Joint Statement on Cyber Security

2016: Gift Basket on cyber security of industrial control and plant systems at nuclear facilities 

Subscribed by: Argentina, Armenia, Australia, Belgium, Canada, Chile, China, Denmark, Finland, France, Georgia, Germany, Hungary, Japan, Jordan, Kazakhstan, Republic of Korea, the Netherlands, Norway, the Philippines, Poland, Spain, Sweden, Switzerland, Turkey, Ukraine, the United Arab Emirates, the United Kingdom, the United States of America and the United Nations.

Introduction

The States listed above commit to ensure adequate cyber security at industrial control and plant systems at nuclear facilities.  These control systems are often used within safeguards, security, and safety systems.  Increased attention in this area will assist States, nuclear operators and the supply chain to continue to strengthen the resilience of these systems, protecting them from potential malicious attack or accidental damage.

To date, work has mainly focused on mitigating the vulnerabilities of enterprise systems used to manage information and data within nuclear facilities and supply chains.  This work needs to extend to industrial control systems.

Nuclear facilities benefit from robust safety mechanisms which have been strengthened and developed over several decades.  In addition to physical, logical, and human based controls, there has been an increase in the use of information technology to form part of the safety and security aspects of plant control systems, as well as nuclear material accountancy and control.  More information on the use of information technology and the associated threats and vulnerabilities in this context is needed to inform continuous security improvements.

The Initiative

The States listed above agree, as resources permit, to participate in two international workshops on this topic in 2016.  These workshops will enable States and their nuclear sectors to share good practice in managing risks to industrial control systems in nuclear sites, as well as examine the impact of using information technology in managing safety and security aspects of plant control systems.

These workshops will focus on areas including:

  • Threats and vulnerabilities, through considering case studies of recent incidents;
  • Potential or known incidents which can impact on control systems, through an interactive approach;
  • Technical and management challenges of managing risksto legacy systems;
  • Technical and management challenges of assuring new build nuclear and supply chains
  • Incident response and recovery.
  • Managing public/media expectation in light of an incident.

Outcomes and Next Steps

The States listed above propose to present the findings of this work at the Ministerial segment of the IAEA International Conference on Nuclear Security, in Vienna in December 2016 to contribute to IAEA efforts to increase cyber security at nuclear facilities, building on the IAEA International Conference on Computer Security in a Nuclear World held in June 2015.