Sheridan Morris is a Nuclear Inspector, Cyber Security & Information Assurance at the UK’s Office for Nuclear Regulation. He has worked for three decades in security risk management, with experience spanning law enforcement, national security, and safeguarding critical national infrastructure.
As the newest WINS Academy Ambassador, he shared his views on the importance of a broad skill set and international experience sharing to support nuclear security, as well as the principles that guide security practices as technologies evolve.
What emerging technologies present the biggest opportunities and/or challenges for nuclear cybersecurity?
Artificial intelligence is certainly the most talked-about development at the moment, offering potential contributions to enhance security but also introducing fresh risks from its use by malicious actors, as well as an operational platform to potentially be compromised. But before AI, the emergence of cloud platforms brought similar opportunities and challenges for security professionals. Ultimately, I believe that by robustly applying proven security principles — those championed by regulators and national infrastructure authorities — we can effectively manage most new technologies.
“By robustly applying proven security principles — those championed by regulators and national infrastructure authorities — we can effectively manage most new technologies.”
How does exposure to international best practice through WINS strengthen even well-established nuclear security regimes?
When I attended the WINS cybersecurity course, I appreciated that the lecturers were active practitioners with experience from a range of countries. They compared and contrasted different international regulatory approaches, which sparked insightful discussions and broadened the perspectives of even the most experienced security professionals.
How do you promote a strong security culture around cybersecurity within a highly regulated environment?
The foundations of a robust security culture are well established — clear, accessible policies and practices, reinforced by regular training and visible leadership that highlights security’s importance to the organisation’s mission or business objectives. It’s also crucial to create a non-blame culture, encouraging people to report incidents and mistakes so the organisation can learn and improve. In highly regulated environments, I think a key component is to continuously communicate that the responsibility for security lies with the dutyholder, not the regulator. Regulators, in turn, need to create positive relationships to ensure dutyholders report issues so as to fulfill their legal obligations.
“Unlike traditional IT, OT, or regulatory training, the WINS training takes a holistic approach, covering physical, cyber, and personnel security.”
What skills or mindsets do you think are most important for developing future nuclear cybersecurity professionals?
My extensive ONR training has shown me that technical skills are just the beginning. Understanding how to apply them to complex nuclear environments is not simply about ticking boxes: We are not auditors. Effective professionals also need the ‘inspector craft’: a blend of legal, business, administrative, and people skills. Technical qualifications alone aren’t enough; it’s this broader skill set that really makes a difference.
How does WINS Academy certification add value beyond national qualifications and regulatory training?
Unlike traditional IT, OT, or regulatory training, the WINS training takes a holistic approach, covering physical, cyber, and personnel security while also considering nuclear regulatory and business drivers. I found that it helps connect the dots between different disciplines and management levels, which is invaluable.
How can certification help experienced professionals challenge assumptions and avoid complacency?
The WINS course is built around global standards and the lecturers’ extensive international experience, reaching beyond what many of us encounter in national settings. Their insights into new-build plants also provide a fresh perspective to those working in older facilities, highlighting newer technologies and security practices. This exposure helps to challenge established ways of thinking and staying ahead of emerging threats.
