Cybersecurity of Civilian Nuclear Infrastructure | IGF 2023 WS #220

Knowledge Graph of Debate

Session report

Giacomo Persi Paoli

The Open-Ended Working Group (OEWG) was established to ensure greater visibility and active participation in discussions dealing with international cybersecurity. It has had six iterations, with each iteration involving approximately 20 countries, including the permanent members of the Security Council. The OEWG is seen as more transparent, as everything is open to the public. Furthermore, if consensus isn’t reached on a report, the chair has the authority to publish a summary.

The OEWG has focused on the protection of critical infrastructure, which has been a prevalent subject of discussion. As part of the framework for responsible state behaviour in cyberspace, critical infrastructure is a focal point of multiple norms. States are called to protect their own critical infrastructure and are encouraged not to target the critical infrastructure of others. International assistance is also encouraged for states whose critical infrastructure is targeted by cyber attacks.

However, the OEWG may not be the right forum for detailed discussions on how general norms apply to specific sectors or types of infrastructure. It is viewed as more suitable for discussions on evolving threats, norm implementation, and international impact. There is a need for a dedicated forum to discuss the implementation of general purpose norms for cyber nuclear security. Discussions within the OEWG have covered various aspects of critical infrastructure, such as medical infrastructure, energy, and financial sectors. However, the limited time available has made it challenging for states to deeply explore any of these topics.

Concerns regarding threats to civilian nuclear infrastructure by cyber operations are growing, as states have flagged their increasing concerns over cyber threats to the Secretary General. Cyber attacks have also been on the rise during the pandemic, affecting all sectors of society, including critical infrastructure.

The private sector can play a significant role in helping states develop cyber resilience. The private sector has capacities and capabilities that can contribute to enhancing cyber resilience efforts. Public-private partnerships have been suggested as a tool to increase cyber resilience and have been flagged as a way forward.

In conclusion, the OEWG serves to enhance visibility and participation in discussions on international cybersecurity. It has addressed the crucial issue of critical infrastructure protection. However, it may not be the ideal platform for discussing specific sectors or types of infrastructure. The need for a dedicated forum for discussing the implementation of general purpose norms for cyber nuclear security has emerged. Concerns about threats to civilian nuclear infrastructure by cyber operations are growing, and the involvement of the private sector in developing cyber resilience is seen as significant. Public-private partnerships are also being considered to increase cyber resilience.

Rowan Wilkison

Concerns have been raised regarding the security failures within the IT networks of nuclear plants. These concerns arise from the potential harm and disastrous outcomes that could result from such failures. It is imperative to address these shortcomings and take measures to prevent any adverse consequences.

The modernization of cybersecurity and civilian nuclear infrastructure is seen as a high priority in mitigating the risks associated with these security failures. This would involve implementing advanced and robust security measures to safeguard the IT networks of nuclear plants. By prioritising the improvement of cybersecurity, the likelihood of breaches and potential threats can be significantly reduced.

Furthermore, gaining a better understanding of the threat landscape is crucial. This entails identifying potential vulnerabilities and weak points within the IT systems of nuclear plants and staying updated on the latest cyber threats. By doing so, appropriate measures can be taken to prevent any breaches or malicious activities.

It is worth noting that these issues align with various Sustainable Development Goals (SDGs). Specifically, they relate to SDG 9 – Industry, Innovation and Infrastructure, as the modernisation of cybersecurity and civilian nuclear infrastructure falls within the scope of enhancing industry and infrastructure. Additionally, these concerns also relate to SDG 13 – Climate Action, as the disastrous outcomes of security failures within nuclear plants can have severe environmental implications due to the link to radiation.

Moreover, the issues raised have implications for SDG 16 – Peace, Justice, and Strong Institutions. By addressing the security failures in nuclear plant networks, stronger justice systems and institutions can be established to ensure the safety and security of critical infrastructure. This, in turn, contributes to promoting peace and stability.

In conclusion, the concerns surrounding security failures in IT networks of nuclear plants highlight the need for immediate action. Modernizing cybersecurity and civilian nuclear infrastructure is crucial not only for the industry but also for addressing environmental concerns and maintaining peace and justice. By prioritising these areas and adopting proactive measures, the risks posed by security failures can be effectively mitigated.

