Since the introduction of nuclear technology, states have developed a comprehensive international nuclear security regime. The regime is a web of institutions and norms accepted by states, international organizations, and relevant stakeholders to keep the world relatively safe from nuclear risks that states incur when harnessing nuclear technology for energy or military purposes. With new technologies, new risks energy, requiring new solutions for nuclear security.
Cyber threats are evolving and becoming more sophisticated. The emphasis on digitalization in nuclear facilities creates new vulnerabilities that can be exploited by malicious actors. There is vast diversity in capable actors that may target nuclear facilities, such as state-sponsored actors, terrorist groups, criminal organizations, hacktivists, and insiders. Limited international cooperation and coordination on cybersecurity issues related to nuclear facilities further complicates this threat scenario.
Cybersecurity can be understood as one aspect of nuclear security. Nuclear security entails the legal and regulatory framework supported by security standards, guidelines, and best practices to physically protect nuclear facilities and materials in storage, use, or transport. Conversely, a cyber threat is distinct from a physical threat on nuclear facilities or materials. Cyber attacks happen at the speed of light and guns, gates, and guards do not deter it. A watchtower cannot detect and respond to phishing or hacking. Cyber threats are always present – vulnerabilities can be exploited, digital firewalls can be breached, malware can be installed at any moment in time.
As a state that operates a complete nuclear fuel cycle, Pakistan must ensure that its military and civilian nuclear facilities remain secure against cyber threats. Integrating cyber security into its nuclear security regime is one way of addressing this challenge. In the past, Pakistan has emphasized the physical aspects of nuclear security. The nature of evolving cyber threats denotes that Pakistan’s traditional approach to nuclear security may not be sufficient for cybersecurity measures. Cyber threats require an active, hyper-vigilant, and holistic approach.
As the complexity and frequency of cyber attacks is increasing worldwide, it is imperative for Pakistan to establish a robust and comprehensive cybersecurity framework for its nuclear facilities. Pakistan has not yet issued a legislative or regulatory framework for cybersecurity of nuclear facilities. Similarly, the Pakistan Nuclear Regulatory Authority (PNRA) has not issued guidelines or standards for cybersecurity of nuclear facilities. Even though the nuclear operator has taken measures to ensure that the nuclear facilities remain secure from cyber threats, the lack of transparency and absence of public information makes it difficult to assess the effectiveness of these measures.
Cybersecurity and Nuclear Security Standards
In this backdrop, it is crucial to examine the contours of Pakistan’s cybersecurity framework for its nuclear facilities. The goal of Pakistan’s cybersecurity strategy should be to protect all computer-based systems and digital assets from cyber-attacks on nuclear facilities. Cybersecurity measures must entail protection of information and communication technology (ICT) systems and networks (e.g., control systems, data acquisition systems, communication systems and databases) in a nuclear facility.
Pakistan has not publicly issued a cybersecurity strategy for its nuclear facilities. Three institutions are responsible for nuclear safety and security in Pakistan: the PNRA functions as the nuclear regulator, Pakistan Atomic Energy Commission (PAEC) as the nuclear operator, and Strategic Plans Division (SPD) as secretariat of the National Command Authority (NCA) and with the responsibility for management of all nuclear matters and activities. PNRA, PAEC, and SPD have yet to publicly issue any cybersecurity strategy for nuclear facilities or their cybersecurity measures. The absence of a legal cyber regime, regulatory measures, and guidelines suggest that the nuclear regulator cannot monitor and assess the operator’s cyber security measures.
Application of Principles of Nuclear Security to Cybersecurity
To shape its nuclear cybersecurity strategy, Pakistan could implement the nuclear security principles that are regarded by the IAEA as essential elements of a state’s nuclear security regime.
First, the responsibility for ensuring cybersecurity would rest with the nuclear operator primarily and the state secondarily. The state and the nuclear operator must ensure that they establish, implement, and sustain an effective and appropriate cybersecurity regime to prevent and respond to any cyber security event. This implies that Pakistan should establish a comprehensive legislative and regulatory framework for cybersecurity and the PAEC as operator should ensure implementation of this framework. Input and involvement of all stakeholders (SPD, PAEC, and PNRA) would be essential for developing this legislative and regulatory framework. Pakistan’s legislative bodies (the National Parliament and Senate) would enact the legislative framework for cyber security of nuclear facilities. PNRA, as the regulatory body, should issue the guidelines and the implementing guides for the nuclear operator.
