Strengthen Cybersecurity at Nuclear Facilities
Finding
Cybersecurity regulations are slowly adapting to the growing cyber threat to nuclear facilities, but the adoption of these requirements continues to trail the urgency of the threat.
Data Highlights
- Since 2016, when the Cybersecurity indicator was first introduced in the Index, 43% of the 47 countries with nuclear materials and/or facilities that were in previous editions of the sabotage ranking have improved their scores in Cybersecurity.[1] In 2020, 55% of countries scored 50 or above, an increase from 34% in 2016.

- However, in 2020, only Romania and Taiwan receive a full score for Cybersecurity, and 24% of 49 countries with nuclear materials and/or facilities score a zero, meaning they require none of the basic cybersecurity measures included in the Index.
- The percentage of countries that have a basic requirement to protect against cyber attacks has substantially improved—from 57% in 2016 to 73% in 2020.

- Countries are still lacking more specific cybersecurity measures. Only 47% of countries require a response plan for a cyber incident, which is a critical preparatory step in planning for a cyber attack. Only 22% of countries require licensees or operators to have a cybersecurity awareness program for all personnel with access to digital systems, which helps to address the human factor in cybersecurity.

Recommendation
Given the rapid pace with which cyber threats evolve, countries should prioritize actions to strengthen cybersecurity at nuclear facilities to prepare for, protect against, and respond to cyber threats.
- Regulators should require facilities to protect against cyber attacks, to integrate physical protection and cybersecurity, and to protect critical digital assets, such as systems related to physical protection, control, accounting, or safety.
- Threat assessments and a country’s Design Basis Threat should take into account the potential for cyber attacks at nuclear facilities, as well as combined cyber-physical attacks. Regular tests and assessments should be required to identify weaknesses and to make continuous improvements.
- Countries should require a cybersecurity response plan to prepare for and understand how best to mitigate the consequences of a cyber attack. Response plans can limit the damage and reduce recovery times should a facility be successfully attacked.
- Addressing the human factor is also important for cybersecurity when insiders could unwittingly introduce or exacerbate cyber vulnerabilities. Nuclear facilities should require all personnel with access to computer systems to complete programs to strengthen their awareness of cyber threats and help mitigate insider threats.
- Given the uneven capacity to address cybersecurity globally, greater effort is needed to fill capacity gaps in cooperation with other countries. This includes steps to develop, maintain, and retain the necessary capacity. Countries should contribute financial and human resources to the IAEA to support its work developing cybersecurity resources, providing training, and conducting reviews of security arrangements.
- One initiative NTI is leading to strengthen the cybersecurity of facilities addresses the fact that there are a limited number of true cyber-nuclear experts around the world. NTI hosts a Cyber-Nuclear Forum that brings together some of the few experienced cybersecurity leaders at nuclear facilities around the world to share best practices and solve problems.
For more on the challenges posed by technology to nuclear security, including cyber vulnerabilities, see Balancing the Risks and Rewards of Updated Digital Technologies in Nuclear Facilities.
[1] This percentage is calculated using 47 countries instead of 49. Jordan and the United Arab Emirates were added to the sabotage ranking in 2020 and do not have scores for previous editions of the NTI Index.