Priya Urs

The analysis examines the issue of cyber operations targeting civilian nuclear infrastructure within the framework of international law. The first argument highlights the absence of specific rules in international law that directly address cyber operations on civilian nuclear infrastructure. While states recognize the importance of protecting civilian nuclear infrastructure as critical infrastructure against cyber operations, there is a lack of concrete legal protections.

The second speaker argues that while general rules of international law, including treaties and customary international law, may potentially apply to this context, their specific application presents challenges. These general rules encompass aspects such as the use of force by states, the prohibition of intervention in another state’s affairs, respect for state sovereignty, and the due diligence obligations of states. However, it is important to note that these rules were not designed with cyber operations in mind.

The third and fourth arguments focus on the prohibition of intervention, a principle agreed upon by states, but with variations in the definition of activities that constitute intervention. The generally accepted requirements for intervention to be deemed unlawful are that it must address the internal or external affairs of a state and that it should coerce the targeted state. However, there are disagreements among states regarding the specific activities that fall under this prohibition.

The fifth speaker emphasizes that a cyber operation that disrupts the production of nuclear energy can be seen as coercive and may therefore constitute unlawful intervention. This reflects the belief that if a state adopts a policy regarding the generation of nuclear energy, a cyber operation that disrupts its production would be deemed coercive and thus unlawful.

On the other hand, the sixth speaker argues that cyber operations such as surveillance or data breaches may not be perceived as coercive since they do not directly hinder a state’s policy implementation. These types of operations, which do not interrupt the implementation of a state’s policy, may not be considered unlawful intervention.

The analysis also highlights the importance of preventative measures in cybersecurity and the need for legal accountability. It emphasizes the significance of addressing the cybersecurity problem from multiple angles, including proactive measures and holding accountable those responsible for incidents.

In conclusion, the analysis underscores the lack of specific rules in international law regarding cyber operations on civilian nuclear infrastructure. While general rules of international law may have some relevance, applying them in the context of cyber operations poses challenges. The debate surrounding the definition and scope of intervention further complicates the issue. The analysis also emphasizes the complexity of distinguishing between coercive and non-coercive cyber operations. Finally, it underscores the necessity of comprehensive cybersecurity measures and legal accountability in addressing this complex issue.

Talita Dias

Increased cyber and nuclear risks present a significant threat to national security and global stability. Cyber operations are targeting critical sectors such as healthcare and energy, as well as civilian and military nuclear systems worldwide. It is urgently necessary to develop international technical standards, rules, principles, and non-binding norms to ensure the cybersecurity of civilian nuclear infrastructure. This is particularly crucial given the growing use of small modular reactors and artificial intelligence, which could expand the potential targets for cyber operations.

The International Atomic Energy Agency (IAEA) plays a vital role in this area by providing guidance and recommendations for computer security measures. They also conduct ongoing security audits and assessments to detect vulnerabilities and offer training sessions for nuclear facility operators. However, there is some debate surrounding the binding nature of the IAEA’s recommendations.

To enhance cyber resilience, it is essential to foster multi-stakeholderism and public-private partnerships. The private sector’s involvement in assisting states in building their cybersecurity capacities is recognised, and public-private partnerships are seen as a robust strategy for enhancing the cyber resilience of member states.

One area of contention involves determining what constitutes intervention in the cyber landscape regarding civilian nuclear infrastructure. Understanding the threat landscape in both the cyber and nuclear sectors is critical, as accidents within the nuclear sector can have significant consequences.

Improved dialogue between the cyber and nuclear sectors is necessary to effectively address these risks. Through dialogue, stakeholders can exchange knowledge and best practices, identify potential gaps in cybersecurity measures, and collaborate on developing effective strategies to mitigate cyber threats.

The need for specific cyber nuclear norms, rules, or best practices is currently being debated. The current feedback on this issue indicates a score of 6.4, highlighting the ongoing discussions and varying perspectives on the necessity of such measures.

