The UK Needs To Move Faster On Nuclear Energy Cybersecurity

Uploaded on 2024-07-30 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Energy

The new Labour government’s ‘Great British Energy’ bill sets out an ambitious agenda for the UK’s transition to net zero. The bill establishes a new publicly owned energy company to own and advance clean energy projects, including new nuclear power plants.

The government has said that it wants to invest in the long-term security of the nuclear power sector, focusing on its role as an engine for good jobs and for helping the UK achieve energy security and advancing towards its net-zero goals.

It has also declared its intention to make the UK a world leader in the construction and operation of small modular reactors - a new generation of smaller nuclear reactors that can be operated remotely even at locations unsuitable for a large nuclear power plant. SMRs are also expected to be much more affordable than traditional nuclear plants once they are produced at scale.

The energy transition provides an opportunity to reinvest in the UK’s nuclear energy sector that has languished over the last decade. Since the UK sold most of the states’ nuclear power plants to French energy company EDF in 2008, governments have done little to invest in the wider sector.

In 2022, the government attempted to revitalize nuclear energy as an important part of the UK’s attempt to reach energy independence, but despite aiming to approve a new reactor every year until 2030, progress has been slow. The Sizewell C site in Suffolk that was immediately announced in 2022 as going ahead still struggles to attract required funding.

Gaps Identified In Nuclear Cybersecurity

While the renewed and more energetic focus on nuclear energy is good news for UK industry, the cybersecurity of the UK’s nuclear energy industry has been called into question. This has been highlighted by the repeated gaps found during inspections by the Office of the Nuclear Regulator (ONR) at the Sellafield nuclear storage site.

While Sellafield is not a nuclear power plant but an end storage site for nuclear waste, it forms an important part of the UK’s nuclear ecosystem. The risks of cybersecurity gaps in the civil nuclear infrastructure include the potential theft of sensitive information, or in a worst case, a reduction in the reliability of energy production, damage to infrastructure, or the release of radiation.

While these are worst-case assumptions, there is precedent for cyberattacks causing physical damage, as in the Stuxnet attack in 2010 on Iran’s nuclear facilities. The fact that the ONR repeatedly found gaps in Sellafield’s cybersecurity from 2019 to 2023 that could not be fully resolved during that time highlights that the cybersecurity of the UK’s nuclear infrastructure remains a concern. 

The UK is not the only state struggling with the cybersecurity of critical national infrastructure. This is now a global issue with several critical sectors, including health services and energy providers, being identified as priority targets. Renewed investment in the sector provides the new government with an opportunity to take decisive steps to address the known gaps and to further build cybersecurity capacity.

Accelerating Implementation

In 2022, the previous UK government published the ‘Civil Nuclear Cybersecurity Strategy’. This document sets out a good set of goals for better securing the UK’s civil nuclear infrastructure. However, its completed implementation date was set for 2026–27 – leaving gaps in the cybersecurity of the UK’s civil nuclear infrastructure over that time.

Many of the document’s recommendations have been part of cybersecurity best practice for a long time. There thus may well be scope to review this strategy now to see which actions could be implemented sooner, particularly since secretary of state for energy security and net zero Ed Miliband has placed a renewed focus on nuclear energy.

Nuclear energy infrastructure is increasingly facing cyber threats, with national infrastructures and the International Atomic Energy Agency targeted alike. These threats stem from hostile state actors and from opportunistic cybercriminals. This risk is also increasing because the UK is rushing to build out new electricity grid infrastructure in order to meet its legally binding decarbonization goals, putting additional pressure on swift implementation.

International legal protections for civil nuclear infrastructure, as a critical infrastructure, exist. An established body of best practices and guidelines to protect against cyber threats is in place. What is missing is better implementation. Our recent Chatham House publication offers recommendations at various levels for how this could be strengthened.

Three Priorities For The UK

Three recommendations should be immediate priorities for the UK.
 
One is to speed up the implementation of the cybersecurity strategy. One area where this is possible is to improve incident response exercises. The 2022 strategy sets the delivery date of improved incident response exercises for 2026–27. Such exercises are an important part of cybersecurity best practice. As such, there is already much expertise from other sectors and international partners that the UK government can draw on. This includes the International Atomic Energy Agency (IAEA), which has updated guidance on available cybersecurity response exercises.

