The UK Nuclear Industry Needs To Take Cybersecurity More Seriously

A recent Guardian investigation alleges that the Sellafield nuclear waste management site in the UK has been subjected to numerous cybersecurity breaches over the years.

These alleged breaches are wide-ranging, including an insecure server network which, according to the Guardian, hackers have been able to access for years. Other alleged unsafe working practices are also identified, such as contractors being able to plug USB sticks into the system unsupervised when servicing it.
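The unsupervised-USB allegation above describes the kind of practice that is cheap to detect on the hosts concerned, even where it cannot be blocked outright. The following is an added example, not code from the article, from Chatham House or from any Sellafield system: it runs over constructed Linux kernel log lines of the form the usb-storage driver writes when a mass-storage device is attached, and flags any attachment that falls outside an assumed list of approved, supervised maintenance windows. The hostnames, timestamps and the window format are all invented for the illustration.

```python
"""
Flag USB mass-storage attachments that fall outside an approved, supervised
maintenance window. Illustrative only: the log lines are constructed and the
window list is an assumed format, not any site's real policy or telemetry.
"""
import re
from datetime import datetime

# Constructed syslog-style kernel messages in the shape the Linux usb-storage
# driver emits on attach. Hostnames and times are invented.
SAMPLE_LOG = """\
2023-12-04T09:12:41 plc-eng-ws01 kernel: usb 1-3: new high-speed USB device number 7 using xhci_hcd
2023-12-04T09:12:41 plc-eng-ws01 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
2023-12-04T09:12:42 plc-eng-ws01 kernel: scsi 4:0:0:0: Direct-Access     Generic  Flash Disk       8.07 PQ: 0 ANSI: 4
2023-12-04T14:05:10 plc-eng-ws01 kernel: usb 1-2: new high-speed USB device number 8 using xhci_hcd
2023-12-04T14:05:10 plc-eng-ws01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
2023-12-05T02:31:07 hist-srv02 kernel: usb 2-1: new high-speed USB device number 3 using xhci_hcd
2023-12-05T02:31:07 hist-srv02 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Assumed representation of approved, supervised windows: (host, start, end).
APPROVED_WINDOWS = [
    ("plc-eng-ws01", datetime(2023, 12, 4, 9, 0), datetime(2023, 12, 4, 11, 0)),
]

# Matches only the usb-storage attach line; the generic "new ... USB device"
# line fires for keyboards and mice too, so it is deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+kernel:\s+usb-storage\s+"
    r"(?P<port>[\d.-]+):\d+\.\d+:\s+USB Mass Storage device detected$"
)


def parse_usb_storage_events(log_text):
    """Return (timestamp, host, port) for each mass-storage attach line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["port"]))
    return events


def is_within_window(ts, host, windows=APPROVED_WINDOWS):
    """True if an approved window exists for this host covering this instant."""
    return any(host == h and start <= ts <= end for h, start, end in windows)


def unapproved_attachments(log_text, windows=APPROVED_WINDOWS):
    """Attach events with no covering approved window: the ones to escalate."""
    return [
        (ts, host, port)
        for ts, host, port in parse_usb_storage_events(log_text)
        if not is_within_window(ts, host, windows)
    ]


if __name__ == "__main__":
    for ts, host, port in unapproved_attachments(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {host}: usb-storage on port {port} outside approved window")
```

In the constructed sample, the 09:12 attachment on plc-eng-ws01 falls inside the approved window and is ignored; the 14:05 attachment on the same host and the 02:31 attachment on the historian server are both reported. A real deployment would feed this from the host's journal or a SIEM and would tie the window list to the maintenance ticketing system rather than a hard-coded list.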

While the UK government response said there was no evidence of a hack by state actors, the Office for Nuclear Regulation (ONR) has placed Sellafield under ‘significantly enhanced regulatory attention’ as it was not satisfied with cybersecurity standards at the site.

Sellafield is not the only UK nuclear site which has received this label recently. Earlier this year, the energy company EDF, which runs five of the UK’s active nuclear power plants, as well as three which are decommissioning, was also placed under ‘significantly enhanced regulatory attention’ due to its cybersecurity practices.  

The ONR was not satisfied with the cybersecurity standard in several of EDF’s nuclear power plants and will need to see enhancements at the next inspection to change the company’s status to a lower-risk one. EDF had already been alerted in 2022 that it would need to upgrade its cybersecurity practices for nuclear power plants but fell short of ONR’s expectations.

Longstanding Issues With UK Nuclear Cybersecurity

It is disappointing to see significant cybersecurity issues remain in the UK nuclear industry. The nuclear industry overall was relatively late to the cybersecurity conversation, as previous Chatham House research identified, and this is by no means a new conversation.  

Concerns about cybersecurity have existed for decades. Because of the nuclear industry’s strong emphasis on physical security, and the fact that much of the control software used in nuclear power plants was at first bespoke or only distributed to a small number of specialized facilities, there was a sense throughout the industry that it was managing cybersecurity risks adequately.  

But, as the use of IT systems spread further and upgrades included off-the-shelf software packages, the nuclear industry’s cybersecurity practices did not keep pace.  

The International Atomic Energy Agency (IAEA) has issued a set of recommendations and standards which states should adhere to, but their implementation is left up to each individual state government. This means that the cybersecurity standard for nuclear sites is applied unevenly, depending on government and operator awareness and capacity.

This could have far-reaching consequences. At Sellafield, the Guardian claims include concerns that the hackers have had access to information about the UK’s nuclear materials management and other sensitive data.  

Security Threats

The alleged security breaches could have long-term security implications for the UK and for nuclear security, depending on exactly what kind of data hackers might have had access to.

Digital access to IT infrastructure can become a path to the operational technology that controls physical processes, as was the case with Stuxnet, which manipulated the programmable logic controllers driving Iran's uranium-enrichment centrifuges.

Although highly unlikely in the UK, due to the safety measures in place, such an attack could lead to an accident which could result in radiation being released, causing damage to people’s health and contaminating the environment.  

There are also risks of disrupting the UK’s energy supply if an attack targets a nuclear power plant, and the threat of hackers holding data or other sensitive information for ransom. The UK’s Civil Nuclear Cyber Strategy 2022 recognizes these risks and lays out a plan to address them, but the time frame to 2026 seems too generous given that several of these risks have been known for years and should have been mitigated years ago.  

With the UK’s nuclear sector expected to grow in size and importance due to net zero commitments, this is an urgent area for improvement.  

Simple, Urgent Actions For The Industry

Some simple steps are already recognized as best practice and could be taken far more quickly than over the next four years. Cyber security maturity assessments and PEST (political, economic, social and technological) analysis, as used in other sectors, would assist nuclear risk insurers and regulators in ascertaining the effectiveness of responses to cyber threats.

Greater transparency would also help. It is very difficult to know what exactly is going on at Sellafield, or at the EDF sites under significantly enhanced ONR attention.

ONR reports do not tend to go into significant detail, beyond saying whether or not cybersecurity standards have been reached. It would be worth looking at other industries which have made big strides forward in cybersecurity and seeing which solutions can be applied quickly across the UK nuclear industry.

While it does not share the same materials challenges the nuclear industry faces, the finance industry has invested heavily in cybersecurity practices and could serve as an example of a high-risk industry. There are also obvious parallels with other critical national infrastructure (CNI) sectors like water management or transport. A UK-wide CNI sector dialogue on cybersecurity could help ensure that industries learn from each other.

This could be followed up with a prioritized list of how to tackle the remaining challenges where prioritization takes into account risk, as well as the time required to mitigate it.  

It seems that nearly a decade after the conversation around enhancing the cybersecurity of civilian nuclear sites began, the UK’s industry is less far along in mitigating risks and making improvements than it should be.  

Given the expected growth and diversification across the industry, with new reactor types being designed, it is urgent that the nuclear industry intensifies and sustains its work on cybersecurity.

Dr. Marion Messmer is Senior Research Fellow at Chatham House