In conclusion, the increasing cyber and nuclear risks pose significant threats to national security and global stability. Developing international technical standards, rules, principles, and non-binding norms is crucial to safeguarding the cybersecurity of civilian nuclear infrastructure. Collaboration between stakeholders, including public-private partnerships, is necessary to enhance cyber resilience. Clarifying the prohibition on intervention in the cyber landscape and understanding the threat landscape in both the cyber and nuclear sectors are key areas of focus. The necessity of cyber nuclear specific norms, rules, or best practices is subject to ongoing debate and discussions.

Tomohiro Mikanagi

The interpretation of sovereignty in relation to cyber attacks varies among different countries. The UK does not see any standalone obligation arising from sovereignty apart from the non-intervention rules, while France views any cyber operation causing an effect within its borders as a violation of sovereignty. The US, Germany, and Japan believe a certain level of harmful effect needs to be caused in their territory for it to be considered a violation of sovereignty.

In terms of cyber attacks targeting nuclear facilities, it is argued that they could have severe effects and are likely to be considered unlawful under international law. Mikanagi believes that there needs to be a consensus on what constitutes a harmful effect in a cyber attack in order to determine if a violation of sovereignty has occurred. Additionally, the due diligence obligation in international law is not clearly defined, leading to uncertainty among states as to whether this obligation applies to cyber operations.

Furthermore, there is no clear application for the territorial state’s due diligence obligation in the area of nuclear security, and discussions on this matter are ongoing.

The existing Convention on the Physical Protection of Nuclear Materials could potentially cover sabotage through cyber attacks, despite not explicitly mentioning cybersecurity. Given this, it may be more feasible to discuss cyber security issues related to nuclear facilities within the context of established conventions such as this one.

Overall, the varying interpretations of sovereignty and the lack of consensus, clarity, and application of international laws and conventions contribute to the complexity of addressing cyber security issues effectively.

Michael Karimian

The tech sector plays a central role in providing digital solutions for safety, security, and everyday processes, including nuclear systems. It provides ICT infrastructure that is crucial for these purposes. However, the tech sector’s involvement also increases the risk of cyber threats due to the many entry points into its IT systems. Therefore, it is essential for the tech sector to prioritize cybersecurity by design.

One of the main arguments is the ever-evolving threat landscape. The continuous advancements in technology result in a constantly changing and sophisticated threat landscape. Thus, the tech sector must prioritize cybersecurity measures to effectively combat these threats.

Continuous innovation and transparency in threat sharing are also considered crucial. Actively researching and sharing threat intelligence is essential to stay ahead of cyber threats. By engaging in innovation and sharing information, the tech sector can contribute to creating a safer online environment.

Education and training in cybersecurity are also highlighted. Tech companies can provide guidance on cybersecurity best practices, contributing to the education of individuals and organizations in protecting themselves against cyber threats. This emphasizes the importance of quality education and training for ensuring cybersecurity.

The significance of multi-stakeholder engagement and collaboration in addressing cybersecurity challenges is underscored. Collaboration between the tech sector, governments, civil society, and other companies is seen as essential to effectively tackle cybersecurity issues. By working together and sharing knowledge and resources, it becomes easier to address the complex nature of cyber threats.

Microsoft’s stance is mentioned, as they believe in proactively taking steps to address cybersecurity risks. As part of their commitment, they are involved in initiatives like the Cyber Security Tech Accord, which aims to improve cybersecurity across the industry. Microsoft’s active involvement showcases the importance of industry leaders taking responsibility and actively addressing cybersecurity challenges.

Basic cyber hygiene practices are also highlighted. It is mentioned that good yet basic cyber hygiene can significantly reduce the risk of cyber threats. This includes practices such as protecting user identities, applying updates as soon as possible, using advanced anti-malware, enabling auditing resources, and preparing incident response plans. Following these practices allows individuals and organizations to mitigate many cybersecurity risks.

In terms of technology solutions, cloud-based systems are recommended over on-premises systems for better cyber protection. Cloud-based systems offer holistic, adaptive, and global cyber protection, which is facilitated better compared to on-premises systems.

Lastly, the summary emphasizes the importance of adherence to general guidance for cybersecurity across all sectors, including the nuclear sector. Protecting user identities, applying updates as soon as possible, using advanced anti-malware, enabling auditing resources, and preparing incident response plans are considered essential for all sectors. The International Atomic Energy Agency’s guidelines align with this general guidance, further emphasizing the importance of adherence to cybersecurity measures across sectors.

