The consequences of cybercrime rank third in terms of negative impact on the world community. With increasing frequency, we hear the strange word "cybersecurity", whether in reports from Elon Musk or in the Black Mirror series. Still, it seems far removed from our everyday life. However, imagine that you need to go to a hospital and no one is admitting patients because all systems have been blocked by hackers (two months ago, Alabama hospitals paid hackers to unlock their information systems), or that all your personal Facebook and Google data have been transferred to an unknown destination and can be used against you at any time, which happened not so long ago.
We are afraid even to think what consequences the same actions could have at installations such as nuclear power plants. For example, one of the simplest scenarios that intruders can arrange: because of outside interference, sensor readings important to the plant's systems are supplied not from the controlled nodes but from an external source. The operator thus sees on the instrumentation that the system is operating normally, while in fact the reactor is gradually starting to get out of control.
Information security, or cybersecurity, is the security of data processing and storage systems, which ensures the confidentiality and integrity of information and prevents unauthorized access to it, including for the purpose of illegal use. From a practical viewpoint, cybersecurity is the set of measures that should be taken to prevent the unauthorized use, misuse and alteration of information, facts and data, as well as to protect the information field against outside influence. However, even if you build the strongest fortress in the world, there will immediately be a threat from someone with even more powerful weapons. Therefore, cybersecurity is primarily a matter of preventive measures that help to protect information and equipment against threats and against the exploitation of their vulnerabilities.
The experience of the Stuxnet virus, which was launched through an industrial controller and caused losses worth billions to Iran's nuclear energy sector, shows clearly that important industrial installations around the world remain vulnerable to cyberattacks. We asked Serhii Drapei, leading engineer of the George Kuzmich Training Center for Physical Protection, Accounting and Control of Nuclear Materials, whether the system for countering cyberattacks in the Ukrainian nuclear energy sector is adequate.
Serhii Drapei, leading engineer of the George Kuzmich Training Center for Physical Protection, Accounting and Control of Nuclear Materials
Mr. Serhii, please explain which units exactly deal with cybersecurity issues?
There are centers directly under the Security Service of Ukraine. Now the State Service of Special Communication and Information Protection of Ukraine is forming a list: a database of critical information infrastructure. NPPs submit their data to this database. The data will then be collected, evaluated and verified. CERT-UA now provides recommendations on how to organize information security. However, these recommendations are quite general. There are cyber police units under the Security Service of Ukraine, and the National Security and Defense Council of Ukraine is also involved in the cybersecurity system. The information technology services should deal with this at NPPs. However, information security is difficult to consider as part of physical protection. We can evaluate the risks to a system from a man with a grenade, but it is quite difficult to assess risks and form protection against a man with a laptop.
Can algorithms be developed and special responsible persons be defined to counteract cyber threats?
There should be an industry group that understands all kinds of physical hazards and can protect against them due to process requirements. These groups should be under the operating organizations, because without an understanding of the technical component it is impossible to establish standards and rules that work. All protected nuclear installations have different configurations of nodes, systems, units and so on. Therefore, the final group for developing these algorithms should include experts from different NPPs who understand the essence of the processes.
Serhii, is there a distribution of information by importance level and need for protection?
The physical protection system provides that no information from an NPP can be transferred outside the NPP without a special permit. It means that there are no physical channels through which this can be done. However, nobody checks, for example, whether there are invisible Wi-Fi channels for ordinary users. Special equipment is required for this.
However, as I understand, if these channels are not connected, then they cannot transmit information.
Yes, and who can check if your device has an additional Wi-Fi channel that cannot be seen without special equipment, but which can provide communication with the device without your knowledge? It can be a camera, a controller, and even a printer. As part of a cybersecurity course for the military, we connected a video camera made by a fairly expensive manufacturer. After the camera was configured, it was found that it still had a special channel for the operator, and we noticed it purely by accident. Through this channel, it was possible to connect to the general network and do anything.
Can physical protection experts be designated responsible for cybersecurity or should they be IT experts?
There are IT experts in physical protection, but their activity is limited, because manufacturers and suppliers provide finished products, even entire systems, and work with them does not require detailed verification by physical protection personnel. Since requirements for mandatory inspections are not set out in our legislation, this should at least be mentioned in the supply or maintenance contracts. This should be done before something similar to the Iranian situation happens. For example, an input equipment control may be set up and included in the status checkup as part of physical protection.
What is the best way to form the hierarchy of responsibility for cybersecurity?
The first thing to do is to form a group that can justify and describe possible issues. This should be done at the level of the Ministry, Energoatom and SNRIU, because unsolved cybersecurity issues are a loaded gun that can go bang at any time. It is necessary to perform periodic risk assessments to identify threats and vulnerabilities, and to have appropriate technologies and controls that take into account the importance of the protected information.
Uatom.org Editorial Board