Session Title | Assuring Cybersecurity throughout the Nuclear Supply Chain

"Nuclear facilities are composed of several complex digital systems, subsystems and components, all of which could potentially provide an attack vector for a cyberthreat to carry out a cyberattack. Prior to the construction of a nuclear power plant (NPP), the supplier of the server for the control system has custody of the design of the control system, as well as the design for the NPP’s computer network. Should a cyberthreat gain access to the supplier’s network, access to this information would greatly simplify the planning of a cyberattack on the NPP.
A cyberthreat could, without detection, maliciously alter the software of the automated instrumentation and control (I&C) systems and perform a cyberattack after the NPP is in operation. Because this logic bomb (set of hidden malevolent instructions) has occurred before the introduction of any cybersecurity controls, the ability to mitigate attacks from the internet or from insiders would no longer be effective.
Given the huge amount of digital systems in a modern NPP facility, many hundreds or even thousands of suppliers can exist at different tiers, or levels, in the supply chain. Each of these suppliers represents a possible attack vector. Numerous examples exist of cyberattacks that have been carried out by exploiting the supply chain in other industries. In fact, some estimates suggest that up to 80% of all cyberattacks originate in some way from exploitation arising from the supply chain (Shackleford, 2015).
One of the challenges in today’s globalized world is that components for sensitive digital assets (SDAs) are often manufactured in other countries. If these arrangements cannot be brought within the oversight of the national nuclear regulatory authorities, then the NPP operator needs to put in place contractual requirements that provide assurance that suppliers at all levels of the supply chain have effective cybersecurity.
When software, physical components and sensitive information are being produced or stored within a State, personnel are typically vetted to establish their trustworthiness and suitability for work with this sensitive material. However, when SDAs are being produced outside of a State, it becomes difficult to successfully vet supplier employees, particularly as one moves down tiers through many different countries.
NPP operators should attempt to ensure that suppliers are carrying out an appropriate process of vetting, such as establishing that the character and background of supplier employees supports their access to SDAs. These actions, where possible, also provide assurance that the operators’ cybersecurity processes satisfy relevant regulations. If the employees of a supplier are not vetted and monitored appropriately, it is more likely that an attack by an insider working for a supplier could take place. If employees of a supplier have access to sensitive digital assets, for example on a cloud computing service, they could damage an organization just as much as an insider within the nuclear organization itself. Alongside vetting, a process of competency assessment also needs to be performed on supplier employees to provide assurance that they are maintaining appropriate cybersecurity.
A graded approach to cybersecurity risk management should be taken in relation to risk arising in the nuclear supply chain. Suppliers should be assessed based on the risk arising if the goods and services they supply compromise the cybersecurity of their client, and appropriate contractual standards and assurance should be put in place to mitigate this risk.
Finished components and software typically undergo a validation process whereby a component or piece of software is checked to ensure it is fit for purpose. Finished components and software also undergo a verification process to determine whether they meet their design specifications. These processes help to ensure that components and software are fit-for-purpose and have been designed correctly. They also provide assurance that the components and systems are not counterfeit. If the operator successfully carries out these processes, it becomes significantly more difficult for cyberthreats to introduce malware through the supply chain.
Validation and verification are generally undertaken regardless of cybersecurity concerns. For example, the software controlling a flow control system is tested to assure its performance in safety-related situations. Even testing with no focus on cybersecurity could catch malicious alterations to the software that impact safety performance. Incorporating an extra step focused on cybersecurity during this existing validation and verification process would provide assurance to the operator that the software does not contain any malicious code or backdoors (hidden code that allows cyberthreats to bypass security controls and gain a foothold in an organization moving laterally or escalating privileges).
As the supply chain moves downward and the components become simpler with less opportunity to hide malware, this extra step of focusing on cybersecurity becomes less important and ultimately becomes unnecessary.
An NPP operator may choose to only procure goods and services from suppliers that have been accredited by a trusted external organization. However, the operator then has to be assured that the accrediting organization is performing this process correctly and to a high standard.
One difference between a safety-focused process of validation and verification and a cybersecurity-focused process is the risk that components and software will be over-engineered. As more functionality and features are added to software and components, there is an increased chance for cyberthreats to hide malicious software and impair functionality or for suppliers to create unnecessary attack vectors. Suppliers often provide components with wireless functionality that has many benefits for industrial use but is completely inappropriate for systems significant for safety in a nuclear facility.
Operators need to use the process of validation and verification to provide assurance that the components are suitably hardened; in other words, that the components perform the intended purpose and that any unnecessary functionality is removed. Alongside hardening of OT systems, this process should also be performed on IT systems. For example, the email functionality on computers could be removed to eliminate the risk that employees will fall victim to phishing emails."