Overall, the summary highlights the tech sector’s importance in providing digital solutions for safety, security, and everyday processes. It emphasizes the need for prioritizing cybersecurity by design, continuous innovation and transparency in threat sharing, education and training, multi-stakeholder engagement and collaboration, adherence to basic cyber hygiene practices, and the use of cloud-based systems. These measures are crucial to mitigating cyber threats and creating a secure online environment.

Marion Messmer

The analysis explores the topic of cybersecurity risks in nuclear facilities and their potential impact. It highlights that cyber attacks can target civilian nuclear facilities either due to their specific role in nuclear systems or their importance to a country’s power supply. Given that nuclear power plants are a crucial part of a nation’s energy infrastructure, any disruption or compromise can have significant consequences.

The analysis notes that awareness of these risks has evolved over time, indicating a need for improved security measures. It mentions that older nuclear power plants initially believed they were safe from cyber threats due to their bespoke IT infrastructure. However, as plants updated and integrated off-the-shelf IT systems, they also had to incorporate cybersecurity measures. Consequently, new regulations and training procedures were required to address these emerging risks.

Moreover, the addition of cybersecurity concerns to the nuclear energy sector, where physical safety has always been of utmost importance, has changed the game. This realization of cyber threats has caused worry among many individuals and organizations involved in the nuclear energy sector.

The analysis also highlights the risks and opportunities presented by new developments in the nuclear sector, such as small modular reactors and microreactors. While these developments can provide a stable power supply to remote regions, they also increase the risk due to the presence of more reactors. The diversification and length of the supply chain in these systems can introduce cybersecurity vulnerabilities. However, the analysis emphasizes that newer reactors are designed with a focus on safety, and awareness of cybersecurity in these systems is more advanced than before. Advancements in design and operator training contribute to reducing the potential risks associated with these developments.

Notably, the war in Ukraine has brought new risks to civilian nuclear infrastructure. The analysis mentions the Saporizha power plant in Ukraine, which has been directly affected by the conflict. Regular physical and cyber attacks on the power plant underline the vulnerability of such infrastructure during times of conflict. The analysis also notes that managing these risks requires particular attention to potential disruptions to the cooling system for the reactors. A disconnection from the grid, for example, could interfere with the cooling system, leading to a reactor meltdown. Backup generators have been put in place at the Saporizha power plant to ensure that cooling can still occur.

The International Atomic Energy Agency (IAEA) has had a positive impact by actively supporting the personnel operating the power plant. Their monitoring and actions have played a crucial role in mitigating risks. It is evident that their involvement is essential in maintaining the security and safety of nuclear facilities.

Additionally, the analysis emphasizes the importance of addressing environmental, health, reputational, and equipment risks associated with nuclear energy. While it may be challenging to determine the exact likelihood of these risks, the potential severe outcomes warrant preventive measures.

Marion Messmer, a noteworthy figure referenced in the analysis, offers insights into the topic. Messmer finds reassurance in the current safety operations and mitigating actions being taken, particularly in the case of the Saporizha power plant. This implies that efforts are being made to address the risks involved in nuclear facilities caught in conflicts. Furthermore, Messmer highlights the significance of reactor design in reducing the likelihood of a Chernobyl-like incident.

It is essential to consider potential scenarios as nuclear energy becomes more prevalent due to the energy transition. Conflicts involving power plants could increase, necessitating effective management strategies for such situations.

Lastly, the analysis raises concerns about putting reactors underwater, as even small modular reactors can pose severe consequences for the environment in the event of a radiological incident. While the idea of hiding reactors underwater may seem appealing, the potential spread of radiation due to water mixing remains a significant risk.

In conclusion, the analysis provides a comprehensive overview of cybersecurity risks in nuclear facilities. The increasing awareness of these risks has led to improved security measures and regulations. New developments in the nuclear sector offer both opportunities and risks, which are being addressed through advancements in design and operator training. The war in Ukraine and the associated risks to civilian nuclear infrastructure highlight the need for managing potential disruptions to cooling systems. The involvement of organizations such as the IAEA has proven valuable in mitigating these risks. Additionally, the analysis emphasizes the significance of preventive measures to address environmental, health, reputational, and equipment risks in the nuclear energy sector. Marion Messmer’s insights further contribute to the discussion, emphasizing the importance of safety operations, reactor design, and effective management strategies.

