How Computer Security Exercises Help Increase Readiness for Response to Cyberattacks in Nuclear Security

Historically, nuclear facilities have focused on securing their nuclear material against malevolent attacks by putting in place physical protection measures such as guns, guards and gates. These measures are still used to successfully build fortresses around nuclear facilities, preventing theft of nuclear or other radioactive material, sabotage or unauthorized access to control systems. However, in recent decades, the threat of cyberattacks has escalated in our increasingly digital world. Any country, even those with the most advanced nuclear power and research programmes, can be vulnerable to attack. The development of national frameworks for computer security and response against cyberthreats to nuclear facilities have become necessary. Through large-scale exercises, the IAEA assists countries in improving their protection against cyberattacks and helps them improve their detection of and response strategies to cyberattacks against nuclear facilities.

The IAEA has developed computer security exercises for nuclear power plants and radiological facilities, which have been carried out at a national level around the world. These exercises enable countries to practise and prepare their response to the worst-case scenario of a breach of cybersecurity at a nuclear facility. The theoretical scenarios can pinpoint weaknesses in policies, procedures and processes; and identify gaps that need to be filled through mitigation techniques, capacity building and/or organizational change. As well as assisting States in carrying out large-scale exercises to test computer security at nuclear facilities, the IAEA’s nuclear security guidance on computer security also provide an essential resource that can enable countries to put important computer security measures in place to detect, prevent and respond to cyberattacks.

“It is crucial to develop policies, defined roles and responsibilities, and detailed procedures for a response to computer security incidents before an incident occurs,” said Trent Nelson, Senior Information and Computer Security Officer in the IAEA’s Division of Nuclear Security. “That is where the IAEA can assist in many aspects: from exercises and guidance, to sharing best practices and procedures to ensure effective communication and robust security protection.”

Factors that make nuclear facilities vulnerable to cyberattacks include people, the complexity of the supply chain and sensitive information shared among multiple stakeholders who use the computer-based systems that support nuclear functions.  

“Consider an attack that compromises a supplier and falsifies a work order, causing a trusted technician with authorized access to make a subtly incorrect action,” said Trent Nelson. “This is just one way malicious actors could find ways to bypass security systems.”

An important element in reducing the potential impact of any cyberattack is awareness and effective communication between stakeholders, as any one of these groups, or individuals within these groups, may be targeted by malicious actors. There are four key players when it comes to the defence of nuclear facilities: the regulatory body; the operator of the facility; technical support organizations (computer security incident response teams (CSIRTs) and/or computer security operations centres); and third-party organizations, such as vendors and support organizations. Carrying out exercises is a good way to test communications, reporting and notifications between stakeholders, and to verify and validate the safety and security of organizational structures.

While in an ideal scenario cyber attackers would find it impossible to penetrate computer security systems at nuclear facilities, the evolving nature of malicious actors, and the fallibility of human nature, means it is almost impossible to predict how the next large-scale attack will unfold. Therefore, the timely detection of attacks is key. In a recent exercise in Slovenia, a theoretical cyberattack helped to verify and validate detection and response capabilities to defend against cyberattacks.

“Computer security is not a project or a process, but rather a lifelong journey that requires continuous effort, attention and practice,” said Samo Tomažič, Head of the Cyber Security Division of the Slovenian Nuclear Safety Administration. “Exercises such as the one carried out in Slovenia enable all relevant entities in the nuclear sector to assess how robust their incident response plans are in the event of a successful cyberattack.”

In the case of a serious computer security incident, which could potentially contribute to a nuclear safety or security event, a CSIRT should be involved, in addition to the usual stakeholders at a nuclear facility. Such an incident could entail, for example, the violation of security policies or security procedures; impacts on sensitive digital assets or systems; or the loss of sensitive information and control of critical functions for nuclear safety.

In this case, once a computer security incident or compromise is identified, the CSIRT works with the stakeholders of the facility to investigate the incident, gather forensic data, analyse what happened and where, and assist in containing and eradicating the intrusion to help operators bring the nuclear facility back online. At the end of the response, computer forensics evidence is gathered to aid any criminal investigation into the attack, and to ensure effective information sharing to further strengthen computer security measures at
the nuclear facility in the future.

In the Slovenia exercise, the detection of cyberattacks was essential to be able to respond to this theoretical security incident and test and validate incident response procedures. These exercises support the testing of the relationship between safety, security and emergency preparedness, and strengthen nuclear security regimes by identifying potential weaknesses and developing necessary changes to improve their overall preparedness for potential cyber-security threats. Additionally, these exercises provide an opportunity to test national and international communication channels for notifications and reporting. Overall, conducting computer security exercises regularly is an important aspect of maintaining the security of nuclear facilities.