Cybersecurity of Civilian Nuclear Infrastructure | IGF 2023 WS #220
Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.
Session report
Full session report
Giacomo Persi Paoli
The Open-Ended Working Group (OEWG) was established to ensure greater visibility and active participation in discussions dealing with international cybersecurity. It has had six iterations, with each iteration involving approximately 20 countries, including the permanent members of the Security Council. The OEWG is seen as more transparent, as everything is open to the public. Furthermore, if consensus isn’t reached on a report, the chair has the authority to publish a summary.
The OEWG has focused on the protection of critical infrastructure, which has been a prevalent subject of discussion. As part of the framework for responsible state behaviour in cyberspace, critical infrastructure is a focal point of multiple norms. States are called to protect their own critical infrastructure and are encouraged not to target the critical infrastructure of others. International assistance is also encouraged for states whose critical infrastructure is targeted by cyber attacks.
However, the OEWG may not be the right forum for detailed discussions on how general norms apply to specific sectors or types of infrastructure. It is viewed as more suitable for discussions on evolving threats, norm implementation, and international impact. There is a need for a dedicated forum to discuss the implementation of general purpose norms for cyber nuclear security. Discussions within the OEWG have covered various aspects of critical infrastructure, such as medical infrastructure, energy, and financial sectors. However, the limited time available has made it challenging for states to deeply explore any of these topics.
Concerns regarding threats to civilian nuclear infrastructure by cyber operations are growing, as states have flagged their increasing concerns over cyber threats to the Secretary General. Cyber attacks have also been on the rise during the pandemic, affecting all sectors of society, including critical infrastructure.
The private sector can play a significant role in helping states develop cyber resilience. The private sector has capacities and capabilities that can contribute to enhancing cyber resilience efforts. Public-private partnerships have been suggested as a tool to increase cyber resilience and have been flagged as a way forward.
In conclusion, the OEWG serves to enhance visibility and participation in discussions on international cybersecurity. It has addressed the crucial issue of critical infrastructure protection. However, it may not be the ideal platform for discussing specific sectors or types of infrastructure. The need for a dedicated forum for discussing the implementation of general purpose norms for cyber nuclear security has emerged. Concerns about threats to civilian nuclear infrastructure by cyber operations are growing, and the involvement of the private sector in developing cyber resilience is seen as significant. Public-private partnerships are also being considered to increase cyber resilience.
Rowan Wilkison
Concerns have been raised regarding the security failures within the IT networks of nuclear plants. These concerns arise from the potential harm and disastrous outcomes that could result from such failures. It is imperative to address these shortcomings and take measures to prevent any adverse consequences.
The modernization of cybersecurity and civilian nuclear infrastructure is seen as a high priority in mitigating the risks associated with these security failures. This would involve implementing advanced and robust security measures to safeguard the IT networks of nuclear plants. By prioritising the improvement of cybersecurity, the likelihood of breaches and potential threats can be significantly reduced.
Furthermore, gaining a better understanding of the threat landscape is crucial. This entails identifying potential vulnerabilities and weak points within the IT systems of nuclear plants and staying updated on the latest cyber threats. By doing so, appropriate measures can be taken to prevent any breaches or malicious activities.
It is worth noting that these issues align with various Sustainable Development Goals (SDGs). Specifically, they relate to SDG 9 – Industry, Innovation and Infrastructure, as the modernisation of cybersecurity and civilian nuclear infrastructure falls within the scope of enhancing industry and infrastructure. Additionally, these concerns also relate to SDG 13 – Climate Action, as the disastrous outcomes of security failures within nuclear plants can have severe environmental implications because of the radiation that could be released.
Moreover, the issues raised have implications for SDG 16 – Peace, Justice, and Strong Institutions. By addressing the security failures in nuclear plant networks, stronger justice systems and institutions can be established to ensure the safety and security of critical infrastructure. This, in turn, contributes to promoting peace and stability.
In conclusion, the concerns surrounding security failures in IT networks of nuclear plants highlight the need for immediate action. Modernizing cybersecurity and civilian nuclear infrastructure is crucial not only for the industry but also for addressing environmental concerns and maintaining peace and justice. By prioritising these areas and adopting proactive measures, the risks posed by security failures can be effectively mitigated.
Priya Urs
The analysis examines the issue of cyber operations targeting civilian nuclear infrastructure within the framework of international law. The first argument highlights the absence of specific rules in international law that directly address cyber operations on civilian nuclear infrastructure. While states recognize the importance of protecting civilian nuclear infrastructure as critical infrastructure against cyber operations, there is a lack of concrete legal protections.
The second speaker argues that while general rules of international law, including treaties and customary international law, may potentially apply to this context, their specific application presents challenges. These general rules encompass aspects such as the use of force by states, the prohibition of intervention in another state’s affairs, respect for state sovereignty, and the due diligence obligations of states. However, it is important to note that these rules were not designed with cyber operations in mind.
The third and fourth arguments focus on the prohibition of intervention, a principle agreed upon by states, but with variations in the definition of activities that constitute intervention. The generally accepted requirements for intervention to be deemed unlawful are that it must address the internal or external affairs of a state and that it should coerce the targeted state. However, there are disagreements among states regarding the specific activities that fall under this prohibition.
The fifth speaker emphasizes that a cyber operation that disrupts the production of nuclear energy can be seen as coercive and may therefore constitute unlawful intervention. This reflects the belief that if a state adopts a policy regarding the generation of nuclear energy, a cyber operation that disrupts its production would be deemed coercive and thus unlawful.
On the other hand, the sixth speaker argues that cyber operations such as surveillance or data breaches may not be perceived as coercive since they do not directly hinder a state’s policy implementation. These types of operations, which do not interrupt the implementation of a state’s policy, may not be considered unlawful intervention.
The analysis also highlights the importance of preventative measures in cybersecurity and the need for legal accountability. It emphasizes the significance of addressing the cybersecurity problem from multiple angles, including proactive measures and holding accountable those responsible for incidents.
In conclusion, the analysis underscores the lack of specific rules in international law regarding cyber operations on civilian nuclear infrastructure. While general rules of international law may have some relevance, applying them in the context of cyber operations poses challenges. The debate surrounding the definition and scope of intervention further complicates the issue. The analysis also emphasizes the complexity of distinguishing between coercive and non-coercive cyber operations. Finally, it underscores the necessity of comprehensive cybersecurity measures and legal accountability in addressing this complex issue.
Talita Dias
Increased cyber and nuclear risks present a significant threat to national security and global stability. Cyber operations are targeting critical sectors such as healthcare and energy, as well as civilian and military nuclear systems worldwide. It is urgently necessary to develop international technical standards, rules, principles, and non-binding norms to ensure the cybersecurity of civilian nuclear infrastructure. This is particularly crucial given the growing use of small modular reactors and artificial intelligence, which could expand the potential targets for cyber operations.
The International Atomic Energy Agency (IAEA) plays a vital role in this area by providing guidance and recommendations for computer security measures. They also conduct ongoing security audits and assessments to detect vulnerabilities and offer training sessions for nuclear facility operators. However, there is some debate surrounding the binding nature of the IAEA’s recommendations.
To enhance cyber resilience, it is essential to foster multi-stakeholderism and public-private partnerships. The private sector’s involvement in assisting states in building their cybersecurity capacities is recognised, and public-private partnerships are seen as a robust strategy for enhancing the cyber resilience of member states.
One area of contention involves determining what constitutes intervention in the cyber landscape regarding civilian nuclear infrastructure. Understanding the threat landscape in both the cyber and nuclear sectors is critical, as accidents within the nuclear sector can have significant consequences.
Improved dialogue between the cyber and nuclear sectors is necessary to effectively address these risks. Through dialogue, stakeholders can exchange knowledge and best practices, identify potential gaps in cybersecurity measures, and collaborate on developing effective strategies to mitigate cyber threats.
The need for specific cyber nuclear norms, rules, or best practices is currently being debated. The current feedback on this issue indicates a score of 6.4, highlighting the ongoing discussions and varying perspectives on the necessity of such measures.
In conclusion, the increasing cyber and nuclear risks pose significant threats to national security and global stability. Developing international technical standards, rules, principles, and non-binding norms is crucial to safeguarding the cybersecurity of civilian nuclear infrastructure. Collaboration between stakeholders, including public-private partnerships, is necessary to enhance cyber resilience. Clarifying the prohibition on intervention in the cyber landscape and understanding the threat landscape in both the cyber and nuclear sectors are key areas of focus. The necessity of cyber nuclear specific norms, rules, or best practices is subject to ongoing debate and discussions.
Tomohiro Mikanagi
The interpretation of sovereignty in relation to cyber attacks varies among different countries. The UK does not see any standalone obligation arising from sovereignty apart from the non-intervention rules, while France views any cyber operation causing an effect within its borders as a violation of sovereignty. The US, Germany, and Japan believe a certain level of harmful effect needs to be caused in their territory for it to be considered a violation of sovereignty.
In terms of cyber attacks targeting nuclear facilities, it is argued that they could have severe effects and are likely to be considered unlawful under international law. Mikanagi believes that there needs to be a consensus on what constitutes a harmful effect in a cyber attack in order to determine if a violation of sovereignty has occurred. Additionally, the due diligence obligation in international law is not clearly defined, leading to uncertainty among states as to whether this obligation applies to cyber operations.
Furthermore, there is no clear application for the territorial state’s due diligence obligation in the area of nuclear security, and discussions on this matter are ongoing.
The existing Convention on the Physical Protection of Nuclear Materials could potentially cover sabotage through cyber attacks, despite not explicitly mentioning cybersecurity. Given this, it may be more feasible to discuss cyber security issues related to nuclear facilities within the context of established conventions such as this one.
Overall, the varying interpretations of sovereignty and the lack of consensus, clarity, and application of international laws and conventions contribute to the complexity of addressing cyber security issues effectively.
Michael Karimian
The tech sector plays a central role in providing digital solutions for safety, security, and everyday processes, including nuclear systems. It provides ICT infrastructure that is crucial for these purposes. However, the tech sector’s involvement also increases the risk of cyber threats due to the many entry points into its IT systems. Therefore, it is essential for the tech sector to prioritize cybersecurity by design.
One of the main arguments concerns the ever-evolving threat landscape. Continuous advances in technology produce a constantly changing and increasingly sophisticated threat landscape. Thus, the tech sector must prioritize cybersecurity measures to combat these threats effectively.
Continuous innovation and transparency in threat sharing are also considered crucial. Actively researching and sharing threat intelligence is essential to stay ahead of cyber threats. By engaging in innovation and sharing information, the tech sector can contribute to creating a safer online environment.
Education and training in cybersecurity are also highlighted. Tech companies can provide guidance on cybersecurity best practices, contributing to the education of individuals and organizations in protecting themselves against cyber threats. This emphasizes the importance of quality education and training for ensuring cybersecurity.
The significance of multi-stakeholder engagement and collaboration in addressing cybersecurity challenges is underscored. Collaboration between the tech sector, governments, civil society, and other companies is seen as essential to effectively tackle cybersecurity issues. By working together and sharing knowledge and resources, it becomes easier to address the complex nature of cyber threats.
Microsoft’s stance is mentioned, as they believe in proactively taking steps to address cybersecurity risks. As part of their commitment, they are involved in initiatives like the Cyber Security Tech Accord, which aims to improve cybersecurity across the industry. Microsoft’s active involvement showcases the importance of industry leaders taking responsibility and actively addressing cybersecurity challenges.
Basic cyber hygiene practices are also highlighted. It is mentioned that good yet basic cyber hygiene can significantly reduce the risk of cyber threats. This includes practices such as protecting user identities, applying updates as soon as possible, using advanced anti-malware, enabling auditing resources, and preparing incident response plans. Following these practices allows individuals and organizations to mitigate many cybersecurity risks.
In terms of technology solutions, cloud-based systems are recommended over on-premises systems for better cyber protection. Cloud-based systems offer holistic, adaptive, and global cyber protection that is harder to achieve with on-premises systems.
Lastly, the summary emphasizes the importance of adherence to general guidance for cybersecurity across all sectors, including the nuclear sector. Protecting user identities, applying updates as soon as possible, using advanced anti-malware, enabling auditing resources, and preparing incident response plans are considered essential for all sectors. The International Atomic Energy Agency’s guidelines align with this general guidance, further emphasizing the importance of adherence to cybersecurity measures across sectors.
Overall, the summary highlights the tech sector’s importance in providing digital solutions for safety, security, and everyday processes. It emphasizes the need for prioritizing cybersecurity by design, continuous innovation and transparency in threat sharing, education and training, multi-stakeholder engagement and collaboration, adherence to basic cyber hygiene practices, and the use of cloud-based systems. These measures are crucial to mitigating cyber threats and creating a secure online environment.
Marion Messmer
The analysis explores the topic of cybersecurity risks in nuclear facilities and their potential impact. It highlights that cyber attacks can target civilian nuclear facilities either due to their specific role in nuclear systems or their importance to a country’s power supply. Given that nuclear power plants are a crucial part of a nation’s energy infrastructure, any disruption or compromise can have significant consequences.
The analysis notes that awareness of these risks has evolved over time, indicating a need for improved security measures. It mentions that older nuclear power plants initially believed they were safe from cyber threats due to their bespoke IT infrastructure. However, as plants updated and integrated off-the-shelf IT systems, they also had to incorporate cybersecurity measures. Consequently, new regulations and training procedures were required to address these emerging risks.
Moreover, the addition of cybersecurity concerns to the nuclear energy sector, where physical safety has always been of utmost importance, has changed the game. This realization of cyber threats has caused worry among many individuals and organizations involved in the nuclear energy sector.
The analysis also highlights the risks and opportunities presented by new developments in the nuclear sector, such as small modular reactors and microreactors. While these developments can provide a stable power supply to remote regions, they also increase the risk due to the presence of more reactors. The diversification and length of the supply chain in these systems can introduce cybersecurity vulnerabilities. However, the analysis emphasizes that newer reactors are designed with a focus on safety, and awareness of cybersecurity in these systems is more advanced than before. Advancements in design and operator training contribute to reducing the potential risks associated with these developments.
Notably, the war in Ukraine has brought new risks to civilian nuclear infrastructure. The analysis mentions the Zaporizhzhia power plant in Ukraine, which has been directly affected by the conflict. Regular physical and cyber attacks on the power plant underline the vulnerability of such infrastructure during times of conflict. The analysis also notes that managing these risks requires particular attention to potential disruptions to the cooling system for the reactors. A disconnection from the grid, for example, could interfere with the cooling system, leading to a reactor meltdown. Backup generators have been put in place at the Zaporizhzhia power plant to ensure that cooling can still occur.
