Since more people—and even nations—face threats in the digital world, cybersecurity is critical. In the energy sector, nuclear plants have years of success and expertise in cybersecurity that allow them to stand among the most secure facilities in the country.
Last week the Fissile Materials Working Group (FMWG)—an organization committed to preventing proliferation—and the Stimson Center released a joint report, urging cyber and nuclear security stakeholders around the globe to “come together to share information, experiences, knowledge and best practices.”
The report’s recommendation makes me think about how I’ve seen the U.S. industry evolve into a cybersecurity leader over my career in this field.
The U.S. nuclear industry began looking at the potential consequences of the increasing adoption of digital technologies just over 20 years ago, amid the excitement around the turn of the millennium, Y2K. (For a fun read, check out some of the concerns about the world coming to an end.) Nuclear utilities did not sit on the sidelines for Y2K—we got active. We stood up an informal team of industry experts to assess the potential impact and to implement remediation strategies and, as a result, there was no impact to our sector. Tragedy averted.
On Sept. 11, 2001, that whole story changed. The whole world changed. Our attention swung from innocent computer challenges to cybersecurity. While computer security was a rapidly developing field, the concept of industrial cybersecurity was not even in its infancy. There was nothing, nada, zilch.
From 2001 onward, the industry developed and implemented regulations, guidance and protections for the industry as a whole. I have not been shy about talking about what the industry has done to advance its programs to meet evolving threats and requirements from the U.S. Nuclear Regulatory Commission. Nuclear plants are the best-protected critical infrastructure in the United States.
If I could boil down our 20 years of experience, I would have two key takeaways:
1. Cybersecurity programs must be informed by the threat.
It is vital to have a solid understanding of the threat we face, including its objectives and capabilities. It underpins our process for identifying the computer systems we will protect, and it informs the protective and detective features we put into place. The inverse is also true: We must be able to look at all elements of the program—the assets we are protecting and the protective measures—and adjust to align with the threat environment.
In the U.S., we are poised to re-evaluate our programs based on the threat environment. We go above and beyond protecting mission critical assets. But we are also protecting assets that are simply not attractive to the adversary and, in some cases, we are implementing protective measures that are not adding value. We need to focus our programs as soon as we can on significant, likely targets.
2. Nuclear regulatory frameworks must be flexible to meet the cyber threat.
The NRC has two elements that are vital to ensuring effective nuclear cybersecurity:
- Cyberattacks are integrated into the scope of what the agency evaluates against (also known as the design basis threat), and
- Regulations have specific performance-based cybersecurity program requirements.
The NRC and the industry have a shared responsibility to ensure that regulatory guidance and oversight activities do not stifle cyber program innovation. As the FMWG report identifies, “[i]t has been shown that compliance does not necessarily equate to security.”
We must ensure we don’t end up with static programs that cannot be easily adapted to align with the best available understanding of the threat.
Our industry cybersecurity task force is focused on continuous improvement. As we move through 2019, it is engaged in evaluating all elements of the cyber program to ensure that we are protecting the right computer systems and that the protective measures are efficient and effective.
Photo credit: shutterstock/Gorodenkoff