Current and Future Cybersecurity Challenges: Understanding Change in the Nuclear Sector
At the annual meeting this year we had the chance to catch up with Robert Hoffman, Nuclear Cybersecurity Fellow at Idaho National Laboratory and Samuel Visner, Director, National Cybersecurity Federally Funded Research Center, The MITRE Corporation. Rob and Sam offered a super interesting discussion on the impact of cybersecurity on national security during the Wednesday morning plenary. These keynote speakers had a number of fascinating perspectives and insights on challenges associated with information security that do, and will continue to, have a large impact on nuclear facilities and their IT security. After the plenary, we sat down Rob and Sam to hear some more.
The overarching theme of the discussion was change. The keynote speakers noted that the information technology (and by extension, IT security) environment in which we exist is going to change, and that that change is irreversible. While it cannot be stopped, it can be managed, but in order for this to happen, the nuclear industry has to clearly understand how the global IT environment is changing.
One of the key challenges discussed was regarding the IT challenges associated with the purchase of turnkey nuclear facilities. In these cases, where a state procures an entire nuclear plant from another country, there may be an assumption that IT security has been taken into account during the design and build process. However, that assumption likely will not be accurate. Additionally, this raises questions about the maintenance of an IT security system if it has been put into place by the providing country – how can the purchasing state maintain certainty regarding the security of the turnkey IT system of the purchased facility? If the country that provided the facility and the IT security was involved in the design and implementation of the IT security system, it would be difficult to ensure that that state would not maintain a ‘backdoor’ to the system.
Furthermore, the discussion covered the fact that worrying about IT security in a nuclear plant is a rather – to summarize the context – privileged worry to have. In some states and instances, choices may not exist for the source of the equipment that will allow the plant to be connected.
Another challenge is the emergence of 5G networks. The way that this could impact the nuclear industry is based on the fundamentally different model that 5G comprises. 5G networks provide high speed and direct connectivity to the internet of things without any intervening wide area or local area network of your own. This means that facilities and businesses could lose the ability to manage their own networks – which poses clear IT security threats. This is already something that can be seen in the growing trend of corporations embracing platforms like Google or Amazon Cloud Services as opposed to in house management of its data services.
It was an interesting discussion and we thank Rob and Sam for their time. Possibly some of the questions we should be asking ourselves as nuclear materials management professionals are: Do we understand how cybersecurity will impact our research or technology development? And When should cybersecurity evaluated during the R&D lifecycle?
Katherine Bachner & Jay Disser