In this posting I present a white paper, published jointly by Nixu, Teollisuuden Voima (TVO) and the Finnish Radiation and Nuclear Safety Authority (STUK) in Vienna in early June, discussing ways of developing and maintaining information security management in a nuclear power plant. The event is the International Conference on Computer Security in a Nuclear World: Expert Discussion and Exchange (1st - 5th June, 2015), hosted by the International Atomic Energy Agency (IAEA).
The approach adopted at Teollisuuden Voima's third Olkiluoto plant is one of continuous threat assessment at both plant and system level, making it possible to meet all current as well as future security requirements.
One example of this approach is the checklists, which are updated whenever new threats are identified during an assessment. Any feedback stemming from the observation of day-to-day activities of the plant and the evaluation of documentation is also taken into account.
Thus far, measures required by this approach have been targeted at the working methods of subcontractors working at the Olkiluoto construction site, but the model can also be applied during other phases of the plant's lifecycle. Our presentation will also shed light on insights and results gained to date.
Why is this necessary?
Increasingly, modern nuclear power plants use digital automation systems. Because of this, information security has become an integral part of nuclear safety.
Institutions must be protected against unauthorised process changes and cyber attacks. However, information security must not interfere with the main issue: nuclear safety. Ensuring that the plants can operate continuously and without disturbances will also increase their profitability.
The need for information security wasn't really understood within the nuclear industry until the new millennium. The main reason for this late awakening was the longevity of the plants and their systems: most plants had been built in the 70s and 80s and already had closed and isolated control and automation systems. It was commonly thought that ensuring the physical safety of a nuclear power plant would also cover information security.
It wasn't until the appearance of the Stuxnet virus that the need for better information security was acknowledged. The industry came to realize that even older automation systems have to be protected against all security threats while making sure that the new systems, which will inevitably replace the old ones, are fully compliant with the requirements of the digital age.
In many ways, industrial automation challenges are the same for nuclear power plants as they are for any other area of industry. The biggest challenge is getting all subcontractors to adopt a uniform culture of security. Information security is a part of overall security, including personnel, physical, work and environmental safety. Security arrangements rely heavily on an operator's ability to self-regulate. In addition, a plant is subject to the regulation of independent authorities.
The fact that the white paper published in Vienna was a collaboration between an operator and a regulating authority speaks volumes about the Finns' ability to collaborate.