As nuclear operations become increasingly digitized, so does the demand for assistance from the IAEA in the field of cyber security. Identifying computer-based systems that must be secured against a cyber-attack can be challenging for many nuclear operators, participants agreed at a recent IAEA Technical Meeting on Computer Security Approaches and Applications in Nuclear Security.
At the meeting, 146 operators, regulators, and government officials from 67 IAEA Member States discussed approaches to strengthening defenses against cyber-attacks at facilities ranging from nuclear power plants and research reactors to cancer treatment clinics.
“The operational controls of the first power plants were purely mechanical – computers were far from capable of controlling such a complex system,” said Dirk Meyer, Director General for Central Functions, Administration, Budget, Research and Digitization at the German Federal Ministry for the Environment, Nature Conservation and Nuclear Safety. “We have gone from analogue technology to the digital age within mere decades. With the creation of the internet in the 1990s, a whole world of new and previously unthinkable possibilities opened up.”
However, the benefits of greater connectivity go hand in hand with increased risk of cyber-attacks, participants agreed. Perpetrators exploiting the vulnerabilities of a facility’s digital systems could lead to disruptions of operations, unauthorized access, and potentially the loss of nuclear or other radioactive materials.
“Computer-based systems play an essential role in the safe and secure operation of facilities and activities using, storing and transporting nuclear material and other radioactive material. This includes the maintenance of physical protection and measures for detection of, and response to, material out of regulatory control,” said IAEA Deputy Director General Juan Carlos Lentijo, Head of the Department of Nuclear Safety and Security. “These computer-based systems therefore need to be secured against malicious acts.”
Participants shared experiences of incorporating computer security in the digitization of operations at facilities where nuclear or other radioactive material is used or stored. In an interactive exercise based on a scenario at a fictional facility, participants identified which digital assets must be protected by analysing the functions of computer-supported systems and their relation to maintaining safe and secure operations.
“One of the biggest lessons learned is that when thinking about cyber and computer security, we need to start with determining the function of a particular digital asset, and then determine the appropriate degree of protection based on the criticality of that asset to safe and secure operations,” said Nelson Agbemava, IT and Computer and Information Security Analyst at Ghana’s Nuclear Regulatory Authority. “We need a systematic approach for performing this functional analysis.”
The discussions at the Technical Meeting, held in Berlin from 23 to27 September 2019, will contribute to the development of an IAEA nuclear security guidance publication on Information and Computer Security for Activities Involving Radioactive Material, and other guidance publications on radioactive materials outside of regulatory control as part of the IAEA Nuclear Security Series.
The IAEA also supports Member States, upon request, with capacity building assistance related to computer and information security.