The International Atomic Energy Agency (IAEA) has had a positive impact by actively supporting the personnel operating the power plant. Their monitoring and actions have played a crucial role in mitigating risks. It is evident that their involvement is essential in maintaining the security and safety of nuclear facilities.
Additionally, the analysis emphasizes the importance of addressing environmental, health, reputational, and equipment risks associated with nuclear energy. While it may be challenging to determine the exact likelihood of these risks, the potential severe outcomes warrant preventive measures.
Marion Messmer, a noteworthy figure referenced in the analysis, offers insights into the topic. Messmer finds reassurance in the current safety operations and mitigating actions being taken, particularly in the case of the Zaporizhzhia power plant. This implies that efforts are being made to address the risks involved in nuclear facilities caught in conflicts. Furthermore, Messmer highlights the significance of reactor design in reducing the likelihood of a Chernobyl-like incident.
It is essential to consider potential scenarios as nuclear energy becomes more prevalent due to the energy transition. Conflicts involving power plants could increase, necessitating effective management strategies for such situations.
Lastly, the analysis raises concerns about putting reactors underwater, as even small modular reactors can pose severe consequences for the environment in the event of a radiological incident. While the idea of hiding reactors underwater may seem appealing, the potential spread of radiation due to water mixing remains a significant risk.
In conclusion, the analysis provides a comprehensive overview of cybersecurity risks in nuclear facilities. The increasing awareness of these risks has led to improved security measures and regulations. New developments in the nuclear sector offer both opportunities and risks, which are being addressed through advancements in design and operator training. The war in Ukraine and the associated risks to civilian nuclear infrastructure highlight the need for managing potential disruptions to cooling systems. The involvement of organizations such as the IAEA has proven valuable in mitigating these risks. Additionally, the analysis emphasizes the significance of preventive measures to address environmental, health, reputational, and equipment risks in the nuclear energy sector. Marion Messmer’s insights further contribute to the discussion, emphasizing the importance of safety operations, reactor design, and effective management strategies.
Tariq Rauf
The International Atomic Energy Agency (IAEA) has issued more than 30 documents providing guidance and recommendations on nuclear security. These documents primarily focus on the integrity of the control systems, containment and control of nuclear materials, and ensuring the safety of nuclear facilities. The IAEA plays a significant role in promoting nuclear security.
However, the primary responsibility for nuclear security lies with states and operators. While international conventions like the Convention on the Physical Protection of Nuclear Material do exist, states and operators are responsible for ensuring the security of their nuclear facilities. The Convention primarily focuses on nuclear security and aims to protect nuclear material during international transport.
Cybersecurity is a crucial aspect of nuclear security and safety. A malicious cyber attack can lead to serious consequences, including the compromise of the cooling system of a nuclear facility. There have been incidents suspected to be caused by cyber attacks that have resulted in leaks in the cooling system of operating nuclear facilities. It is crucial to implement robust cybersecurity measures to prevent, respond to, and recover from such attacks.
Small modular reactors (SMRs) and sealed reactor units are seen as more secure options compared to larger nuclear power plants. SMRs are compact and have sealed reactor units that do not require frequent refueling. This enhances their security and reduces the risk of accidents or material misuse.
The IAEA plays a pivotal role in providing IT security guidance to nuclear facilities. It collaborates with its member states to produce comprehensive cybersecurity measures, which include defense in depth approaches, risk assessment, security policies and procedures, access controls, network security, and incident detection and response protocols.
Capacity building and international cooperation are essential elements in improving nuclear security. The IAEA facilitates capacity building by conducting training sessions at various locations to enhance the skills of nuclear facility operators. It also encourages participation in security audits and assessments to discover new vulnerabilities.
While the Convention on the Physical Protection of Nuclear Material (CPPNM) is an important international instrument for nuclear security, it is not universally binding. Only countries that have acceded to the CPPNM are subject to its provisions. However, the CPPNM amendment in 2005 extended its scope to cover nuclear materials in peaceful uses, domestic storage, and transport.
There is significant concern regarding the potential risks associated with cyber attacks on nuclear facilities. Fukushima and Chernobyl disasters have highlighted the transboundary effects of nuclear accidents. The release of radiation resulting from cyberattacks on nuclear facilities is a major concern. Balancing the protection of national sovereignty and the prevention of widespread radiation is a challenging task.
It is argued that every nation, especially those with nuclear power plants, should accede to the CPPNM to promote international safety. Iran, for example, operates a nuclear power plant but has not yet acceded to the convention. After the Fukushima accident, there were efforts to make the CPPNM mandatory for all 31 states that operate nuclear facilities.
The involvement of the private sector in nuclear security is increasing. International organizations like the IAEA are interacting more with industry, which provides expertise and technology solutions to enhance overall nuclear security efforts.
However, international organizations like the IAEA face the risk of system penetration by state actors. The IAEA deals with highly classified information about the nuclear activities of more than 180 states. State-originated cyber attacks like Stuxnet and Olympic Games on Iran’s enrichment facilities have underscored the need to address this challenge.
Building trust and cooperation with industry is crucial for the IAEA. While the organization has purchased commercial products for managing big data, its IT experts may not match the expertise and capabilities of states. Strengthening cooperation with industry can help overcome suspicion and further enhance nuclear security efforts.
The conclusion drawn from the analysis suggests that the IAEA should have the authority to regulate nuclear security and cybersecurity. An international, legally binding framework for cybersecurity in nuclear facilities is necessary to address the current reliance on national responsibility. Conventions for liability also need to consider damage resulting from cyber incidents at nuclear facilities.
Overall, the summary highlights the importance of nuclear security, the role of the IAEA and international conventions, the need for robust cybersecurity measures, and the challenges posed by cyber attacks. It emphasizes the significance of trust, cooperation, and capacity building to enhance nuclear security and promote international safety.
Session transcript
Talita Dias:
Today, this afternoon, entitled Cybersecurity of Civilian Nuclear Infrastructure. This session is being co-hosted by Chatham House, as well as Microsoft, and the University of Oxford. It’s a real pleasure to be with you all today, both in person and online. Special thanks to all those of you who are joining us from different time zones, especially six or seven hours behind, especially our online speakers. Thanks so much for joining us, for being with us today. What I’m going to do in two and a half minutes is really go through our run of show, to take you through what we’re going to cover today, and introduce our brilliant, our stellar line-up of speakers for this afternoon. My name is Talita Dias. I am the Senior Research Fellow on the International Programme at Chatham House. This session is being co-hosted with my brilliant colleague, Rowan Wilkinson, who is sitting by my side, who is the Programme Assistant at Chatham House’s Digital Society Initiative, and the International Law Programme, who is an expert in tech policy. What I want to do now is talk a little bit about this topic, to give you a little bit of an overview, to set the scene, and to really speak to the importance of why we are here today. This session is really about the convergence of cyber and nuclear risks. We have, on the one hand, an increasing number of malicious cyber operations of all kinds, all shapes and forms, targeting all types of infrastructure, including critical infrastructure, like the healthcare sector, the energy sector. And at the same time, we have long-standing nuclear risks that have been around since nuclear energy has been around. And so when the two come together, that poses a significant threat to national security, as well as to global stability. And cyber attacks against civilian and military nuclear systems, though our focus is on civilian infrastructure, they have been reported in different parts of the world, both developing and developed countries.
So we all heard about what happened in Iran with Stuxnet or Olympic Games. That was probably the most widely reported cyber attack against a nuclear facility. But there were also different kinds of cyber attacks against different kinds of nuclear facilities in India, North and South Korea, Norway, Germany, the United States, and now Ukraine. And even the International Atomic Energy Agency has been the target of malicious cyber operations. And the actual and the potential risks of these attacks, they include the extraction of sensitive information about nuclear capabilities, malfunctioning of equipment, as was the case with Stuxnet in Ukraine, disruption of energy supplies or of places that are supplied by nuclear energy, increased radiation levels, which is very concerning, and potentially disastrous consequences of nuclear accidents for human lives, for health, and for the environment. These risks have now been amplified with the push for green energy, with the spread of what we call modular or small modular reactors and micro reactors, the use of nuclear energy, including these small reactors, to power AI, as well as the use of AI to automate and diversify the different types of cyber operations against different targets, including critical infrastructure and potentially nuclear infrastructure. So we’re going to talk about this in more detail during this session, I hope so. But these operations, they include disruptive cyber operations that might affect the operation of software and hardware. They include data surveillance or data gathering operations, as well as information operations like misinformation and disinformation. Now, for many of you, the film Oppenheimer might have sort of resurrected some of those fears of nuclear threats and nuclear holocaust. 
For me personally, being in Japan and having had the opportunity to visit Hiroshima has been a real life-changing moment and just highlights for me the importance of what we are discussing today and the kinds of threats that we are facing, that humanity is facing. So Chatham House is worried about these risks, so is Microsoft, so is the University of Oxford. And so Chatham House has done work in the past from an international security perspective on the risks, the cybersecurity risks against both civilian and military nuclear infrastructure. We are at the moment carrying out a project on this topic, on this exact topic, focusing on international law and norms. And so this session will explore in more detail these issues, including in particular international technical standards, rules and principles of international law, and non-binding norms of responsible state behavior that protect the cybersecurity of civilian nuclear infrastructure. So the session will be divided into three parts, or we’ll have three segments. The first one will be an in-conversation session with Marion Messmer, who is speaking online from London. She’s a senior research fellow on the International Security Programme at Chatham House. She’s an expert in arms control and nuclear weapons policy issues. We’re going to talk about cyber security risks and the consequences facing civilian nuclear facilities. Then in the second part of our session, we’re going to have a discussion with Tariq Rauf, who was head of nuclear verification and security policy coordination at the International Atomic Energy Agency, IAEA, with years of experience in nuclear disarmament, nonproliferation and arms control, as well as Giacomo Persi Paoli, also joining us online from Geneva, who is head of the security and technology programme of UNIDIR, the UN Institute for Disarmament Research, and he’s an expert on the implications of emerging technologies for security and defense.
And we’ll also be joined by Michael Karimian, who is here in person with us, who is director for digital diplomacy at Microsoft in the Asia-Pacific region, with extensive expertise in human rights policy. We’re going to talk about technical and policy approaches to protect civilian nuclear infrastructure from cyber operations. And then we’ll have a final section of our discussion, which will look at the legal and normative aspects of the issue. And for that, we’ll have a chat with Tomohiro Mikanagi, also in person here today, who is legal advisor of the Japanese Ministry of Foreign Affairs, and a partner fellow of the Lorapak Center for International Law at Cambridge University, who has written extensively on cyber and international law. And also joining us online for this discussion is Priya Erse, junior research fellow in law at St. John’s College, Oxford, whose expertise spans across public international law, including cyber operations targeting critical infrastructure. Michael will also join us for this segment of the program. I’m going to turn to Rowan for a few housekeeping announcements. Rowan, over to you.
Rowan Wilkison:
Yeah, so hello. Good morning, afternoon, evening, wherever you are. Thank you so much for coming. So yeah, just some brief housekeeping things. We’re going to be running an interactive survey on Menti alongside this session. So we urge all people online and also in the room to scan the QR code when it comes up and please take part as we go along because we’d love to hear your thoughts. And then at the end of the session, we’re going to be having the usual Q&A. So for those in the room, we have the mics. So if you line up behind, if you have a question and those online, please just use the chat function. So to kick us off with the first question.
Talita Dias:
Yeah, so I actually wanted to show a video first, Rowan. So technical team, would you mind putting up our slides so we can actually show a video that Chatham House has produced on this issue just to give people an idea of what we’re talking about today? … to heat water that turns into steam. The steam then drives a turbine to provide electricity that goes into the national grid. An advantage of nuclear energy is that it can reduce the reliance on fossil fuels and can help fight climate change. The energy that is produced by nuclear reactors is controlled for output and safety by sophisticated computers. But cyber attacks can interfere with these network computers, potentially shutting down power plants or causing other safety issues. A cyber attack using a computer worm called Stuxnet was used to disrupt Iran’s nuclear enrichment program by interfering with the control systems for the centrifuges. So we need to put measures in place to protect nuclear plants against cyber attacks. Great, thanks. So I’m going to turn over to Rowan who will kick us off with our survey, actually to give a little bit of background to the topic and also get your views on what worries you the most when it comes to cyber security of a civilian nuclear infrastructure. Rowan?
Rowan Wilkison:
Yeah, so you can see on the screen, I’m just going to put up the first question that we have for you all, which is when you think about nuclear cyber security, what risks come to mind? So yeah, please feel free to scan the QR code or you can enter the code to join the room and we’ll see what you all have to say. I’ll give about a minute and a half or so just for people to answer.
Talita Dias:
So really, what do you think about when we talk about this issue? And we really want to get your views on what is most concerning for you, because sometimes it’s not obvious when we talk about… It can be a very technical or sometimes an intimidatingly technical topic. So we want to get your views on what worries you the most when you think about cyber and nuclear. Should we have a look at the responses that we’ve had so far? Cool. Okay. Wow. Okay. So we’ve got radiation, radiation, environmental disaster, significant loss of life in long term radiological fallout.
Rowan Wilkison:
We’ve also got reputational harm to institutions, environmental destruction. We’ve got security failures in IT networks of the nuclear plants, which leads to disastrous outcomes, which I suppose links a bit to the one before about radiation.
Talita Dias:
So yeah, a wide range of harms, as you can see here. So to discuss or to delve deeper into those harms, we’ll have a chat with Marion online, joining us from London. So Marion, let’s talk about cybersecurity risks and consequences facing civilian nuclear facilities. So welcome.
Marion Messmer:
Hi, everyone. Good to be here.
Talita Dias:
Great. Thanks, Marion, for joining us so early for you. So first question I have for you, Marion, is what types of cyber operations have targeted or can target civilian nuclear systems?