The second priority is ensuring the cybersecurity of small modular reactors (SMRs). As SMR technology is still under development, it provides an important opportunity to consider cybersecurity from the design stage. The UK has an opportunity to become a standard-setter for cybersecurity by design. This would be a win for cybersecurity and for UK engineering capabilities and industry. SMRs are attracting greater interest as a potentially cheaper and more versatile way of gaining access to nuclear power, once developed at scale. As such, a well-designed and reputable fleet of SMRs could also turn into an export opportunity in the longer term. This would be a benefit for the UK economy, and good for the UK’s geopolitical standing as China and Russia use the export of nuclear reactor technology to leverage their geopolitical positions.

The third priority is connecting work on the cybersecurity of nuclear infrastructure better with other UK government cybersecurity efforts. The background note accompanying the King’s speech outlining the new government’s legislative agenda mentioned plans to introduce a cyber security and resilience bill, to better protect the UK’s essential public services from cyberattacks. The bill will strengthen cybersecurity rules and reporting mechanisms for private sector companies that provide important public services in the UK. This provides a prime opportunity to better integrate cybersecurity efforts across different UK sectors.

The Labour government’s commitment to nuclear energy provides important opportunities to the UK. Not least among them is the opportunity to rapidly improve the cybersecurity of an important part of the state’s critical national infrastructure.

Dr Marion Messmer is Senior Research Fellow, International Security Programme at Chatham House

Image: Ideogram

You Might Also Read: 

The UK Nuclear Industry Needs To Take Cybersecurity More Seriously:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Overcoming Obstacles To Zero Trust Adoption
What Sets Next-Generation Firewalls Apart From Traditional Firewalls? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

Watch this webinar and get a comprehensive roadmap for securely adopting generative AI using Amazon Bedrock, a fully managed service that offers a choice of high-performing foundation models (FMs).

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Academic Centres of Excellence in Cyber Security Research

Academic Centres of Excellence in Cyber Security Research

The ACE-CSRs scheme is part of the UK Government’s National Cyber Security Strategy, working with academia and industry to make the UK more resilient to cyber attacks.

ADF Solutions

ADF Solutions

ADF Solutions is a leading provider of digital forensic and media storage exploitation tools.

Telia Cygate

Telia Cygate

Cygate are specialists in information security, data networks, and data centre and cloud technologies.

Gigacycle

Gigacycle

Gigacycle is one of the leading IT disposal and recycling providers in the UK. We specialise in IT asset disposal (ITAD) and data destruction.

Technology Ireland ICT Skillnet

Technology Ireland ICT Skillnet

Technology Ireland ICT Skillnet is a network of companies who collaborate to address skills needs within the technology sector.

National CyberWatch Center

National CyberWatch Center

National CyberWatch Center is a cybersecurity consortium working to advance cybersecurity education and strengthen the national workforce.

Keeper Security

Keeper Security

Keeper is a leading enterprise password manager and cybersecurity platform for preventing password-related data breaches and cyberthreats.

GBT Technologies

GBT Technologies

GBT Technologies is a technology company focused on chip design and software to enable IoT, global mesh networks, and for applications relating to artificial intelligence.

SuperCom

SuperCom

SuperCom are a global secure solutions integrator and technology provider for governments and other consumers facing organizations around the world.

BitTrap

BitTrap

BitTrap helps companies worldwide detect attackers and put an early end to breaches, preventing data exfiltration and ransomware altogether.

SecureStream Technologies

SecureStream Technologies

SecureStream Technologies have built the IoT SafetyNet - the Network Security Analytics platform to Eliminate Security Threats, Guarantee Privacy, Ensure Compliance, Simply & Easily.

Imageware

Imageware

Imageware is a leader in biometric cybersecurity. Protect against costly, damaging ransomware hacks by employing biometric cybersecurity solutions.

Mindaro Insurance

Mindaro Insurance

Mindaro is adding the crucial piece of the cyber security puzzle that protects your organization from the financial ramifications of cyber attacks.

CertiProf

CertiProf

CertiProf has been enhancing professional lives since 2015, offering a wide range of IT certifications and agile framework training.

OSP Cyber Academy

OSP Cyber Academy

OSP Cyber Academy are a managed service provider of cyber, information security and data protection training.

Reken

Reken

Reken are building a new type of AI platform and products to protect against generative AI threats.