Tony Berning, senior manager, OPSWAT writes on why the nuclear industry is a good cyber-security example.
I recently attended a workshop for the Nuclear Information Technology Strategic Leadership (NITSL) in Minneapolis. The focus of the workshop was to discuss IT-related issues in the nuclear industry as well as define and share best practices for the implementation of IT systems. A significant consideration in the implementation of such systems is the concern over securing them against threats, which can be addressed by malware detection and data sanitization solutions.
The nuclear industry is a prime example of a regulated industry that has adopted practices to help facilities easily achieve compliance through education and transparency. Though not all industries are regulated, they can still learn a lot from the nuclear industry. Here are a few things I noticed at the conference that this industry does particularly well.
1. Sharing
One of the things the nuclear industry does well is promoting the exchange of information between different facilities on what has been working, what hasn’t been working, and what has been identified as an area for improvement. This allows the entire industry to learn from each operator so that best practices from across the industry can be applied at all sites. In an industry where there is very little margin for error, and the impact of a cyber-security breach could be extremely severe, this information sharing is a vital element of the industry’s protection against cyber-attacks.
The Nuclear Regulatory Commission (NRC) is the US regulatory body for the nuclear industry and has established a timeline for when plants must implement different cyber security elements. Plants are then inspected by the NRC to see whether those requirements are met, and then an inspection report is generated to show which requirements have been satisfied and which have not. Although different facilities are at different stages in the implementation process with regards to cyber security requirements, results from each inspection are shared in an open manner with all nuclear operators.
2. Learning from within industry
One of the session topics at NITSL covered details on how a specific inspection had gone last month at one of the plants. This inspection was a ‘pilot’ inspection to test the procedure of inspecting plants for the requirements in one of the later cyber-security requirements. Although the inspection was only done at a single plant, the results were shared in a public forum to the entire industry, demonstrating their commitment to making sure that there is visibility across the industry. In addition to workshops like this, there were also regular standing meetings between those responsible for implementing cyber-security plans to discuss best practices as well as ad hoc meetings whenever significant issues come up.
3. Learning
In addition to learning from other plants, the US nuclear industry promotes learning from nuclear operators in other countries. A recent example of this involved the implementation of additional requirements for the industry as a result of the Fukushima disaster in Japan. Although there are no nuclear facilities in the United States that could have failed in exactly the same way as the plant at Fukushima Daichi, the US nuclear industry has spent a lot of time studying how the disaster happened and determining how additional safeguards may prevent something similar from happening. As a result, plants are now even better prepared than they were before that investigation.
Another example of where the US nuclear industry has taken lessons from another country is the reaction to the discovery of the Stuxnet worm. Stuxnet targeted the Iranian nuclear industry, which has very different origins and operating goals compared to civilian nuclear operators in the United States. Even so, the US nuclear industry has since implemented a number of controls on the handling of physical media, which was the attack vector used to spread the Stuxnet worm in the Iranian nuclear facilities. Malware detection solutions are primarily used within the industry to implement secure data workflows that protect against such threats on physical media.
Conclusion
Organisations in other industries can learn a lot from the approach the nuclear industry takes to preventing cyber-threats. It is not enough to just fix vulnerabilities that have already been identified in an organisation. A good security officer also needs to proactively identify threats by monitoring attacks that occur against their own industry as well those attacks that target organisations in other industries. Every time there is a new type of threat that is reported, security officers should be evaluating it to see if there are any improvements to their security policies that they should be making. Malware is constantly evolving and becoming more sophisticated, and attackers are always looking for new ways to penetrate organisations. A security officer needs to be just as proactive in identifying any potential threats and implementing measures to block them before they are actually used against the organisation.
