7.1 An Indian Perspective

With the digital revolution, the interconnectedness between humans and machines has become significantly more complex. This has resulted in an exponential increase in the risks and vulnerabilities associated with the use of cyber technologies in our everyday lives. These cyber risks are no different in the case of nuclear materials and facilities. They present a unique and dynamic challenge to the nuclear security environment and therefore command attention. Effective nuclear security architectures are predicated upon accounting for vast and varied threats to nuclear materials and associated activities. Emerging threats in critical sectors such as nuclear have demonstrated the susceptibility of nuclear infrastructure to cyberattack. Such an attack can be disastrous, rendering many safety and security mechanisms ineffective.

The concern surrounding cyber threats to nuclear infrastructure has further been fueled by the sophistication of cyber operations employed to disrupt Iran’s nuclear activities, specifically the 2010 cyberattack on Iran’s Natanz uranium enrichment plant, which infiltrated the plant’s computer software and infected and damaged its nuclear centrifuges. With the rise in the number of instances of cyberattacks over the years, there has been an emphasis on a deeper integration of cybersecurity measures into nuclear security frameworks. In the Indian context, cybersecurity in nuclear infrastructure garnered substantial attention as a result of 2019 cyber breaches at the Kudankulam nuclear power plant in Tamil Nadu, as well as the Indian Space Research Organisation (ISRO) headquarters.

Cybersecurity can be understood as “the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. Cyber security may also be referred to as information technology security.”Footnote 1 Cyberattacks are a category of risk that may disrupt or seize control of nuclear facilities, their control systems, and administrative systems and provide access to the facility itself, nuclear materials, or associated systems.Footnote 2 Given this danger, states must deploy robust security measures to tackle cyber threats and their subsequent consequences.

India’s extensive nuclear infrastructure requires enhanced and dynamic safety and security measures to protect against associated threats, risks, and vulnerabilities. With the integration of cyber technologies into the fabric of India’s security architecture, the vulnerability to cyber threats is amplified. An effective response to the emerging cyber threats requires wide-ranging attention at the national level, as well as cooperation with international organisations and actors facing similar challenges. With the greater risks of nuclear escalation and the repercussions associated with cyberattacks, countries must strike a balance between protecting critical infrastructure systems and transparency in their cybersecurity safeguards and policies.

7.1.1 Identifying Risks and Vulnerabilities

To appropriately understand the cyber risks associated with nuclear facilities, a comprehensive analysis of possible negative outcomes is essential. A number of indicators can help us to make an informed risk assessment, increase protection of nuclear facilities, and decrease the likelihood of cyberattacks.Footnote 3 These include:

  • Importance of Instrumentation and Control (I&C) system functions for both safety and security

  • The identified and assessed threats to the facility

  • Attractiveness of the I&C system to potential adversaries

  • Vulnerabilities of the I&C system

  • Operating environment

  • Potential consequences that could result from a compromise of the systemFootnote 4

Additionally, the IAEA Nuclear Security Series offers a technical guide, “Computer Security of Instrumentation and Control Systems at Nuclear Facilities,” which provides methods to implement cyber security programmes at nuclear facilities.Footnote 5 The key systems that control processes and equipment at nuclear facilities require rigorous cybersecurity safeguards. These systems are:

  • SCADA (supervisory control and data acquisition) systems

  • Distributed control systems

  • Centralized digital control systems

  • Control systems composed of programmable logic controllers

  • Micro-controllers and “smart” devices

  • Systems using programmed logic devices (e.g., field programmable gate arrays, complex programmable logic devices, and application-specific integrated circuits)Footnote 6

It is also important to identify the origin of cyber threats to nuclear facilities. Cyber threats, like other threats to nuclear facilities, can occur from state actors,Footnote 7 non-state actors (such as terrorists, extremists, hackers, or lone-wolf actors), and insiders.Footnote 8

One of the main challenges that cyberattacks present is the unpredictability of their effects on a country’s nuclear infrastructure. A cyberattack may directly affect a nuclear facility or its systems, or it may act as a precursor or supplement to a more catastrophic threat or attack. The impact of cyberattacks and the best ways to address them, therefore, need to be based on an assessment of high-risk scenarios. These scenarios include:

  • Unauthorized access to/theft of radioactive sources, such as highly enriched uranium. Adversaries can use cyberattacks to distract authorities and facilitate efforts to steal such materials.

  • Radiation discharge. Cyber infiltration of a nuclear facility’s instrumentation or control systems could enable an adversary to release radiation into the environment. This could pose a serious threat to nearby populations.

  • Theft of sensitive/confidential information about specific facilities, including reactor designs. Theft of information on nuclear plants, their instrumentation, and plant controls, along with specifics of security measures and safeguards, can constitute a grave threat to a nuclear facility, with potential consequences reaching the national or international level. For example, adversaries could use this information to plan a direct physical attack on a nuclear facility. They also could use such information to build or improve their own nuclear capabilities.

  • Cause for public panic. Incidents or accidents pertaining to nuclear facilities often incite intense public reactions. Knowledge of cyber infiltration at a nuclear facility could result in public hysteria, potentially leading to chaos or the spread of dangerous misinformation.

  • Reputational damage. A cyberattack can undermine the reputation of a nuclear facility, or even of the state as a responsible nuclear actor. This can damage crucial relationships with international organisations, other countries, contractors, and suppliers, as well as with the public.

  • Economic and operational costs. The nuclear industry, its maintenance, and its safety and security are costly. A cyberattack exposes vulnerabilities in the entire system and could require extensive and expensive changes to the existing systems and mechanisms.

  • Theft of personal information of employees/leaders. Cyber infiltration into administrative or employee networks by adversaries may provide access to sensitive or personal information of employees. Adversaries can use this information to threaten employees, forcing them to provide unauthorised access to additional confidential information, or even to plant controls and instrumentation.

7.1.2 Cybersecurity in India: An Overview

In India, cyber security poses a serious challenge; the country suffered an estimated 394,499 cyberattacks in 2019 alone.Footnote 9 Yet, prior to 2013, India’s cybersecurity architecture received inadequate attention. Cybersecurity gained greater salience in India as a result of the information uncovered during the Snowden leaks in June 2013. This brought India’s attention to the United States National Security Agency (NSA)’s surveillance programs. India posited that the agency was spying on Indian citizens using digital surveillance tools.

The Indian government’s Ministry of Electronics and Information Technology published the first and only “National Cyber Security Policy” in 2013. Through this policy, the government aims “to protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.”Footnote 10 The policy identifies the need for a national nodal agency responsible for all matters pertaining to cybersecurity in India and lists out a set of objectives required to build an ecosystem. These objectives includeFootnote 11:

  • Creating a secure cyber ecosystem in the country, capable of generating adequate trust and confidence in IT systems and transactions in cyberspace and thereby enhancing adoption of IT in all sectors of the economy

  • Creating an assurance framework for design of security policies and for promotion of compliance with global security standards and best practices by way of conformity assessment (product, process, technology, and people)

  • Strengthening the regulatory framework for ensuring a secure cyberspace ecosystem

  • Enhancing and creating national and sectoral level 24/7 mechanisms for obtaining strategic information regarding threats to ICT infrastructure and for creating scenarios for response, resolution, and crisis management through effective predictive, preventive, protective, response, and recovery actions; and enhancing the protection and resilience of the nation’s critical information infrastructure by operating a 24/7 National Critical Information Infrastructure Protection Centre (NCIIPC) and mandating security practices related to the design, acquisition, development, use, and operation of information resources

  • Developing suitable indigenous security technologies through frontier technology research, solution-oriented research, proof of concept, pilot development, transition, diffusion, and commercialisation that leads to widespread deployment of secure ICT products/processes in general and specifically for addressing national security requirements

  • Improving visibility of the integrity of ICT products and services by establishing infrastructure for testing and validating security of such products

  • Creating a workforce of 500,000 professionals skilled in cybersecurity in the next 5 years through capacity building, skill development, and training

  • Providing fiscal benefits to businesses for adoption of standard security practices and processes

  • Enabling protection of information while in process, handling, storage, and transit so as to safeguard the privacy of citizens' data and to reduce economic losses due to cybercrime or data theft

  • Enabling effective prevention, investigation, and prosecution of cybercrime and enhancing law enforcement capabilities through appropriate legislative intervention

  • Creating a culture of cybersecurity and privacy that enables responsible user behaviour and actions through an effective communication and promotion strategy

  • Developing effective public-private partnerships and collaborative engagements through technical and operational cooperation and contributions for enhancing the security of cyberspace

  • Enhancing global cooperation by promoting shared understanding and by leveraging relationships for furthering the cause of security of cyberspace

India’s cybersecurity policy is an effort to establish standard (best) practices, mechanisms of identification and classification of threats and risks, verification processes, and testing the effectiveness of this ecosystem and the security measures within. It endeavours to promote the welfare of the country’s public and private infrastructures through appropriate safeguards and institutions.

7.1.3 India’s Cyber and Nuclear Infrastructure

In India, the importance of integrating cyber security measures within nuclear security mechanisms has increased with the growing reliance on digital technologies across functions as well as the global uptick in cyber risks and incidents. In order to engage with cybersecurity in the context of India’s nuclear infrastructure, it is important to identify the key agencies and actors that are involved in maintaining the country’s cybersecurity architecture. Understanding the organisational structure and its integration with India’s nuclear security culture helps to clarify the cyber-nuclear nexus in the Indian context.

One of the key institutions involved in building and maintaining cybersecurity mechanisms in India’s nuclear infrastructure is the Computer Information and Security Advisory Group (CISAG). CISAG is responsible for conducting periodic audits on information systems as well as providing guidelines for countering cyberattacks and mitigating their impact on India’s nuclear infrastructure.Footnote 12 Cybersecurity mechanisms are supplemented by agencies such as the national-level “Computer Emergency Response Team (CERT-In), National Technical Research Organisation (NTRO), and a Defence Cyber Agency (DCyA).”

CERT-In, operationalised in 2004, is the national nodal agency tasked with handling cybersecurity incidents through analysis, emergency response measures, guidelines, and coordination on security practices, procedures, prevention, response, and reporting.Footnote 13 The NTRO, which draws inspiration from the United States’ NSA, “reports to the national security advisor and is tasked with technical intelligence-gathering, signals interception, and influence operations.”Footnote 14 CERT-In also conducts “cyber security exercises comprising of tabletop exercises, crisis management plan mock drills, and joint cyber security exercises with organizations from key sectors to enable participating organizations to assess their preparedness in dealing with cyber crisis situations” (Fig. 7.1).

Fig. 7.1 Types of security incidents handled in India, 2019

  Incident type                                  Count
  Phishing                                         472
  Unauthorized network scanning                305,276
  Virus                                         62,163
  Website defacements                           24,366
  Website intrusion and malware propagation        417
  Others                                         1,805
  Total                                        394,499

In 2014, the National Critical Information Infrastructure Protection Centre (NCIIPC), a unit within the NTRO, was set up. NCIIPC is responsible for protecting critical information infrastructure “from unauthorized access, modification, use, disclosure, disruption, incapacitation or distraction through coherent coordination, synergy and raising information security awareness among all stakeholders.”Footnote 15 Additionally, the Defence Cyber Agency (DCyA), created in 2019, is a command within the Indian Armed Forces. DCyA handles all cyber threats pertaining to the military and develops and implements the security measures required to tackle cyber infiltration into India’s defence networks. The DCyA was created as a result of the joint doctrine released by the Indian Armed Forces, which placed significant emphasis on the importance of protecting India’s cyberspace and technologies, similar to the importance accorded to physical territories.Footnote 16

The aforementioned institutions are key actors in India’s efforts to address cybersecurity concerns and threats. However, it is important to emphasise the need for enhanced inter-agency coordination and collaboration between cybersecurity institutions and the traditional establishments within India’s nuclear infrastructure. Institutions tasked with cybersecurity require extensive collaboration and coordination with key institutions such as the Atomic Energy Regulatory Board (AERB) and the Department of Atomic Energy and its many units.

7.1.4 Case Study: The Kudankulam Breach

The 2019 Kudankulam cyber breach can help us better understand the Indian approach to protecting its nuclear facilities. The incident, which took place in September 2019, was an infection by known malware called Dtrack, which had previously been used to attack financial institutions in India. According to government statements and reports, the breach did not directly attack the plant control and instrumentation system, and access was limited to the administrative network.Footnote 17

The incident is important for a number of reasons. First, the incident received an unusual degree of public attention, given the relative lack of public information on cybersecurity in India’s nuclear facilities. There was considerable speculation and discussion around the causes of the incident and its level of severity. The malware attack was particularly concerning due to its potential ability to perform reconnaissance and gather sensitive information on plant systems.

Second, the breach was limited to administrative systems. The government explained that “the Kudankulam Nuclear Power Project (KKNPP) and other Indian Nuclear Power Plants Control Systems are stand alone and not connected to outside cyber network and internet. Any Cyber-attack on the Nuclear Power Plant Control System is not possible.”Footnote 18 The fact that the control systems were not breached through the attack is noteworthy. This was the result of air gaps, which are a common method of cyber protection in which the main plant control system is not connected to the internet or intranet.Footnote 19 It is important to note, however, that such air gaps, despite their apparent efficacy in this case, are not impossible to overcome.

Third, the breach resulted in a robust governmental response. CISAG and the CERT-In were called in to investigate the incident and strengthen cybersecurity. As a result, a number of measures were implemented. These included hardening of internet and administrative intranet connectivity, implementing restrictions on removable media, and blocking malicious websites and IPs.Footnote 20

The limited infiltration levels and the implementation of additional cybersecurity measures in this case are reassuring. Nonetheless, the case does highlight the need for robust and adaptive cybersecurity mechanisms to counteract inevitable vulnerabilities in the critical infrastructure of nuclear systems.

7.1.5 Important Considerations and Recommendations

Nuclear security and safety are of paramount importance in India due to the severity of consequences as a result of accidents or incidents. The nuclear industry, however, has placed cybersecurity at a relatively low priority compared to traditional aspects of nuclear security like physical protection of facilities or insider threats. As the nuclear industry is heavily regulated, the incorporation of standardised cybersecurity rules, assessment, and training has been slow.Footnote 21 Furthermore, the Indian discussion around cybersecurity and nuclear infrastructure is restricted due to the national security sensitivities associated with the nuclear industry. The limited information on cyber incidents within the nuclear industry may lead to the belief within the community that cybersecurity is not a real or immediate threat. Lack of engagement with cybersecurity and complacency regarding existing structures to counter the cyber threat are some of the biggest challenges to effective mitigation of cyber threats and attacks.

India’s nuclear industry must consider a number of challenges it faces as it becomes increasingly reliant on digital systems. At an industry level, there is insufficient interaction with cybersecurity experts from other industries; more collaboration to better understand how technology and technological advancements impact cybersecurity broadly would be beneficial for those charged with securing nuclear infrastructure. More investment into training personnel across nuclear facilities in India is also essential.

For the physical protection of nuclear facilities in India, a national Design Basis Threat (DBT)Footnote 22 document helps individual facilities to counter both internal and external threats. Similar national guidelines are required to deal with cyber threats to nuclear systems, facilities, and security systems. Cybersecurity should be accorded similar standing in risk and threat assessments, and more resources should be invested into building a robust security plan to counter cyber threats. This would entail a deeper look into the vulnerabilities that come with any critical infrastructure, such as the complexity of design and systems, the lack of verification, periodic assessment, and appraisals. Additionally, the nuclear industry has to engage more deeply with regulatory authorities and promote information exchange to better assuage the concerns associated with cyber risks.

The human factor also impacts cybersecurity within India’s nuclear industry. The role of nuclear security culture, for example, is critical. Poor understanding of cybersecurity is detrimental to maintaining an effective security culture at facilities. This issue requires both the creation of a cadre of competent security personnel who are well acquainted with cybersecurity challenges and a larger effort to educate all nuclear facility personnel so they better understand why cybersecurity should be treated as a priority.

Complacency among nuclear plant personnel can negatively impact cyber operations as well. A lack of cognisance of cybersecurity risks may lead to poor cyber practices among nuclear personnel, such as the use of personal electronic devices. The dangers of insider threats must also be acknowledged. Cyber threats can arise from the deliberate malicious intentions of rogue or disgruntled employees at a nuclear facility. In the aftermath of the Kudankulam attack, the Indian nuclear industry has taken steps to restrict the exposure to cyber risks arising from the physical access of plant and security personnel.

In addition to the risks posed by facility personnel, India suffers from supply-chain vulnerabilities. Vendors, contractors, or subcontractors could exploit digital equipment during transport, assembly, or even within facilities. Cybersecurity measures must be incorporated into supply-chain management in order to reduce these dangers.

Finally, India’s nuclear infrastructure would benefit greatly from strengthening international cooperation and agreements regarding cybersecurity issues. India is party to a number of these agreements. In 2020, for example, India and Japan finalised an agreement to “boost cooperation on 5G technology and critical information infrastructure, and the two countries pledged… to work for a free and open Indo-Pacific with diversified supply chains.”Footnote 23 Further, the United States and India have engaged in an annual Cyber Dialogue, dedicated to “exchanging and discussing international cyber policies, comparing national cyber strategies, enhancing our efforts to combat cybercrime, promoting capacity building and R&D, thus promoting cybersecurity and the digital economy.”Footnote 24 More such agreements and discussions would be helpful, particularly if they focus specifically on the cyber threat to nuclear infrastructure.

Deeper bilateral engagement is helpful in learning from the cybersecurity experiences and expertise of similar countries. Additionally, India has civil nuclear cooperation with several countries, including the United States and Japan. Given the scope for cooperation with like-minded partners, India can engage more deeply to boost information and knowledge exchange to improve its cyber-nuclear infrastructure. Additionally, international organisations like the IAEA provide guidance and training to develop comprehensive measures. The IAEA “conducts advisory missions, trains inspectors, and provides planning expertise in conducting computer security exercises as part of the nuclear security programme.”Footnote 25 Engaging with international organisations, multilateral forums, and regulatory frameworks is essential to building robust cybersecurity mechanisms and practices.

7.1.6 Conclusion

The challenges posed by digital technologies and their advancement will continue to grow as an essential aspect of nuclear security that must be managed. The acknowledgement of cyber risks as a real and present threat to India’s nuclear infrastructure must lead to increased awareness of the challenge and to more robust efforts to counter it. Particularly against the backdrop of the 2019 incident at the Kudankulam Nuclear Power Plant, developing appropriate guidelines to enhance the visibility and importance of cyber in nuclear security culture and in risk assessment methods is vital. Effective security measures are required to tackle the industrial, technical, and cultural challenges associated with cyber risks. Given the dynamic nature of cyber risks and threats, complacency regarding cybersecurity mechanisms and practices is dangerous. As India expands its nuclear industry, assessing the risks, vulnerabilities, and areas for improvement must be a fundamental part of its nuclear security practice.

7.2 A U.S. Perspective

Cybersecurity is the “art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability” of digital devices and information (U.S. Cybersecurity & Infrastructure Security Agency [CISA] 2019). The threat of cyberattacks is a growing concern for national, regional, and local governments; industry; and the public. Effective cybersecurity programs are needed to secure all types of critical infrastructure, including nuclear facilities.

Reports of criminal organizations mounting cyberattacks against critical infrastructure are common. Cyberattacks attributed to nation-states, with the goal of gathering information or in some cases disrupting the operation of critical infrastructure, have been reported by government agencies, industry, and the news media. Ransomware and extortion attempts are a significant concern, made worse by the advent of electronic currency, which makes the tracking of payments and the identification of specific attackers exceedingly difficult. In this threat environment, it has become imperative for governments and industries to focus resources on assessing and addressing cybersecurity risks. This problem is exacerbated for the nuclear sector by the growing prevalence of digital control systems deployed in all aspects of nuclear facility operation.

This chapter discusses the potential perpetrators of cybersecurity threats against nuclear facilities; cybersecurity risks that nuclear facilities face, including vulnerabilities in their information technology (IT) and operational technology (OT) systems; and risk-based, cost-effective methods to protect nuclear facilities.

As leaders and innovators in cybersecurity, the U.S. and India need to support nuclear cybersecurity programs and provide impactful nuclear cybersecurity guidance in their respective countries. The U.S. and India also need to work together to support and assist other countries in developing and implementing appropriate nuclear cybersecurity programs. This effort can involve the publication of technical guidance documents, the presentation of training courses, the development and sharing of cybersecurity technologies, and the implementation of effective supply-chain security programs.

7.2.1 Background

Twenty years ago, many in the U.S. nuclear sector discounted the cybersecurity threat to nuclear facilities because of the largely analog nature of facility control systems, the perceived isolation of those digital control systems that were present, and the lack of any credible cyberattacks on the nuclear industry. Today, none of those arguments are compelling. Many control systems at nuclear facilities are now digital and use contemporary operating systems, communication protocols, and commercial-off-the-shelf hardware and software. This has increased efficiencies and capabilities for nuclear operations, engineering, and maintenance. It has also raised significant security challenges owing to the vulnerabilities inherent in these technologies. This problem is further complicated by the rapid pace in the evolution of technologies and the increasing capabilities of cyberattackers. As a result, cybersecurity regulations and guidance must also rapidly evolve to maintain an appropriate and up-to-date level of protection. This creates a substantial burden for both the competent regulatory authority and the licensees they support.

To understand the need for cybersecurity at nuclear facilities, it is helpful to review selected incidents that have occurred within the last 20 years. In 2003, the SQL Slammer worm infected Ohio’s Davis-Besse Nuclear Power Plant. The worm traveled from a contractor’s system to the operating utility’s corporate network (using a connection that bypassed the protecting firewall) before arriving at the process control network for the plant (U.S. Nuclear Regulatory Commission [NRC] Office of Nuclear Reactor Regulation 2007). The traffic generated by the worm clogged the plant control network and other systems. For nearly five hours, plant staff could not access the Safety Parameter Display System, as the worm interfered with, and eventually crashed, the system along with other monitoring systems at the nuclear plant. Fortunately, there were no immediate safety implications from this event because the plant was down for extensive repairs when the incident occurred (Markey 2003).

In August 2006, the Browns Ferry Nuclear Power Plant underwent a manual shutdown because of an overload of network traffic. This overload resulted in the failure of reactor recirculation pumps and the condensate demineralizer controller because microprocessors are prone to failure in high traffic environments. Although the failure of these controllers was not the result of a cyberattack, this incident shows that a cyberattack on the plant network can affect the operation of key systems even if those systems are not directly targeted (U.S. NRC 2007).

In March 2008, the Hatch Nuclear Power Plant experienced an automatic shutdown after a software update on its business network. The update was intended to synchronize data collection between a diagnostic system and the process control network. When the business network computer was rebooted, it reset the data on the control network, triggering an automatic plant shutdown. This incident was not a cyberattack, but it illustrated how changes to business network systems could affect the operation of process control networks for the facility in ways that plant personnel might not anticipate (U.S. NRC 2011).

In 2010, Iran’s Natanz nuclear facility was infected by the Stuxnet computer worm. Stuxnet targeted the Siemens control systems operating the facility’s centrifuges, damaging this equipment. The worm exploited several previously unknown and/or unpatched vulnerabilities and appeared to have spread to the controllers via malware on infected USB flash drives (U.S. CISA 2010; Hemsley and Fisher 2018).

In December 2014, a cyber incident was reported by the Korea Hydro and Nuclear Power Company. A cyberattack exfiltrated information on the design and operation of the South Korean company’s nuclear reactors. The attack began with phishing emails. An employee’s accidental click on the malicious link given in the email allowed malware to download, infecting the company network (U.K. National Cyber Security Centre 2016).

In March 2018, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) reported that Russian-government cyber actors targeted multiple U.S. critical infrastructure sectors, including the energy and nuclear sectors (U.S. CISA 2018). CISA did not release specific information on targeted nuclear facilities. The report states that attacks first involved “peripheral organizations” such as trusted third-party suppliers with less secure networks. The attackers used these initial attacks to access systems within the networks of critical infrastructure facilities, conduct reconnaissance, and collect information. It was not reported whether the malware had the capability to allow the attackers to affect nuclear power operations if activated during a future international confrontation.

In September 2019, a cyberattack on the Kudankulam Nuclear Power Plant in Tamil Nadu, India, was reported by the Nuclear Power Corporation of India. They stated that the nuclear plant’s administrative network was breached in the attack, but it did not cause any operational, safety, or critical damage. In theory, information acquired in this type of cyberattack at a nuclear plant could assist attackers in planning a future attack focusing on the critical systems within that nuclear plant. In reassuring the public about the Kudankulam cyberattack, plant officials stated that their nuclear power plants are “stand alone” and are not connected to any outside cybernetwork or the internet. They further asserted that any cyberattack on the plant’s control system was impossible (India Department of Atomic Energy 2019). While air gapping is an excellent way to reduce cybersecurity risks, it is not foolproof. Air-gapped systems, like those targeted by Stuxnet, can be compromised when data, software, firmware, etc., are physically exchanged (e.g., using memory sticks or direct connections to portable devices) between infected and air-gapped devices or systems as part of routine operations and maintenance.

7.2.2 Threat Agents and Vulnerabilities

Cyber threats to nuclear facilities may come from different categories of adversaries. The traditional list of cyber threat actors includesFootnote 26:

  • Nation-States: They may be part of a government organization or receive direction, funding, or technical assistance from a nation-state. Nation-state adversaries can be well resourced and patient in their activities. They may be motivated to gather sensitive information, steal intellectual property, or install malware that can be activated during a future conflict. Their goals could be military, political, or economic. They may be assisted by insiders motivated by financial, political, or other motives.

  • Cybercriminals: They may be individuals or large groups that are financially motivated. They may have the resources to acquire significant capabilities and to recruit or coerce insiders. They may be willing to extort money from their victims, manipulate financial markets, or steal intellectual property.

  • Terrorists: They may have motivations equivalent to those of nation-states or cybercriminals. Their capabilities and resources may be less than those of nation-states but could still be significant. Like criminal organizations, they may be able to hire or coerce the support of technical experts or nuclear facility insiders. Their limited offensive cyber activity is typically disruptive or harassing in nature; terrorist organizations primarily use the internet for communications and recruitment.

  • Hacktivists: They are politically, socially, or ideologically motivated and may mount cyberattacks to harm a company, influence public opinion, or cause a political change. Hacktivists typically have fewer resources and capabilities than nation-states or larger criminal organizations, but they may acquire significant attack capabilities, and they may entice insiders to provide support.

  • Insiders: They are current or former employees, contractors, or other partners who have access to an organization's networks, systems, or data. Insiders may intentionally perform malicious actions, be enticed or coerced to support other categories of attackers, or perform actions without malicious intent that can permit or support a cyberattack. Malicious insiders might take actions to seek revenge or financial gain.

Threat agents exploit vulnerabilities to execute an attack. “Vulnerability” may be defined as a weakness in a system, process, or a procedure that could be exploited by a threat source. Vulnerabilities may exist at the business level (or management level) and at the system or network level. An example of a business-level vulnerability is the lack of well-defined policy for organization-wide access control. An example of a system-level vulnerability is the use of default or simplistic passwords (e.g., “password,” “0123456”) on digital devices.Footnote 27

Vulnerabilities can be introduced unwittingly by suppliers/vendors. An example of a vulnerability introduced by the supplier might be a flaw or “bug” in the firmware or software that a cyberattack could exploit. Most systems are built from several hardware, software, and firmware subcomponents and libraries. These are often procured from other suppliers, rather than developed by the vendor, because doing so is cost-effective for the vendor. Therefore, it is not uncommon to find vulnerabilities associated with inadequate supply-chain security. At the time of the product’s release, vendors are expected to address any known vulnerabilities. However, new vulnerabilities may be discovered after the system is widely deployed. These newly discovered vulnerabilities are referred to as zero-day vulnerabilities.Footnote 28 To address them, vendors often release software and firmware patches. To ensure secure design and development of a system, vendors should follow security best practices throughout the system life cycle.

Vulnerabilities can be introduced unwittingly by users, who must be careful to protect their systems from cyberattack. A misconfiguration or other error can increase the risks from a cyberattack. Users are expected to follow network-level and system-level best practices to protect their systems (e.g., implementing network segregation, applying the principle of least privilege, and applying need-to-know security controls). Users are also expected to maintain good cyber hygiene by applying strict password rules and multi-factor authentication and, if possible, using a zero trust architecture. Users should use external information sources (e.g., the Industrial Control Systems Cyber Emergency Response Team [ICS-CERT] and the United States Computer Emergency Readiness Team [US-CERT]) to stay up to date on security alerts and to immediately develop mitigations for any relevant alert. When vendors release a patch, users should test it thoroughly and then implement it accordingly.Footnote 29

7.2.3 U.S. Regulatory Approach

The U.S. is often viewed as a model within the international nuclear community for nuclear cybersecurity. Many nations have taken their lead from the cybersecurity rule and regulatory guidance published by the U.S. Nuclear Regulatory Commission (NRC). Therefore, it is instructive to review the history of the U.S. cybersecurity program and regulatory actions.

The U.S. approach to cybersecurity for the nuclear sector has evolved as the U.S. Nuclear Regulatory Commission (NRC) issued cybersecurity regulations and guidance, observed real-world outcomes, and strived to incorporate lessons learned.

Several months after the September 11, 2001, terrorist attacks, an NRC security order (EA-02-026, “Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants”) directed nuclear power plant licensees to address issues concerning cybersecurity. A year later, another NRC security order (EA-03-086, “Design Basis Threat for Radiological Sabotage”) directed nuclear power plants to address cyberattacks in their design basis threat assessments. After conducting a series of pilot cybersecurity assessments at several nuclear facilities, a cybersecurity team from Pacific Northwest National Laboratory (PNNL) published NUREG/CR-6847, “Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants,” in October 2004.

The Nuclear Energy Institute (NEI) is the policy organization of the U.S. nuclear technologies industry. NEI's members include companies that operate nuclear power plants, reactor designers, engineering firms and manufacturers, fuel suppliers and service companies, consulting service companies, and others (https://www.nei.org/about-nei). The NEI cybersecurity task force developed guidance (NEI 04-04 Rev. 1, “Cyber Security Program for Power Reactors”) to provide a programmatic framework to manage a nuclear power plant’s cyber security program. It included support for use of NUREG/CR-6847 and outlined defensive strategies and techniques to protect nuclear plants from cyber threat. The NRC staff evaluated NEI 04-04 and in December 2004 determined it to be an acceptable approach for licensees to formulate their cybersecurity programs. The U.S. nuclear industry uniformly embraced the use of NEI 04-04 and voluntarily agreed to implement the program—in part to make it unnecessary for the NRC to implement cybersecurity regulatory actions.

In January 2006, the NRC released Regulatory Guide 1.152 Rev. 2, “Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.” The guidance provided the licensee with security controls that could be embedded within the safety system development process to address potential security vulnerabilities in each phase of the digital safety system life cycle. In March 2007, the NRC released Branch Technical Position (BTP) 7-14 Rev. 5, “Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems.” This position paper provided guidelines for evaluating software life-cycle processes for computer-based instrumentation and control systems. Also, in 2007, the NRC conducted composite reviews at several U.S. nuclear facilities to determine whether licensees were faithfully implementing the programmatic requirements and cybersecurity measures specified within NEI 04-04 Rev. 1. The reviews identified significant deficiencies within the licensees’ implementation of their agreed-to program. As a result, the NRC initiated rule-making activities to institute a regulation addressing cybersecurity for power reactors.

In March 2009, the NRC, with technical assistance from PNNL, issued 10 CFR 73.54 “Protection of Digital Computer and Communication Systems and Networks.” This two-page performance-based rule required licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyberattacks, up to and including the design basis threat. It included requirements to incorporate the cybersecurity program as a component of the physical protection program, maintain defense-in-depth protective strategies, mitigate the adverse effects of cyberattacks, ensure that critical functions are maintained, provide cybersecurity training and awareness, assess cyber risks, test system modifications prior to deployment, and develop and maintain a detailed cybersecurity plan.

Prior to the publication of 10 CFR 73.54, PNNL and NRC began work on Draft Guide (DG) 5022, “Cyber Security Programs for Nuclear Facilities,” to outline a detailed, performance-based (i.e., risk-based), defense-in-depth method for implementing nuclear cybersecurity. Based on material in NEI 04-04 and NUREG/CR-6847, it included a description of a network security architecture that could be used for the protection of plant systems and networks and incorporated the use of a defensive model that defined formal communication boundaries (or security levels) where defensive measures could be deployed to detect, prevent, delay, mitigate, and recover from cyberattack. Also included in DG-5022 was a compendium of defensive strategies that could be utilized by licensees to address a variety of issues common to the application of cybersecurity within a nuclear plant environment.

In June 2008, the NRC released a first draft of DG-5022 and subsequent versions were released later that year and in January 2009. After receiving extensive stakeholder comments, the NRC opted to take a different approach. Rather than continuing with the performance-based approach outlined in DG-5022, the final version of the document, now entitled Regulatory Guide (RG) 5.71, “Cyber Security Program for Nuclear Facilities,” embraced a compliance-based approach to cyber security. RG 5.71 was published in January 2010 and lists over 100 security controls (obtained from NIST SP 800-53 Rev 2, “Recommended Security Controls for Federal Information Systems”) for application to each critical digital asset (CDA) in the nuclear facility. A CDA is a component of a “critical system” that consists of or contains a digital device, computer, or communication system or network. A critical system performs or is associated with a “safety-related, important-to-safety, security, or emergency preparedness function.” At a nuclear power plant, there may be hundreds to thousands of CDAs.

Licensees experienced difficulties attempting to apply all the security controls identified in the RG 5.71 compliance-based approach. While the concept of “more security equals better security” sounds plausible, in some cases it is actually contrary to good security engineering practices. The blanket application of security controls without analysis of their benefits and drawbacks can result in unintended consequences that can negatively impact system performance and cybersecurity. The following are examples of the drawbacks to the compliance-based approach in RG 5.71:

  • Not all controls can be applied in all situations. For instance, implementing virus protection on a real-time operating system (RTOS) is often impossible because technical limitations prevent installation of antivirus elements in an RTOS environment. In cases like these, RG 5.71 directs the licensee to perform an engineering justification analysis and identify an “alternative” control that is as “effective or better than the original control.” Unfortunately, there is no guidance on what “alternative” controls are acceptable and what they must achieve. Licensees complain that they are spending an inordinate amount of time and resources explaining why they cannot apply a particular control or set of controls, rather than using those resources to reinforce existing security controls or to investigate new types of controls.

  • The compliance-based approach of RG 5.71 does not consider cost-benefit ratios. RG 5.71 requires the application of all its specified security controls to each CDA, and little discretion is allowed regarding the use of alternative, creative, cost-effective solutions. As a result, the compliance-based approach does not permit performance-based decisions that would divert resources from ineffective security controls toward measures that would provide much greater risk reductions.

  • The only time that a licensee is required to perform an analysis of security controls for a CDA is when a required security control cannot be applied. This can limit creativity and flexibility in applying security controls. RG 5.71’s compliance-based approach does not provide incentives for doing more to address pressing cybersecurity issues (Securicon 2020).

  • RG 5.71 specifies that a digital asset that acts to protect a CDA also becomes a CDA. This circular logic can cause confusion in the evaluation process, dramatically expanding the number of CDAs at the licensee’s facility and unnecessarily complicating its cybersecurity program. If a CDA is defined by its ability to impact the design basis function of a compromised critical system, how can the same be said of a digital asset used to protect the critical system?Footnote 30

  • Security controls often involve digital hardware or software that may contain their own vulnerabilities. One recent example of this is the SolarWinds attack detected in late 2020. The SolarWinds Orion platform monitors the health, security, and performance of a system’s network. Investigators determined that an adversary infiltrated the supply chain of SolarWinds, inserting a backdoor into the product. As customers downloaded installation and update packages from SolarWinds containing the malware, the attackers were able to access the systems running the SolarWinds product(s). This example illustrates that the implementation of some security controls may introduce new vulnerabilities that attackers can exploit.Footnote 31

Having a performance-based rule (10 CFR 73.54) supported by a compliance-based regulatory guide (RG 5.71) creates a mismatch. Compliance-based approaches are easy for regulators to assess and work in situations where the domain is understood and relatively static. However, these approaches do not fare well for problems like cybersecurity, where the domain is not well understood and the conditions are dynamic.

In contrast, performance- or risk-based approaches, like that described in NIST SP 800-37 (U.S. NIST 2018), are more difficult for regulators to inspect. However, these approaches may be more helpful and cost-effective for organizations because they encourage the licensees to:

  • Explore new approaches to keep up with the evolving threats, vulnerabilities, and security technologies

  • Prioritize their security efforts to focus resources on the most productive and cost-effective security controls for their facility

  • Prioritize their security efforts to focus on the most at-risk systems and spend correspondingly less time and resources on those systems that pose low risks

  • Eliminate excessive paperwork needed to document in detail why some security controls may not be applicable for specific devices and systems

  • Connect cybersecurity and other business risks so that cybersecurity can be seen in the broader context of the facility’s operation, as part of its risk-management program (Securicon, 2020).

Recognizing the limitations of a compliance-based approach to cybersecurity, the NRC is working on transitioning to an approach that adopts risk-based elements into its compliance-based program. In this regard, the NRC may be somewhat behind some other nations. For example, the United Kingdom already incorporates risk-based elements in its cybersecurity regulations.

7.2.4 Potential Risks from a Cyberattack

Cyberattacks may jeopardize the confidentiality, integrity, and availability of nuclear facility assets, systems, or networks. Confidentiality is protecting information from unauthorized access or disclosure (https://csrc.nist.gov/glossary/term/confidentiality). “Integrity” is defined as the “quality of a system reflecting the logical correctness and reliability of the operation of the system, the logical completeness of the hardware and software implementing the protection mechanisms, and the consistency of the data structures and occurrence of the stored data. Additionally, integrity includes protection against unauthorized modification or destruction of information” (U.S. NRC 2010). “Availability” is defined as “the property of being accessible and usable upon demand by an authorized entity” (International Atomic Energy Agency [IAEA] 2011).

For information systems, the “confidentiality” of information is typically the most important thing to protect. However, for operational technology, integrity and availability of these control systems are typically more important than the confidentiality of their information (IAEA 2017).

When the confidentiality, integrity, or availability of a system at a nuclear facility is compromised, there may be significant consequences. These may involve:

  • Impacts on worker health and safety—for example, from cyberattacks that manipulate control systems and result in an explosion or fire within the facility

  • Impacts on public health and safety such as the release of radioactive or hazardous chemicals outside the facility owing to the cyber manipulation of plant systems, and radiological exposure resulting from the theft, diversion, or misuse of radiological materials

  • Environmental impacts resulting from the release of radiological or hazardous materials to the environment fully or partly facilitated by a cyberattack

  • Damage to the facility and equipment, requiring expensive replacements and repairs

  • Economic impacts such as an extended shutdown of a nuclear facility with the resulting loss of revenue or facility productivity, payment of ransom to cyberattackers, or cyber theft of valuable intellectual property

  • Public perception impacts, such as loss of public confidence in the nuclear facility, which could undermine public support for the continued operation of the facility or for new facility construction

  • Regulatory impacts, making operation of the facility more difficult and expensive

Regulatory compliance might focus on activities to protect human health and safety and pay little attention to other potentially costly impacts for the nuclear facility, such as extensive downtime from facility operation. As a result, organizations operating nuclear facilities often need to take risk-based actions in their cybersecurity program that exceed regulatory requirements or address systems not covered by their regulator.

The existence of a vulnerability does not by itself increase the risk to the organization. Instead, risk increases if the existence of a vulnerability is combined with the existence of a threat actor capable of exploiting that vulnerability. Therefore, when a nuclear facility reviews its known vulnerabilities, it should seek to mitigate risk in the context of threat-actor capabilities.

There are three types of cybersecurity risk analysis:

  1. Quantitative risk analysis

  2. Qualitative risk analysis

  3. Relative-quantitative or hybrid risk analysis.

The first two types of analysis are commonly discussed in the literature, but the third type is an evolving topic. Performing quantitative risk analysis involves probabilistic analysis. Most forms of quantitative risk analysis require at least estimated values of the assets and the probabilities pertaining to vulnerability exploitation and impact.Footnote 32

Because quantitative risk analysis requires extensive information, some of which may be difficult to quantify, a less intensive and more subjective qualitative risk analysis approach is often used. This often involves round-table discussion between subject matter experts (SMEs) using well-recognized cybersecurity frameworks. Examples of such frameworks are the NIST Cybersecurity Framework (CSF) and the U.S. Department of Energy’s cybersecurity capability maturity model (C2M2).Footnote 33

To minimize the subjectivity pertaining to qualitative risk analysis, researchers have been experimenting with methods to combine the best attributes of quantitative and qualitative approaches. This combination is often referred to as hybrid risk analysis. Hybrid models include:

  1. C2M2- and CSF-driven hybrid risk analysis: The method uses the qualitative outcomes from frameworks such as C2M2/CSF and transforms the outcomes to relative-quantitative values.Footnote 34 The quantities obtained are used to prioritize mitigations. This method reduces the financial cost of risk reduction.

  2. Consequence-driven hybrid risk analysis: This method focuses on the potential consequences of exploiting a vulnerability and prioritizes the mitigation of such vulnerabilities based on their potential cost.Footnote 35

  3. Vulnerability-driven hybrid risk analysis: This method uses widely agreed-upon numerical factors associated with system-level vulnerabilities.Footnote 36 These numerical factors are defined under the Common Vulnerability Scoring System (CVSS) and are assigned to all discovered Common Vulnerabilities and Exposures (CVE) entries.Footnote 37

After performing risk analysis, the nuclear facility should make risk management decisions. This involves determining its risk tolerance and taking proactive actions based on the available resources and organizational constraints. Nuclear facilities can make risk management decisions that exceed minimum regulatory compliance because such decisions lower risks and reduce the likelihood of negative events and outcomes over the lifetime of the facility.
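The following added example (written for this chapter, not a method from the text or from any of the cited frameworks) shows how the three hybrid ingredients above can be combined into a single relative ranking: a vulnerability-driven factor (a CVSS base score, taken as already computed by a scanner), a consequence-driven factor (the security level of the zone hosting the asset) and the threat-actor capabilities discussed in the preceding section, so that a vulnerability with no capable actor behind it is scored lower, as the text argues. The consequence weights, the actor capability ranks, the residual factor, and all asset and CVE identifiers are constructed assumptions.

```python
"""Relative-quantitative (hybrid) ranking of vulnerability findings.

Added illustrative example. It combines a vulnerability factor (CVSS base score,
taken as given), a consequence factor (security level of the hosting zone) and
the capability of the threat actors in the facility's threat assessment into one
relative score used only to order mitigations. All weights are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Consequence weight by security level (Level 1 = vital safety/security systems,
# Level 5 = business systems). Illustrative values, not from any standard.
CONSEQUENCE_WEIGHT = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2}

# Assumed capability rank of each threat-actor class (higher = more capable).
ACTOR_CAPABILITY = {"hacktivist": 1, "cybercriminal": 2, "terrorist": 2, "nation_state": 3}

# Residual factor applied when no considered actor is judged capable of exploiting
# the finding: the vulnerability still matters, but much less (assumption).
RESIDUAL_THREAT_FACTOR = 0.2


@dataclass(frozen=True)
class Finding:
    cda: str                  # critical digital asset identifier (constructed label)
    cve: str                  # vulnerability identifier (placeholder, not a real CVE)
    cvss_base: float          # CVSS base score, 0.0-10.0, as reported by the scanner
    level: int                # security level of the zone hosting the CDA
    required_capability: int  # minimum actor capability rank needed to exploit it


def threat_factor(finding: Finding, actors: Iterable[str]) -> float:
    """1.0 if some considered actor can exploit the finding, else the residual factor."""
    best = max((ACTOR_CAPABILITY[a] for a in actors), default=0)
    return 1.0 if best >= finding.required_capability else RESIDUAL_THREAT_FACTOR


def risk_score(finding: Finding, actors: Iterable[str]) -> float:
    """Relative score in [0, 100]: vulnerability x consequence x threat, rounded to 0.1."""
    if not 0.0 <= finding.cvss_base <= 10.0:
        raise ValueError(f"{finding.cve}: CVSS base score out of range")
    vuln = finding.cvss_base / 10.0
    consequence = CONSEQUENCE_WEIGHT[finding.level]
    return round(vuln * consequence * threat_factor(finding, actors) * 100, 1)


def prioritize(findings: List[Finding], actors: Iterable[str]) -> List[Tuple[str, float]]:
    """Rank findings for mitigation, highest relative risk first (ties broken by CDA name)."""
    actors = list(actors)
    scored = [(f.cda, risk_score(f, actors)) for f in findings]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample findings for a hypothetical facility.
SAMPLE_FINDINGS = [
    Finding("RPS-PLC-01", "CVE-XXXX-0001", 6.5, 1, 3),   # Level 1 controller; needs a nation-state class actor
    Finding("ENG-WS-07", "CVE-XXXX-0002", 7.5, 2, 2),    # Level 2 engineering workstation
    Finding("HIST-SRV-02", "CVE-XXXX-0003", 9.8, 3, 1),  # Level 3 historian, trivially exploitable
    Finding("MAIL-GW-01", "CVE-XXXX-0004", 9.8, 5, 1),   # Level 5 business e-mail gateway
]

if __name__ == "__main__":
    # The same findings rank differently depending on which actors the threat assessment includes.
    for actors in (["nation_state", "cybercriminal"], ["cybercriminal", "hacktivist"]):
        print("actors considered:", ", ".join(actors))
        for cda, score in prioritize(SAMPLE_FINDINGS, actors):
            print(f"  {cda:12s} {score:5.1f}")
```

Note how the Level 1 controller finding drops from the top of the list to the bottom when no nation-state class actor is in scope, while the highly exposed but low-consequence mail gateway stays near the bottom in both cases; that is the point of weighting CVSS by consequence and threat rather than patching strictly by score.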

7.2.5 Defense and Response

Cybersecurity is a shared responsibility between nuclear facilities; their larger organizational entities such as companies; and government, including competent authorities, review boards, commissions, and other agencies. Effective cybersecurity involves addressing the vulnerabilities associated with people, processes, and technology. It also involves an appropriate integration with other types of security, including physical security and information security (IAEA 2011).

The key to effective cybersecurity is to take actions to deter, detect, delay, and deny attacks and to be resilient in the face of a cyberattack. All of these important capabilities should be part of an effective cybersecurity program, and all have long been addressed in the physical security programs for nuclear facilities. In support of deterrence, warning signs, fences, other barriers, and the visible presence of security guards are used to deter physical attacks. The same holds for cybersecurity. Screen warning messages for those attempting to log into computer systems, video cameras monitoring access to key computers, and training that informs facility workers that computer usage is being monitored are examples of cybersecurity deterrence activities.

Detection of unauthorized or abnormal activities on computer systems is needed to trigger a defensive response. The physical security analogy is having watchmen in the towers of a castle. Thick walls are an excellent defense for a castle, but if you cannot spot a group of engineers digging a tunnel under your walls or see an approaching army before it starts scaling your walls, your defensive capabilities become ineffective. An effective cybersecurity program should detect malicious activity in a timely manner. Continuous monitoring programs, automated assessment of computer logs, network and host intrusion detectors, and other approaches support attack detection.

Delay is important because it allows time for defenders to respond to an attack and bring additional defensive measures online before the attackers can achieve their goals. Multiple defensive boundaries, honeypots to lure attackers and study their efforts, and other measures can delay an attack in addition to supporting other defensive goals.

Denial is the successful defense against a cyberattack. It means that the attackers are unable to achieve their goals and the nuclear facility is able to maintain safe and secure operations. A comprehensive and integrated cybersecurity program is needed to deny attacks.

The resilience capability is an often neglected but critically important approach for dealing with a cyberattack. Resilience includes both robustness, defined as the ability to resist a successful attack and to fail safely and securely if a system is affected, and recovery, defined as the ability to safely, quickly, and efficiently restore operations after an attack.

A key element in supporting cybersecurity is embodied in the concept of “defense-in-depth.” The U.S. NRC defines defense-in-depth as “an approach to security in which multiple levels of security and methods are deployed to guard against failure of one component or levels” (U.S. NRC 2010). Defense-in-depth is implemented primarily by combining a number of independent levels of protection that would have to be circumvented before the compromise of a computer system could occur. If one level of protection or barrier were to fail, the subsequent level or barrier would remain to protect key assets. When properly implemented, defense-in-depth ensures that no single failure of people, processes, or technology could lead to an unacceptable compromise. It also reduces the likelihood that combinations of failures could give rise to a cyber incident. The independent effectiveness of the different levels of defense is a necessary element of defense-in-depth.

Defense-in-depth can be visualized as a series of concentric layers of security in which the vulnerabilities in a given layer are prohibited from existing within the adjacent layers. An attacker seeking to penetrate such a system would be forced to identify and exploit nonidentical vulnerabilities existing at each successive layer, as illustrated in Fig. 7.2.

Fig. 7.2 Illustration of defense-in-depth. Multiple barriers must be overcome before the attacker can reach its objective.
(Figure description: a schematic diagram showing the sequence of multiple barriers that an attacker must overcome before reaching a critical asset.)

One way to implement defense-in-depth is to use a graded, risk-based approach for the security of computer systems. A graded approach applies security measures proportional to the potential consequences of an attack. One practical implementation of the graded approach is to divide computer systems into zones, where graded protective principles are applied for each zone based on safety, operations, and business concerns (IAEA 2020).

Security levels are abstractions that define the degrees of protection required by the various computer systems in a facility. Each level in a graded approach requires a different set of protective measures; some measures are generic and apply to the computer systems in all levels, while others are specific to one or more levels. The security-level model allows easier assignment of protective measures to computer systems, based on the categorization of each system and the definition of the set of protective measures appropriate to its level.

Zones are a logical and physical concept for grouping computer systems for administration, communication, and application of protective measures. The zone model allows computers with the same or similar importance concerning the safe and secure operation of the plant to be grouped together for administration and application of protective measures, as illustrated in Fig. 7.3 (Pacific Northwest National Laboratory 2015).

Fig. 7.3 Concentric security levels and the sorts of systems assigned to them.
(Figure description: concentric circles illustrating the hierarchy of security levels. The innermost circle encompasses safety and control systems, surrounded by security systems, emergency preparedness systems, proprietary and sensitive data systems, non-critical systems, and finally the outermost circle representing the internet.)

The application of a zone model should comply with the following guidelines:

  • Each zone comprises systems that have similar importance for the facility’s security and safety.

  • Systems belonging to a zone have similar demands for protective measures.

  • Different computer systems belonging to one zone build a trusted area for internal communication within that zone.

  • Zone borders feature decoupling mechanisms for data flow, built on zone-dependent policies.

  • Zones can be partitioned into subzones to improve the configuration (Pacific Northwest National Laboratory 2015).

Because zones are comprised of systems with the same or comparable importance for facility safety and security, each zone can have a level assigned, indicating the protective measures to be applied for all computer systems in that zone. However, the relationship between zones and levels is not one-to-one; a level may have multiple zones assigned to it when multiple zones require the same degree of protection (see Fig. 7.4). Zones are a logical and physical grouping of computer systems, while levels represent the degree of protection required. Each level consists of graded security requirements, such as limits on the communication permitted between different security levels. The graded approach assists the nuclear facility in directing the application of limited security resources to those zones and levels that perform the most critical functions (IAEA 2020).

Fig. 7.4 Conceptual model of computer security levels and zones (IAEA NR-T-3.30).
(Figure description: a conceptual model of computer security levels with five tiers ranging from 1 to 5, detailing the complexity of computer security zones, the number of facility designations, the definitions of these zones, and the importance of facility functions.)

Level 1 includes computer systems and assets vital to the safe and secure operation of the facility. Level 2 includes operational control systems and other systems that require a high level of security. Level 3 includes process and other real-time systems not required for operations. Level 4 includes technical data management systems used for maintenance or operation activity, such as work permit, work order, tag out, and documentation management. Level 5 includes systems not directly important to technical control or operational purposes, such as business systems like email, calendars, and financial accounting (IAEA 2011).

Only one-way data flow is allowed from Level 1 to Level 2 and from Level 2 to Level 3. Two-way communication is allowed between Levels 3, 4, and 5. However, the initiation of communications between levels can only occur from an inner level, with higher security, to an outer level, with lower security. Data flow from one level to another only through a device or devices that enforce the security policy between each pair of levels (U.S. NRC 2010).Footnote 38

Although cybersecurity threats are evolving and exhibiting increasing sophistication, so are the security technologies that provide defense-in-depth capabilities. In the past, communication between security levels was restricted by firewall devices that rely on complex rule sets to permit and prevent certain types of communication. Firewalls are only as effective as their technology and rule sets permit; a poorly implemented firewall poses little challenge to a skilled attacker. Newer technologies, such as data diodes, can be more effective than firewalls. Data diodes are hardware-based devices that enforce unidirectional communication: data flow only in a single pre-defined direction, from the more secure level to the less secure level network, and the device contains no physical mechanism that could permit communication in the reverse direction. The design of the data diode “makes it invulnerable to mismanagement by any user” or IT or OT system (Siemens 2020).
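The level rules just described can be written down as a small policy check, the kind a boundary device between two levels would apply to each session it sees. The code below is an added illustration, not from the chapter or from any IAEA or NRC publication; the level numbers and the three rules follow the text, while the treatment of same-level traffic (allowed) and level-skipping traffic (denied, because policy is enforced at each boundary in turn) is an assumption made for the example, as are the sample sessions.

```python
"""Added example: policy check for the five computer security levels.
Level numbers and rules follow the chapter text; handling of same-level
and level-skipping traffic, and the sample sessions, are assumptions."""
from typing import List, Tuple

# Level 1 is the innermost (most secure) level, Level 5 the outermost.
LEVELS = (1, 2, 3, 4, 5)

# The only one-way pairs the text allows: Level 1 -> 2 and Level 2 -> 3.
# A data diode is the hardware realisation of exactly these pairs.
ONE_WAY = {(1, 2), (2, 3)}
# Levels 3, 4 and 5 may exchange data in both directions.
TWO_WAY_GROUP = {3, 4, 5}


def flow_permitted(src: int, dst: int) -> bool:
    """Return True if data may travel from level `src` to level `dst`.

    Assumptions for this example: traffic that stays inside one level is
    allowed; traffic that skips a level (e.g. 1 -> 3) is denied, since the
    boundary devices enforce policy between each adjacent pair of levels.
    """
    if src not in LEVELS or dst not in LEVELS:
        raise ValueError(f"unknown level: {src} -> {dst}")
    if src == dst:
        return True
    if (src, dst) in ONE_WAY:
        return True
    return src in TWO_WAY_GROUP and dst in TWO_WAY_GROUP


def initiation_permitted(initiator: int, responder: int) -> bool:
    """A session may only be opened from an inner (more secure, lower-numbered)
    level towards an outer level, even where data may later flow both ways."""
    return flow_permitted(initiator, responder) and initiator <= responder


def evaluate_sessions(sessions: List[Tuple[str, int, int]]) -> List[Tuple[str, str]]:
    """Decide (session_id, initiator_level, responder_level) records.

    Returns (session_id, verdict) pairs; the verdict names the rule that
    decided the session, which is what an auditor wants in the device log.
    """
    verdicts = []
    for sid, init, resp in sessions:
        if not flow_permitted(init, resp):
            verdicts.append((sid, "deny: no data path between levels"))
        elif not initiation_permitted(init, resp):
            verdicts.append((sid, "deny: initiation must come from the inner level"))
        else:
            verdicts.append((sid, "allow"))
    return verdicts


# Constructed sample: session attempts seen at the level boundaries.
SAMPLE_SESSIONS = [
    ("s1", 1, 2),  # safety system publishing to the control network
    ("s2", 2, 1),  # control network trying to write into the safety level
    ("s3", 3, 4),  # process system opening a session to a maintenance server
    ("s4", 4, 3),  # maintenance server opening a session into the process level
    ("s5", 5, 3),  # business system opening a session into the process level
    ("s6", 1, 3),  # level skipped: no single boundary device would pass this
]

if __name__ == "__main__":
    for sid, verdict in evaluate_sessions(SAMPLE_SESSIONS):
        print(sid, verdict)
```

The distinction the text draws between data flow and session initiation shows up in sessions s3 and s4: Levels 3 and 4 may exchange data both ways, but only the Level 3 side may open the session. A firewall implements these rules in software and can be misconfigured; a data diode implements the `ONE_WAY` pairs physically, which is why the text prefers it at the Level 1/2 and 2/3 boundaries.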

7.2.6 Supply-Chain Security

Supply-chain security has long been a concern of nuclear facilities and governing regulatory bodies. The IAEA notes that “Effective and efficient oversight of the global nuclear supply chain is crucial in both nuclear new build and operating nuclear facilities… In recent years, both the construction and operation of nuclear power plants have experienced difficulties related to their supply chains.”Footnote 39

An example of a breakdown in supply-chain security is the 2020 SolarWinds cyberattack. SolarWinds is a software company that primarily deals in systems management tools used by IT professionals. In 2020, the most widely deployed SolarWinds product was Orion, a network management system that monitored and managed computer systems for tens of thousands of customers. Attackers broke into the SolarWinds computer systems and inserted malware into Orion software. The corrupted software was deployed to customers as part of an update from SolarWinds servers. The malware opened a backdoor pathway into the infected computer systems. The attackers used this to install additional malware that collected and transmitted valuable internal data to the attackers (U.S. CISA 2021).

The United Kingdom (U.K.) National Cyber Security Centre proposed 12 principles for effective control and oversight of supply-chain security. These principles hold for a nuclear supply chain that includes hardware, firmware, and software products purchased from vendors or supplied by contractors. These principles cannot eliminate all supply-chain security risks, but their diligent application will reduce cybersecurity risks. The 12 principles are:

1. Understand what needs to be protected and why. This includes assessing the sensitivity of the information in the contract and understanding the value of the nuclear facility’s information or assets that the suppliers will hold as part of the contract.

2. Know who the suppliers are and build an understanding of their security. This includes knowing the maturity and effectiveness of your suppliers’ current security arrangements and what they expect from their subcontractors.

3. Understand the security risk posed by the supply chain. Assess the risks these arrangements pose to your information or assets, to the products or services to be delivered, and to the wider supply chain.

4. Communicate security needs to suppliers and contractors.

5. Set and communicate minimum security requirements for all suppliers and contractors.

6. Build security considerations into the contracting processes and require suppliers to do the same.

7. Follow the same security requirements when serving as a supplier and service provider to others.

8. Raise awareness of security within the supply chain.

9. Provide support for security incidents.

10. Build assurance activities into supply-chain management. This includes requiring suppliers to report their security performance, adhering to any cybersecurity risk management policies and processes, and accepting your right to audit suppliers and contractors to ensure they are meeting their cybersecurity performance requirements.

11. Encourage the continuous improvement of security within the supply chain.

12. Build trust with suppliers. This includes building strategic partnerships with key suppliers, sharing issues with them, and encouraging and valuing their input.Footnote 40

A bill of materials (BOM) is an emerging concept to support supply-chain security, including cybersecurity for nuclear facilities. It is applicable for the purchase of digital assets, including hardware, firmware, and software. A software bill of materials (SBOM) is a “formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships” (U.S. National Telecommunications and Information Administration [NTIA] 2021). The primary purpose of an SBOM is to uniquely and unambiguously identify software components; document where each component was obtained; and characterize the relationship between components. At a basic level, an SBOM is akin to an ingredients list like one found on a box of food purchased at your local grocery store (U.S. NTIA 2021).

Commercially available firmware and software are directly purchased by nuclear facilities or installed on computers and other digital devices purchased by the facility to play an operational role in a nuclear facility. These software products often include third-party components, such as libraries, executables, or source code. If nuclear facilities don’t know what components are in software they are purchasing, it is extremely difficult to identify vulnerabilities or determine if the software contains a component that comes from a potential adversary. This makes it extremely difficult for a nuclear facility to determine the level of risk associated with using acquired software. This lack of transparency increases cybersecurity risks and can result in unexpected costs during a product’s operational life cycle (U.S. NTIA 2020).

Given the significance of this problem, guidance is being prepared to help organizations identify the components in hardware and software, determine their purpose and where they came from, and evaluate the cybersecurity risks associated with their use.
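The three things the text says an SBOM is for (identifying the components, recording where each came from, and capturing their relationships) can be checked mechanically once the inventory is machine-readable. The following is an added example, not code from the chapter or from NTIA: it reads a small SBOM written in a simplified CycloneDX-style JSON layout (the `components` and `dependencies` fields), walks the dependency tree of the purchased product, lists components whose origin cannot be established from the document, and matches exact name and version pairs against an advisory list. The product, the component names and versions, and the advisory identifier are all constructed placeholders.

```python
"""Added example: reading a (constructed) SBOM to answer what is inside a
purchased product, where it came from, and how the parts depend on each
other. CycloneDX-style field names are used; the data are placeholders."""
import json
from typing import Dict, List, Set, Tuple

# Constructed SBOM for a fictional plant historian product "hist-server".
# "tls-core" deliberately has no supplier entry, to show a provenance gap.
SBOM_TEXT = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "hist-server", "type": "application", "name": "hist-server",
     "version": "4.2.0", "purl": "pkg:generic/hist-server@4.2.0",
     "supplier": {"name": "Example Historian Vendor"}},
    {"bom-ref": "netlib", "type": "library", "name": "netlib",
     "version": "2.1.0", "purl": "pkg:generic/netlib@2.1.0",
     "supplier": {"name": "Example Library Co"}},
    {"bom-ref": "tls-core", "type": "library", "name": "tls-core",
     "version": "1.0.3", "purl": "pkg:generic/tls-core@1.0.3"},
    {"bom-ref": "logfmt", "type": "library", "name": "logfmt",
     "version": "0.9.1", "purl": "pkg:generic/logfmt@0.9.1",
     "supplier": {"name": "Example Library Co"}}
  ],
  "dependencies": [
    {"ref": "hist-server", "dependsOn": ["netlib", "tls-core"]},
    {"ref": "netlib", "dependsOn": ["logfmt"]},
    {"ref": "tls-core", "dependsOn": []},
    {"ref": "logfmt", "dependsOn": []}
  ]
}
"""

# Constructed advisory list: (name, version) -> placeholder advisory id.
ADVISORIES = {("tls-core", "1.0.3"): "EXAMPLE-ADVISORY-0001"}


def load_sbom(text: str) -> dict:
    return json.loads(text)


def component_index(sbom: dict) -> Dict[str, dict]:
    """Map each component's bom-ref to its record (the 'ingredients list')."""
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def dependency_graph(sbom: dict) -> Dict[str, List[str]]:
    """Direct dependencies, as declared in the SBOM's dependencies section."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def transitive_dependencies(sbom: dict, ref: str) -> Set[str]:
    """Every component reachable from `ref`: what actually ships inside it."""
    graph = dependency_graph(sbom)
    seen: Set[str] = set()
    stack = [ref]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def provenance_gaps(sbom: dict) -> List[str]:
    """Components whose origin cannot be established from the SBOM alone
    (no supplier, no version, or no package URL)."""
    gaps = []
    for ref, comp in component_index(sbom).items():
        supplier = (comp.get("supplier") or {}).get("name")
        if not supplier or not comp.get("version") or not comp.get("purl"):
            gaps.append(ref)
    return sorted(gaps)


def match_advisories(sbom: dict, advisories: Dict[Tuple[str, str], str]) -> List[Tuple[str, str]]:
    """Components whose exact (name, version) appears in the advisory list."""
    hits = []
    for ref, comp in component_index(sbom).items():
        key = (comp["name"], comp.get("version"))
        if key in advisories:
            hits.append((ref, advisories[key]))
    return sorted(hits)


SBOM = load_sbom(SBOM_TEXT)

if __name__ == "__main__":
    print("ships inside hist-server:", sorted(transitive_dependencies(SBOM, "hist-server")))
    print("provenance gaps:", provenance_gaps(SBOM))
    print("advisory matches:", match_advisories(SBOM, ADVISORIES))
```

Note that `logfmt` never appears in the product's own dependency list; it reaches the facility only through `netlib`, which is exactly the third-party component problem the text describes. A facility that receives only a marketing feature list, rather than an SBOM, has no way to find it.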

7.2.7 Assessing Cybersecurity

Assessment and auditing play a key role in cybersecurity programs. Assessment is “the testing or evaluation of policies, procedures, or controls to determine the extent to which the policies, procedures, or controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the cybersecurity requirements” (U.S. NRC 2010). Audits are conducted by the competent authority or other government or industry regulator to determine whether requirements are being met. Deficiencies are reported, and facility actions are monitored until the issue is resolved. In some cases, severe penalties can be imposed for failure to meet requirements.Footnote 41

Auditors will typically conduct checklist-based inspections to assess regulatory compliance. Nuclear facilities and their governing organizations will want to self-assess their performance against regulatory requirements. Still, they should also perform risk-based assessments to implement and maintain a cybersecurity program that meets regulatory requirements and protects the facilities against undue operational and business disruptions that are not covered by regulations.

U.S. NUREG/CR-6847 was specifically designed for cybersecurity self-assessments of nuclear facilities. The method outlined in NUREG/CR-6847 provides a systematic and phased approach that enables organizations to conduct a thorough assessment of cybersecurity at their respective facilities to understand their relative cybersecurity posture. While the focus of the assessment method concentrates on systems associated with safety, security, and emergency preparedness, it can also be extended to other systems within a nuclear facility. These include operational control systems associated with secondary or balance-of-plant operation, traditional IT systems related to business functions, and systems related to business continuity.

The NUREG/CR-6847 assessment method allows the users a fair amount of latitude in the selection of tools and techniques that work best for their specific needs. Completed assessments may be used to support or validate the selection of security controls to mitigate cyber threats as well as demonstrate compliance with established regulations. The assessment method can be incorporated as part of the organization’s ongoing cybersecurity program.

The method begins with the formation of a multidisciplinary assessment team and continues with the following six steps:

1. Examine facility-wide cybersecurity practices. In this stage, the assessment team gathers information on the facility's cybersecurity policies, procedures, and practices. Information is also gathered on facility resources that can play a role in the cybersecurity of critical systems.

2. Identify critical systems and assets to be assessed. These will include systems associated with safety, security, and emergency preparedness. Other systems important to facility operation may also be assessed. These systems are then analyzed and decomposed by the team to understand and identify the digital assets that comprise the design-basis function of the system. An initial consequence analysis for each identified critical system or asset is performed to determine the potential consequences to the system and the facility of a compromise of confidentiality, integrity, or availability.

3. Conduct tabletop reviews and validation testing. In this stage, the team works with the facility personnel responsible for designing, operating, and maintaining the identified critical systems and assets. Validation involves physical inspections (walk-downs) and electronic testing of critical systems.

4. Conduct assessments of susceptibility. The team uses the tabletop review and validation testing results to assess each critical system and asset's susceptibility to cyber exploitation. Pathway analysis is used to understand the various vectors of attack that may exist for the system. Both direct and indirect pathways of compromise are considered. The product of this stage is an estimate of the overall susceptibility level for each critical system and asset.

5. Conduct risk assessment activities. The team reassesses the initial consequence analyses that were performed in Stage 2 and uses these results in conjunction with the results of the susceptibility assessments to estimate the risk of cyber exploitation for each identified critical system and asset.

6. Conduct risk management activities. In this stage, the team identifies and characterizes potential new security controls that could be implemented to enhance cybersecurity. A cost–benefit analysis is performed to identify those countermeasures that provide adequate protection while minimizing risk to the operation. Effective risk management options and recommendations are prepared for senior facility management approval and implementation (U.S. NRC 2004).
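Stages 2, 4, 5 and 6 form a pipeline: a consequence rating and a susceptibility rating per asset, a risk estimate combining the two, and a cost-benefit ordering of candidate countermeasures. The code below is an added illustration of that pipeline, not the NUREG/CR-6847 method itself; the three-point ratings, the multiplicative score, the rank thresholds, and the sample assets, countermeasures and costs are all constructed for the example.

```python
"""Added example: combining consequence (stage 2), susceptibility (stage 4)
and a cost-benefit ordering (stage 6) into a countermeasure ranking.
The scoring scheme and all sample data are constructed, not NUREG/CR-6847's."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed three-point scale used for both consequence and susceptibility.
RATING = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Asset:
    name: str
    # Stage 2: consequence of losing each security property for this asset.
    consequence: Dict[str, str]
    # Stage 4: overall susceptibility to cyber exploitation.
    susceptibility: str


@dataclass
class Countermeasure:
    name: str
    asset: str
    cost: float                 # relative cost units (constructed)
    new_susceptibility: str     # susceptibility expected after deployment


def consequence_level(asset: Asset) -> int:
    """Worst case across confidentiality, integrity and availability."""
    return max(RATING[v] for v in asset.consequence.values())


def risk_score(asset: Asset, susceptibility: Optional[str] = None) -> int:
    """Stage 5: consequence x susceptibility, giving a score from 1 to 9.
    Pass `susceptibility` to score a hypothetical post-countermeasure state."""
    s = asset.susceptibility if susceptibility is None else susceptibility
    return consequence_level(asset) * RATING[s]


def risk_rank(score: int) -> str:
    """Constructed thresholds mapping the score back to a qualitative rank."""
    return "high" if score >= 6 else "moderate" if score >= 3 else "low"


def prioritise(assets: List[Asset], measures: List[Countermeasure]) -> List[str]:
    """Stage 6: order countermeasures by risk reduction per unit of cost."""
    by_name = {a.name: a for a in assets}
    scored = []
    for cm in measures:
        asset = by_name[cm.asset]
        reduction = risk_score(asset) - risk_score(asset, cm.new_susceptibility)
        scored.append((reduction / cm.cost, cm.name))
    return [name for _, name in sorted(scored, reverse=True)]


# Constructed sample assets spanning Levels 1, 4 and 5 of the zone model.
ASSETS = [
    Asset("safety-plc",
          {"confidentiality": "low", "integrity": "high", "availability": "high"},
          "moderate"),
    Asset("work-order-server",
          {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
          "high"),
    Asset("site-email",
          {"confidentiality": "low", "integrity": "low", "availability": "low"},
          "high"),
]

# Constructed candidate countermeasures with their expected effect.
MEASURES = [
    Countermeasure("data diode at the safety-plc boundary", "safety-plc", 20.0, "low"),
    Countermeasure("patch and harden work-order-server", "work-order-server", 10.0, "moderate"),
    Countermeasure("multi-factor login for site-email", "site-email", 15.0, "low"),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name}: score {risk_score(a)} ({risk_rank(risk_score(a))})")
    print("priority order:", prioritise(ASSETS, MEASURES))
```

With these constructed inputs the safety PLC and the work-order server both score 6 (high) before treatment, but the cheaper server hardening ranks first because it buys more risk reduction per unit of cost; the diode ranks second even though it removes the most risk in absolute terms. A real assessment would also carry the consequence categories the summary lists (health, environment, economic, public perception) rather than a single worst-case rating.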

NUREG/CR-6847 has been successfully applied at nuclear facilities; those applying the method have typically performed at the top of their class during audits by their competent authority.

7.2.8 Summary and Conclusions

The threat of cyberattacks is a growing concern for governments, industry, and the public. Effective cybersecurity programs are needed to secure all types of critical infrastructure, including nuclear facilities. As leaders and innovators in cybersecurity, the U.S. and India must support nuclear cybersecurity programs and provide impactful nuclear cybersecurity guidance in their respective countries. The U.S. and India should work together to support and assist other countries in developing and implementing appropriate nuclear cybersecurity programs. This effort can involve the publication of technical guidance documents, the presentation of training courses, the development and marketing of cybersecurity technologies, and the implementation of effective supply-chain security programs.

Risk assessment and management should go beyond simple compliance activities to appropriately protect nuclear facilities from cyberattack. In addition to the human health and environmental concerns, nuclear facilities should consider the cybersecurity risks associated with potential damage to their facility and equipment, economic impacts, public perception impacts, and the governmental response to an attack—consequences that are generally not factored into the compliance requirements issued by the competent authority or other regulatory agencies. Models and tools exist to help nuclear facilities evaluate their risks and guide them in making effective risk management decisions. These include simple qualitative models, more sophisticated quantitative models, and hybrid approaches that can assist facilities in characterizing risks and making risk-based and cost-effective cybersecurity decisions.

Effective cybersecurity involves addressing the vulnerabilities associated with people, processes, and technology. It also involves an appropriate integration with other types of security, including physical security and information security. The key to effective cybersecurity is to take actions to deter, detect, delay, and deny attacks and to be resilient in the face of a cyberattack. All these important capabilities are not new for nuclear facilities—they should already be part of mature physical security programs.

One key design consideration for cybersecurity is to employ defense-in-depth—a graded, risk-based approach to secure computer systems. This involves categorizing computer systems into zones, where graded protective principles are applied for each zone based on the required level of security given safety, operations, and business concerns (IAEA 2020).

Supply-chain security has long been a concern of nuclear facilities and governing regulatory bodies. The UK National Cyber Security Centre proposes 12 principles for effective control and oversight of supply-chain security. These principles hold for a nuclear supply chain that includes hardware, firmware, and software products purchased from vendors or supplied by contractors. These principles cannot eliminate all supply-chain security risks, but their diligent application will reduce cybersecurity risks.

A bill of materials is an emerging concept to support supply-chain security, including cybersecurity for nuclear facilities. Its primary purpose is to uniquely and unambiguously identify components, document where each component was obtained, and characterize the relationship between components.

Assessment and auditing play a key role in cybersecurity programs. Auditors will typically conduct checklist-based inspections to assess regulatory compliance. Nuclear facilities and their governing organizations will want to self-assess their performance against regulatory requirements and assess their ability to protect their facilities from undue operational and business disruptions that are not covered by regulations. The NRC has developed a method (U.S. NRC 2004) that can assist nuclear facilities in conducting cybersecurity self-assessments.