On the March 15, I was lucky enough to be invited to a round table event at Chatham House in London titled, Security by Design: Mitigating Cyber Security Risks in the Civil Nuclear Infrastructure in the Gulf. This event came off the back of the recent publication – also by Chatham House – on cybersecurity at civil nuclear facilities.
The event raised a number of interesting points, both around the nuclear sectors collective approach to cybersecurity in general as well as the role that cyber situational awareness could play in the defense of the nuclear sector in the future.
While it is apparent that the nuclear sector is taking cybersecurity seriously, it is fair to say that this industry sector as a whole is coming late to the cybersecurity party.
Clearly, security and safety issues have always been a major concern for the nuclear sector, and retrospective modifications of nuclear facilities as flaws are detected and new standards are implemented would appear to have been common practise for decades. As such, a logical assumption is that implementing common cybersecurity standards is really in the same ball park as the fixes applied to physical infrastructure that one delegate elegantly referred to as “in service modifications.” However, I believe that these are different in two ways.
Firstly, in service modifications to physical infrastructure, I would assume, are mostly stimulated by safety issues and based around a perception of increased risk. Conversely, software patching is conducted primarily on the perception of an increased threat to a vulnerable system. The separation between risk and threat is more than just mere wordplay, with the critical differentiator being that the word ‘threat’ implies the presence of an actor with malicious intent, whereas risk does not.
The second key difference between in service modifications and patching lies within the implicit process that surrounds them, and the stimuli for conducting these activities – namely, the frequency of the occurrence of risks significant enough to stimulate remedial action. Within software patching, the risk is created in the most part by the threat, which has a far greater rate of occurrence within software systems than physical industrial system. In plain terms, I am proposing that dealing with cybersecurity within the nuclear sector required a different approach to the ones inherent within the physical and operational security cultures currently within the industry. Additionally it is my belief that cyber situational awareness – and its derivate threat intelligence – could play a critical part within this cultural change.
So what could cyber situational awareness contribute to the nuclear industries approach to cybersecurity? The most immediate contribution would be within how the nuclear industry perceives the threat in the first instance. Within the area of threat perception, Stuxnet casts a long shadow. Although the incident was an attack on a nuclear supply chain, the incident has created a perception of a high level of cyber risk around the safety critical elements of the nuclear system and that attacking computer systems associated with nuclear infrastructure was the preserve of the nation state.
Neither of these perceptions hold true within the light of informed cyber situational awareness and strategic logical analysis of the true cyber threat. Not only would creating a failure that would result in a meltdown incident within a nuclear facility via a computer attack be technically difficult, but it would also be strategically highly undesirable for even the most belligerent of nation state actors. An overemphasis on nation states conducting destructive attacks on nuclear infrastructure could overshadow more realistic threat scenarios, such as a cybercriminal hosting bitcoin miners on unsecured systems that could, in turn, cause a reactor shutdown.
Cyber situational awareness at its core seeks to create an accurate picture of the threat landscape and the actors within it. For modern threat led cybersecurity this is a critical piece of the wider cybersecurity puzzle.