Tariq Rauf

The International Atomic Energy Agency (IAEA) has issued more than 30 documents providing guidance and recommendations on nuclear security. These documents primarily focus on the integrity of the control systems, containment and control of nuclear materials, and ensuring the safety of nuclear facilities. The IAEA plays a significant role in promoting nuclear security.

However, the primary responsibility for nuclear security lies with states and operators. While international conventions like the Convention on the Physical Protection of Nuclear Material do exist, states and operators are responsible for ensuring the security of their nuclear facilities. The Convention primarily focuses on nuclear security and aims to protect nuclear material during international transport.

Cybersecurity is a crucial aspect of nuclear security and safety. A malicious cyber attack can lead to serious consequences, including the compromise of the cooling system of a nuclear facility. There have been incidents suspected to be caused by cyber attacks that have resulted in leaks in the cooling system of operating nuclear facilities. It is crucial to implement robust cybersecurity measures to prevent, respond to, and recover from such attacks.

Small modular reactors (SMRs) and sealed reactor units are seen as more secure options compared to larger nuclear power plants. SMRs are compact and have sealed reactor units that do not require frequent refueling. This enhances their security and reduces the risk of accidents or material misuse.

The IAEA plays a pivotal role in providing IT security guidance to nuclear facilities. It collaborates with its member states to produce comprehensive cybersecurity measures, which include defense in depth approaches, risk assessment, security policies and procedures, access controls, network security, and incident detection and response protocols.

Capacity building and international cooperation are essential elements in improving nuclear security. The IAEA facilitates capacity building by conducting training sessions at various locations to enhance the skills of nuclear facility operators. It also encourages participation in security audits and assessments to discover new vulnerabilities.

While the Convention on the Physical Protection of Nuclear Material (CPPNM) is an important international instrument for nuclear security, it is not universally binding. Only countries that have acceded to the CPPNM are subject to its provisions. However, the CPPNM amendment in 2005 extended its scope to cover nuclear materials in peaceful uses, domestic storage, and transport.

There is significant concern regarding the potential risks associated with cyber attacks on nuclear facilities. Fukushima and Chernobyl disasters have highlighted the transboundary effects of nuclear accidents. The release of radiation resulting from cyberattacks on nuclear facilities is a major concern. Balancing the protection of national sovereignty and the prevention of widespread radiation is a challenging task.

It is argued that every nation, especially those with nuclear power plants, should accede to the CPPNM to promote international safety. Iran, for example, operates a nuclear power plant but has not yet acceded to the convention. After the Fukushima accident, there were efforts to make the CPPNM mandatory for all 31 states that operate nuclear facilities.

The involvement of the private sector in nuclear security is increasing. International organizations like the IAEA are interacting more with industry, which provides expertise and technology solutions to enhance overall nuclear security efforts.

However, international organizations like the IAEA face the risk of system penetration by state actors. The IAEA deals with highly classified information about the nuclear activities of more than 180 states. State-originated cyber attacks like Stuxnet and Olympic Games on Iran’s enrichment facilities have underscored the need to address this challenge.

Building trust and cooperation with industry is crucial for the IAEA. While the organization has purchased commercial products for managing big data, its IT experts may not match the expertise and capabilities of states. Strengthening cooperation with industry can help overcome suspicion and further enhance nuclear security efforts.

The conclusion drawn from the analysis suggests that the IAEA should have the authority to regulate nuclear security and cybersecurity. An international, legally binding framework for cybersecurity in nuclear facilities is necessary to address the current reliance on national responsibility. Conventions for liability also need to consider damage resulting from cyber incidents at nuclear facilities.

Overall, the summary highlights the importance of nuclear security, the role of the IAEA and international conventions, the need for robust cybersecurity measures, and the challenges posed by cyber attacks. It emphasizes the significance of trust, cooperation, and capacity building to enhance nuclear security and promote international safety.

Speakers