Reconceptualizing Nuclear Security Culture: Evolving Cyber Vulnerability

As pivotal as the use of nuclear technology is, so is its abuse. In this context, the term ‘abuse’ refers to attempts to acquire illegal access to nuclear or radioactive material and related technology for malicious activities. To strengthen the physical protection of nuclear technology, the term ‘Security Culture’ was introduced in the year 2000 during a discussion to revise the Convention on the Physical Protection of Nuclear Material (CPPNM). Since then, security culture along with safety culture remains a basic principle of the International Atomic Energy Agency IAEA’s Code of Conduct for Safety & Security of Radioactive Sources. The Hague Communiqué of 2014 listed nuclear security culture as the first of its three pillars of nuclear security, while physical protection comes second and is the underlying one.

Nuclear security refers to the prevention of unauthorized access, transfer, use and commission of all other illegal acts involving nuclear fissile material, radioactive substances and their concerned facilities; thus, it deals predominantly with the physical protection of all concerned material and equipment. Nuclear security culture refers to the set of means, actions, customs, regulations and measures taken to strengthen nuclear security; it is characterized by the duties and responsibilities of personnel, organizations, states and the international community. The concept of nuclear security culture is widely understood as dealing with the prevention of ‘unauthorized physical control over nuclear power’. With increasing cyber-vulnerability and frequency of cyber-attacks on nuclear facilities, there is a dire need to shed more light on the cyber domain of nuclear security.

With continued stress on physical protection, cyber attacks – despite being a major contemporary threat to information and data regarding nuclear technology and operations – remain outside the realm of nuclear security culture. Sabotage and accidental events are examples of major risks posed by cyber attacks on any nuclear facility. Such attacks could cause a range of problems, from disabling whole reactor to causing calamitous radiation release. As crucial as the possession of nuclear technology is, establishing a control system is equally vital, thus making it the utmost priority to be included as a necessary aspect of nuclear security culture.

A security framework is as successful as its ability to detect, prevent and counter each and every existing threat in time. Physical protective measures taken by nuclear technology authorized states against terrorist attacks are satisfactory enough and regulated according to the need. On the contrary, cybersecurity has given due importance to emerging cyber vulnerabilities, yet it has not been made a substantial aspect of nuclear security culture. The rise in the number of global cyber breach events, whether successful or not, underscores the urgency of re-strategizing nuclear security culture while adding the cyber domain to the sphere. There are a number of diluting facts which promote cyberspace inclusion in nuclear security culture. For instance, this security culture itself promotes operators’ and an organizational role in security plan implementation. Concurrently, according to the Stimson Center’s Nuclear-Cybersecurity Workshop Report 2018, the frontline dealers of cyber threats are the operators and internal administration of a facility. Thus, these are the people who better understand the vulnerabilities of their own system, as compared to outside regulators; this creates the basis for including cybersecurity in nuclear security culture.

This month, India confirmed a cyber attack on the Kudankulam nuclear power plant. Although Indian authorities claim that only the administrative system was breached while the control system stands alone and perfectly air-gapped, what if still some crucial information has been compromised in the attack? Are the air-gaps reliable enough in growing digitized systems? We are not unaware of cyber attacks such as Stuxnet (Iran) or Sony Hack (South Korea KHNP) from recent past. What is more beneficial in the event of such a security breach: maintaining transparency or keeping the secrecy?

Recent evidences of cyber threats demonstrate an inconsistent approach towards ensuring cybersecurity, primarily due to consideration for reputations. Nuclear terrorism is taken as a common threat, and cyberattacks must be dealt with similarly. Although the international community through various reports and workshops insisted upon collaboration in the cyber security of nuclear facilities, yet there is a reluctance to share information and take collaborative measures; this limits understanding of patterns that can be identified to counter cyber threats. Nuclear facilities with the least cyberattack exposure stood more vulnerable to potential threats; experienced facilities can help mitigate the threat by sharing relevant prevention and security enhancing information. For this purpose, joint cyber risk management exercises, workshops and reports could also be advantageous.

It is due to the rarity and unsuccessful attempts of cyber attacks that a facility can only learn with experience. To better tackle the issue, cyber drills are a way of practicing responses to attacks in a controlled environment. The facility can generate cyber exercises under the supervision of the IAEA, which would help in predicting the nature of the expected attack and elevating the plant’s capability to respond effective.

An organizational approach, promoted under the IAEA’s security culture for physical protection, is also applicable in enhancing cybersecurity in the nuclear industry. Training cyberspace operators, IT system managers and control system operators within each nuclear facility is highly recommended. Furthermore, nuclear security promotes operator-regulator interface to make an account of nuclear security matters. It is required in related cybersecurity matters as well.

Cyberspace, as an area potentially vulnerable to threat in the nuclear industry, is an integral domain of security assurance. Where the physical security system of nuclear technology is responsibly made highly impenetrable around the globe, information and data related to its control system and proper functioning still seems to be accessible. The absence of cyberspace from nuclear security culture is not only a sign of inconsistency in cybersecurity efforts by states, but also depicts the ignorance of the international nuclear regulatory authority towards cyber vulnerability. To better counter the cyber abuse of nuclear technology, there is a need to revise nuclear security culture and assimilate cyberspace vulnerability as a substantial sector.