How to protect nuclear facilities from virus attacks? Risk assessment – new tendency for prevention of cyber security threats

Currently, the Ukrainians pay more attention to the issues related to critical infrastructure cyber security. One of the reasons for this is “Petya” virus that suddenly infected considerable number of IT-systems of the country. Currently, the Cyber Incident Response Center has been already established and is functioning in Ukraine. The website editors contacted with Sergiy Drapey, the expert of the George Kuzmycz Training Center for Physical Protection, Control and Accounting of Nuclear Material and discussed the fact what exactly lacks the Ukraine to implement a comprehensive program for the prevention of cyber security threats.

Sergiy Drapey – expert of the George Kuzmycz Training Center for Physical Protection, Control and Accounting of Nuclear Material

 – Mr. Drapey, last September, you proposed to create in Ukraine a cyber-security unit for nuclear facilities. In February 2018, the Cyber Incident Response Center was established. Is such center capable to protect the nuclear industry facilities from virus attacks?

– Last year I mentioned that it is necessary to create the corresponding unit of immediate response for cyber threats in Ukraine at the level of nuclear power plants and the Regulator. This unit should include the experts of all nuclear facilities of Ukraine, as well as the representatives of the SNRIU, Energoatom and the Ministry of Energy and Coal Industry of Ukraine.

As far as I know, currently such units exist at the level of nuclear facilities, but the interdepartmental unit was not established yet. Still, I think that we shall come to this sooner or later and the Cyber Incident Response Center shall be due in no small part to this.

For Ukraine, the creation of such Center is undoubtedly a step forward. It`s experts shall deal with exploring the Internet for timely detection of dangerous viruses and programs. It is too early to speak about considerable strengthening of cyber security system in Ukraine since the Center was established two months ago.

Frankly speaking, I believe that for such technologically developed country as ours – one Cyber Incident Response Center is not enough. In Ukraine there is a long overdue need to establish regional and cross-sectoral centers managed by Cyber Incident Response Center or by Cyber Security Situational Center established on the basis of the Main Department of Counter-intelligence Protection of the State Interests in the Sphere of Information Security of State Security Service of Ukraine.

– Were there the virus attacks on nuclear facilities in Ukraine recently?

– As far as I know, there were no such cases. This is due to the fact that almost all of the networks of nuclear facilities in Ukraine are closed, and the personnel undergo corresponding check what minimizes the probability of internal offender.

However, it does not mean that there is no need in the improvement of cyber security of nuclear facilities in Ukraine. It is necessary to establish the interdepartmental cyber security unit for nuclear facilities to analyze all worldwide cybercrimes, to evaluate each case and to be prepared to implement countermeasures at any time. There is no need to expect new problems, it is better to act on prevention, learn from others’ but not own mistakes.

– How cyber security systems are improved in the developed countries?

– I would probably stopped at the U.S. experience.

Understanding that stability of nuclear power, economy, medicine and, finally, of the entire nation as a whole depends on the proper cyber security – the former president of the United States Barack Obama signed a Decree on Improving Critical Infrastructure Cyber Security in 2013. After that, the National Institute of Standards and Technology of the United States (NIST) faced the challenge to develop and implement the standards based on risk assessment. On October 2, 2013, NIST presented the draft Guide with preliminary description of the structure of the standards.

Currently, there is a set of Guides that support the proper level of functioning of the unified information security framework in the USA.

First of all it is referred to the Guide for Applying the Risk Management Framework to Federal Information Systems (Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach); Recommended Security Controls for Federal Information Systems and Organizations (Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations); Guide for Conducting Risk Assessments (Draft Special Publication 800-30, Guide for Conducting Risk Assessments), etc.

 Besides, in the USA there is used a set of the following international standards:

  • ISO/IEC 31000, Risk-management – principles and guidelines;
  • ISO/IEC 31010, Risk-management – risk assessment methods;
  • ISO/IEC 27001, Information technologies – Security technics – Code of practice of information security – Requirements;
  • ISO/IEC 27005, Information technologies – Security technics – Information security risk management.  

I think that similar documents must be developed and enforced in Ukraine to implement a comprehensive program for prevention of cyber threats.

In addition, it would not come a miss to improve the level of training of critical infrastructure cyber security experts. In general, the Cyber Security System is functional in Ukraine, but we have to improve a lot of things. Editorial Board