Marion Messmer:
So broadly speaking, I think it’s really important to remember that there isn’t just one type of cyber operation or cyber harm that could target civilian nuclear facilities. Because as you already mentioned in your introduction, they could become targets for different reasons. So they could be targeted because they are specifically part of a nuclear system or nuclear network. And so perhaps the theft of specific nuclear related information is the goal of the attack, or they could be targeted because they produce energy and they are an important backbone of the national grid or of a country’s power supply. So, you know, you could imagine a whole range of scenarios in which they are targeted either purposefully or where they actually become collateral damage of some sort of other attack. You already mentioned some of the examples that we’ve seen where nuclear power plants or other aspects of civilian nuclear infrastructure were targeted. And I think what’s really interesting about this conversation about cybersecurity and nuclear infrastructure is that when we first began to worry about cybersecurity, because a lot of existing operating nuclear power plants are older or perhaps have very bespoke, very purpose designed IT infrastructure, people originally thought that maybe this was a risk that they didn’t have to worry about so much. So there was this idea that maybe nuclear operators would be safe because the IT infrastructure that they’re using is so specific or is so unique. Whereas what we’ve seen over time is that as nuclear power plants have had to evolve, have had to update their systems or as new nuclear power plants have come online, a lot more of the IT infrastructure is also off the shelf or is the same as that of other systems.
And then you are in an environment where nuclear operators all of a sudden also have to think about cybersecurity and the aspects of IT security that they previously didn’t have to worry about so much. So there was a bit of a catch up that had to take place in the nuclear energy sector where operators had to think about new regulations, new training procedures. And that’s really interesting to me because it’s of course the sector where physical safety and security have been so paramount for a long time. So now that we also need to think about cyber security, that can change the game a bit. And I think that worried a few people quite a lot when that first emerged as a possible risk.
Talita Dias:
Thank you, Marion. And there are also the risks to hardware, right, to physical components of what we call cyberspace. Right. So it’s not just software risks, say a hacker hacking into the system, but also like there’s human failure that might lead to, say, a breach in the hardware system of a power plant. So that’s exactly what happened or allegedly what happened with Stuxnet, for example. So great. So my second question to you is, to what extent have new developments in the nuclear sector or in particular in the nuclear energy sector, such as the spread of small modular reactors and microreactors, which I’ve mentioned earlier, to what extent have these developments increased those risks that you have just discussed?
Marion Messmer:
Yeah, so I think these developments pose both a risk and an opportunity. So, you know, if I had to say it simply, then having more systems increases the risk just by virtue of the fact that there are more reactors out there. That’s one aspect where the risk is coming from. Small modular reactors and microreactors are specifically designed to be more accessible. And the hope is that they will be able to help, you know, bring a more stable power supply to perhaps regions of the world where that’s currently not possible or very remote areas or areas where it’s really difficult to have a stable infrastructure network for other reasons, perhaps because of remoteness, perhaps because of geography. So that’s, of course, a huge chance. But at the same time, that also means that if you multiply the number of reactors that exist around the world, you of course also increase the risk of something going wrong. The other concern about some of these reactors is that because they are developed by many different commercial actors, when I was preparing for this, I tried to figure out what the most accurate number is at the moment. And the IAEA estimates that at the moment, around 80 different reactor designs or small modular reactor designs are being considered by different kinds of commercial actors. There are concerns about the supply chain security. So you of course have a situation where different components for the reactor or the steering modules or whatever you need in order to put this together, are being developed by lots of different commercial entities. And in order to ensure the highest standards of cybersecurity, you also need to have quite a good understanding of that supply chain, and where some of those security risks might come in.
So that’s another concern that just because of the length of the supply chain, the diversity of the supply chain, and the numbers of different actors involved, it might be hard in the end to trace where some of those risks might come in. And then the other component, I think, where it introduces some newer risks, or might actually highlight risks that already exist, but just multiply them, is that, as I mentioned, when I spoke about the use cases, a lot of these use cases can be in quite difficult operating environments, or they can be perhaps in regions that are already less well off, and therefore perhaps have less money to spend on cybersecurity. So that’s, of course, a risk that, you know, systems in that region would already be facing, but you then just combine that with the additional risk of nuclear energy. And then generally speaking, what I mentioned earlier about this tension between sometimes a really bespoke or unique system also being just a tad more secure, because perhaps it has fewer vulnerabilities or the existing vulnerabilities will be less enticing to exploit. These small modular reactors and micro reactors will, of course, have completely up to date software solutions and in many cases off the shelf software solutions. So if there are any vulnerabilities that we’re not aware of, then they would, of course, be there as well. But for the advantages, opportunities, these newer reactors are designed differently. So in some cases the nuclear aspect is already safer by design than it would have been in some older power plants. So that’s, of course, one advantage. And the same also goes for the cybersecurity considerations. So because the awareness of cybersecurity in those systems is much more advanced now than it was even five years ago, or certainly 10 years ago, 15 years ago, there are already many more considerations about cybersecurity in the design and then in the training of potential operators.
So, of course, we need to be vigilant and, you know, in part by having this panel because the cybersecurity conversation for nuclear civilian infrastructure needs to go farther. But at the same time, I think we shouldn’t let that make us forget about the opportunities that come with some of these new developments as well.
Talita Dias:
Great. Thanks, Marion. So there are both challenges and there are opportunities. And one issue that we will touch on in this panel later is the question of regulation. Right. And you’ve mentioned the spread of these reactors in different parts of the world. But, of course, we don’t know how, you know, different states regulate the acquisition and the operation of these small modular reactors. So that’s probably also a risk that we need to be aware of. Now, pivoting from peacetime to wartime, and I know that the war in Ukraine is on everyone’s minds at the moment, it should be, not just the situation in Gaza. Hopefully we haven’t forgotten about that. So I want to talk about the new and existing risks against civilian nuclear infrastructure that have resurfaced in the context of the war. Are there any particular risks that we need to be worried about because of the war, Marion?
Marion Messmer:
I mean, what we’ve seen happen around the Zaporizhzhia power plant in Ukraine has, of course, been horrendous. And I think one of the really new things there, or maybe not new, but rare occurrences is of a nuclear power plant being caught directly in war and directly being on the front line. So the combination of physical and cyber attacks taking place at the same time is something that I suppose we were worried about, but that luckily doesn’t happen all that often. So the personnel at the Zaporizhzhia plant has been incredibly dedicated. Many of them have stayed in place despite the risks to their own lives, but the power plant has had to operate with reduced personnel on site who are, of course, now working under much more stressful conditions and much more uncertain conditions. And so I think the combination of there being physical attacks that are very regular over a prolonged period of time, at certain points in time being quite constant, and then also having to worry about cyber attacks at the same time, which, of course, have taken place all over Ukraine with regularity, has created a particularly difficult-to-manage environment. The results of that could be… We’ve not seen that so far, of course, and the IAEA has also done its best to support the personnel operating the power plant to ensure that everyone can stay safe and that the running or the management of the power plant, I should say, can continue safely. So while I would say that some of the biggest risks probably were in place early on in the conflict, when the reactors at Zaporizhzhia were still running, they have now all been in some type of shutdown for the past several months. So that, of course, mitigates the risk significantly. One of the things about nuclear reactors is that you can’t turn them completely on or off immediately because some of the nuclear reaction continues on, which is why I’m talking about different types of shutdown.
But five of the six reactors have been in cold shutdown for several months now. And then there is a sixth reactor which has been in hot shutdown because they’ve had to use some aspects of the reactor for safety operations. But the IAEA has monitored all of that and has tried to support the personnel at the power plant. So what we have been worried about, specifically with Zaporizhzhia and specifically early on in the war, is that a potential loss of power or disconnection from the grid could interfere with the cooling system for the reactor. So that’s when you could get into a reactor meltdown situation, which could, of course, have devastating consequences. So, yeah, there were various mitigating steps taken to make sure that those risks were managed a little better, such as ensuring that there were plenty of backup generators on site so that cooling could still take place.
Talita Dias:
Thanks. Thanks, Marion. So I’ll pause the chat with Marion for a second because we want to hear your views on this. And so, Rowan, over to you.
Rowan Wilkison:
Yeah, so we have the next question on the Menti. So bearing in mind what you’ve just heard, thinking about both stable and context of instability, why should we be worried about cyber operations targeting civilian nuclear infrastructure? And for those of you that have just joined the session, please feel free to take part in the polls that we’re running, because we’d love to hear your views on this topic. Sorry, we seem to be having a problem with that one. So I think we’ll leave that one for today. Yeah, or maybe go back to it later. Okay, so Marion, back to you.
Talita Dias:
Now, since we’re talking about risks and what we should be worried about, what is the actual likelihood of all these risks that we have been discussing on the environment, on lives of individuals, on health, on reputational harm of international institutions, equipment malfunctioning? What is the actual likelihood of these risks materializing? And a related question is, what would be the consequences? You know, concretely, what would be the consequences? Do you agree with the responses that have been provided in the previous question about the consequences of those risks materializing, for example, health, environment, and the international system?
Marion Messmer:
Yeah, I mean, it’s really hard to say how likely it is that those risks might materialize. I think what’s important is that the consequences could be severe. And so we have to take the risks seriously and we have to do our best to mitigate those risks. As I already mentioned a little in my previous answer, in the Zaporizhzhia case especially, while of course there is still a risk there, for the time being, I’m a little reassured by the accident safety operations that are taking place there. And also by some of the other mitigating steps that have been taken. The other thing I would also say in that regard is that we heard a lot, especially early on in the war, that Zaporizhzhia could lead to the next Chernobyl. And that there is a significant difference in how the reactors are designed at Zaporizhzhia versus at Chernobyl, that would actually make that outcome less likely. So I’m not trying to say people should be complacent. These risks are very severe. And if something was to happen, then that would have really grave consequences. So we need to be vigilant. But in terms of people being overly worried or seeing another Chernobyl type situation on the horizon, I think there are reasons why that is less likely than people might have feared. And the other thing I would say is that, you know, as you mentioned in your introduction, we’re hoping that nuclear energy can play a really important role in the energy transition, in moving towards net zero, and in ensuring that we’ve got a more stable energy supply while we are trying to figure out, you know, sustainable and renewable types of energy, so that we can hopefully slow or halt climate change. And what really worries me in that regard is that what we have seen in Ukraine, this combination of nuclear power plants being caught in conflict could actually happen
more frequently around the globe, because if more countries end up using nuclear energy as an important part of their energy supply, and you also mentioned the increasing frequency of cyber attacks, then I think this unique combination of a power plant or other types of energy infrastructure being caught in conflict might become a much more frequent occurrence. So if we can think about now what we can do to manage that situation for the future, then that’s going to leave all of us much better off.
Talita Dias:
Thank you, Marion. Now, to summarise or to get your views on what we just discussed in this segment of our panel, we will go back to Menti with a survey. This time, hopefully it will work. Rowan?
Rowan Wilkison:
Yeah, fingers crossed. I think we’ve fixed it now. So this one is about the risks that we’ve just heard. So we’re wondering which of these risks worries you the most. So we have some five different options here for you to choose from. So picking your kind of priority option, we’ve got disruptive cyber operations.
Talita Dias:
For example, ransomware attacks, distributed denial of service attacks. We’ve got information operations like disinformation, propaganda, misinformation revolving around nuclear energy, which have occurred in the context of Ukraine, for example. We’ve also got data gathering or surveillance operations. So basically, SolarWinds, for example, operations that try and get access to sensitive nuclear data. We’ve got physical effects of these operations, for example, as what happened with Stuxnet in Ukraine. So lots of centrifuges stopped working. And as Marion said, there is a risk of a new Chernobyl, of a cyber-generated Chernobyl, even though that risk might be more remote now. And we’ve got non-physical effects that we have discussed already, such as effects on the reputation of the international system. And also, going back to physical effects, we can’t forget about health and the environment. So just vote there, we want to see what you think. And as Michael just reminded me, there’s also the psychological effects of information operations, the fear of nuclear holocaust and war as well. That’s a good one. Yeah, ready? Okay, so let’s see what you voted on, see the results of this. Okay, so most people are worried the most about physical effects. That’s what I answered, which makes sense given that at the beginning a lot of people mentioned radiation. Yeah. Disruptive cyber operations, I think that’s because they carry the most risk of, you know, interrupting the energy supply, for example, or destroying power plants, for example. Information operations come in third place, data gathering operations in fourth, and the non-physical effects come in fifth place. That’s interesting, keep that in mind. So moving on to the second, and thank you, Marion, so much again for joining us so early for you, it was great. So let’s move to the second part of our panel, which is about technical and policy approaches to protect civilian nuclear
infrastructure from cyber operations. For that, we have a conversation with Tariq Rauf, former IAEA. We’ve got Giacomo Paoli at UNIDIR, and we’ve got Michael Karimian at Microsoft here. So I’m going to start with a question for Tarek. Tarek, do we have any international technical standards on how to mitigate those risks and consequences that we have been talking about?
Tariq Rauf:
Well, yes, at the International Atomic Energy Agency, cybersecurity, which is usually referred to here as computer security of nuclear facilities and nuclear materials, is considered a subset of nuclear security. And nuclear security is the responsibility of the state and the operator. And while there are international conventions, such as the Convention on the Physical Protection of Nuclear Material, as amended, the primary responsibility still remains with the state and the operator. And the IAEA has issued more than 30 documents on guidance, recommendations, and fundamentals of nuclear security, and there is a parallel sub-series of guidance and recommendations on enhancing cybersecurity or computer security. And in the discussions here, cybersecurity or computer security also has implications for nuclear safety. So there are two aspects to it, not only the security of the facility and the material and the integrity of the instrument control system, but also the safety of the nuclear facility, because as we discussed a little bit in the first session, we are dealing with radioactive materials, and containment of reactivity or release of radioactivity from an operating or a shutdown nuclear facility is one of the highest objectives of nuclear safety. There’s also consideration of ensuring that the heat removal and the cooling system of a nuclear reactor, whether in operating status or shutdown, is not compromised. And then also there is the confinement and control of nuclear materials, whether in spent fuel bundles in cooling ponds or nuclear fuel bundles stored inside the reactor that are cooling down, and then also the fuel in a reactor itself. One important element here is to ensure that there is no loss of coolant.
There has been at least one incident where it is suspected that because of a malicious cyber attack, some coolant was leaked from an operating nuclear facility, but the control room managed to detect it early on and they shut off the pump that was discharging water from the cooling system. Later on, I can give you more details about specific IAEA documentation and guidance.
Talita Dias:
Great, thanks, Tarek. I can see that there are some comments or questions in the chat, and I want this to be as interactive as possible. So maybe we should take the questions now. So apologies for mispronouncing the name in advance. So Tumi is saying, he thinks that the reuse of old submarines and add SMRs, I’m not sure what that means, but maybe, okay, small modular reactors, okay, great, to generate electricity permanently under the sea, we’ll be able to isolate ourselves from problems on land, and then Tyrell says it’s a great idea. What do you think, Tarek, or maybe Marion, do you wanna? I know it’s bringing the Q&A to the session.
