How International Collaboration Keeps the World Safe from Cyberthreats

The nuclear industry faces a significant challenge in maintaining computer security owing to the widespread use of digital devices. This trend is evident in everyday life, where smart fridges, lighting and other devices controlled remotely via cloud computing have become commonplace. Many systems at nuclear facilities, which previously would not have had any digital components, now have digital elements. Their computational power, reprogrammable nature and ability to interconnect delivers unequalled efficiency in the support of operations, nuclear safety and nuclear security.

Small modular reactors and other new reactor designs are being developed in a digital-first world with an even more widespread use of computer systems than in previous designs. They may be designed to operate remotely or even autonomously, utilizing computer network infrastructure to communicate with a central operator. This approach can enable operators and automated systems to analyse large amounts of data to increase the operational efficiency of the nuclear facility.

However, this digital modernization of the nuclear industry creates more challenges as, without adequate computer security, weak points or vulnerabilities could be exploited by malicious actors as part of an attack against one of these facilities.

In order to address the challenges posed by the rapidly evolving digital technology landscape in nuclear facilities, and the need to support harmonized approaches between countries and facilities, the IEC has adopted a consequence-based and risk-informed approach aligned with the information and computer security guidance within the IAEA Nuclear Security Series (NSS). Rather than a prescriptive approach, we advise a graded approach, enabling organizations to determine the level of control required for a product or process based on the potential consequences of a cyberattack. For instance, the first step in a computer security programme is to review the functions of the nuclear facility, assess their impact on safety and security, and determine the appropriate level of security requirements.

Predicting how cyberattacks will evolve in the future is challenging, so the IEC has worked closely with the IAEA and developed standards that recommend that computer security programmes in nuclear facilities focus on detection, response and recovery, in addition to prevention. Even if elements of a cyberattack are successful, there should be mechanisms in place to restore and ensure the correct performance of the necessary functions to guarantee that safety and security are not compromised.

The rapid digitalization of our world, along with the growth of artificial intelligence and machine learning, can make computer security at nuclear facilities seem daunting. International collaboration is crucial in order to continue the safe and secure operation of these facilities, despite such challenges. For over half a century, the IAEA, the international community and the nuclear industry have collaborated on standardization to support the safety and security of peaceful nuclear technology. With global issues such as climate change and energy security becoming more pressing, many countries are looking to new and innovative nuclear technology as a way to generate low-carbon energy, making standardization even more important in maintaining the safety and security of nuclear facilities.

The IAEA and the IEC are essential contributors to the international effort to establish standards for information and computer security at nuclear facilities. The IAEA develops guidance publications within the NSS through international consensus, outlining concepts and norms for ensuring information and computer security as fundamental elements in achieving nuclear security objectives. The NSS provides guidance on organizing State resources and preparing industry regulations and concepts for implementing a cyber-informed engineering approach in nuclear facilities.

As an international standards organization that promotes best practices and knowledge sharing, the IEC works closely with the IAEA. Under the Memorandum of Understanding between the IEC and IAEA, scientists and experts working with the IEC develop standards and technical reports on implementing IAEA guidance through specific programmatic and engineering requirements. These requirements can be leveraged in the design and development of current and future digital systems, which can be certified against regulatory models aligned with IAEA guidance. Experts representing the nuclear industry’s experience in implementing IEC standards can then support the development of future iterations of IAEA guidance.

Scientists and experts contribute to the work of the IEC on a voluntary basis, and more volunteers are always welcome. The community of computer security experts in the nuclear field is relatively small, even on a global scale. Contributing to the IEC provides an opportunity to build standards that may be used globally to support the nuclear industry worldwide.