IAEA Assists African Countries in Developing Computer Security Regulations

Africa’s demand for radioisotopes is expected to grow in the coming years as more countries scale up their peaceful use of nuclear technology. Increasing rates of cancer have led to greater demand for radiotherapy, radiology, and nuclear medicine. Reliance on nuclear applications for industry, agriculture, and science has grown. This has created a demand for a heightened production of radioisotopes in research reactors. These essential reactors operate on computer-based systems which could be vulnerable to cyber-attacks. Like nuclear power plants, research reactors are nuclear facilities which require similar protection plans to prevent, mitigate and respond to potential malicious attacks. Protecting all types of nuclear facilities from such potential attacks is an essential element of the safe and secure use of nuclear technology in Africa.

Working to counter these threats, many countries in Africa are learning from experience in Egypt, Ghana and Nigeria, each of which owns and operates a nuclear research reactor. With the support of the IAEA, these three countries are developing and strengthening computer security regulations and implementing programmes to properly secure their facilities against malicious computer-based acts that could potentially have an impact on the nuclear security and safety of the facilities.

“Computer security continues to grow in importance as digital technologies and computer-based systems are integrated in nuclear safety, nuclear security, and operational aspects of nuclear and other radioactive material facilities and operations,” said Trent Nelson, Senior Information and Computer Security Officer at the IAEA’s Division of Nuclear Security. “The IAEA works with countries in Africa to develop, review and enhance computer security regulations.”

In Egypt, the IAEA works with the Egyptian Nuclear and Radiological Regulatory Authority (ENRRA) to review existing computer security regulations and address potential gaps in regulatory aspects. A national training course was organized in 2022 to develop national capacities for conducting computer security inspections in nuclear facilities. Using the IAEA Nuclear Security guidance and techniques available to inspectors, the course equipped the participants with the knowledge and practical expertise to better assess the effectiveness of computer security at nuclear and radiological facilities.

Nadia M. Nawwar, computer engineer at the Radioisotope Production Facility (RPF) in the Egyptian Atomic Energy Authority (EAEA), was one of the 22 participants in this course. “I learned how the regulatory body performs computer security inspections and what are the necessary computer security arrangements that the operator needs to have in place,” she said. “Since taking part in the course, we have been able to review and validate the Computer Security Regulation Elements more effectively. The course helped us to develop and implement a computer security programme in order to protect the facility’s sensitive information, and sensitive digital assets vulnerable to cyber-attacks.”

In Ghana, the IAEA conducted an expert mission in April 2023 to assess the Ghana Nuclear Regulatory Authority's (GNRA) current national computer security regulations and inspections programme.

“The development of computer security in Ghana posed several challenges, including the absence of local technical knowledge on the subject matter, the merging of the legal issues and technical know-how, and how to manage the resources required,” said Nelson Kodzotse Agbemava, Team Leader of the Nuclear Cyber Security Section of GNRA. “During the regulatory development process, expert review support was sought from the IAEA and other countries to ensure a comprehensive and systematic approach to computer security.”

Similarly, the IAEA also conducted an expert mission in Nigeria in October 2022. “The need for an effective legislative and regulatory framework for computer security was identified in 2019 by the IAEA-led Integrated Nuclear Security Support Plan (INSSP) review in the country,” said Ethel Ofoegbu, Chief Regulatory Officer from the Nigerian Nuclear Regulatory Authority (NNRA). “Consequently, the IAEA assessed the national computer security regulations, identified gaps and provided necessary advice. One of the outcomes was the development of the draft Nigerian Computer Security Regulations for Nuclear and Radiological Facilities and Activities.” Currently, Nigeria is reviewing the draft regulations and is planning a training course on computer inspections.

Taking into consideration the growing number of assistance requests from countries, the IAEA is developing a technical document to help countries establish the key elements of computer security regulations. The IAEA is also ready to assist many more countries draft regulations in the area of computer security when the IAEA Computer Security Regulation Elements Drafting School is launched in August 2023. The School aims to help multiple countries simultaneously develop their specific national computer security regulations, rather than the IAEA assisting individual countries one at a time. After the initial workshop in August, the School will be organized semi-annually across all regions. Together, participants will have the opportunity to draft their national strategy for computer security - the regulatory foundation of a robust computer security programme.