated products and services like secure network access systems have been developed and deployed for the protection of the country’s cyber infrastructure.
A Computer Information & Security Advisory Group was established in the Department of Atomic Energy.
Indonesia is currently in the process of establishing a Nuclear Cyber Security Specialization Doctoral Degree Program within the Computer Science Department of the Mathematic and Natural Science Faculty at Gadjah Mada University.
As part of the nuclear security inspection, the Nuclear Regulation Authority (NRA) has conducted enhanced inspections since 2013 in addition to the existing computer security inspection, and continues to improve capacity in the area of computer security.
Since 2014, Japan has implemented field exercises based on threat scenarios such as DBTs at all protected facilities. Since 2014, Japan has also held field exercises to counter cyber-attacks, or cyber-attacks in combination with physical attacks, on the control systems of nuclear facilities.
A national DBT relating to longer-term physical threats to the nuclear sector was updated in 2015; it will be implemented in the course of 2016. In line with the second recommendation derived from the series of International Physical Protection Advisory Service (IPPAS) missions, a DBT specifically concerning cyber security for the Dutch nuclear sector was introduced in 2013 and was fully implemented by 31 March 2014. Nuclear operators were actively involved in discussions regarding the design and implications of both the DBT relating to physical protection and the DBT relating to cybersecurity. In the second half of 2016, the integration of the two DBTs will be discussed, and the DBT for cybersecurity will be updated. Further, legislation to establish mandatory reporting of cyber incidents in the nuclear sector is currently being discussed in parliament. It is expected that related regulations will come into force in 2017.
In 2012, the Netherlands hosted the international table-top exercise @tomic 2012, focused on preventing the threat of nuclear or radiological terrorism. The exercise included cyber security and forensics components. In February 2014, the Netherlands hosted a follow-up exercise, @tomic 2014.
The Netherlands also supports the NSS 2016 gift baskets, which included the British initiative on cyber security.
The NCTV has organized table-top exercises on nuclear forensics, cybersecurity and incident response.
Norway hosted an IPPAS mission in October 2015 in line with its support to IAEA Information Circular (INFCIRC) 869. One of the recommendations of the mission to Norway was to strengthen measures against cyber threats.
Republic of Korea
The Republic of Korea revised its national laws and regulations to add cybersecurity requirements to nuclear facilities. In accordance with these laws and regulations, the Republic of Korea has been conducting regular inspections and reviews of cybersecurity at nuclear facilities since 2015. In addition, the Republic of Korea has included cyber threats as one of the elements in its DBT of nuclear facilities.
The Republic of Korea hosted the IAEA-ROK Regional Workshop on Computer Security for Nuclear Facilities in November 2014 and participated in the IAEA International Conference on Computer Security in a Nuclear World in June 2015 by sharing its experience of an attempted cyber-attack against its nuclear facilities.
At the national level, the Republic of Korea will further strengthen its legislative and regulatory framework for cybersecurity at nuclear facilities through the development of cybersecurity regulation procedures, review of cybersecurity training programs, and the improvement of its capabilities in responding to cyber incidents.
At the international level, the Republic of Korea will continue to cooperate with the IAEA to strengthen cybersecurity at nuclear facilities. The planned activities include collaboration on a Coordinated Research Program on the development of evaluation methods for cyber incident response, participation in the review process of the Nuclear Security Series publications to reflect cyber security considerations, and hosting the IAEA Regional Training Course in 2016 and the IAEA International Training Course in 2017.
Singapore established a Cyber Security Agency (CSA), which began operation on 1 April 2015. The CSA is a high-level central agency to coordinate public- and private-sector efforts to protect national systems from increasing cyber threats. Given the transboundary nature of cybersecurity threats to critical infrastructure, Singapore recognizes the crucial need for like-minded countries to cooperate closely on cybersecurity initiatives, through cooperation between Computer Emergency Response Teams (CERTs), the sharing of best practices and procedures, and joint training and drills, as well as through cybersecurity capacity building. The CSA has already established close working relationships in these areas with ASEAN and international partners through existing ASEAN platforms as well as through the signing of MOUs. Singapore also organized and actively participated in a workshop on cyber confidence building measures in the ASEAN region.
Spain has amended and updated its regulations for the physical protection of nuclear material and facilities (RD 1308/2011) through a new Royal Decree 1086/2015 on 4 December, 2015. The new regulations included the basic elements of the new 2013 national cybersecurity strategy.
In June 2012, the Swiss Government adopted a National Strategy for the Protection of Switzerland against Cyber Risks.
The Information Protection Program Operating Manual, which defines the management of sensitive nuclear information in the UAE, was updated and is currently implemented by relevant entities in the nuclear sector, such as the Federal Authority for Nuclear Regulation (FANR), the Emirates Nuclear Energy Corporation and the Critical Infrastructure and Coastal Protection Authority.
UAE Regulation and the associated regulatory guides are based on the IAEA publication. Protection against cyber-attacks has been taken into account in various FANR regulations developed between 2009 and 2015.
The UAE hosted an IAEA national workshop on cybersecurity in 2014.
The United Kingdom
The United Kingdom inspired the first ever IAEA guidance on nuclear information security. Following its 2012 and 2014 Summit commitments, it continued to lead international action to ensure the protection of sensitive nuclear information. This culminated in the IAEA’s recognition that information security measures are an essential part of a State’s nuclear security regime with the publication of Nuclear Security Series no. 23-G “Security of Nuclear Information” in February 2015.
The United States of America
The United States assessed and verified through inspection activities that operating nuclear power plants are implementing cybersecurity regulatory requirements in accordance with their cybersecurity plans. In addition, the program is designed to identify lessons learned throughout the process and implement improvements as needed.
The United States will continue to partner with states on nuclear security training courses, to engage Centers of Excellence and Nuclear Security Support Centers, to support cyber security efforts and training as it relates to nuclear security, and to work to exchange and develop best practices for the physical protection of high activity radioactive sources, as well as to assist other than high income countries to upgrade physical protection systems at facilities with materials of concern.
The United States supported World Institute for Nuclear Security-led best practices workshops on security exercises on insider threat identification and mitigation, effective integration of cybersecurity and physical protection, and nuclear material control and accountancy.
CyberPulse #2 (20), June 2016