A mock scenario that included adversaries taking control of a nuclear research institute’s physical protection system and implanting malware at a nuclear power plant, to compromise security and cause sabotage, provided for intense learning this month, during an IAEA International Training Course (ITC) on Protecting Computer Based Systems in Nuclear Security Regimes.
The course was conducted in cooperation with Korea Institute of Nuclear Non-proliferation and Control (KINAC) at the International Nuclear Non-proliferation and Security Academy’s test facilities in Daejeon, South Korea from 4-15 November 2019.
As part of the training scenario, the 32 participants from 20 countries analyzed the fictitious nuclear research institute’s and the nuclear power plant’s computer networks and acted as members of the national computer security incident response team. They worked to identify the attack, contain the infected computer network systems, analyze the threat, remove the malware and restore normal operations.
“This training is critical due to the ever-evolving threat landscape of new techniques and tactics the adversaries can use, including the evolution of digital systems in the nuclear industry,” said KINAC President Sok Chul Kim, adding that increasing cyber-attack opportunities against nuclear facilities are a concern.
The participants tested their skills on mock-ups of actual state-of-the-art digital systems common in today’s nuclear facilities, which use digital technologies to provide functions that support safe operations, security, material accountancy and control, and protection of sensitive information.
Zeyneb Camtakan, responsible for physical protection and nuclear material accounting at Istanbul Technical University’s research reactor facility, said the hands-on exercises were particularly useful because they encouraged participants to think like attackers. “As a participant from one of the countries new to nuclear energy, I learned technical ways to implement IAEA guidance and cyber security controls in my facility,” she said.
Raja Adnan, Director of the IAEA’s Division of Nuclear Security, noted that States consider cyber-security a key part of nuclear security.
“Everyone with responsibility for nuclear security must have a thorough understanding of the vulnerabilities of their systems – they must know how to prevent and mitigate possible cyber-attacks on those systems,” he said. “The IAEA offers a range of training courses in computer security to help ensure that governments and organizations have the necessary technical, regulatory and other tools to succeed when faced with highly skilled adversaries.”
The IAEA’s ITC offers participants an immersive, hands-on learning environment that includes the use of exercises, lab equipment and presentations to raise awareness of the threat posed by cyber-attacks and their potential impact on nuclear facilities. The IAEA will continue to refine and improve the course to provide real-world systems and applications to enable participants to protect their facilities against evolving cyber threats.
The next ITC will be conducted in June 2020 in Idaho Falls, the United States.