4.14 Assuring the Effectiveness of Cybersecurity Arrangements at Nuclear Facilities

A cyberthreat is a dynamic adversary that readily adapts to changes in technology and responds to (i.e. counteracts) the application of specific cybersecurity controls. Consequently, the implementation of a cybersecurity programme must be an active, ongoing process that continually self-evaluates to ensure the organisation meets both nuclear security and business goals, while accounting for ongoing digital transformations. Organisations conduct assurance activities such as internal and external assessments to gain confidence that the cybersecurity programme sufficiently reduces the risk of an event with adverse consequences to nuclear security and likewise to business goals.

The purpose of this BPG is to provide a review of the state of practice in conducting cybersecurity assurance activities as well as types of assessments and assessment methodologies at nuclear facilities to offer guidance from leading industry experts on best practices in this field.

This is a companion document to WINS BPG 4.3 Cybersecurity in the Nuclear Industry.