Tariq Rauf:
So we do have a floating reactor that is operating in the Russian north. This is actually a modified reactor from a nuclear propulsion unit of an icebreaker. There are nuclear powered submarines, but at the moment there is no consideration of using submerged small and medium-sized reactors for power generation. All of the designs that were referred to, there are about 80 designs currently under discussion of which about three are close to maturity for testing, first of a kind, but these are all land-based. Now one advantage of SMRs and MMRs is that these are sealed reactor units as compared to large nuclear power plants which need to be refueled partially or completely every year or every few years. So that is one inherent in-built safety consideration for SMRs and MMRs. But nonetheless, one needs to ensure that the integrity of the instrument control system and regulation of the reactor itself is not compromised. The instances that have occurred of compromise usually have been through back doors, either left open by contractors so that they could do the servicing sitting at home or from their office, or inadvertent back doors that were created through the use of USB sticks that were inserted into some part of the computer system in the facility, although it is strictly prohibited to bring in any outside USB sticks or other data-carrying devices and to insert them into the computer systems of nuclear facilities.
Talita Dias:
At least in theory. Okay, Marion, do you want to comment on that or should we move on?
Marion Messmer:
I can just add one bit, because what I wanted to say is that, you know, even if it seems tempting to, for example, put small modular reactors or other types of reactors underwater to have them away from land, you have to remember that, of course, the ocean is also part of our ecosystem. So even if there was to be a radiological incident underwater, that would still have pretty severe consequences for that environment. And the water will, of course, mix, so the radiation would still spread. So while it wouldn’t be the same kind of fallout that we would get if it was in air, it’s not like it’s just out of sight, out of mind in that sense, because it’s… Yeah, we also drink some of the water that comes from the sea.
Talita Dias:
So that’s a very important point, Marion. So I want to go back to Tarek, and I want you, Tarek, if you can, to take us a little bit through the IT security guidance for nuclear facilities that the IAEA has produced for member states that have operational nuclear power plants or nuclear fuel cycle facilities. Can you talk to us a little bit more about these documents, these over 30 documents that the agency has issued?
Tariq Rauf:
So the way the IAEA is approaching this, and this is in cooperation with IAEA member states. So this is not just the bureaucracy of the International Atomic Energy Agency that is producing this guidance or recommendation. They do it in concert with technical experts from the IAEA’s 176 member states, those that are interested, and this is an interactive process between the technical experts of member states and the experts of the IAEA Secretariat, and jointly they draft and produce these documents, which then once they are approved, become the guidance, recommendations or fundamentals. So computer security measures in the context of cybersecurity for nuclear facilities as discussed and considered at the IAEA are to prevent, detect, delay and respond to criminal or other intentional or unauthorized attacks. Then to mitigate the consequences of such attacks and to recover from the consequences of such attacks. So computer security measures can be assigned to one of three categories, technical control measures, facility control measures or administrative control measures. So the agency has been actively involved in developing these and they’ve come up with a taxonomy, which is number one defense in depth. This is having a defense in depth approach to cybersecurity with multiple layers of security controls and measures to protect nuclear facilities, including physical security, network security, access controls and monitoring. Also risk assessment, that nuclear facilities should conduct a comprehensive cybersecurity risk assessment to identify potential vulnerabilities and threats. And then this assessment forms the basis for developing appropriate security measures. To institute, this is number three, to institute security policies and procedures, which is to establish and implement cybersecurity policies and procedures tailored to the specific needs of specific nuclear facilities. This is called design basis threat.
Designing security policies and measures specific to a particular nuclear facility, its technological peculiarities and the risks that that particular facility might face. Then of course, there are obvious things such as access controls, network security, patch management. Incident detection and response, this is an increasingly important element. As you mentioned in your introduction, the IAEA is subjected to daily cyber attacks on its system from different sources. Some are trying to access the highly confidential safeguards information, some are just opportunistic attacks. My colleagues at the IAEA in the IT sector, this is their biggest challenge, is to make sure that there is no intrusion into the IAEA’s computer security system. They are very proud that they have managed to detect and to counter any of these potential attacks on the system. But we say nuclear security is not an end, it’s a journey. Cybersecurity is also the same: as the threats are evolving, the responses also need to evolve, so to speak. Then there’s also, of course, encryption, physical security. An important element is also to do security audits and assessments on a continuous basis, to see if there are new vulnerabilities that have come in, supply chain vulnerabilities. Other important issues are information sharing, international cooperation, training and awareness, and then capacity building. This is one of the IAEA’s biggest activities. Every year, the IAEA holds hundreds of sessions, both at headquarters here in Vienna and in different cities to build capacity to strengthen the capacity and the training of nuclear facility operators.
Talita Dias:
Sorry, Tarek, is there anything else that you want to comment about the guidance?
Tariq Rauf:
You sent me some questions, so I will come back when you get to the next question where I can cite some of the specific IAEA documentation, which is all available freely on the internet. It’s not password controlled and people can download the PDFs.
A lot of this is quite technical, but it’s all up there.
Talita Dias:
Great, thanks. So you’ve mentioned a lot of guidance, a comprehensive range of best practices for every step of the way of nuclear cybersecurity, from design to implementation to risk mitigation and so on and so forth. But all of that guidance, as the name suggests, is non-binding. These are documents that are not mandatory for states, right? But I want to ask you if any of those measures that have been proposed or recommended by the IAEA have been adopted by the Convention on the Physical Protection of Nuclear Material, which is a binding document under international law.
Tariq Rauf:
Well, this unfortunately is the situation when we are dealing with sovereign states. So the Convention on the Physical Protection of Nuclear Material, as amended, is only binding on those states that have acceded to it, unfortunately. It’s not universal international law that if a country has nuclear material and nuclear facilities, it must be a party to the CPPNM. So the way around it is that for those countries that have signed onto it, it is internationally legally binding. Now, the amendment to the CPPNM, which took place in 2005, was more to extend the scope of the CPPNM to cover nuclear material in peaceful uses, in domestic storage, and in international transport. But unfortunately, state parties were not able to agree on the application of the CPPNM to military nuclear material. And as you know, we have had five nuclear security summits. People only remember four of them, the ones that started in 2010 in Washington, but the very first one was in 1996. So 83% of the world’s dangerous nuclear material, that is highly enriched uranium and plutonium, is in the custody of the nine countries with nuclear weapons, and it is completely outside of any international accountability or monitoring. Only 17% of the material is under International Atomic Energy Agency safeguards, and as part of the safeguards agreement of a state with the IAEA, physical security and safety is obligatory. And then, as we just mentioned, cybersecurity, being a subset of nuclear security, is also something that the state needs to implement. So even after the Fukushima accident, there were attempts to make the CPPNM mandatory and compulsory for all of the 31 states that operate nuclear facilities. At the moment, only Iran remains outside, a country that has an operating nuclear power plant that has not yet acceded to the CPPNM as amended, and also not to the Convention on Nuclear Safety.
So this again is the tussle between protection of national sovereignty on the one hand, and on the other hand, protecting against cyber and other malicious attacks, because the effects of those will be transboundary. They will not be limited to the territory of the affected or the accident state. As Chernobyl showed, as Fukushima showed, we have transboundary transport of radiation, and that is the biggest concern as regards a disruptive cyber attack on a nuclear facility that results in the release of radioactivity.
Talita Dias:
Thanks, Tariq, and it has effects that stretch in time as well, because even this year we’ve had issues about the disposal of water from Fukushima. Thanks for clarifying the scope of the convention, and I guess what you said just highlights the importance of international law and strengthening international law, and discussions that might lead to new norms and rules on this issue. I’m going to turn over to Rowan just for another question for everyone here in the audience and online. So based on what we have just heard from Tariq, in your opinion, should there be enhanced
Rowan Wilkison:
interaction and cooperation on cyber security between agencies like the IAEA and also the tech industry? We’ll give a little bit of time just as people come into it. So I guess that’s a clear unanimity here on yes, right?
Talita Dias:
And Michael will come back to this point about cooperation or the role of the tech industry to tackle all of these issues that we’ve been discussing. But now, so Tariq mentioned state sovereignty. He also talked a little bit about international law, the role of the Convention on the Physical Protection of Nuclear Material, and I’ve mentioned the need for states to be discussing this issue more often. So I want to turn to Giacomo, who is joining us from Geneva. Hi, Giacomo. Hi, good morning. And I want to ask you, how has the protection of critical infrastructure been discussed in the context of the Open-Ended Working Group on the security of information and communications technologies, also known as the UN OEWG? Thank you.
Giacomo Persi Paoli:
Thank you, Talita, for the question, and thank you also for inviting me. It’s great to be able to participate in this great panel. So let me give you a 30-second summary of 25 years of history before I get specifically into the question. But I think this summary is useful, particularly to those in the audience that may not be too familiar with the various UN processes and the jargon that is associated with them. So states have been discussing international cybersecurity; I would say actually this year is the 25th anniversary since the first draft resolution on this topic was put on the table, at the time by the Russian Federation, in 1998. Since then, we had six iterations of a process called the Group of Governmental Experts. Now, this is a closed-door process that on average involves about 20 countries, of which five are always the P5, the five permanent members of the Security Council, and then others are invited to join. The specificity about this process is that the only public thing that exists, the only public trace, is the mandate that sets up the process and the report at the end of it, which means that there isn’t really a lot of visibility as to what the discussions actually are. And if states do not agree on a consensus report at the end of it, the report that we have at the end of the deliberations is a very procedural one that says, you know, we came, we met, we didn’t agree, move on. Now, the situation started to change in 2019, when in parallel with the last, at least to date, Group of Governmental Experts, another process was set up, the Open-Ended Working Group. Now, the Open-Ended Working Group is open to all membership of the UN. It has a multi-stakeholder component to it as well. But most importantly, it’s all public. So all statements that are made can be consulted online. All sessions can be followed on UN TV. And the chair has the opportunity, even if there isn’t a consensus report, to publish its own summary.
So there is definitely more visibility in the actual workings of the process. Coming to your question, I think it’s important to realize that one of the most significant achievements that states collectively had dates from 2015, when a framework for responsible state behavior in cyberspace was adopted. And as part of this framework, there are 11 norms. The topic of critical infrastructure is probably the topic that features the most, either directly or indirectly. Three of these 11 norms focus on the topic of critical infrastructure, whether it is to basically call on states to protect their critical infrastructure, or calling on states to not target the critical infrastructure of others. And then there is a dedicated norm that focuses on ensuring that international assistance is provided to those states whose critical infrastructure is being targeted by cyber attacks. Now, these three norms have an explicit reference to critical infrastructure. And there are a whole set of others which are more indirectly related, particularly related to vulnerability disclosure or supply chain security; you can see how some of these topics may be indirectly relevant to critical infrastructure protection as well. I’m probably bridging to the next question here, but by design, these norms, until very recently, didn’t really go too much into the detail of which type of critical infrastructure. The OEWG is probably not the correct forum to have in-depth discussion as to how each of these general-purpose norms applies to specific sectors or specific types of infrastructure. However, it is definitely a topic that has been discussed quite extensively, both in relation to how the threats are evolving, in relation to how norms can be implemented, as well as what could be some of the consequences from an international perspective.
Talita Dias:
Thanks, Giacomo. So in your opinion, it’s not the best forum to discuss specific risks to particular types of critical infrastructure, but to your mind, and you’ve been deeply involved in this process as part of UNIDIR, does it come to mind that any state has specifically raised the issue of cyber nuclear risks within the OEWG, or perhaps other UN forums? Can you remember if any state has ever raised this issue?
Giacomo Persi Paoli:
So it’s a very interesting question, because if you look at the consensus reports, we couldn’t really find any explicit reference to nuclear itself in the consensus reports. However, the discussion is evolving. States individually, in their national submissions to the Secretary-General, who then compiles all of these submissions and releases a report, do flag the nuclear security issue, characterized in different ways, whether it is, again, expressing growing concern over the threats that cyber capabilities and cyber operations can pose to civilian nuclear infrastructure, so more on the threat side, or to highlight some of the efforts that they’ve put in place at the national level to protect their nuclear infrastructure as part of wider interventions. Some states have dedicated national cybersecurity strategies that have been designed and dedicated specifically to protect their nuclear infrastructure. So there is definitely a lot more that is going on at the national level that is flagged in the context of the OEWG, but if you look at how the OEWG discussions have been evolving, they went from being very general, then in 2021, also as a result of the pandemic and the sheer increase of cyber attacks that have characterized all sectors of society, including critical infrastructure, the report of the OEWG that concluded in 2021 did mention things explicitly, critical infrastructure types such as medical infrastructure, or energy, or financial, et cetera. So we are going down the path of discussing these topics more broadly, but my personal opinion, my personal sense, is that as long as there isn’t a dedicated forum for states to discuss implementation, more than a kind of normative framework, but actually the implementation of these quite general-purpose norms that have been designed, it’s gonna be difficult for states to really go deep into any of these topics, simply also because of the matter of time that they have available.
However, I think it is important to acknowledge that the topic has been, despite not necessarily being captured in consensus reports, it is being flagged by an increasing number of states in their national capacity when they make their interventions.
Talita Dias:
So maybe it’s just a question of some of those states trying to bring the issue to the general fora that the UN offers for these discussions, and maybe we should take up your idea of having a sort of more concrete, implementation-focused forum for these discussions. Thanks, Giacomo, for your thoughts and for your input. I’m now gonna turn over to Michael, and perhaps maybe Giacomo and Tariq want to comment on this point, which is about the role of the tech industry in addressing those risks. So Michael, what is the role of the tech industry? You work for Microsoft, so what does Microsoft have to say about this?
