Addressing Computer Security Threats: The Evolution of the IAEA’s Assistance Programme

The shift to digitally networked societies, where daily activities are interlinked with the help of computer-based systems, artificial intelligence (AI) and digital technologies, is having a huge impact on nuclear safety and security. The essential role of digital technologies in maintaining safety and security functions at facilities handling nuclear material or other radioactive material cannot be overstated. 

“Computer-based systems and digital technologies are vital for facilities and associated activities where nuclear and other radioactive material is used,” said Elena Buglova, Director of the IAEA’s Division of Nuclear Security, emphasizing the need for all countries to implement computer security programmes and improve nuclear security defence in depth. “As technology advances, protecting the confidentiality, integrity and availability of sensitive information and assets requires continuous vigilance to prevent and mitigate risks, and a robust information and computer security programme.”

The need for addressing computer security threats, malicious cyberattacks and any potential vulnerabilities that digital technologies may introduce, as well as the importance of computer security for nuclear security, was first identified in a nuclear security resolution adopted by the IAEA’s General Conference at its 55^th regular session in 2011. It noted the IAEA’s efforts “to raise awareness of the growing threat of cyber attacks and their potential impact on nuclear security”. This resolution also encouraged the IAEA to develop appropriate guidance documents, provide training courses, and host further expert meetings specific to cyber security at nuclear facilities to assist countries in protecting themselves against cyberattacks.

“Following up on the 2011 General Conference resolution, IAEA activities focused on improving computer security capabilities at the State and facility levels,” said Buglova, adding that these activities were then included in the IAEA’s subsequent Nuclear Security Plans, including the details for the current implementation of the IAEA computer security activities which are outlined in the Nuclear Security Plan 2022–2025.

The establishment of a robust and up-to-date computer security programme is a key element to guard countries against cyberattacks in all types of critical infrastructure. The IAEA has been agile in providing assistance to countries at all stages of developing national information and computer security programmes, including the provision of guidance documents and training. 

Four IAEA Nuclear Security Series guidance publications and three additional technical publications provide guidance on information and computer security. The guidance can be used as the basis for the development of national computer security frameworks, including national strategies, as well as for computer security regulations and training.

A key principle of the IAEA’s guidance is to preserve the critical functions at nuclear facilities by protecting information and computer-based systems to maintain a safe and secure environment for both the facilities and the materials. This is achieved by developing a computer security programme; identifying nuclear security functions; using risk management to determine the potential consequences of compromised security; defining the level of computer security required for sensitive digital assets; and implementing a graded approach and defence in depth concepts in computer security. These elements should be designed and implemented in a way to prevent compromise, and to help increase the operator’s ability to detect and respond to intrusions as well as to mitigate the potential impact of cyberattacks.

Upon countries’ requests, the IAEA offers various training opportunities to a range of audiences. These audiences include competent authorities, operators, vendors and other entities that may have responsibilities for computer security implementation. They could also benefit from the IAEA’s expertise in conducting computer security exercises as part of the nuclear security programme.

In addition, four e-learning courses on computer security are freely accessible and available in Arabic, Chinese, English, French, Russian and Spanish on the IAEA’s Cyber Learning Platform for Network Education and Training, and can be accessed by registration or via a NUCLEUS account. An innovative, new virtualized training platform will also be available soon.

In parallel, the IAEA supports national or regional computer security exercises as part of its efforts to raise awareness of the threat of cyberattacks, and their potential impact on nuclear security. The exercises feature different scenarios in which sensitive information and computer-based systems are targeted directly or indirectly as part of an attack on both physical protection and electronic systems.

Research complements the IAEA’s computer security activities, mainly through the well-established mechanism of coordinated research projects. Coordinated research projects have been launched in recent years to advance the efforts of the global research community in information and computer security and increase the readiness for addressing emerging challenges and risks.

 The IAEA’s computer security programme for nuclear security is constantly evolving. The reliance of small modular reactors and advanced reactors on advanced technologies and digital instrumentation, the anticipated impact of AI and the emergence of virtualized learning environments present challenges and areas for expanded support to States.

“We are witnessing an increasingly heightened awareness of the potential or actual implications for nuclear safety and security among countries, regulatory bodies, operators and other stakeholders,” said Buglova. “The anticipated significant growth in the use of peaceful nuclear applications, specifically nuclear power programmes, makes it imperative to consider information and computer security as an integral part of nuclear security.”

Cyberattack

The term ‘cyberattack’ is used to describe a malicious act with the intention of stealing, altering, preventing access to or destroying a specified target through unauthorized access to (or actions within) a susceptible computer-based system. Cyberattacks jeopardize the confidentiality, integrity or availability (or a combination of these properties) of the sensitive information within a sensitive digital asset, or of the sensitive digital asset itself, and might be used to carry out or facilitate a malicious act against a facility or activity or other criminal or intentional unauthorized act involving nuclear or other radioactive material.

A cyberattack can be carried out through direct physical access to the information or information assets or through electronic access, or a combination of the two, and can be carried out directly by an adversary or by (or with the assistance of) an insider knowingly or unknowingly influenced by an adversary.

Cyberattacks, once detected, should be treated as computer security incidents.

This definition is taken from the Computer Security for Nuclear Security (IAEA Nuclear Security Series No. 42-G)