UK updates strategy to harden nuclear sector from cyberattacks
The UK on Friday released new plans to address the cyber risks to the country’s civil nuclear sector as the government helps orchestrate a shift towards net-zero carbon emissions.
In October 2021, the UK government published a lengthy policy paper outlining the critical strategies needed to remove carbon from energy sources by 2050. According to the document, Secretary of State for the Department for Business, Energy & Industrial Strategy (BEIS) Hon Kwasi Kwarteng predicted that the net-zero plans will support 440,000 jobs by 2030. However, as described in a press release from BEIS on Friday, the growth of the civil nuclear sector puts it at greater risk of cyberattacks from state-backed threat actors.
The strategy outlines four key objectives for the sector to meet by 2026: prioritizing cybersecurity management through outcome-focused regulation, proactively acting to mitigate cyber threats, minimizing recovery time by responding cohesively to cyber incidents, and collaborating within the sector to advance cyber skills and a positive security climate.
Given the rapid digitalization of the UK’s critical infrastructure — including the civil nuclear sector — and the heightened complexity and aggressiveness of cyber threats, the strategy calls on leaders to drive investments, resources, and commitments in cybersecurity. The government estimates that each organization must devote 5-10% of annual change capacity to cyber resilience to meet the marker of successful strategies.
The policy document goes into detail about the roles of each organization involved in the effort, including government organizations, supply chain management firms, and nuclear organizations. Additionally, the strategy provides annual benchmarks and a year-to-year roadmap of industry priorities — by the end of 2023, there should be an incident response exercise program targeted at the Senior Information Risk Owner (SIRO) level and a comprehensive review of Design Basis Threat (DBT) cyber planning assumptions, for example.
The U.S. has also set a long-term goal of reaching net-zero carbon emissions by 2050 and published a cybersecurity framework specific to the country’s nuclear sector in May 2020. However, given the rise of cyberattacks amidst the Ukrainian crisis, CISA has frequently updated its protocol to extend across all organizations within the private and public sectors. Similar to the UK strategy, it emphasizes proactive planning and collaboration between organizations.