Michael Karimian:
Thank you, Talita, not just for being our moderator, but of course to yourself and the team at Chatham House for being essential partners in this session and brought a project in the same to Priya from the University of Oxford. I’d like to underscore a couple of topics or key points, I guess, in this regard. One is that, of course, the tech sector broadly, and as Marion mentioned, there are many companies who supply ICT infrastructure to this industry that we’re looking at. Of course, the tech sector plays a central role in providing the digital solutions that underpin quite a broad range of operations, safety and security of nuclear systems, but also, to be frank, just mundane, everyday processes, applications like payroll or accounts receivable. And so because of that, there are many entry points into the IT systems. And so the risks are quite broad, and as Marion mentioned, the supply chains are very deep. As we’ve been discussing, of course, there is this convergence of cyber and nuclear risks, which poses a quite serious threat to national security and global stability. So with that in mind, I think it’s important to recognize that as a provider of these systems, we have quite serious responsibilities accordingly. And so to address these risks effectively, the tech sector can and should, more broadly, take a number of proactive steps, including but not limited to, of course, cybersecurity by design. So prioritizing the cybersecurity of systems from the very inception of their products and services and embedding security into the design, development, and deployment processes. And by doing so, that will go a long way to reducing vulnerabilities and strengthening the overall resilience of nuclear systems. Continuous innovation is very important. As we’ve been discussing, the threat landscape is ever-evolving. And therefore, continuously innovating to stay ahead of cyber adversaries is essential.
That requires actively researching, but also sharing threat intelligence to detect and respond to emerging risks. And doing that with governments, international organizations, and other stakeholders. So a degree of transparency and threat sharing from the tech sector is also very important. Equally, education and training plays quite an important role. Tech companies can be pivotal in educating and training end users and administrators of their technologies. So providing guidance on cybersecurity best practices is essential too. And of course, multi-stakeholder engagement has already come up as a topic in this session so far. But collaboration is key to addressing the complex challenges that we’re discussing here today. The tech sector, big and small, should be quite actively engaging with governments, civil society, and other companies to jointly tackle the cybersecurity issues that we’re talking about. We already do see initiatives that are doing that broadly, like the Cyber Security Tech Accord, which promotes collaboration and protection of critical infrastructure. That’s a prime example of these efforts, and we can delve into them more in this session.
Talita Dias:
Thanks, Michael. Giacomo and Tariq, do you have any thoughts or comments or reactions to what Michael just said about the role of the private sector in addressing those risks? Yep, would I comment on that? Absolutely.
Tariq Rauf:
I completely agree with what Michael just said. Again, this is the issue of state sovereignty. So international organizations like the IAEA are based on interactions with states and not with other actors such as industry. However, this pattern is changing and more and more industry is being brought in to provide its expertise and experience in providing technological solutions to these new problems. But a main challenge for an international organization like the International Atomic Energy Agency, that is dealing with highly classified information about the nuclear activities of over 180 states, is the risk of penetration into the system by state actors, not so much non-state actors, given the high politics involved. And Talita, you in your introduction mentioned the cyber attacks on Iran’s enrichment facilities, Stuxnet and Olympic Games. So those were state-originated threats, and those are still continuing because of high politics here. So I don’t want to name states, but there are no innocent parties, so to speak. Anyone can be a threat for the IAEA’s computer security system at the agency here in Vienna. And then the IAEA has to buy commercial products. So one product that the IAEA bought some time back was Palantir, which is to manage big data. Palantir was originally developed for the intelligence agency. So an international organization’s IT experts will never be able to match the expertise and the capabilities of offensive IT capabilities of states if they choose to deploy them against the IAEA. So there’s this in-built suspicion, which is one potential roadblock for the IAEA’s interaction with the industry beyond a certain level. And I think we need to overcome this and build more trust and build more patterns of cooperation and interactivity.
Talita Dias:
Thanks, Tariq.
Giacomo Persi Paoli:
Giacomo, one or two thoughts very quickly. Yes, conscious of the time, very quickly. I can only agree with both Michael and Tariq here. I think it’s important that even in relation to what we’re discussing with the OEWG, the OEWG covers state behavior. It’s discussed by states to regulate or guide their own behavior. It doesn’t deal with threats coming from non-state actors, which can be significant. But I think the private sector here can play a significant role in helping states develop capacities, providing capabilities. Public-private partnerships have been flagged at almost every single session as a way forward that really needs to be investigated as a general-purpose tool to really increase the cyber resilience of member states. And this includes also the energy sector and in particular the nuclear one. So absolutely, it is key that we bring the private sector along in the journey.
Talita Dias:
Great, so multi-stakeholderism is a recurring theme in this Internet Governance Forum, and we also need it to protect civilian nuclear facilities from cyber security threats. So that’s the main lesson, that’s the main takeaway from this discussion so far. So Michael, back to you.
Michael Karimian:
What best practices or recommendations have been developed by the tech sector, the tech industry operating in the civilian nuclear sector, including Microsoft itself? So I’ll speak on behalf of Microsoft and say that actually we haven’t developed specific guidance for the nuclear sector. The reason being, although the outcomes of the risks are differentiated, the underlying cyber security risks are almost universal. We see these same risks applying to all sectors across the board. And it’s surprising, the sort of gaps that are out there: so 80% of incidents can be traced to missing security practices, which can be solved by quite basic modern approaches. Over 90% of accounts which have been compromised by password-based attacks did not have multi-factor authentication or any strong authentication in place. According to a study, 78% of devices are not patched within nine months of a critical patch being released, and the number of users who use multi-factor authentication is actually only around 26%; it’s pretty low. But what’s interesting here is that attacks by nation-state actors can be technically sophisticated; however, many of these actors use relatively low-tech means, such as spear phishing and other efforts, to deliver quite sophisticated malware into the systems. And actually, we mentioned the case in Germany, the case was mentioned about a USB stick. In the case in Germany, as was publicly reported, the entry point was a user bringing in a USB stick, and then the rest is history, so to speak. So a lot of these issues can be mitigated by good, yet basic, cyber hygiene practices, and that’s meant to be holistic, adaptive, and global in nature, and a lot of that can happen better in the cloud than on-premises.
So the general guidance which would apply to all sectors, including this sector, is to protect the identity of users, apply updates as soon as possible, use extended detection and response, anti-malware and endpoint detection solutions, and also to enable the auditing of key resources, and quite importantly, prepare incident response plans. That’s actually very much aligned with the IAEA guidelines, which really speaks to the strength of the guidelines that they have produced.
Talita Dias:
Thank you, Michael. The question is of putting all of this together, you know, what the IAEA has already put out, what the private sector has advised operators to do, and also what states have agreed to do or are willing to agree to in this sector. So I want to pivot to the third part, or the third segment, of our panel today, of our workshop today, which is about international law and norms. And we have, for this segment, Priya Urs from Oxford joining us online, and Tomohiro Mikanagi from the Japanese Ministry of Foreign Affairs, and Michael will also join us for this discussion. I’ve noticed that there are a couple of questions about international law, international regimes, agreements, so I’m going to take those questions later from the chat and put them to our panellists in this segment. But I want to start with Priya and Tomohiro with a question, a very general question, about the applicability of international law to all of those issues that we have been tackling today. So, to what extent can a cyber operation that targets civilian nuclear infrastructure breach existing rules of international law? I don’t know who wants to start, but maybe Priya, because you’re online and it’s very early for you. Do you want to kick off?
Priya Urs:
Absolutely. Thank you so much. And it’s been a fascinating discussion so far. I think what’s tough when discussing international law in this context is that, unlike the technical and policy guidance we’ve been talking about so far, international law doesn’t yet have specific rules that prohibit or otherwise address cyber operations. And so even while states are increasingly recognizing, as we see, civilian nuclear infrastructure as part of what they call their critical infrastructure, which states suggest should be protected against cyber operations, this hasn’t really translated into specific legal protections. And so what we’re left with, at least for now, is more general rules of international law that could be applicable in this context. And this includes not just treaties, such as the one we’ve already discussed with Tariq, but also rules of customary international law, including rules governing the use of force by states, the rule prohibiting intervention by one state in the affairs of another state, any other conduct that could also be prohibited as a consequence of a state’s sovereignty over its territory, and also, on the other hand, due diligence obligations for states. And so maybe I’ll just say for now that although none of these rules was actually designed with cyber operations in mind, and certainly not thinking of civilian nuclear infrastructure, they can in principle be applicable to this context. But of course, the particular application could raise some challenges. So I’ll leave it there for now. Thanks.
Talita Dias:
So Tomo, do you want to address this question about international law in general, but also a more specific question that I have for you on sovereignty? So I know you’ve written a lot about cyber and international law. So on top of the general landscape of international law applicable to this phenomenon, can you talk to us a little bit about the threshold for a violation of sovereignty by a cyber operation affecting critical infrastructure in general? And does that threshold for critical infrastructure in general differ for nuclear infrastructure? Thanks.
Tomohiro Mikanagi:
Thank you. Thank you for inviting me to this wonderful panel. This is a good experience for me to think about, you know, the connection between cyber security and nuclear security. Actually, in my brain, these two issues had not been well connected before, but this is a great opportunity to think in depth on these issues. The sovereignty issue is a really difficult issue among international lawyers because of the different positions taken by different countries. It is already very famous that the United Kingdom takes a rather specific position that they don’t think there’s any stand-alone obligation arising from sovereignty apart from the rule of non-intervention in the internal or external affairs of states. That is not supported by many states, I must say, but that is a very strong position expressed by the United Kingdom. The other extreme is probably the position taken by France. France is saying that any effect caused by a cyber operation in the territory of the country would amount to a violation of sovereignty. In between, there are several other countries, like the U.S., Germany, and maybe Japan is also a part of this group, which set a certain level of harmful effect caused in the territory that would amount to a violation of the sovereignty or territorial integrity of the state. There’s no consensus, but I think there’s a general tendency of agreement, I must say, that the more serious the effect of the cyber operation, the more likely it is for states to accept that it is unlawful under the rule of law. So, I think, you know, cyber operations targeting nuclear facilities are more likely to cause more harmful effects. If that is the case, states should be able to agree on the unlawfulness of that particular kind of cyber operation. But this does not necessarily mean there’s a lower threshold for cyber attacks against nuclear facilities.
Rather, nuclear facilities are more vulnerable and more, I think, likely to cause severe, serious physical and other effects. So they should, I think, secure more support from states when they are talking about the application of the rules of sovereignty.
Talita Dias:
So it’s more a question of fact than law, right? So the law would apply a bit differently to the fact of an attack against civilian nuclear infrastructure than to other types of critical infrastructure because of the severity of harms. And because of that factual difference, then maybe states will be driven to agree on the applicability of sovereignty in this space. Thanks, Tomo. So I’m now going to go back to Priya and talk a little bit about another important principle of international law that plays out in this context, which is the principle of non-intervention. So what is the relevance of the principle in this context? And in particular, could a cross-border cyber operation against civilian nuclear infrastructure constitute an unlawful intervention, breaching the principle of non-intervention? Priya?
Priya Urs:
Thank you. I think this is an interesting question alongside the sovereignty discussions that Tomo was discussing. And the prohibition on intervention is interesting because states widely agree that such intervention is prohibited, but there is a serious lack of disagreement as to what kinds of activities are actually prohibited under the rule. And there are essentially two requirements for intervention to be unlawful, which will equally apply in the context of cyber operations targeting civilian nuclear infrastructure. The first requirement is that the intervention has to do with or has to address the internal or external affairs of a state. And when we think about civilian nuclear infrastructure, which is responsible for generating energy, I think it’s quite easy, I would say, to satisfy this requirement and to make the case that the intervention does address a matter falling within a state’s internal affairs. The second requirement for unlawful intervention is somewhat more tricky, because the intervention needs to coerce the targeted state, or be coercive, in order for it to be unlawful. And there seems to be quite a lot of disagreement still as to what actually amounts to coercion. And the general view that’s taken is that conduct is coercive when it deprives the targeted state of the ability to make a choice or to decide freely with respect to such matters. And I think there’s also now an emerging view, which could be relevant here, which suggests that if a state deprives another state of its control over the implementation of a policy falling within its internal affairs, then that could also be coercive. And I think this is relevant here because if a state adopts a policy with respect to the generation of nuclear energy, I think a cyber operation that actually disrupts the production of such energy could be coercive and therefore unlawful.
But on the other hand, what this implies is that other kinds of cyber operations that involve surveillance or data breaches may not be coercive, and therefore may not constitute unlawful intervention, because they’re not actually interrupting the implementation of a state’s policy. So, of course, just to conclude, there’s still a lot of clarity that’s needed in the context of the prohibition on intervention, but I think, tentatively looking at these requirements, it could be that this rule is implicated in the context that we’re discussing.
Talita Dias:
Thanks, Priya. I think most would agree that deciding on nuclear policy is part of a state’s internal affairs, and insofar as a cyber operation can be seen or deemed as coercive, then the principle would be violated. Now, bearing in mind, and there’s a question here in the chat, so someone other than the attacker is to blame, all of these rules that we are discussing presume that the cyber operation in question can be attributed to a state. So we’re talking about state responsibility as opposed to the responsibility of individuals. Now, maybe I should just jump into that question of individual involvement in cyber operations because it has come up in the chat, and maybe, Tomo, you can talk to us a little bit about the rule of due diligence, or the principle of due diligence, which precisely addresses this question. When we have a non-state actor that is involved in a cyber operation and the cyber operation cannot be linked to a state, then what are the obligations of states? What does international law have to say when that’s the case, when the operation comes from a non-state actor? Tomo.
Tomohiro Mikanagi:
Thank you. Yeah, due diligence: the name “due diligence obligation” is probably not really defined by international law, but when we talk about the due diligence obligation, we often think about something which was announced by the International Court of Justice in the 1949 Corfu Channel case. It was between the UK and Albania. In that judgment, the court mentioned the obligation not to allow knowingly its territory to be used for acts contrary to the rights of other states. So this obligation is interesting because it talks about the territorial state’s obligation to prevent or mitigate the acts done by non-state actors inside the territory. But because of this unique structure or feature of the obligation, there is not a clear consensus among states whether this obligation or principle applies to cyber operations emanating from the territory. And again, the UK is probably the most skeptical state in this regard, again. And the US is also a little bit skeptical about the application of this rule to cyber operations. Japan, Germany, and India are more flexible. But how this principle should apply, that is not clear yet. In the area of environmental law, there is more discussion, more advanced discussion, going on. Like the International Law Commission, the UN International Law Commission, adopted a document called the draft articles on the prevention of transboundary harm from hazardous activities in 2002, I think. And these draft articles are not binding. And they do not specifically talk about cyber operations. But I think when there is a transboundary harm to the environment, especially, there is more agreement among states that there should be a due diligence obligation applied to the territorial state. So I think here, again, there is no lower threshold for the due diligence obligation in the area of nuclear security. But I think it is likelier for a state to accept the existence of a due diligence obligation in the area of transboundary harm, especially close to the environment, I think.
