Cyber risk accountability focus grows in UK civil nuclear sector

Out-Law News | 18 May 2022 | 2:46 pm

Directors at businesses operating in the UK’s civil nuclear sector can expect to be held accountable for the decisions they make that impact cybersecurity, according to a newly published cybersecurity strategy for the sector.

Increased accountability for cyber risk management was just one area of focus in the strategy, which was jointly developed by the UK government, the Office for Nuclear Regulation (ONR) and industry, and which outlined a series of pledges to be delivered by the end of 2026.

The strategy detailed the need for the sector to address cyber risk given the importance of nuclear power to the UK’s energy security and its role during the UK’s transition to a ‘net zero’ emissions economy.

“As the civil nuclear sector’s importance continues to grow, becoming more digitalised and interconnected, it cannot be complacent about keeping pace with the cybersecurity threats facing UK critical national infrastructure,” according to the strategy. “The range of malicious cyber actors, from cyber criminals to hostile state actors, continues to expand, whilst the cyber threat is quickly evolving in terms of capability, new technology, and its global-to-local reach.”

“Impacts can be targeted or indiscriminate, as demonstrated by notable cyber incidents occurring globally and in the UK. At the same time, increasing digital transformation provides significant opportunities for the UK, and its civil nuclear sector, to be world-leading in efficiency, safety, security, and innovation. Good security enables individual organisations and the sector as a whole to maximise use of information and technology to achieve their wider goals,” it said.

Cyber risk expert Stuart Davey of Pinsent Masons welcomed the government’s focus on cybersecurity in the civil nuclear sector. He highlighted that the first of five core pillars in the national cybersecurity strategy relates to initiatives to strengthen the UK cyber ecosystem, invest in people and skills, and deepen the partnership between government, academia and industry. He also welcomed the provision of new guidance for sector organisations in the civil nuclear cybersecurity strategy: one of the aims of the new strategy is for the sector and its supply chain to take “proactive action to mitigate cyber risks in the face of evolving threats, legacy challenges and adoption of new technologies”.

A recent government study found that just 14% of UK businesses monitor risks from suppliers or the wider supply chain, despite the fact that hackers are increasingly looking to suppliers for access to corporate systems and data.

The strategy confirmed that new cyber and information security requirements are to be built into the design assessment process that the ONR oversees for prospective new reactors, while suppliers to nuclear organisations can also expect to be subject to “baseline cyber and information security standards”.

The new strategy also called for cybersecurity in the civil nuclear sector to be appropriately prioritised “as part of a holistic risk management approach”. Examples of cyber attacks to have impacted other organisations were detailed in the strategy to emphasise the need for action.

Davey said: “Critical national infrastructure is a prime target for those organised crime groups and nation state sponsored actors seeking to cause significant disruption. Notable examples include the 2017 Ukraine ransomware attacks, the 2017 Triton malware attack, the 2020 attack on an Israeli water facility and the 2021 attack on Colonial Pipeline.”

The report further identified the growing intent and capability to target Industrial Control System (ICS) environments.

It said: “Closer to the nuclear sector, the 2020 ransomware attack on the Scottish Environmental Protection Agency (SEPA) illustrated the growing sophistication of cyber attacks which can go undetected by even the most cyber mature organisations. The response to this multi-faceted risk environment must go beyond regulatory compliance towards a holistic risk management approach to cyber; recognising the role of cyber as a business enabler and an organisation-wide responsibility.”

The strategy advocated cyber training and threat briefings for senior executives in the industry and encouraged mentoring schemes to improve the skills and experience of nuclear cybersecurity professionals. It also highlighted the importance of organisational culture to effective cybersecurity practices and endorsed measures to challenge group-think and improve diversity of thought.

The focus on skills in the strategy comes just days after an annual study by the UK government found an “ongoing lack of basic cyber skills among half of all UK businesses”. The report also cited ongoing problems in diversifying the cyber workforce and growing concern within organisations that they lack the skills necessary to manage cyber incidents.

The importance of incident planning and response was highlighted in the civil nuclear cybersecurity strategy. Among the initiatives to address incident management, a sector-wide live cyber incident response exercise is planned with the National Cyber Security Centre, alongside an exercising programme targeted at senior decision-makers.

Specific guidance is to be produced to help organisations in the sector recover from ransomware attacks too. Both the UK’s Information Commissioner’s Office and the National Cyber Security Centre (NCSC) have identified a rise in ransomware-related incidents in the UK in recent months. Consistent with that, 31% of Pinsent Masons’ cyber team caseload over the most recent 12-month period analysed concerned ransomware incidents, up from just 16% in 2020.

The strategy also revealed that the government is considering requiring nuclear power plants to achieve minimum levels of electricity provision to the National Grid.

Publication of the civil nuclear cybersecurity strategy builds on the UK’s overarching cybersecurity strategy issued last year. It has also been released in the aftermath of new guidance from the UK’s Centre for the Protection of National Infrastructure (CPNI) on supply chain security.

Davey said: “Not only may the nuclear sector be deliberately targeted, organisations can be affected by broader supply chain attacks. The far-reaching risks from supply chain attacks were clearly illustrated by the 2020 Trojan attack on software company SolarWinds, and the impact on organisations across various sectors.”

In advice to business leaders, the CPNI said: “Supply chain attacks can result in the compromise of entire organisations and pose a potentially terminal risk to businesses. Hostile actors are looking for vulnerabilities in organisations of every size across a broad range of sectors.”

“Supply chains are not just compromised by cyber-attacks. An insider can provide damaging access and insight, or organisations could be unwittingly handing over parts of their business to a state-controlled organisation through offshoring or foreign direct investment in their suppliers. By giving suppliers access to information without setting expectations about how it should be protected, you are exposing your business to a range of security threats,” it said.

“Act now to develop your supply chain security, avoid business disruption, and protect your business,” it said.