Unusual and suspicious behaviour of a disgruntled employee captured in a 10 second surveillance video of a hypothetical nuclear facility opened a large-scale cybersecurity exercise in Slovenia. Following the employee footage, a series of simulated events unfolded and culminated in a malware attack at the hypothetical nuclear facility operational technology systems.
Conducted by the Slovenian Nuclear Safety Administration (SNSA), this highly interactive exercise - included hands-on examples and involved key Slovenian nuclear sector stakeholders. The scenario involved real operational technology systems with insider threats, external cyber-attacks, and physical intrusions to a hypothetical nuclear facility exhibiting the impacts of a computer security compromise of critical operational control systems leading to a nuclear security event.
"Increasing awareness about the response capabilities needed to secure nuclear facilities from cyber-attacks is one of the objectives of such exercises. The identification of any existing vulnerabilities, the testing of internal procedures and the strengthening of collaboration among involved stakeholders are some of the practical benefits for the host countries," said Elena Buglova, Director of the IAEA Division of Nuclear Security. "The interest for computer security exercises is growing and the IAEA stands ready to support countries' requests in this area of nuclear security."
The KiVA2022 exercise was attended by 70 experts representing the national nuclear sector stakeholders, including the operators of nuclear facilities, governmental bodies such as the Government Information Security Office, Ministry of the Interior, national technical support organizations, as well as suppliers of computer equipment.
"The organising team and the participants were extremely engaged. The well-tailored scenario offered all of them a first-hand experience on the interconnections between safety, security, and emergency preparedness functions during a highly sophisticated cyber security incident," said Igor SIRC, Director of SNSA. "Our national capabilities for response to emergencies, triggered by cyber security events at nuclear facilities, have been further strengthened after this exercise," he added.
The exercise was conducted by the SNSA in cooperation with the IAEA and the AIT Austrian Institute of Technology, which is an IAEA Collaborating Centre for Information and Computer Security for Nuclear Security. The IAEA and AIT provided, developed and assembled dedicated information and operational technology infrastructure, components and systems tailored for the exercise. A nuclear power plant (NPP) simulator and fictitious facilities were developed as part of a recently completed IAEA Coordinated Research Project (CRP) were used.
Exercise participants represented stakeholders from the whole range of the Slovenia's nuclear sector (Photo: T. Nelson/IAEA)
The three-day exercise also drew the interest of observers from Slovenia and abroad. Representatives from Austria, Argentina, Romania, Switzerland, the United Arab Emirates, the United States of America, and the World Institute for Nuclear Security (WINS) attended the exercise and gained insight into the complex nature of cyber-attacks and the response activities to such attacks.
The exercise was concluded with the delivery of detailed reports from all key players about the cyber-attack. A major takeaway both for participants and observers was the importance of effective and timely coordination and communication among all the involved stakeholders at national and international levels to support the quick response and recovery from computer security attacks against nuclear facilities.
Slovenia's KiVA exercise series (the first one was held in 2019) has been acknowledged as good practice during a recent IAEA Integrated Regulatory Review Service (IRRS) mission in the country.
IAEA Nuclear Security Programme and Computer Security
The support of computer security exercises like this one is part of the IAEA's assistance provided to countries to raise awareness of the threat of cyber-attacks, and their potential impact on nuclear security.
The information and computer security activities currently implemented by the IAEA are outlined in the Nuclear Security Plan 2022-2025. It emphasizes information exchange and research as main tools to stay abreast of the technological developments.
The IAEA offers guidance and e-learning tools to address countries' needs with regard to computer security for nuclear security. The latest IAEA implementing guide to comprehensively address computer security - Nuclear Security Series (NSS) No. 42-G Computer Security for Nuclear Security - was issued in 2021.
Next year the IAEA is hosting its second conference dedicated to computer security. The 2023 International Conference on Computer Security in the Nuclear World will be held in Vienna from 19 to 23 of June 2023.
