Background
We are living in an era when cyberattacks are common. The number and complexity of cyberattacks has increased in recent years, and the nuclear industry is not exempt. Cybersecurity is challenging as cyberattacks are potentially more dynamic and more complex to counter than physical attacks. In addition, cyberthreats may originate from a different country far away from the nuclear facility. The world of cybersecurity is changing all the time as adversaries shift their tactics by creating new and innovative ways to carry out a cyberattack.
A cyberattack targeting information held in either an IT or an OT system at a nuclear facility could ultimately result in the sabotage of the facility or the theft of material. These scenarios can be prevented or mitigated by having an appropriate nuclear security regime in place that addresses all risks, including cybersecurity. This means, for instance, having an appropriate legal and regulatory framework, having responsibilities assigned to the right competent authorities and ensuring that operators have developed appropriate systems and measures to detect, assess and respond to a cybersecurity incident.
This online workshop explored cybersecurity challenges for operators taking into account differing levels of maturity of the regulatory framework and with a view to positioning cybersecurity as a key risk to be managed within the organisation. The pre-workshop material set the scene by providing material related to the overall context. The live sessions identified international best practices and lessons learned that will help the different stakeholders to reduce the risk posed by cyberthreat actors.
Objectives
The overall objective of this workshop was to provide attendees with an overview of cybersecurity in the nuclear industry, including challenges, terminology, relevant best practices and standards and focusing then on the operating organisation within this context. The key findings of this workshop will contribute to the WINS International Best Practice Guide on Cybersecurity for the Nuclear Industry that WINS will publish in 2022.
The workshop addressed the following main topics:
DAY 1: UNDERSTANDING CYBERSECURITY IN THE NUCLEAR INDUSTRY
- Cybersecurity in the context of the nuclear industry
- Cyber elements of the threat (both insiders and external adversaries) and the vulnerabilities that may be exploited
- The types of attacks that may be carried out by cyber threats, its vectors and potential consequences to organisations and society
- International instruments and the nature of the different responsibilities at an international scale and within a State for cybersecurity, including regulatory bodies, operators and providers in the supply chain.
DAY 2: IMPLEMENTING AND SUSTAINING CYBERSECURITY PROGRAMMES
- The key elements of, and importance of, developing, implementing and evaluating an effective cybersecurity risk management strategy as part of a wider organisational or enterprise risk management strategy
- Best practices and lessons learned on measures to effectively implement and sustain cybersecurity programmes.
- The importance of the cybersecurity component of the nuclear security culture as part of the wider organisational culture that supports the performance of an organisation.
DAY 3: EMERGING TOPICS IN CYBERSECURITY, WHAT’S ON THE HORIZON?
- Emerging threats posed by the Internet of Things (IoT) in the nuclear sector
- Risk analysis of emerging threats using the globally available knowledge base
- Staying ahead of curve: Sharing operational experience and reliable information on cyber threats to plan and respond effectively.
Audience
WINS welcomed participation from the following experts and organisations:
- Nuclear operators in charge of cybersecurity
- Regulatory bodies
- Policy makers
- Government official related to cybersecurity
- Security personnel related to cybersecurity
- Academics/researchers
- Law enforcement organisations
- International organisations
WINS is promoting gender parity and diversity in all of its events. This event had both female and male subject matter experts. Female participants and people from all backgrounds were strongly encouraged to apply for this event.
Process
This professionally facilitated online workshop brought together international cybersecurity specialists and leading thinkers including subject matter experts on nuclear security. The event followed a remote engagement approach in which the audience was challenged to identify and share best practices and lessons learned on this important topic.
WINS organised the online engagement as follows:
- Three live sessions on 12, 13 and 14 October 2021 from 02:30 PM to 05:30 PM Vienna time.
- Live interaction with the attendees to discuss the topics covered by the on-demand sessions. These sessions included a virtual plenary, virtual break-out groups, polls, and case studies.
- On-demand content: additional presentations, case studies, suggestions for further readings, etc.
WINS provided participants the opportunity to interact amongst themselves and with subject matter experts to exchange their thoughts and professional experiences on the topic.
All elements of this online workshop were conducted in English and drew only on unclassified information. Based on the various presentations and discussions, WINS will produce an event report highlighting the key findings of the event.
Recording: The recording of each session of the workshop is available for WINS Members here.
