The issues and concerns related to cybersecurity, especially in the nuclear industry, seem to grow larger with every working day. As soon as one threat is dealt with, a new one emerges. As a result, the resources, personnel, and hardware and software required to deal with this constantly changing environment are becoming increasingly costly. Software and hardware are constantly evolving, which requires frequent upgrades to stay ahead of those with malicious intent. Because of all these needs, company executives are not overly happy when the cybersecurity group is constantly seeking additional funding for its work. They also recognize that while security is costly, a successful attack can be the end of the company. It is a true dilemma for those in the C-suite in our nuclear organizations.
What can we do to strengthen the defenses of our digital systems in the industry? As system administrators, here are a few general thoughts to keep in mind:
1. Informed executives feel more comfortable providing resources for something they understand. (Educate your management, because you will eventually need a champion.)
2. Hire people who have training and experience in cybersecurity. Establish procedural guidance about how your cybersecurity organization works.
3. Evaluate every digital device within your organization for vulnerabilities.
4. Evaluate every digital purchase and include cybersecurity in the specifications. (It is not a bargain if it introduces a cybersecurity risk, and the supply chain is a major threat vector.)
While no cybersecurity system is invulnerable, these are some general areas to think about to help thwart the ‘bad guys’. Most companies, especially small businesses, will base cybersecurity spending on what they can afford. However, in regulated industries such as ours, the amount you spend will be driven by the regulator’s requirements. The regulator will usually audit your program to ensure it meets their standards. If you are not up to par, then you must spend what it takes to comply or shut down.
Nuclear stations in America are leading the power industry in cybersecurity efforts. The Nuclear Regulatory Commission (NRC) determines the cybersecurity requirements that nuclear power plants must follow. The cost of implementing NRC regulations is not a consideration for the regulator, which is concerned only that the nuclear stations are operated safely.
Even though the NRC defines the cybersecurity regulations, the nuclear industry has to think through every one of the requirements to determine the least costly way to meet them. Operators have a responsibility to save money for their customers, provide for their investors, meet the NRC regulations, and at the same time operate the plant safely. This can be a difficult balance to attain, especially in a constantly evolving cybersecurity environment where a policy or mitigation technique can be effective one month but not the next. Responsibilities to stakeholders are important, but the ultimate responsibility is the safety of our society.
If you would like to start an exciting new career in cybersecurity, the NCI offers programs and courses to get you started.