Dr Richard Piggin discusses cyber security leadership in civil nuclear.
Note: this paper was written whilst Richard was a security consultant at Accenture; he has recently joined ONR as a Nuclear Inspector.
Background
In May 2022, the Department for Business, Energy & Industrial Strategy published the second Civil Nuclear Cyber Security Strategy. It builds upon the developments made in the sector since the initial strategy was published in 2017, which focused upon ensuring that the civil nuclear sector can defend against, recover from, and be resilient to evolving cyber threats (Figures 1 & 2). This entails protecting legacy facilities, new build projects and civil nuclear supply chains from cyber attacks that could compromise sensitive nuclear information, disrupt electricity supply, damage facilities, delay hazard and risk reduction, and adversely impact workers, the public or the environment.
Figure 1: Overview of the Nuclear Fuel Cycle - Civil Nuclear Cyber Security Strategy 2022
The 2017 strategy defined roles, responsibilities, commitments and expectations for HM Government, UK Civil Nuclear Dutyholders (responsible persons on nuclear sites subject to security regulation), the civil nuclear supply chain, and regulators including The Office for Nuclear Regulation (ONR) and the Information Commissioner. The 2022 strategy, developed with UK civil nuclear organisations, the ONR and the National Cyber Security Centre, continues the cross-sector partnership, and in early 2023 the ONR undertook a series of board briefings across the UK civil nuclear sector including laboratories, fuel production, generation and decommissioning.
The strategy outlines how the sector will deliver four key objectives by 2026:
- Appropriate prioritisation of cyber security as part of a holistic risk management approach, underpinned by a common risk understanding, and outcome-focused regulation
- Proactive action to mitigate cyber risks in the face of evolving threats, legacy challenges and adoption of new technologies
- Enhance resilience by preparing for and responding collaboratively to cyber incidents, minimising impacts and recovery time
- Collaborate to increase cyber maturity, develop cyber skills and promote a positive security culture
Figure 2: Civil Nuclear Sub-Sectors - Civil Nuclear Cyber Security Strategy 2022
This article, based upon the materials produced to support ONR’s executive briefings, highlights relevant good practice, relating it to the requirements of the nuclear sector, and has wide applicability to leadership in other organisations. Paul Shanes CSyP FSyI FBCS, ONR’s Head of Cyber Security Regulation, said:
“The briefings demonstrate ONR’s enabling approach to regulation. They provided an opportunity to communicate recent updates to the UK national and civil nuclear cyber security strategies whilst leveraging Accenture’s knowledge of relevant good practice from other critical national infrastructure sectors. This work supports our role as the UK’s independent nuclear regulator and is key to delivering our mission to protect society by securing safe nuclear operations.”
Introduction
Cyber security has become an encompassing term, with a variety of definitions and intended meanings. This is noted by the Cyber Security Body of Knowledge (CyBOK) project, funded by the UK National Cyber Security Programme. The CyBOK introduction concludes that a succinct and broad definition remains elusive in this new and emerging knowledge area. This is likely to be an issue for boards, where a common understanding is essential. However, the use of recognised cyber security frameworks can assist in communicating and managing cyber risk.
The CyBOK team highlight the almost exclusive focus upon information and related technical cyber security measures, often omitting the crucial areas of human behaviour and the impact of breaches from loss of information, safety or disruption of operations. They also consider networked control systems, where the imperative is to prevent unwanted physical actions.
‘Cyberspace’ is now used to describe the operating environment, with both virtual and real-world impacts. The term, originally military, was introduced to a broader audience by the UK National Cyber Strategy 2022, which describes the uniqueness of the cyber landscape and its physical impacts:
‘The cyber domain is a human-made environment and is fundamentally shaped by human behaviour. It amplifies such behaviours for better or worse, the impacts of which are usually also felt in the physical world.’
Organisations are now striving for cyber resilience, not just protection, with strategies that ensure durability and exploit the opportunities resilience can provide as a business enabler. The World Economic Forum (WEF) distinguishes cyber resilience from cyber security as having a more strategic, long-term outlook, driven by leaders who recognise the importance of risk mitigation and proactive risk management. The organisational leaders who set the strategy are ultimately responsible for cyber resilience, and are increasingly being held accountable for it.
Cyber resilience and strategy
The cyber-resilient organisation brings together the capabilities of cyber security, business continuity and enterprise resilience. It embeds security across the business ecosystem and applies fluid security strategies to respond quickly to threats, so it can minimise the damage and continue to operate under attack. As a result, the cyber resilient organisation can introduce innovation and operating models securely across the entire value chain, strengthening trust and instilling confidence.
The cyber security strategy provides objectives for an organisation’s desired future security state, and is integrated with the business strategy. This necessitates an understanding of the current state, with the strategy setting the course for achieving the desired future state within a defined period.
A cyber resilience strategy requires:
- An understanding of organisational risk
- Activities to secure personnel and systems to prevent and resist cyber attacks
- Preparation to ensure sufficient resilience in the event of a cyber attack, to minimise the impact and enable recovery
Nuclear security is not a subset of nuclear safety: the two are interconnected, yet safety engineering and security engineering are independent disciplines. It cannot be assumed that obscure, bespoke systems or air gaps will prevent attacks. Similar challenges have been observed in rail safety, with security guidance for safety engineers and managers published by CPNI (now the National Protective Security Authority). Convergence has been driven by common technologies, platforms and networking, where safe operation of complex systems requires appropriate security. The two disciplines may also conflict: a measure introduced for one can create new functionality, vulnerabilities or hazards for the other, requiring additional mitigations to reduce both safety and security risk in the provision of critical services.
Widely published incidents across industrial sectors have shown that siloed approaches, focused on IT security and omitting operational technology in particular, leave potentially vulnerable systems exposed. The IET Code of Practice: Cyber Security and Safety addresses this convergence and the necessity to integrate safety assurance and cyber security. The publication also considers where there may be tensions between safety and security requirements, such as security-induced safety hazards (e.g. an inability to log on to a safety system), and the estimation of static safety risks against a rapidly changing security environment of dynamic threats and emerging vulnerabilities.
Nation state destructive malware disrupts shipping operations - 2017
The NotPetya malware infected almost 50,000 end-user devices and thousands of servers at the international shipping company Maersk. Its leadership later stated that the company had faced a ‘company extinction event’, and that being average at cyber security is not enough: you have to be good at it. Maersk intends to use cyber security to create competitive advantage and to treat these attacks as business risks, not technology concerns.
The role and importance of cyber security strategy
Organisations pursuing cyber resilience require their senior stakeholders to proactively manage cyber risk alongside other enterprise risks. Leaders set the organisational intent and describe outcomes to be delivered in the strategy, which documents decisions and is used to control implementation and progress, whilst ensuring it aligns with the organisation’s business strategy.
A resilience focused strategy enables organisations to take advantage of digitisation and technological change, developing an approach that enables the business and provides a source of competitive advantage whilst maintaining value.
Aligning cyber security strategy with business priorities ensures that outcomes are proportionate to the risk faced by the business. The strategy quantifies the organisation’s cyber risk appetite and tolerance, and identifies the threats it faces. Using recognised cyber security frameworks assists in applying relevant good practice and meeting sector baselines; for dutyholders it is also a regulatory requirement, and it is critical to effective implementation (Figure 3).
Figure 3: Cyber security strategy implementation
Security strategy principles
When we assist organisations in the implementation of their cyber resilience programmes, our approach is always:
- Business-centric: cyber resilience must be driven by business and organisational priorities. Our research showed this was a key differentiator of cyber resilient organisations, with significant financial advantages
- Enterprise-wide: cyber is an enterprise level issue, to be treated in a similar manner to other organisational risks. It isn’t just an IT, Operational Technology (OT) or technology issue. It is an operating environment with risk, just as a physical environment operates with physical risks
- Exposure focused: we must focus beyond compliance requirements to address actual exposure to be cyber resilient
- Extensive: the strategy must take responsibility for your extended ecosystem, not just the immediate supply chain. Recent events have demonstrated that systemic risks flow from the complex nature of digital systems and their interconnectivity with other systems and organisations. The Colonial Pipeline, SolarWinds and NotPetya incidents illustrate such systemic risks
- Agile: we seek to build cyber security organisations that can evolve and grow along with the business
- Technology enabled: we create a cyber resilient organisation that is technology enabled, not just full of technology. Your strategy should be technology agnostic, focusing on the desired outcomes whilst providing flexibility to keep pace with technological change
Overall, the cyber resilience strategy needs to align with the business strategy and its timeframe. Under two to three years is fundamentally operational planning, which is not strategic.
Governance and leadership
The governance function establishes and maintains the organisational framework, using supporting processes to ensure the security programme aligns with organisational goals and objectives. Our research has shown that a stronger alignment between cyber security practices and business strategy achieves better outcomes.
The board and senior-level leadership are ultimately responsible for your organisation’s cyber risk and resilience. The leadership team must be aware of their role and responsibilities, and are responsible for setting the tone for fostering and maintaining the organisational security culture, including managing cyber risk alongside safety. It is essential that all staff understand their responsibilities for security and cyber resilience. The leadership holds primary accountability for discharging legal, regulatory and mandatory requirements, so governance shortcomings may impact the individual too, especially where OT cyber risks could lead to physical harm.
An outcome-based approach, such as the ONR’s Security Assessment Principles and the National Cyber Security Centre’s Cyber Assessment Framework, places the onus upon boards to manage risk and apply suitable judgement to achieve specified outcomes. Combining an outcome focus with risk management and the application of recognised cyber security frameworks provides greater business resilience and benefits than merely chasing compliance: such implementations show enhanced risk understanding and identification of strengths and areas for improvement, better-informed risk tolerance, clearer prioritisation of security remediation, and better-founded resource allocation and security budget setting.
Good governance should ensure accountability for decisions, their implementation and the measurement of progress with KPIs, which enable course corrections and the provision of feedback to senior stakeholders. An organisation-wide governance structure and cyber security strategy support the delivery of cyber resilience and demonstrate due care and diligence.
Nation state targeted attack on petrochemical safety system - 2017
Dubbed Triton, Trisis or HatMan, this malware specifically targeted Schneider Electric’s Triconex safety instrumented system (SIS) controllers at a petrochemical plant in the Middle East, with the intent of manipulating the plant’s industrial control systems. A safety system runs independently of the main process control system, monitoring for potentially dangerous conditions and bringing the process to a safe state (emergency shutdown) when they arise. The malware was designed to gain a foothold on the SIS controller and reprogram it, so that the safety function could be overridden and a failure induced that would lead to a dangerous physical incident.
Cyber resilience and effective cyber risk management are critical challenges for many organisations. The consequences of poor security strategy can lead to reputational damage, loss in shareholder value, safety incidents and governance issues. Boards often say they lack both tools and competencies to manage cyber risks in the same way they approach other risks. Cyber security vocabulary is frequently a challenge in developing mutual understanding between boards and specialists. Ensuring a common frame of reference, with case studies or stories, can help. Raising cyber security competency, with access to specialist expertise, helps to develop senior stakeholders’ knowledge, ensuring effective oversight.
Accenture research identified four levels of cyber resilience (Figure 4). Cyber Champions, organisations that not only excel at cyber resilience but also align it with the business strategy to achieve better outcomes, are successful in at least three of the four cyber resilience performance criteria: stopping attacks, finding breaches quickly, fixing them quickly, and reducing their impact.
Figure 4: Four levels of cyber resilience - Accenture State of Cybersecurity Resilience 2021
Risk Management
Senior stakeholders set desired priorities, goals and outcomes by managing risk and determining the level of acceptable risk: the risk appetite is the amount of risk the organisation is prepared to accept in pursuit of its objectives, and the risk tolerance is the level of risk it will bear after risk measures have been put in place. Expressing risk appetite in financial terms informs decision making. Risk tolerance is more granular, focused on specific risks, and on how the organisation would cope if they deviated from the risk appetite. Stakeholders should regularly ensure that organisational risk tolerance is consistent with organisational risk appetite. An example of risk identification and assessment is shown in Figure 5.
When undertaking risk assessments, an organisation will identify, assess, and seek to understand security risks to critical systems, both in IT and OT. It is important to assess the methods that might be used by attackers. The MITRE ATT&CK® knowledge base catalogues adversary tactics and techniques, from initial access through to impact, in both IT and OT environments. Tables 1 & 2 show the different potential impacts in IT and OT (industrial control systems or ICS) environments. Organisations then need to put measures in place specifically to defend against these techniques, and monitor progress with suitable KPIs that measure risk reduction. An example would be privileged account management, with KPIs such as the number of users, the number of newly created users, and the number of roles relative to the number of departments.
Tables 1 & 2: Potential impacts in IT and OT (industrial control systems or ICS) environments
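As an added illustration of how such privileged account management KPIs can be computed and checked against tolerances (this is example code written for this article, not code from the original, from ONR or from Accenture), the following Python script evaluates a constructed account inventory. The record fields, the threshold values and the dormant-account KPI (which extends the three KPIs named above, since unused privileged accounts are a common initial-access path) are assumptions for illustration.

```python
"""Privileged account management KPIs over an account inventory.

Added example, not from the original article. Assumes an identity-system
export reduced to the fields below; thresholds are illustrative tolerances
an organisation would set for itself against its risk appetite.
"""
from datetime import date, timedelta

# Reporting date for this snapshot (assumed).
TODAY = date(2023, 3, 1)

# Constructed sample inventory standing in for an identity-system export.
ACCOUNTS = [
    {"user": "alice",    "privileged": True,  "created": date(2021, 6, 1),  "last_login": date(2023, 2, 27), "department": "Operations",  "roles": ["sis-engineer"]},
    {"user": "bob",      "privileged": True,  "created": date(2020, 1, 15), "last_login": date(2022, 10, 3), "department": "Operations",  "roles": ["plc-admin"]},
    {"user": "carol",    "privileged": False, "created": date(2023, 2, 20), "last_login": date(2023, 2, 28), "department": "Engineering", "roles": ["historian-read"]},
    {"user": "dave",     "privileged": True,  "created": date(2023, 2, 24), "last_login": None,              "department": "Engineering", "roles": ["domain-admin"]},
    {"user": "erin",     "privileged": False, "created": date(2019, 9, 9),  "last_login": date(2023, 1, 5),  "department": "Safety",      "roles": ["sis-read"]},
    {"user": "vendor1",  "privileged": True,  "created": date(2022, 11, 1), "last_login": date(2022, 11, 2), "department": "Contractor",  "roles": ["remote-support"]},
    {"user": "svc-hist", "privileged": False, "created": date(2018, 3, 3),  "last_login": date(2023, 2, 28), "department": "Engineering", "roles": ["historian-write", "historian-read"]},
]

# Illustrative tolerances: each KPI must not exceed its maximum.
THRESHOLDS = {
    "privileged_users": 5,
    "new_users_30d": 2,
    "roles_per_department": 1.5,
    "dormant_privileged_90d": 0,
}


def count_users(accounts, privileged_only=False):
    """Number of accounts, optionally only those holding privileged access."""
    return sum(1 for a in accounts if a["privileged"] or not privileged_only)


def new_users(accounts, today, window_days=30):
    """Usernames of accounts created within the last window_days."""
    cutoff = today - timedelta(days=window_days)
    return sorted(a["user"] for a in accounts if a["created"] >= cutoff)


def roles_per_department(accounts):
    """Distinct roles divided by distinct departments; a high ratio suggests
    role sprawl that privileged-access reviews should rationalise."""
    roles = {r for a in accounts for r in a["roles"]}
    departments = {a["department"] for a in accounts}
    return len(roles) / len(departments) if departments else 0.0


def dormant_privileged(accounts, today, max_idle_days=90):
    """Privileged accounts unused for more than max_idle_days. Accounts that
    have never logged in count as dormant only once they are older than the
    idle window, so a freshly created account is not flagged prematurely."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a["user"] for a in accounts
        if a["privileged"] and (a["last_login"] or a["created"]) < cutoff
    )


def evaluate_kpis(accounts, today=TODAY, thresholds=THRESHOLDS):
    """Compute each KPI and flag whether it sits within tolerance."""
    values = {
        "privileged_users": count_users(accounts, privileged_only=True),
        "new_users_30d": len(new_users(accounts, today)),
        "roles_per_department": roles_per_department(accounts),
        "dormant_privileged_90d": len(dormant_privileged(accounts, today)),
    }
    return {
        name: {"value": value, "within_tolerance": value <= thresholds[name]}
        for name, value in values.items()
    }


def compare_snapshots(previous, current):
    """Change in each KPI between two reporting periods (negative = reduction),
    which is what a board pack tracks to show risk reduction over time."""
    return {name: current[name]["value"] - previous[name]["value"] for name in current}


if __name__ == "__main__":
    report = evaluate_kpis(ACCOUNTS)
    for name, result in report.items():
        status = "OK" if result["within_tolerance"] else "BREACH"
        print(f"{name:<24} {result['value']:>6} {status}")
```

Run against the sample inventory, the privileged user count and new-user count sit within tolerance, whilst the role-to-department ratio and the two dormant privileged accounts (an unused vendor remote-support account among them) breach their thresholds and would be reported to the board as actions. Re-running `evaluate_kpis` on the next period's export and passing both results to `compare_snapshots` gives the trend the article asks KPIs to provide.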
The risk management topic also includes the organisational approach to risk, including governance and management accountability for reporting cyber risk to the board. This forms the foundation of the governance operating model, which brings the security strategy and business objectives together and is used to operationalise the governance programme to monitor and support your cyber security initiatives. The implementation should provide end to end traceability of cyber security, business risk and threat management through defined governance, policy and control monitoring.
Figure 5: Risk management - likelihood and impact examples
Cyber security strategy components
Outlining the purpose, vision and mission is the starting point for a cyber security strategy. These capture how security will be an enabler for the organisation, underpinning strategic business objectives. An end-to-end understanding of how the organisation delivers value is an important lens when considering the risks and threats faced. This process will identify how various functions support activities in the value chain, shape the security strategy, and help address risks and threats.
Security concerns such as confidentiality, integrity, availability or safety drive security requirements, and their relative emphasis will differ across the value chain and its various environments. For example, OT requires different security approaches because control systems interact with the physical world. An understanding of the degree of risk and consequence across the value chain is necessary to make informed decisions regarding security investments and strategic next steps. Planning to protect what is most important is often referred to as ‘identifying the crown jewels’.
Cyber security frameworks provide a systematic approach to managing cyber risk. The following functions are regarded as the essential pillars of a holistic cyber security programme:
- Identify: understanding and managing risk to systems, people, assets, data, and capabilities
- Protect: implementing safeguards and limiting the impact of cyber security incidents
- Detect: identifying cyber security threats and supporting timely discovery of incidents
- Respond: acting when a cyber security incident is detected to contain its impact
- Recover: resilience and restoration planning and activities for the timely recovery of capabilities or services impaired following a cyber security incident
Frameworks can be used to define cyber resilience functions, each with a collection of lower-level contributing cyber security and resilience outcomes. These are illustrated using the US National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), which is mapped to the ONR Security Assessment Principles (SyAPs) in Figure 6.
The SyAPs state that dutyholders must implement and maintain effective cyber security and information assurance arrangements to protect Sensitive Nuclear Information (SNI) and technology. The SyAPs are also outcome focused and are used by ONR to assess dutyholders’ security arrangements.
The National Cyber Security Centre (NCSC) guidance known as the Cyber Assessment Framework (CAF) has deliberate similarities with the NIST CSF. Both the NIST CSF and the NCSC CAF refer to relevant good practice, including the ISO/IEC 27001/27002 standards and the IEC 62443 series for control systems or OT.
Figure 6: Relevant good practice: NIST CSF mapped to ONR’s SyAPs
The NIST CSF and NCSC CAF both provide a common language and mechanism to describe an organisation’s current state and future target states. They also help to identify and prioritise improvements, measure progress and communicate cyber security risks.
Colonial Pipeline disruption, 2021
This DarkSide ransomware attack impacted IT systems, and the OT systems controlling the pipeline were shut down as a precautionary measure. This interrupted the supply of 2.5 million barrels of aviation fuel, diesel and petroleum daily across the entire US East Coast. The ransomware gang gained access using remote access account credentials that were available on the dark web. The majority of the $5 million ransom was later recovered by the FBI ($2.4m after bitcoin price fluctuation). The incident led to operational disruption with an international impact upon aviation, panic buying of petroleum, and lawsuits. Account management failings, in leaving active a remote access account whose credentials had been exposed, facilitated the gang’s initial access.
Security culture
Convergence has increased the need to manage cyber security and develop a security-informed approach to safety, where security considerations are integrated into the management of safety risks. Security threats that impact safety must be considered to ensure a security minded engineering approach, which addresses security threats and vulnerabilities throughout the lifecycle.
Embedding a proactive cyber security culture and mindset is essential to enabling the digital enterprise. A positive security culture will mitigate security risks where technology alone is insufficient. Human error, often arising from a lack of awareness and suitable training, remains a principal source of cyber security breaches. The senior leadership needs to define, demonstrate, and inspire a positive security culture and encourage collaboration across disciplines.
Organisations should focus on the following areas to build a proactive cyber security culture:
- Strategic executive alignment is critical to building a cohesive ownership of cyber security across IT and OT and resolving potentially incompatible approaches to addressing cyber risk
- Upskilling of IT and OT cyber security ‘joint taskforce’ professionals with the right skills to enable and sustain cyber security across the organisation
- Establishing incentive and disincentive policies to promote and enforce cyber resilient behaviours across the organisation
- Implementing continuous, interactive and human centred awareness and learning programmes to build user alertness, including new joiners and third parties
- Using data analytics and predictive models, rather than traditional approaches, to measure behavioural change against known vulnerabilities
- Leaders to lead by example and inspire their teams to demonstrate cyber resilient behaviours
Clear expectations should be set for staff behaviour, with an acceptance that incidents will arise, but that staff feel encouraged to report issues so they can be rectified swiftly without threat of blame or criticism. The security culture should be the foundation of daily life in the organisation, where poor cyber security is simply not acceptable, and it is important for organisations to ask themselves these questions:
- Is there an open approach to assess security in a no-blame manner?
- What level of training and awareness do employees have?
- How could employees or an insider cause an incident, intentionally or by accident?
- Does the culture enable cyber resilience to be used as a justification?
A security minded approach for the whole cyber environment?
It is important for the strategy scope to cover the entire cyber environment, including information systems, control systems, safety systems, security systems, building management systems and the Internet of Things (IoT sensors and actuators). An integrated approach must incorporate security into safety cases to address security issues and technology convergence, and deal with the potential tensions between safety and security that may arise. This necessitates a common understanding across the safety and security disciplines, emphasising the importance of leadership and a positive security culture. Leadership teams have a legal responsibility to manage safety and security risks, and shortcomings will have consequences for accountable individuals.
Acknowledgement
It is acknowledged that the briefing materials this article is based upon were commissioned by the Office for Nuclear Regulation in support of the 2022 Civil Nuclear Cyber Security Strategy.
The article contains public sector information licensed under the Open Government Licence v3.0. http://nationalarchives.gov.uk/doc/open-government-licence/version/3/
This article was originally published online by BCS as ‘Cyber Security Strategy for Executives in the UK Nuclear Sector’:
https://www.bcs.org/articles-opinion-and-research/cyber-security-strategy-for-executives-in-the-uk-nuclear-sector/