A new Civil Nuclear Cyber Security Strategy has been issued by the Department for Business, Energy and Industrial Strategy in the UK.
BEIS says the strategy helps ensure the UK has a secure and resilient energy system “by ensuring that the civil nuclear sector is able to defend against, recover from, and is resilient to evolving cyber threats”.
The 25-page document addresses the threat posed by a range of potential attackers including terrorists, hacktivists, criminals and foreign intelligence services. BEIS fears disruption through the interruption of power generation or the compromise of sensitive information.
A blended attack is another scenario that it is concerned about, in which an adversary uses a cyber-attack to enable or reinforce a physical attack.
Legacy SCADA equipment – that is, computers and electronics that play a part in running nuclear plants but were developed prior to the advent of the internet – is widely regarded as dangerous because it lacks robust online security systems.
The civilian nuclear industry generates about 18 percent of the UK's power and is seen as a way of helping the government meet its obligations to reduce carbon emissions.
The UK is about to embark on a programme of building new nuclear power plants and concerns have been raised about the threat to systems from both conventional cyber-criminals and nation-state actors.
The 2015 National Security Strategy and Strategic Defence and Security Review highlighted cyber-threats as one of the four most serious dangers facing the UK.
Last year, concerns were raised about the involvement of Chinese companies in the construction of the new Hinkley Point nuclear power plant, with the US government accusing an advisor to the China General Nuclear Power company of attempting to export nuclear technology from the US in violation of federal law.
However, other experts dismissed concerns about the Chinese, claiming that they were misdirected and could be a distraction from more pressing issues such as the general state of security in SCADA controllers.
The strategy calls on all sectors involved in civilian nuclear power to improve cyber-security, including licensed nuclear facilities, suppliers, the government, the nuclear regulator and the Information Commissioner.
The strategy document says that while all nuclear sites have cyber-security programmes in place, cyber-security usually accounts for only a small part of the budget. It says the industry must therefore ensure that cyber-security is “considered as part of decisions to improve physical security and safety. This will potentially identify cost savings where the desired outcomes can be achieved by a more optimal mix of the three areas.”
It says industry must also identify a clear career path for cyber-security professionals within the nuclear industry.
Government will assist by eliminating barriers to cyber-security resource allocation and helping to raise cyber-security capabilities among staff.
In addition to addressing the security of live plants, the strategy also tasks the Nuclear Decommissioning Authority with enhancing its cyber-incident response plan.