Talita Dias:
Thank you, Tomo. And I can see some questions about negligence of the operator. And I can also see questions about accidents. And the principle that Tomo has been referring to, which is called the no-harm principle, which addresses transboundary harm, also covers non-intentional operations or incidents. So I hope that answers your questions. There's also a question here in the chat, which is very interesting, from Rohana: is it better to develop generic cybersecurity best practices for nuclear plant operators and employees, and is making them aware a must? Is there such a global initiative about cybersecurity best practices for nuclear plant operators? So does anyone want to answer that question? Maybe Tariq. And there's also an interesting question about prospects for a multilateral agreement on cybersecurity of nuclear facilities. So what do our panelists think? And anyone, feel free to jump in. Tomo?
Tomohiro Mikanagi:
May I respond to the latter question? Since I was given this question about the relationship between nuclear security and cybersecurity, I studied some conventions. And Tariq mentioned the Convention on the Physical Protection of Nuclear Materials, which was amended in 2005 and covers nuclear facilities as well. In 2005, we didn't discuss the cybersecurity issue in a specific manner. But conceptually, the definition of sabotage in this convention could theoretically cover sabotage through cyber attack. So I was wondering which path we should take: the OEWG and the UNO spaces, where states are discussing general norms. Can we agree on the existing customary international law rules under the OEWG? Or should we discuss this under the IAEA or its spaces, especially with reference to this convention, to apply or interpret this convention for the cybersecurity issues relating to nuclear facilities? So there are several paths, but I think this latter path, connected to the existing convention, might be easier from my personal point of view.
Tariq Rauf:
Could I comment on that? Yes, absolutely. Tariq. So I would suggest that since the IAEA is the internationally designated competent authority to provide regulations for nuclear safety and security and for safeguards, this discussion at one level properly belongs at the IAEA. And I will just list, in response to the previous question, some of the guidance that the IAEA has produced that is available to all member states. And as I mentioned, nuclear security, cybersecurity is considered by states to be a national responsibility still, and they are not willing to have an internationally applicable legal framework which is mandatory. And this, I think, this thinking needs to change. For example, the IAEA has computer security techniques for nuclear facilities guidance, security of information technology for nuclear facilities, implementing guides for security of information technology, also computer security of instrumentation and control systems, and approaches to reduce cyber risks in the nuclear supply chain, plus computer security aspects for design of more instrumentation and control systems at nuclear power plants, also for incident response planning at nuclear facilities, and also for assistance and so on. So there is a lot of… There's a big body of literature and guidance, but it's up to states and the operators. So nuclear facilities have to be licensed. Most nuclear facilities are state-owned, but some are also privately owned. So in order to have an operating nuclear reactor or a nuclear facility, the regulator of the state provides a license, which is usually valid for one to three years and has to be renewed constantly; otherwise the regulator can shut down operations at the nuclear facility. So there is a robust system there, but we need to develop it further to encompass these new and evolving threats from cybersecurity.
And my final comment here is that there are also liability conventions, the Paris Convention and the Vienna Convention on liability. Although these cover accidents, one could also envision that if an operator has been negligent and their facility suffers a cyber-related incident which causes either nuclear damage or civil damage, who is liable and who provides compensation to the affected parties? Great.
Talita Dias:
Thanks. That’s a good question for states to take up in their negotiations about future conventions on the topic. Then, Priya, I know you wanted to comment on that as well, and we are running out of time, so we only have three to four minutes, and then I want to end the session with a survey for everyone. Priya?
Priya Urs:
Thanks. Yeah, I’ll be quite brief, but I just wanted to highlight the importance, I think, of getting at the problem from different angles. And I think Tomo put it quite well too. You know, on the one hand, we need to take certain preventative measures of cybersecurity, which Michael mentioned as well. But we also, when incidents occur, need to be able to address them and address questions of legal accountability as well. And I think it probably remains to be seen how useful it will be to apply general rules of international law in this context and also to admit where those general rules might not apply and where there may be a need for some sort of further regulation. And whether that actually happens is, as Tariq mentioned, up to states at the end of the day to decide that they want to implement certain measures or not. So I’ll just, yeah, end it there, thanks.
Talita Dias:
Thanks, Priya. So to end the session, and thanks once again to our brilliant panelists, we have a question for you in the audience online and in person. So in light of everything that we have just discussed, the risks, the initiatives, the approaches that have been developed, Rowan?
Rowan Wilkison:
Yeah, we wanted to ask you, so what else should states, private companies, and all the other stakeholders that we’ve discussed today be doing to address the cyber nuclear risks? So we’ll give just a couple of minutes.
Talita Dias:
Okay. Okay, so let’s see what you have responded to this survey. What do you think we should be doing next? Okay, so I think everyone, I think that the highest priority here, Rowan, is... Yeah, we’ve got better, oh we’ve got modernized
Rowan Wilkison:
cybersecurity and civilian nuclear infrastructure that scored a, oh moving, it’s still moving, 9.1. I guess, yeah and then coming in at second we’ve got to better understand the threat landscape. Currently 8.6. Yeah, so I guess that’s what Marion sort of like spoke to us about at the beginning.
Talita Dias:
We need, we need to better understand the threats, both the cyber attacks that are out there and the types of cyber attacks that are out there, accidents that might happen as well, but also the consequences of those, those harms, and we also need to hear improved dialogue between the cyber and nuclear sectors. I think that’s an important step forward. Now on law, do we need cyber-specific, cyber-nuclear-specific norms, rules or best practices? That got a 6.4, so maybe we should stick to what we already have. Okay everyone, thanks so much for joining us today for this panel. Thanks to our speakers, thanks for your involvement, thanks for your answers to the survey. It was a real pleasure to be with you today. If you want to know more about our work, just go on our website. We also post things regularly on Twitter. Just follow our work, the work of our panelists, and yes, we will keep you informed about future developments that we are doing in this space. Thanks everyone again and bye. Greetings from Kyoto. Bye.
Speakers
Giacomo Persi Paoli
Speech speed: 153 words per minute; Speech length: 1311 words; Speech time: 516 secs
Arguments
The Open-Ended Working Group was set up to ensure greater visibility and active participation in discussions dealing with international cybersecurity.
Supporting facts:
- The Group of Governmental Experts has six iterations, with each iteration involving about 20 countries, including the permanent members of the Security Council.
- The Open-Ended Working Group, unlike the Group of Governmental Experts, is more transparent, as everything is open to the public.
- The Open-Ended Working Group allows the chair to publish a summary if consensus isn’t reached on a report.
Topics: International Cybersecurity, Group of Governmental Experts, Open-Ended Working Group
The protection of critical infrastructure has been a prevalent subject of discussion in the Open-Ended Working Group.
Supporting facts:
- As part of the framework for responsible state behavior in cyberspace adopted in 2015, critical infrastructure is a focal point of multiple norms.
- States are called to protect their own critical infrastructure and are recommended not to target the critical infrastructure of others.
- International assistance is encouraged for states whose critical infrastructure is targeted by cyber attacks.
Topics: International Cybersecurity, Critical Infrastructure Protection
No explicit reference to nuclear security was found in the consensus of the OEWG’s discussions
Supporting facts:
- States individually, in their national submissions to the Secretary General, do mention nuclear security.
- Some states have designed national cybersecurity strategies specifically to protect their nuclear infrastructure.
Topics: OEWG, nuclear security, consensus reports
State concerns regarding threats to civilian nuclear infrastructure by cyber operations are growing
Supporting facts:
- States have flagged their growing concerns over cyber threats to the Secretary General
- Cyber attacks increased during the pandemic across all sectors of society, including critical infrastructure.
Topics: cyber threats, nuclear infrastructure, cybersecurity
The private sector can play a significant role in helping states develop cyber resilience
Supporting facts:
- The OEWG covers state behavior
- Private sector can provide capacities and capabilities
Topics: State Behavior, Cyber Resilience
Report
The Open-Ended Working Group (OEWG) was established to ensure greater visibility and active participation in discussions dealing with international cybersecurity. The Group of Governmental Experts (GGE) has had six iterations, with each iteration involving approximately 20 countries, including the permanent members of the Security Council. Unlike the GGE, the OEWG is seen as more transparent, as everything is open to the public.
Furthermore, if consensus isn’t reached on a report, the chair has the authority to publish a summary. The OEWG has focused on the protection of critical infrastructure, which has been a prevalent subject of discussion. As part of the framework for responsible state behaviour in cyberspace, critical infrastructure is a focal point of multiple norms.
States are called to protect their own critical infrastructure and are encouraged not to target the critical infrastructure of others. International assistance is also encouraged for states whose critical infrastructure is targeted by cyber attacks. However, the OEWG may not be the right forum for detailed discussions on how general norms apply to specific sectors or types of infrastructure.
It is viewed as more suitable for discussions on evolving threats, norm implementation, and international impact. There is a need for a dedicated forum to discuss the implementation of general purpose norms for cyber nuclear security. Discussions within the OEWG have covered various aspects of critical infrastructure, such as medical infrastructure, energy, and financial sectors.
However, the limited time available has made it challenging for states to deeply explore any of these topics. Concerns regarding threats to civilian nuclear infrastructure by cyber operations are growing, as states have flagged their increasing concerns over cyber threats to the Secretary General.
Cyber attacks have also been on the rise during the pandemic, affecting all sectors of society, including critical infrastructure. The private sector can play a significant role in helping states develop cyber resilience. The private sector has capacities and capabilities that can contribute to enhancing cyber resilience efforts.
Public-private partnerships have been suggested as a tool to increase cyber resilience and have been flagged as a way forward. In conclusion, the OEWG serves to enhance visibility and participation in discussions on international cybersecurity. It has addressed the crucial issue of critical infrastructure protection.
However, it may not be the ideal platform for discussing specific sectors or types of infrastructure. The need for a dedicated forum for discussing the implementation of general purpose norms for cyber nuclear security has emerged. Concerns about threats to civilian nuclear infrastructure by cyber operations are growing, and the involvement of the private sector in developing cyber resilience is seen as significant.
Public-private partnerships are also being considered to increase cyber resilience.
Marion Messmer
Speech speed: 171 words per minute; Speech length: 2410 words; Speech time: 844 secs
Arguments
Civilian nuclear facilities can be targeted for various reasons such as their specific role in nuclear systems or their importance to the power supply grid.
Supporting facts:
- Cyber attacks can either be specific to nuclear systems or they can be collateral damage from other attacks.
- Nuclear power plants produce energy that is a crucial part of a country’s power supply.
Topics: Cybersecurity, Civilian nuclear systems, Targeted attacks
The addition of cyber security concerns to the nuclear energy sector, where physical safety has always been paramount, has changed the game.
Supporting facts:
- Originally, nuclear operators didn’t have to worry about IT security.
- The realization of cyber threats worried many people when it first emerged as a risk.
Topics: Cybersecurity, Nuclear energy, Safety concerns
New developments in the nuclear sector, like the spread of small modular reactors and microreactors, both pose a risk and an opportunity.
Supporting facts:
- Having more systems increases the risk by virtue of more reactors being there.
- These reactors are designed to be more accessible and provide stable power supply to remote regions.
- The diversification and length of the supply chain could introduce cybersecurity risks.
- The software for these reactors would be newer, but vulnerabilities could still be present.
Topics: Nuclear Sector, Small Modular Reactors, Microreactors
The war in Ukraine has brought new risks to civilian nuclear infrastructure
Supporting facts:
- The Zaporizhzhia power plant in Ukraine has been directly caught in the war
- Physical and cyber attacks on the power plant have been regular
- The power plant had to operate with reduced personnel who are working under stressful conditions
Topics: Nuclear Infrastructure, War in Ukraine
IAEA has been actively supporting the personnel operating the power plant
Supporting facts:
- IAEA has done its best to support the personnel operating the power plant
- IAEA has been monitoring the power plant and their actions have helped mitigate the risks
Topics: IAEA, Nuclear Infrastructure
Marion Messmer finds it hard to determine the exact likelihood of environmental, health, reputational, and equipment risks, but stresses that we must take preventive measures due to the potentially severe outcomes.
Topics: environmental risks, health risks, reputational risks, equipment risks
Marion Messmer states that the design of the reactors at Zaporizhzhia makes a Chernobyl-like situation less likely.
Topics: Zaporizhzhia case, nuclear reactor designs, Chernobyl
Even if small modular reactors are put underwater, a radiological incident would have severe consequences for the environment
Supporting facts:
- The ocean is part of our ecosystem
- The water will mix and the radiation would spread
- We drink some of the water that comes from the sea
Topics: nuclear power, underwater reactors, environmental impact
Report
The analysis explores the topic of cybersecurity risks in nuclear facilities and their potential impact. It highlights that cyber attacks can target civilian nuclear facilities either due to their specific role in nuclear systems or their importance to a country’s power supply.
Given that nuclear power plants are a crucial part of a nation’s energy infrastructure, any disruption or compromise can have significant consequences. The analysis notes that awareness of these risks has evolved over time, indicating a need for improved security measures.
It mentions that older nuclear power plants initially believed they were safe from cyber threats due to their bespoke IT infrastructure. However, as plants updated and integrated off-the-shelf IT systems, they also had to incorporate cybersecurity measures. Consequently, new regulations and training procedures were required to address these emerging risks.
Moreover, the addition of cybersecurity concerns to the nuclear energy sector, where physical safety has always been of utmost importance, has changed the game. This realization of cyber threats has caused worry among many individuals and organizations involved in the nuclear energy sector.
The analysis also highlights the risks and opportunities presented by new developments in the nuclear sector, such as small modular reactors and microreactors. While these developments can provide a stable power supply to remote regions, they also increase the risk due to the presence of more reactors.
The diversification and length of the supply chain in these systems can introduce cybersecurity vulnerabilities. However, the analysis emphasizes that newer reactors are designed with a focus on safety, and awareness of cybersecurity in these systems is more advanced than before.
Advancements in design and operator training contribute to reducing the potential risks associated with these developments. Notably, the war in Ukraine has brought new risks to civilian nuclear infrastructure. The analysis mentions the Zaporizhzhia power plant in Ukraine, which has been directly affected by the conflict.
Regular physical and cyber attacks on the power plant underline the vulnerability of such infrastructure during times of conflict. The analysis also notes that managing these risks requires particular attention to potential disruptions to the cooling system for the reactors.
A disconnection from the grid, for example, could interfere with the cooling system, leading to a reactor meltdown. Backup generators have been put in place at the Zaporizhzhia power plant to ensure that cooling can still occur. The International Atomic Energy Agency (IAEA) has had a positive impact by actively supporting the personnel operating the power plant.
