Background
As existing nuclear facilities are modernised and new ones constructed, their dependence on digital systems is increasing dramatically. This includes the integration of digital systems into everything from business systems to nuclear safety and security systems. These digital technologies are generally categorised as Information Technology (IT) or Operational Technologies (OT). This growing dependence on digital systems brings an ever increasing need to implement strong defence measures to protect digital systems, both IT and OT, from compromise.
Cybersecurity is the protection of digital systems and the information contained within these systems against cyberattacks. Specifically, cybersecurity seeks to protect the confidentiality, integrity and availability of digital systems and the associated data and processes they maintain. Cybersecurity is a subset of information security which looks at the broader protection of information in both digital and physical form. Along with physical protection, cybersecurity needs to be part of the overall security strategy at a nuclear facility, and enhancing cybersecurity capabilities in the nuclear industry is a main priority for WINS.
Objectives
The objective of this five-day in person training course was to build awareness of the cyberthreat and risks to nuclear facilities. The course covered how to implement cybersecurity to manage and reduce the risk of as well as prevent, detect, delay and recover from a cyberattack. The course also served as a venue for information sharing on operator experience related to implementing cybersecurity and developing a cyber-aware culture at nuclear facilities.
This training was derived from the WINS Academy module on Cybersecurity in the Nuclear Industry and the WINS Best Practice Guide Cybersecurity in a Nuclear Facility. On completion of the training and course evaluation delegates will be offered the additional opportunity to access the WINS Academy course and to take the exam at a PearsonVue Test Centre or OnVUE online proctored exam to achieve certification and become a WINS Certified Nuclear Security specialised Professional (CNSsP) status should they wish to (individual preference). The certification is recognised by the UK National College for Nuclear (NCfN) and Internationally by IAEA INFCIRC 901.
Audience
The target audience of this training was delegates from the UK who have a responsibility for operations of IT and OT systems and equipment and delegates who have a responsibility for managing and leading cybersecurity to protect UK nuclear assets from potential cyberthreats. The course was also applicable for non UK based international delegates wishing to gain further learning on cybersecurity for the nuclear sector and have a fluent understanding of the English language,
- Facility Operators and Engineers of OT and IT systems
- Cyber and Threat Analysts
- Government officials and Security Officers
- Regulatory Inspectors
The course was designed for anyone new to cybersecurity within the nuclear sector and individuals with no or limited Operational Technology (OT) experience. The training would also benefit CISOs and SIROs looking for a better understanding of cybersecurity and in particular the balance of IT versus OT.
There were 24 delegate places available. Nuclear industry professionals including female practitioners from diverse backgrounds and people with diverse gender identities were encouraged to apply.
Process
The course was delivered by a team of tutors with extensive and first hand knowledge of cybersecurity in the UK and International nuclear sector. Discussion also focused on relevant cybersecurity incidents and the lessons learned from these events and the lectures used scenario-based discussions, demonstrations and group exercises related to implementing and managing cybersecurity at a fictitious nuclear power plant to embed the learning. Participant discussions and questions were greatly encouraged.
The training course was held in English. As with all WINS events, the discussions were unclassified but subject to Chatham House rules (what was said can be reported, but not attributed).
The venue for the training course was The School of Computing and Communications, InfoLab21, Lancaster University, Lancaster, United Kingdom LA1 4WA
Note: Refreshments and food were provided during the course and a soiree social evening was organised in the InfoLab21 Skylounge on one of the evenings. Dietary intolerances should be advised during registration for attending the training course, so these could be accommodated.
The per delegate fee for attending the training course was 2850.00 GBP
Delegates also needed to arrange suitable travel and accommodation. It was recommended that delegates book as early as possible to secure accommodation in close proximity to the Lancaster University (LU) campus. The closest hotel is Lancaster House Hotel, which is situated next to the LU south campus, with footpath connection and a 5 minute walk to InfoLab21. Alternatively, on the LU campus and 10-minute walk to InfoLab21 is the is onsite: Bed & Breakfast - Lancaster University Additional hotels are available in Lancaster, approximately 10 minutes drive from the LU Campus.
Registration was requested as soon as possible for delegate places to be secured. Once registration is confirmed this will be followed up for invoicing and payment to be made prior to attending the training.