Second, the nuclear regulator (PNRA) should develop guidelines and standards for the operator and should ensure compliance through monitoring and inspections. The mandate of the nuclear regulator gives it the authority to set the standards for cybersecurity which may include establishment of regulations and associated procedures, verification, and enforcement measures to ensure compliance with applicable laws, regulations and requirements, and imposition of appropriate and effective sanctions or punitive measures in case of failure in compliance by the operator.
Third, a risk-informed cybersecurity framework with its basis in systematic and comprehensive risk assessment would be able to identify and assess the threats and detect vulnerabilities to Pakistan’s nuclear facilities. It would include the state’s assessment of cyber threats, vulnerability of potential targets, and plausible harmful consequences of a cyber attack.
Fourth, the defense-in-depth concept used for nuclear security could be helpful in ensuring cybersecurity as well. Multiple layers of protection measures would result in prevention, detection, and improved response to cyber threats. Layers of firewalls, physical and administrative controls, antivirus programs, and network security controls are some of the cybersecurity measures that can provide defense-in-depth cybersecurity in a nuclear facility.
Fifth, a performance-based program would set clear objectives and criteria for cybersecurity measures which would help in the auditing and review process. This would give flexibility to PAEC to set cybersecurity goals for its nuclear facilities. Regular performance evaluation by PNRA would help in addressing any weaknesses in these cybersecurity measures. Evidently, this means that the professional competence of PNRA’s staff should be high enough that they can ensure that all regulatory standards related to cybersecurity are met.
Sixth, a cybersecurity culture influenced by the nuclear security culture would ensure vigilance, raise awareness, and encourage reporting of cyber incidents or any oversights. Cybersecurity culture refers to how an organization’s goals, policies, processes, and leadership influence people’s beliefs and actions towards cybersecurity and determines their response in cybersecurity events. Pakistan may establish a cybersecurity culture by establishing a legal and regulatory framework, setting up dedicated institutions or departments for cybersecurity, conducting trainings of workers, creating awareness about cybersecurity, and increasing transparency of its cybersecurity procedures.
Holistic Approach to Cybersecurity
A holistic approach to cybersecurity of nuclear facilities would entail three overarching measures. First, Pakistan should ensure integration of cybersecurity with physical security, nuclear safety, emergency preparedness, and quality management. This integration means that cyber threat should not be seen in isolation to other threats that may potentially harm the nuclear facilities, workers, and environment. Integration entails a comprehensive response to a broad range of threats. Second, Pakistan should take all necessary legal, regulatory, technical, and procedural measures for cybersecurity. And third, Pakistan should view cybersecurity as an evolving challenge which requires constant vigilance, regular risk assessments, vulnerability assessments, and audits to identify and mitigate cybersecurity risks and threats.
In addition to setting up a cybersecurity department in each nuclear facility, it would be beneficial to have an overarching management setup at the operator level. For example, PAEC could establish a dedicated cybersecurity department at its headquarters which would layout the measures and procedures for all nuclear facilities and institutions working under PAEC. This would help in research and development of cybersecurity technologies and solutions that are tailored to the specific needs and challenges of nuclear facilities. It will also improve PAEC’s capability to enhance cybersecurity awareness and culture of the nuclear workforce, through training, education, and communication.
A robust and comprehensive cybersecurity framework for nuclear facilities is imperative for Pakistan’s national security, for protection against potential threats, and for ensuring the safe operation of its nuclear facilities. Application of nuclear security principles would make it easier to develop the legal, regulatory, and technical framework to address cyber security of nuclear facilities. Adoption of a holistic approach to cyber security would ensure that the cyber security measures are comprehensive and would protect Pakistan’s nuclear facilities from the ever-evolving cyber threats.
Image 1: Cybercriminal via Flickr
Image 2: IRBM in Pakistan via Wikimedia Commons