Their monitoring and actions have played a crucial role in mitigating risks. It is evident that their involvement is essential in maintaining the security and safety of nuclear facilities. Additionally, the analysis emphasizes the importance of addressing environmental, health, reputational, and equipment risks associated with nuclear energy.
While it may be challenging to determine the exact likelihood of these risks, the potential severe outcomes warrant preventive measures. Messmer finds reassurance in the current safety operations and mitigating actions being taken, particularly in the case of the Zaporizhzhia power plant.
This implies that efforts are being made to address the risks involved in nuclear facilities caught in conflicts. Furthermore, Messmer highlights the significance of reactor design in reducing the likelihood of a Chernobyl-like incident. It is essential to consider potential scenarios as nuclear energy becomes more prevalent due to the energy transition.
Conflicts involving power plants could increase, necessitating effective management strategies for such situations. Lastly, the analysis raises concerns about putting reactors underwater, as even small modular reactors can pose severe consequences for the environment in the event of a radiological incident.
While the idea of hiding reactors underwater may seem appealing, the potential spread of radiation due to water mixing remains a significant risk. In conclusion, the analysis provides a comprehensive overview of cybersecurity risks in nuclear facilities. The increasing awareness of these risks has led to improved security measures and regulations.
New developments in the nuclear sector offer both opportunities and risks, which are being addressed through advancements in design and operator training. The war in Ukraine and the associated risks to civilian nuclear infrastructure highlight the need for managing potential disruptions to cooling systems.
The involvement of organizations such as the IAEA has proven valuable in mitigating these risks. Additionally, the analysis emphasizes the significance of preventive measures to address environmental, health, reputational, and equipment risks in the nuclear energy sector. Marion Messmer’s insights further contribute to the discussion, emphasizing the importance of safety operations, reactor design, and effective management strategies.
Michael Karimian
Speech speed: 190 words per minute; Speech length: 939 words; Speech time: 296 secs
Arguments
Tech sector plays a central role in providing digital solutions for safety, security of nuclear systems and everyday processes
Supporting facts:
- Tech sector provides ICT infrastructure
- Many entry points into the IT systems increases risk
Topics: Tech sector, Nuclear systems, Digital Solutions, Cybersecurity
The tech sector should prioritize cybersecurity by design.
Supporting facts:
- The threat landscape is ever-evolving.
Topics: Tech sector, Cybersecurity
Continuous innovation and transparency in threat sharing from the tech sector is important
Supporting facts:
- Actively researching and sharing threat intelligence is essential
Topics: Tech sector, Innovation, Threat sharing
Education and training play an important role in cybersecurity
Supporting facts:
- Tech companies can provide guidance on cybersecurity best practices
Topics: Education, Training, Cybersecurity
Multi-stakeholder engagement and collaboration is key in addressing cybersecurity challenges
Supporting facts:
- Collaboration between tech sector with governments, civil society, and other companies is essential
Topics: Multi-stakeholder engagement, Collaboration, Cybersecurity
Underlying cyber security risks are universal across all sectors
Supporting facts:
- 80% of cyber incidents traced to missing security practices
- 90% of compromised accounts lacked multi-factor authentication
Topics: Cyber Security, Tech Industry, Civilian Nuclear Sector
Basic cyber hygiene practices can mitigate many cyber security threats
Supporting facts:
- Many attacks by nation-state actors use low-tech means
- A case in Germany involved a user introducing malware via a USB stick
- 26% of users use multi-factor authentication
Topics: Cyber Security, Cyber Hygiene, Tech Industry
Cloud-based systems offer better protection than on-premises systems
Supporting facts:
- Holistic, adaptive, global cyber protection is better facilitated in the cloud than on-premises
Topics: Cloud Technology, On-premise Technology, Cyber Security
All sectors, including the nuclear sector, should adhere to general guidance for cyber security
Supporting facts:
- Protect user identities, apply updates asap, use advanced anti-malware, enable auditing resources and prepare incident response plans
- IAEA guidelines are aligned with this general guidance
Topics: General Cyber Security Guidelines, Tech Industry, Civilian Nuclear Sector
Report
The tech sector plays a central role in providing digital solutions for safety, security, and everyday processes, including nuclear systems. It provides ICT infrastructure that is crucial for these purposes. However, the tech sector’s involvement also increases the risk of cyber threats due to the many entry points into its IT systems.
Therefore, it is essential for the tech sector to prioritize cybersecurity by design. One of the main arguments is the ever-evolving threat landscape. The continuous advancements in technology result in a constantly changing and sophisticated threat landscape. Thus, the tech sector must prioritize cybersecurity measures to effectively combat these threats.
Continuous innovation and transparency in threat sharing are also considered crucial. Actively researching and sharing threat intelligence is essential to stay ahead of cyber threats. By engaging in innovation and sharing information, the tech sector can contribute to creating a safer online environment.
Education and training in cybersecurity are also highlighted. Tech companies can provide guidance on cybersecurity best practices, contributing to the education of individuals and organizations in protecting themselves against cyber threats. This emphasizes the importance of quality education and training for ensuring cybersecurity.
The significance of multi-stakeholder engagement and collaboration in addressing cybersecurity challenges is underscored. Collaboration between the tech sector, governments, civil society, and other companies is seen as essential to effectively tackle cybersecurity issues. By working together and sharing knowledge and resources, it becomes easier to address the complex nature of cyber threats.
Microsoft’s stance is mentioned, as they believe in proactively taking steps to address cybersecurity risks. As part of their commitment, they are involved in initiatives like the Cybersecurity Tech Accord, which aims to improve cybersecurity across the industry. Microsoft’s active involvement showcases the importance of industry leaders taking responsibility and actively addressing cybersecurity challenges.
Basic cyber hygiene practices are also highlighted. It is mentioned that good yet basic cyber hygiene can significantly reduce the risk of cyber threats. This includes practices such as protecting user identities, applying updates as soon as possible, using advanced anti-malware, enabling auditing resources, and preparing incident response plans.
Following these practices allows individuals and organizations to mitigate many cybersecurity risks. In terms of technology solutions, cloud-based systems are recommended over on-premises systems for better cyber protection. Cloud-based systems offer holistic, adaptive, and global cyber protection, which is facilitated better compared to on-premises systems.
Lastly, the summary emphasizes the importance of adherence to general guidance for cybersecurity across all sectors, including the nuclear sector. Protecting user identities, applying updates as soon as possible, using advanced anti-malware, enabling auditing resources, and preparing incident response plans are considered essential for all sectors.
The International Atomic Energy Agency’s guidelines align with this general guidance, further emphasizing the importance of adherence to cybersecurity measures across sectors. Overall, the summary highlights the tech sector’s importance in providing digital solutions for safety, security, and everyday processes.
It emphasizes the need for prioritizing cybersecurity by design, continuous innovation and transparency in threat sharing, education and training, multi-stakeholder engagement and collaboration, adherence to basic cyber hygiene practices, and the use of cloud-based systems. These measures are crucial to mitigating cyber threats and creating a secure online environment.
Priya Urs
Speech speed: 178 words per minute; Speech length: 871 words; Speech time: 293 secs
Arguments
International law doesn’t yet have specific rules that prohibit or otherwise address cyber operations on civilian nuclear infrastructure.
Supporting facts:
- States are increasingly recognizing civilian nuclear infrastructure as part of their critical infrastructure, which states suggest should be protected against cyber operations.
- This recognition has not translated into specific legal protections.
Topics: cyber operations, international law, civilian nuclear infrastructure
The prohibition on intervention is agreed upon by states but the specific activities that constitute intervention are not uniformly agreed upon
Supporting facts:
- There are two requirements for intervention to be unlawful, one that it should address the internal or external affairs of a state, and secondly, the intervention should coerce the targeted state
- States widely agree on the prohibition of intervention but have disagreements on what activities are prohibited under this rule
Topics: principle of non-intervention, civilian nuclear infrastructure, cyber operations
Importance of getting at the cybersecurity problem from different angles
Supporting facts:
- Need for preventative measures of cybersecurity
- Addressing incidents when they occur and legal accountability
Topics: cybersecurity, legal accountability
Report
The analysis examines the issue of cyber operations targeting civilian nuclear infrastructure within the framework of international law. The first argument highlights the absence of specific rules in international law that directly address cyber operations on civilian nuclear infrastructure. While states recognize the importance of protecting civilian nuclear infrastructure as critical infrastructure against cyber operations, there is a lack of concrete legal protections.
The second argument is that while general rules of international law, including treaties and customary international law, may potentially apply to this context, their specific application presents challenges. These general rules encompass aspects such as the use of force by states, the prohibition of intervention in another state’s affairs, respect for state sovereignty, and the due diligence obligations of states.
However, it is important to note that these rules were not designed with cyber operations in mind. The third and fourth arguments focus on the prohibition of intervention, a principle agreed upon by states, but with variations in the definition of activities that constitute intervention.
The generally accepted requirements for intervention to be deemed unlawful are that it must address the internal or external affairs of a state and that it should coerce the targeted state. However, there are disagreements among states regarding the specific activities that fall under this prohibition.
The fifth argument is that a cyber operation that disrupts the production of nuclear energy can be seen as coercive and may therefore constitute unlawful intervention. This reflects the view that if a state adopts a policy regarding the generation of nuclear energy, a cyber operation that disrupts its production would be deemed coercive and thus unlawful.
On the other hand, the sixth argument is that cyber operations such as surveillance or data breaches may not be perceived as coercive, since they do not directly hinder a state’s policy implementation. These types of operations, which do not interrupt the implementation of a state’s policy, may not be considered unlawful intervention.
The analysis also highlights the importance of preventative measures in cybersecurity and the need for legal accountability. It emphasizes the significance of addressing the cybersecurity problem from multiple angles, including proactive measures and holding accountable those responsible for incidents. In conclusion, the analysis underscores the lack of specific rules in international law regarding cyber operations on civilian nuclear infrastructure.
While general rules of international law may have some relevance, applying them in the context of cyber operations poses challenges. The debate surrounding the definition and scope of intervention further complicates the issue. The analysis also emphasizes the complexity of distinguishing between coercive and non-coercive cyber operations.
Finally, it underscores the necessity of comprehensive cybersecurity measures and legal accountability in addressing this complex issue.
Rowan Wilkison
Speech speed
139 words per minute
Speech length
585 words
Speech time
252 secs
Arguments
Concerns about the security failures in IT networks of nuclear plants
Topics: Cybersecurity, Nuclear Safety
Modernization of cybersecurity and civilian nuclear infrastructure is a high priority
Supporting facts:
- The survey score for this topic is 9.1
Topics: Cybersecurity, Nuclear Infrastructure
Better understanding of the threat landscape is also important
Supporting facts:
- The survey score for this topic is 8.6
Topics: Threat Landscape, Cybersecurity
Report
Concerns have been raised regarding the security failures within the IT networks of nuclear plants. These concerns arise from the potential harm and disastrous outcomes that could result from such failures. It is imperative to address these shortcomings and take measures to prevent any adverse consequences.
The modernization of cybersecurity and civilian nuclear infrastructure is seen as a high priority in mitigating the risks associated with these security failures. This would involve implementing advanced and robust security measures to safeguard the IT networks of nuclear plants.
By prioritising the improvement of cybersecurity, the likelihood of breaches and potential threats can be significantly reduced. Furthermore, gaining a better understanding of the threat landscape is crucial. This entails identifying potential vulnerabilities and weak points within the IT systems of nuclear plants and staying updated on the latest cyber threats.
By doing so, appropriate measures can be taken to prevent any breaches or malicious activities. It is worth noting that these issues align with various Sustainable Development Goals (SDGs). Specifically, they relate to SDG 9 – Industry, Innovation and Infrastructure, as the modernisation of cybersecurity and civilian nuclear infrastructure falls within the scope of enhancing industry and infrastructure.
Additionally, these concerns also relate to SDG 13 – Climate Action, as the disastrous outcomes of security failures within nuclear plants can have severe environmental implications due to the link to radiation. Moreover, the issues raised have implications for SDG 16 – Peace, Justice, and Strong Institutions.
By addressing the security failures in nuclear plant networks, stronger justice systems and institutions can be established to ensure the safety and security of critical infrastructure. This, in turn, contributes to promoting peace and stability. In conclusion, the concerns surrounding security failures in IT networks of nuclear plants highlight the need for immediate action.
Modernizing cybersecurity and civilian nuclear infrastructure is crucial not only for the industry but also for addressing environmental concerns and maintaining peace and justice. By prioritising these areas and adopting proactive measures, the risks posed by security failures can be effectively mitigated.
Talita Dias
Speech speed
153 words per minute
Speech length
4668 words
Speech time
1833 secs
Arguments
Increased cyber and nuclear risks pose a significant threat to national security and global stability
Supporting facts:
- Cyber operations are targeting all types of infrastructure, including critical sectors like healthcare and energy
- There have been cyber attacks against civilian and military nuclear systems in different parts of the world
Topics: Cybersecurity, Nuclear Energy
Talita Dias is questioning the actual likelihood of the risks associated with cyber operations targeting civilian nuclear infrastructure.
Topics: cyber operations, nuclear infrastructure, risk assessment
The IAEA, in cooperation with member states, develops guidance and recommendations for computer security measures with the consultation of technical experts
Supporting facts:
- IAEA’s guidance for cybersecurity includes a defense in depth approach, risk assessment, instituting security policies, access controls, network security, incident detection and response, encryption, physical security
- IAEA continuously conducts security audits and assessments to detect new vulnerabilities
- IAEA also helps in capacity building by holding hundreds of sessions each year to train nuclear facility operators
Topics: Cybersecurity, Nuclear Facilities
Talita Dias asks whether the IAEA’s recommended measures have been adopted by the Convention on the Physical Protection of Nuclear Material
Topics: Convention on the Physical Protection of Nuclear Material, Adoption of IAEA’s recommendations
Multi-stakeholderism is crucial to protect civilian nuclear facilities from cyber security threats
Supporting facts:
- The contribution of the private sector in helping states develop capacities has been pointed out
- Public-private partnerships are considered a robust way forward to increase cyber resilience of member states
Topics: Internet Governance Forum, Cyber Security, Civilian Nuclear Facilities
There is a need for clarifying what constitutes the prohibition on intervention in the cyber landscape with regards to states’ civilian nuclear infrastructure.
