New UK ‘2022 Civil Nuclear Cyber Security Strategy’ focuses on building cybersecurity across the sector

The U.K. has rolled out a five-year roadmap of activities to manage and mitigate cyber risks in a collaborative and mature manner, while remaining resilient in responding to, and recovering from, incidents when they occur. The 2022 Civil Nuclear Cyber Security Strategy has been developed and endorsed jointly with U.K. civil nuclear organizations, the Office for Nuclear Regulation, and the National Cyber Security Centre (NCSC), along with the U.K. Department for Business, Energy and Industrial Strategy, to strengthen the cybersecurity posture of the country’s civil nuclear sector.

As the sector’s strategic importance and size increase, it is more crucial than ever that civil nuclear organizations and their suppliers protect themselves against cybersecurity threats, and plan effectively for cyber incidents. The 2022 Civil Nuclear Cyber Security Strategy succeeds the U.K. government’s initial ‘Cyber Security Strategy’ to step up Britain’s defense and resilience and set out the path for the government’s approach to building a cyber-resilient public sector. The move will work towards strengthening Britain’s public services to further protect them from the risk of being shut down by hostile cyber threats.

Civil nuclear is recognized as one of the U.K.’s critical national infrastructure sectors and is robustly regulated to ensure that safety, security, and safeguarding arrangements are effective. 

“As both the cyber threat and digital technologies continue to evolve, it is crucial that we make a step change to stay ahead of the curve,” Greg Hands, U.K. Minister of State for Energy, Clean Growth and Climate Change at the Department for Business, Energy and Industrial Strategy, said in the document. “Managing cyber risks requires a whole-of-organisation effort, underpinned by strong regulation, supported by sector-wide collaboration, and a positive security culture. The commitments set out in this strategy seek to collectively deliver that shared ambition, ensuring that the UK’s civil nuclear sector will continue its legacy long into our net zero future,” he added.

Building on a comprehensive understanding of current sector strengths and challenges, the Civil Nuclear Cyber Security Strategy outlines four key objectives which the sector should achieve by 2026. First, the sector appropriately prioritizes cybersecurity as part of a holistic risk management approach, underpinned by a common risk understanding and outcome-focused regulation. Second, the sector and its supply chain take proactive action to mitigate cyber risks in the face of evolving threats, legacy challenges, and the adoption of new technologies. Third, the sector enhances its resilience by preparing for and responding collaboratively to cyber incidents, minimizing impacts and recovery time. Finally, the sector collaborates to increase cyber maturity, develop cyber skills and promote a positive security culture.

These objectives will be delivered by a range of priority and supporting activities and overseen by a programmatic approach to delivery. The key commitments include rolling out Cyber Adversary Simulation (CyAS) assessments and other threat-informed testing activities across the sector’s critical information technology (IT) and operational technology (OT) systems. The strategy also works towards setting baseline cybersecurity standards for the civil nuclear supply chain, and delivering a sector-wide live cyber incident response exercise with the NCSC, alongside an exercising program targeted at senior decision-makers. It further aims to collaborate across the sector on third-party and component assurance and management, and to work with developers of advanced nuclear technologies to support cybersecurity by design.

The document assesses that as the civil nuclear sector’s importance continues to grow, becoming more digitized and interconnected, it cannot be complacent about keeping pace with the cybersecurity threats facing the U.K.’s critical national infrastructure. “The range of malicious cyber actors, from cybercriminals to hostile state actors, continues to expand, whilst the cyber threat is quickly evolving in terms of capability, new technology, and its global-to-local reach. Impacts can be targeted or indiscriminate, as demonstrated by notable cyber incidents occurring globally and in the UK,” it added.

“At the same time, increasing digital transformation provides significant opportunities for the UK, and its civil nuclear sector, to be world-leading in efficiency, safety, security, and innovation,” the Civil Nuclear Cyber Security Strategy said. “Good security enables individual organisations and the sector as a whole maximise use of information and technology to achieve their wider goals,” it added.

“The nature of cyberspace and the challenges faced mean that this strategy cannot be delivered by any organisation alone, and has therefore been developed jointly with leaders from public and private sector civil nuclear organisations, the Office for Nuclear Regulation, and the National Cyber Security Centre,” the document said. Its success hinges on joint delivery and continued co-operation across all partners, it added.

Over the five years, the Civil Nuclear Cyber Security Strategy will provide priority and supporting activities on risk management by ensuring appropriate engagement and accountability at a senior level within organizations across the sector, supporting a holistic risk management approach to cybersecurity, and delivering mature governance structures. It will also maintain a shared understanding of cyber threats and vulnerabilities, and ensure a continued proportionate and outcome-focused regulatory approach.

The sector can also mitigate the specific risks posed to the IT and OT environments, including new technologies and the supply chain. The activities which will help achieve the objective in the next five years include mitigation of cyber risks within and across IT and OT domains, ensuring cybersecurity is embedded into the deployment of new nuclear and digital technologies, effective management of supply chain cyber risk by the nuclear sector, and supporting the nuclear supply chain to take appropriate action to manage its own cyber risk.

To enhance its resilience by preparing for, and responding collaboratively to cyber incidents, minimizing impacts and recovery time, the Civil Nuclear Cyber Security Strategy plans over the next five years to strengthen exercise programs, improve network monitoring, logging and identification of trends, and respond and coordinate during cyber incidents.

The sector also plans to collaborate on increasing cyber maturity, developing cyber skills, and promoting an inclusive and security-minded culture. With budgetary and personnel resource constraints, this objective is increasingly important for the civil nuclear sector’s cybersecurity maturity. During the five-year life of the strategy, the document proposes to collaborate across the sector to tackle common challenges, improve the skills and experience of nuclear cybersecurity professionals, and embed cybersecurity training and accountability across organizations.

There have already been cyber intrusions against nuclear installations. Industrial cybersecurity firm Dragos revealed in February that the company identified the Wassonite threat activity group targeting the Kudankulam Nuclear Power Plant (KKNPP) in India. Subsequent intelligence research combined with public announcements from KKNPP confirmed that adversaries had breached its IT network.
