History That Is Not Reflected
Alvin Hays, a half-century veteran of the nuclear industry and senior systems analyst at NPPD who participated in the April 2017 audit, said the vendor performed well overall, but that there were still some security kinks to work out. “There were areas where they didn’t realize they needed to have a policy,” Hays told me. “It was definitely still in draft form.”

In one case, Hays explained, a documented control had an effective date of the audit, meaning it had been assembled expressly for the inspection. Hays said it was NPPD policy to test all the gear it gets for vulnerabilities, even if the equipment comes from a trusted vendor.
The Culture to Make It Better
Discovering such vulnerabilities is not necessarily a cause for concern. In every industry, from nuclear to retail, a good malware hunter strives to find something. A reluctance to go looking for vulnerabilities, however, would be a problem. And while the nuclear industry has made strides in more proactively probing networks for bugs, observers like Tom Parkhouse say that, as in other industries, more can be done.

Parkhouse, the top cybersecurity official at the British regulator, the Office for Nuclear Regulation, said he came across an organization working in the nuclear sector that ties employee bonuses to having a clean sheet for reporting cyber vulnerabilities. Meaning, if you flagged no vulnerabilities, you could be eligible for a bonus. Parkhouse declined to say whether that was a vendor or some other organization, but stressed that the practice is the exception rather than the norm and that he’s had success in stamping it out. (That type of practice is very rare indeed because, industry insiders say, nuclear security culture encourages people to report security concerns whenever they arise.)

“I want people to understand what the risk is rather than deny the problem or overblow it,” Parkhouse said, adding that the UK nuclear sector is accomplishing this in part by sharing threat information as the cyber landscape changes.
“It is as simple as: Do people understand their exposure to risk?”