UK government sets out new nuclear cybersecurity strategy

The UK government has announced cybersecurity plans for the nation’s civil nuclear sector as part of its National Cyber Strategy 2022. The UK government stated its aim to build a comprehensive understanding of current sector cybersecurity strengths and challenges with key objectives to be achieved by 2026.

UK government seeks collaborative approach to nuclear cybersecurity

In 2022 Civil Nuclear Cyber Security Strategy, the UK Government outlined its goal of creating a UK civil nuclear sector which effectively manages and mitigates cyber risk in a collaborative and mature manner, with resilience in responding to and recovering from incidents and an inclusive culture for all. “The nature of cyberspace and the challenges faced mean that this strategy cannot be delivered by any organisation alone and has therefore been developed jointly with leaders from public and private sector civil nuclear organisations, the Office for Nuclear Regulation, and the National Cyber Security Centre. Its success hinges on joint delivery and continued cooperation across all partners,” the report read.

Greg Hands, minister of state for energy, clean growth and climate change, Department for Business Energy and Industrial Strategy, wrote, “This vision cannot be achieved by any organisation in isolation, so I am delighted that the strategy has been developed and endorsed jointly with UK civil nuclear organisations, the Office for Nuclear Regulation and the National Cyber Security Centre. I look forward to working together with them to strengthen the cyber security of the UK’s civil nuclear sector.”

As the cyber threat landscape and digital technologies continue to evolve, it is crucial that the sector takes a step change to stay ahead of the curve, Hands added. “Managing cyber risks requires a whole-of-organisation effort, underpinned by strong regulation, supported by sector-wide collaboration, and a positive security culture. The commitments set out in this strategy seek to collectively deliver that shared ambition, ensuring that the UK’s civil nuclear sector will continue its legacy long into our net zero future.”

Plans build on existing nuclear cybersecurity strategies, introduce four new objectives

The new plans build on existing understanding surrounding nuclear cybersecurity and introduce four key objectives which the sector should achieve within the next four years:

• Appropriately prioritise cybersecurity as part of a holistic risk management approach, underpinned by a common risk understanding, and outcome-focused regulation.
• Take proactive action to mitigate supply chain cyber risks in the face of evolving threats, legacy challenges, and adoption of new technologies.
• Enhance resilience by preparing for and responding collaboratively to cyber incidents to minimise impacts and recovery time.
• Collaborate to increase cyber maturity, develop cyber skills, and promote a positive security culture.

These objectives will be delivered via several priority and supporting activities and overseen by a programmatic approach to delivery, the report added. These include:

• Cyber Adversary Simulation (CyAS) assessments and other threat informed testing activities across the sector’s critical IT and OT systems
• Baseline cybersecurity standards for the civil nuclear supply chain
• A sector-wide live cyber incident response exercise with the National Cyber Security Centre, alongside an exercising programme targeted at senior decision-makers
• Collaboration across the sector on third party and component assurance and management
• Working with developers of advanced nuclear technologies to support cybersecurity by design