CS Mar-Apr 2024

More documents

Recommendations

Info

energy industry GONE NUCLEAR SECURITY ISSUES AT UK CIVIL NUCLEAR FACILITIES HAVE BEEN ON THE UP, WHILE INSPECTION LEVELS FALL AWAY. HOW VULNERABLE IS THAT LEAVING THE UK TO ACCIDENTS OR WORSE? The number of formal reports that document security issues at the UK's civil nuclear facilities has hit its highest level in at least 12 years amidst a decline in inspections, according to The Guardian newspaper. Experts say that the worrying news raises concerns about the regulator's capacity to cope with planned expansion in the sector. How serious might the problem be? Very, it would appear, considering a total of 456 incident notification forms documenting security issues at UK nuclear facilities were submitted to the Office for Nuclear Regulation (ONR) during 2021 alone. That is according to information obtained by The Guardian and investigative journalism organisation Point Source. This is 30% higher than the 320 reports filed during the whole of 2020 and more than double the 213 reports that were filed in 2018. Incidents include physical security issues, such as unauthorised people gaining unsupervised access to secure areas, as well as cybersecurity issues such as attacks by malicious software. Dr Paul Dorfman, the chair of the Nuclear Consulting Group and a former secretary of the government's committee examining radiation risks of internal emitters (Cerrie), says operators and the regulator needed to take action to address the rise in reported incidents. "The higher number of security issues that we are seeing documented at nuclear facilities is extremely concerning. These figures seem to show a relaxation in security standards when it comes to the operation and regulation of sites that have the potential to cause great human and environmental harm. When the stakes are so high, it is important that ONR takes all these security incidents seriously, looks at why they happened, tries to address the relevant issues, and reduces the number of incidents that are occurring." He adds: "The broader picture raises significant concerns about ONR's technical and human capacity to regulate and monitor what is potentially a very risky industry. This is especially concerning in the context of the UK's ageing nuclear fleet as well as the new-build plans the govern-ment is currently pushing." During 2021, there was an increase in the number of "moderate" security incidents reported, according to the data obtained from the ONR using freedom of information legislation. Over the year, 42 security incidents documented were rated as "moderate", up from the 24 moderate 26 computing security March/April 2024 @CSMagAndAwards www.computingsecurity.co.uk
energy industry incidents in 2020 - the highest number recorded in at least 12 years. Moderate is the second-most severe category and is described by the ONR as an incident where there has been "a significant departure from expected standards". The rising number of reported incidents comes amid a fall in security inspections carried out by the regulator. There are concerns that during 2021 the frequency of nuclear security inspections carried out by the ONR may have fallen to its lowest level in at least four years. Data obtained in a separate freedom of information request shows that in 2021, up to 17 December, just 136 security inspections had been carried out by the ONR, down from the full-year figure of 144 in 2020 and 169 in 2019. Information security inspections are among the types to have seen the biggest decline, with only 40 carried out in 2021 up to 17 December, down from 74 over the whole of 2020. Dorfman said this was particularly worrying, given the growing risk of cyberattacks on nuclear infrastructure. "There is no question that nuclear is operating in an increasingly dangerous and unstable world where the threat of statesponsored or non-state cyber-attacks is increasing." In a statement, the ONR commented: "We welcome the increase in reported events, as our analysis indicates that this reflects improvements in security awareness and culture across the industry. The vast majority of reported events (80-90%) are minor breaches of security arrangements, which have been proactively reported to us." The regulator also said it believed its engagement with nuclear operators had increased over recent years, despite the decline in official inspections. It added: "The data we provided under freedom of information law relates only to on-site compliance inspections and does not include other assessment work. This separate regulatory scrutiny, which is not represented in the data, is essential to ensure site security arrangements comply with the law and includes site visits to reinforce regulatory judgments." COMPLEXITY OF CRITICAL INFRASTRUCTURE According to Allianz, critical infrastructure systems like those driving power generation, water treatment, electricity production and other platforms are interconnected to form the energy 'grid'. Although beneficial to the public, this grid is vulnerable to cyber-attack by 'hacktivists' or terrorists. Imagine, during a particularly harsh winter, a group of hacktivists spreading panic by bringing down the US power grid, millions of homes and businesses plunged into darkness, communications cut, banks going offline, hospitals closing and air traffic grounded. While such a scenario sounds apocalyptic, it is a realistic threat, according to Idan Udi Edry, chief executive officer at Nation-E, a provider of cyber security solutions that safely allow customers to connect their infrastructure to the internet, thereby enabling them to connect and control critical assets remotely and safely. Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Just decades ago, power grids and other critical infrastructure operated in isolation. Now they are far more interconnected, both in terms of geography and across sectors. As the US power grid scenario highlights, the failure of one critical infrastructure could result in a devastating chain reaction, says Edry. Unsurprisingly, the vulnerability of critical infrastructure to cyber-attacks and technical failures has become a big concern. And fears have been given credence by recent events. In December 2015, the world witnessed the first-known power outage caused by a malicious cyber-attack. Three utilities companies in Ukraine were hit by BlackEnergy malware, leaving hundreds of thousands of homes without electricity for six hours. Cyber security firm Trend Micro says the malware targeted the utility firms' SCADA (supervisory control and data acquisition) systems and probably began with a phishing attack. The blackout was followed two months later by the news that the Israel National Electricity Authority had suffered a major cyber-attack, although damage was mitigated after the Israel Electricity Corporation shut down systems to prevent the spread of a virus. The energy sector is one of the main targets of cyber-attacks against critical infrastructure, but it is far from being the only one, of course. Transport, public sector services, telecommunications and critical manufacturing industries are also vulnerable. In 2013, Iranian hackers breached the Bowman Avenue Dam in New York and gained control of the floodgates. Oil rigs, ships, satellites, airliners, airport and port systems are all thought to be vulnerable, and media reports suggest that breaches have occurred. SOARING CYBER-ATTACKS Cyber-attacks against critical infrastructure and key manufacturing industries have soared, according to US cyber-security officials at Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the US government body that helps companies investigate attacks against ICS and corporate networks. It reported a 20% increase in cyber investigations in 2015 and a doubling of attacks against US www.computingsecurity.co.uk @CSMagAndAwards March/April 2024 computing security 27
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6 and 7: news TORSION ANNOUNCES FILING OF PA
Page 8: news Greg Wetmore, Entrust. TIME TO
Page 11 and 12: legal focus GETTING YOUR ACT TOGETH
Page 13 and 14: artificial intelligence stratospher
Page 15 and 16: artificial intelligence "In an intr
Page 17 and 18: Computing Security Secure systems,
Page 19 and 20: 2024 predictions ?? ? actors can so
Page 21 and 22: 2024 predictions ?? ? security is t
Page 23 and 24: iometric cybersecurity the previous
Page 25: data management NEW DATA STATS ARE
Page 29 and 30: ansomware NEW THREAT ACTORS SEND RA
Page 31 and 32: penetration testing I.T. SYSTEMS RE
Page 33 and 34: endpoint protection GETTING STRAIGH

CS Mar-Apr 2024

Create successful ePaper yourself

Delete template?

Save as template?