Countering Threats in an Increasingly Digitized World

In May 2022, the Austrian Institute of Technology (AIT) became the first IAEA Collaborating Centre for information and computer security for nuclear security. The AIT provides support for international and regional training courses and exercises in computer security for nuclear facilities and activities, develops technical demonstration modules for enhancing awareness about cyberthreats, and contributes to the development of training materials for the new Nuclear Security Training and Demonstration Centre at Seibersdorf. To better understand this cooperation, we talked to Helmut Leopold, Head of the Center for Digital Safety and Security at the AIT.

Q: What are the emerging risks and threats in computer security in general?

A: Many modern digital devices today are being built with more extensive networks in mind. Many of them need access to the Internet to function. Every software development includes potential errors that can lead to vulnerabilities. Poorly protected interfaces and users acting irresponsibly increase the number of security threats to the operation of information technology (IT) systems. Attackers exploit the vulnerabilities of digital systems in order to gain access.

Attack methods and tools develop in line with the development of digital innovation processes. Software for hackers is now readily available on the Internet, making attacks easier — even for less qualified attackers.   We are confronted with a diverse cyberattack ecosystem driven by organized crime, economic and industrial espionage, and cyberterrorism.

Today, therefore, a broad spectrum of cyberattacks threatens users, companies and authorities, and can attack the digital infrastructure of entire States in conjunction with targeted disinformation campaigns, shaking the foundations of our societies.

Q: Does the nuclear industry face the same challenges?

A: Businesses and individual consumers primarily use data-driven and communication-oriented Information Technology (IT). By contrast, production facilities and critical infrastructures use so-called Operational Technology (OT) that monitors and controls the behaviours and outcomes of defined production processes. OT has traditionally been much less interconnected than IT, however, with the progression of technology, the two fields have converged, and OT software and devices are increasingly being plugged into broader networks.

This development is problematic, as cybersecurity awareness is less widespread in OT than in IT.

Thus, these new threats to IT security become relevant for the OT of industrial production and critical infrastructure. This also becomes increasingly relevant for the nuclear industry, which traditionally had a conservative approach and kept control systems isolated.

Q: What activities does the AIT conduct to enhance cybersecurity in nuclear security?

A: The AIT research programme scrutinizes how evolving threat scenarios could impact OT systems and aims to develop know-how and new solutions to increase the resilience of critical infrastructures against cyberattacks. This work is the basis for developing new global security standards, certification procedures for critical system elements and new system architectures to embed solid cybersecurity measures into OT systems from the start of their design.

The AIT also offers comprehensive training and education to prepare against cybersecurity attacks. In complex simulations of ‘virtualized’ IT systems, so-called ‘cyber ranges’, users, system developers, operating personnel and government representatives react to realistic cyberattack scenarios. Such simulations are crucial to ensuring resilient IT and OT systems that can effectively fend off cyberthreats.

Q: What are the advantages of the virtual learning environment developed by the AIT and the IAEA?

A: Practical experience is the most effective learning process. The AIT and the IAEA developed a ‘cyber range’ that offers the creation of ‘digital twins’ of existing critical digital infrastructures, and that also offers training in highly realistic application scenarios.

Here users from government and industry can evaluate and test the effectiveness of protection mechanisms and business processes.

Experiences from the ‘cyber range’ support the establishment of sustainable defensive capabilities of public and private organizations alike.

Q: Besides virtual training, how does the AIT’s work and expertise in computer security advance nuclear security?

A: We can help to defend against attackers, for example, by developing software to monitor “edge” devices that typically link organizations’ internal networks to the Internet. Attackers often use these devices as system entry points before they do damage.

We use our experience in anomaly detection to train analysis software that monitors edge devices typically used in a particular type of nuclear facility.

 Such a software can set off an alarm or take countermeasures if a device is acting in a strange way. As a result, operators can swiftly detect and deter cyberattacks before they can do significant harm.

Q: One year ago, the AIT was designated as the IAEA’s first Collaborating Centre in computer security for nuclear security and remains the only such Centre today. What does this mean for the AIT’s work?

A: We are incredibly proud of our designation as a Collaborating Centre and continue to support the delivery of a regional training course on computer security for instrumentation and control systems in the nuclear sector. The course was held twice in 2022, using some of the outcomes from our joint venture to develop a virtual learning platform.

We have also participated in activities on computer security in developing small modular reactors.

Currently, we are assisting the IAEA in preparations for the 2023 International Conference on Computer Security in the Nuclear World: Security for Safety, where we will perform demonstrations of our virtual training platform, chair panel sessions and present papers that are related to our research in the sector, and more.

Q: What is the AIT’s involvement at the Nuclear Security Training and Demonstration Centre (NSTDC)?

A: We have been working closely with our colleagues at the IAEA to develop training modules, demonstrations and exercises for the NSTDC. We incorporate computer security modules into the training courses associated with the physical protection of nuclear and other radioactive materials, and also those associated with the detection and response to nuclear and other radioactive material out of regulatory control. This arrangement seeks to reinforce the concept of computer security as an integral and inseparable element of nuclear security.