Supporting facts:
- An intervention has to address the internal or external affairs of a state to be considered unlawful.
- Also, the intervention needs to be coercive to be unlawful.
- Cyber operations that disrupt the production of nuclear energy can be coercive and thus unlawful.
Topics: Cyber Law, Nuclear Power, State Sovereignty
The question of individual responsibility in cyber operations is important to address.
Supporting facts:
- Current rules discussed pertain to state responsibility rather than the responsibility of individuals.
Topics: Cyber Law, Individual Responsibility, State Responsibility
Understanding of the threat landscape in cyber and nuclear sectors is crucial
Supporting facts:
- Different types of cyber attacks exist.
- Accidents can happen in the nuclear sector and the potential consequences are significant.
Topics: Cyber attacks, Accidents in nuclear sector
We need improved dialogue between the cyber and nuclear sectors
Topics: Cyber sector, Nuclear sector
Report
Increased cyber and nuclear risks present a significant threat to national security and global stability. Cyber operations are targeting critical sectors such as healthcare and energy, as well as civilian and military nuclear systems worldwide. It is urgently necessary to develop international technical standards, rules, principles, and non-binding norms to ensure the cybersecurity of civilian nuclear infrastructure.
This is particularly crucial given the growing use of small modular reactors and artificial intelligence, which could expand the potential targets for cyber operations. The International Atomic Energy Agency (IAEA) plays a vital role in this area by providing guidance and recommendations for computer security measures.
It also conducts ongoing security audits and assessments to detect vulnerabilities and offers training sessions for nuclear facility operators. However, there is some debate surrounding the binding nature of the IAEA’s recommendations. To enhance cyber resilience, it is essential to foster multi-stakeholderism and public-private partnerships.
The private sector’s involvement in assisting states in building their cybersecurity capacities is recognised, and public-private partnerships are seen as a robust strategy for enhancing the cyber resilience of member states. One area of contention involves determining what constitutes intervention in the cyber landscape regarding civilian nuclear infrastructure.
Understanding the threat landscape in both the cyber and nuclear sectors is critical, as accidents within the nuclear sector can have significant consequences. Improved dialogue between the cyber and nuclear sectors is necessary to effectively address these risks. Through dialogue, stakeholders can exchange knowledge and best practices, identify potential gaps in cybersecurity measures, and collaborate on developing effective strategies to mitigate cyber threats.
The need for specific cyber nuclear norms, rules, or best practices is currently being debated. The current feedback on this issue indicates a score of 6.4, highlighting the ongoing discussions and varying perspectives on the necessity of such measures. In conclusion, the increasing cyber and nuclear risks pose significant threats to national security and global stability.
Developing international technical standards, rules, principles, and non-binding norms is crucial to safeguarding the cybersecurity of civilian nuclear infrastructure. Collaboration between stakeholders, including public-private partnerships, is necessary to enhance cyber resilience. Clarifying the prohibition on intervention in the cyber landscape and understanding the threat landscape in both the cyber and nuclear sectors are key areas of focus.
The necessity of cyber-nuclear-specific norms, rules, or best practices is subject to ongoing debate and discussion.
Tariq Rauf
Speech speed
144 words per minute
Speech length
2507 words
Speech time
1047 secs
Arguments
The International Atomic Energy Agency has issued more than 30 documents providing guidance and recommendations on nuclear security, focusing both on security and safety of the facilities.
Supporting facts:
- Nuclear security and safety cover the integrity of the instrumentation and control system, containment of reactivity and of any release of radioactivity, ensuring that heat removal and the cooling system of a nuclear reactor are not compromised, and the confinement and control of nuclear materials
Topics: IAEA, Nuclear security, Nuclear safety
Cybersecurity is integral to nuclear security and safety, where a malicious cyber attack can lead to leaks in the cooling system of an operating nuclear facility.
Supporting facts:
- Cybersecurity is considered as computer security of nuclear facilities
- There has been at least one incident suspected to be caused by a malicious cyber attack that leaked coolant from an operating nuclear facility
Topics: Cybersecurity, nuclear security
No consideration of using submerged small and medium-sized reactors for power generation
Supporting facts:
- About 80 designs are currently under discussion, of which about three first-of-a-kind units are close to maturity for testing, but all of these are land-based
Topics: Small modular reactors
SMRs and MMRs are sealed reactor units that are more secure than large nuclear power plants
Supporting facts:
- These do not need to be refueled partially or completely every year or every few years
Topics: Nuclear energy, Nuclear security
Need to ensure the integrity of the instrument control system and regulation of the reactor
Supporting facts:
- Instances of compromise have usually come through back doors: either ones deliberately left open by contractors so that they could perform servicing from home or from their office, or inadvertent back doors created when USB sticks were inserted into some part of the facility’s computer system
Topics: Nuclear energy, Nuclear security
The IAEA produces IT security guidance for nuclear facilities in cooperation with its member states
Supporting facts:
- This is a joint effort between the technical experts of member states and the experts of the IAEA Secretariat.
- Over 30 documents have been issued by the IAEA.
Topics: IAEA, IT security, Nuclear facilities
IAEA’s cybersecurity measures are designed to prevent, respond and recover from attacks
Supporting facts:
- Computer security measures can be assigned to technical control measures, facility control measures or administrative control measures.
- Measures include a defense in depth approach, risk assessment, instituting security policies and procedures, access controls, network security, incident detection and response among others.
Topics: IAEA, Nuclear facilities, Cybersecurity
Emphasis is placed on continuous security audits, international cooperation, and capacity building
Supporting facts:
- IAEA holds hundreds of sessions a year at various locations to build capacity and train nuclear facility operators.
- Participation in security audits and assessments to discover new vulnerabilities is highly encouraged.
Topics: IAEA, Nuclear facilities, Cybersecurity, Capacity building
The Convention on the Physical Protection of Nuclear Material (CPPNM) is not universally binding and only applies to countries that have acceded to it.
Supporting facts:
- The amendment to the CPPNM in 2005 mainly extended its scope to cover nuclear material in peaceful uses, domestic storage and transport.
- State parties were unable to agree on the application of CPPNM to military nuclear material.
- Only 17% of the world’s highly enriched uranium and plutonium is under International Atomic Energy Agency safeguards.
Topics: CPPNM, Nuclear Material
There is a struggle between protecting national sovereignty and protecting against cyber and other malicious attacks that could result in widespread radiation.
Supporting facts:
- Fukushima and Chernobyl demonstrated that the effects of nuclear accidents can be transboundary, affecting regions beyond the territory of the accident state.
- The problem of cyberattacks on nuclear facilities leading to the release of radiation is a major concern.
Topics: Cybersecurity, National Sovereignty, Radiation
Industry is increasingly providing expertise and technology solutions to international organizations like the IAEA.
Supporting facts:
- International organizations are increasingly interacting with industry.
Topics: Private Sector Engagement, Technology
IAEA needs to overcome suspicion and build more trust and cooperation with industry.
Supporting facts:
- IAEA has to buy commercial products like Palantir for managing big data.
- IT experts at IAEA cannot match the expertise and capabilities of states.
Topics: Trust Building, Industry Cooperation
IAEA should be the authority to regulate nuclear security and cybersecurity
Supporting facts:
- IAEA has produced guidance such as computer security techniques for nuclear facilities, security of information technology, computer security for nuclear power plants, etc.
- Operators need a license from the state regulator to run nuclear facilities.
- The licenses need to be regularly renewed.
Topics: nuclear security, cybersecurity, IAEA
Report
The International Atomic Energy Agency (IAEA) has issued more than 30 documents providing guidance and recommendations on nuclear security. These documents primarily focus on the integrity of the control systems, containment and control of nuclear materials, and ensuring the safety of nuclear facilities.
The IAEA plays a significant role in promoting nuclear security. However, the primary responsibility for nuclear security lies with states and operators. While international conventions like the Convention on the Physical Protection of Nuclear Material do exist, states and operators are responsible for ensuring the security of their nuclear facilities.
The Convention primarily focuses on nuclear security and aims to protect nuclear material during international transport. Cybersecurity is a crucial aspect of nuclear security and safety. A malicious cyber attack can lead to serious consequences, including the compromise of the cooling system of a nuclear facility.
There have been incidents suspected to be caused by cyber attacks that have resulted in leaks in the cooling system of operating nuclear facilities. It is crucial to implement robust cybersecurity measures to prevent, respond to, and recover from such attacks.
Small modular reactors (SMRs) and sealed reactor units are seen as more secure options compared to larger nuclear power plants. SMRs are compact and have sealed reactor units that do not require frequent refueling. This enhances their security and reduces the risk of accidents or material misuse.
The IAEA plays a pivotal role in providing IT security guidance to nuclear facilities. It collaborates with its member states to produce comprehensive cybersecurity measures, which include defense in depth approaches, risk assessment, security policies and procedures, access controls, network security, and incident detection and response protocols.
Capacity building and international cooperation are essential elements in improving nuclear security. The IAEA facilitates capacity building by conducting training sessions at various locations to enhance the skills of nuclear facility operators. It also encourages participation in security audits and assessments to discover new vulnerabilities.
While the Convention on the Physical Protection of Nuclear Material (CPPNM) is an important international instrument for nuclear security, it is not universally binding. Only countries that have acceded to the CPPNM are subject to its provisions. However, the CPPNM amendment in 2005 extended its scope to cover nuclear materials in peaceful uses, domestic storage, and transport.
There is significant concern regarding the potential risks associated with cyber attacks on nuclear facilities. Fukushima and Chernobyl disasters have highlighted the transboundary effects of nuclear accidents. The release of radiation resulting from cyberattacks on nuclear facilities is a major concern.
Balancing the protection of national sovereignty and the prevention of widespread radiation is a challenging task. It is argued that every nation, especially those with nuclear power plants, should accede to the CPPNM to promote international safety. Iran, for example, operates a nuclear power plant but has not yet acceded to the convention.
After the Fukushima accident, there were efforts to make the CPPNM mandatory for all 31 states that operate nuclear facilities. The involvement of the private sector in nuclear security is increasing. International organizations like the IAEA are interacting more with industry, which provides expertise and technology solutions to enhance overall nuclear security efforts.
However, international organizations like the IAEA face the risk of system penetration by state actors. The IAEA deals with highly classified information about the nuclear activities of more than 180 states. State-originated cyber attacks like Stuxnet and Olympic Games on Iran’s enrichment facilities have underscored the need to address this challenge.
Building trust and cooperation with industry is crucial for the IAEA. While the organization has purchased commercial products for managing big data, its IT experts may not match the expertise and capabilities of states. Strengthening cooperation with industry can help overcome suspicion and further enhance nuclear security efforts.
The conclusion drawn from the analysis suggests that the IAEA should have the authority to regulate nuclear security and cybersecurity. An international, legally binding framework for cybersecurity in nuclear facilities is necessary to address the current reliance on national responsibility.
Conventions for liability also need to consider damage resulting from cyber incidents at nuclear facilities. Overall, the summary highlights the importance of nuclear security, the role of the IAEA and international conventions, the need for robust cybersecurity measures, and the challenges posed by cyber attacks.
It emphasizes the significance of trust, cooperation, and capacity building to enhance nuclear security and promote international safety.
Tomohiro Mikanagi
Speech speed
129 words per minute
Speech length
934 words
Speech time
433 secs
Arguments
Different countries have different interpretations of sovereignty in international law, specifically in relation to cyber attacks
Supporting facts:
- The UK does not see any stand-alone obligation arising from sovereignty apart from non-intervention rules
- France views any cyber operation causing an effect within its borders as a violation of sovereignty
- The US, Germany, and Japan believe a certain level of harmful effect needs to be caused in their territory for it to be considered a violation of sovereignty
Topics: Cybersecurity, International Law, Sovereignty
Cyber operations targeting nuclear facilities could cause severe effects and are likely considered unlawful under international law
Supporting facts:
- According to Mikanagi, the more harmful a cyber operation is, the more likely it is to be considered unlawful
- Because nuclear facilities are more vulnerable, a cyber attack on them could lead to more serious physical effects
Topics: Cybersecurity, Nuclear Infrastructure, International Law
Due diligence obligation in international law is not clearly defined
Supporting facts:
- The ICJ in 1949 referred to an obligation not to knowingly allow a state’s territory to be used for acts contrary to the rights of other states
Topics: International Law, Territorial Obligation, Cyber Operations
Uncertainty exists among states whether this obligation or principle applies to cyber operations
Supporting facts:
- UK and the US are skeptical about the application of this rule to cyber operations, while Japan, Germany, and India are more flexible
Topics: Cyber Operations, State Responsibility
No clear application exists for the territorial state’s due diligence obligation in the area of nuclear security
Supporting facts:
- Discussion is ongoing but not yet clear
Topics: Nuclear Security, Cyber Operations, State Responsibility
The existing Convention on the Physical Protection of Nuclear Materials could theoretically cover sabotage through cyberattacks
Supporting facts:
- The Convention does not explicitly mention cybersecurity, but its definition of sabotage could extend to sabotage conducted via cyber attacks
- The Convention was amended in 2005 to include nuclear facilities
Topics: Cybersecurity, Nuclear Security, Convention on the Physical Protection of Nuclear Materials
Report
The interpretation of sovereignty in relation to cyber attacks varies among different countries. The UK does not see any standalone obligation arising from sovereignty apart from the non-intervention rules, while France views any cyber operation causing an effect within its borders as a violation of sovereignty.
The US, Germany, and Japan believe a certain level of harmful effect needs to be caused in their territory for it to be considered a violation of sovereignty. In terms of cyber attacks targeting nuclear facilities, it is argued that they could have severe effects and are likely to be considered unlawful under international law.
Mikanagi believes that there needs to be a consensus on what constitutes a harmful effect in a cyber attack in order to determine if a violation of sovereignty has occurred. Additionally, the due diligence obligation in international law is not clearly defined, leading to uncertainty among states as to whether this obligation applies to cyber operations.
Furthermore, there is no clear application for the territorial state’s due diligence obligation in the area of nuclear security, and discussions on this matter are ongoing. The existing Convention on the Physical Protection of Nuclear Materials could potentially cover sabotage through cyber attacks, despite not explicitly mentioning cybersecurity.
Given this, it may be more feasible to discuss cyber security issues related to nuclear facilities within the context of established conventions such as this one. Overall, the varying interpretations of sovereignty and the lack of consensus, clarity, and application of international laws and conventions contribute to the complexity of addressing cyber security issues effectively.