Published this month, the Royal Institute of International Affairs (AKA Chatham House) report: ‘Cyber Security at Civil Nuclear Facilities, Understanding the Risks’ makes interesting reading. Industrial facilities have their own particular problems such as legacy equipment, insecure protocols, near impossibility of patching frequently and safely, and one size fits few. Even within that context, the report was not particularly complimentary about cyber security within the nuclear industry as viewed in several countries, which led to a number of observations and recommendations. Whereas many of them might be guessed at by anyone with an understanding of industrial cyber security, and perhaps even implemented within a site, there was one which is not within any plant operator’s control: "Governments can […] play a key role in encouraging information-sharing within their own countries by leading the establishment of national Computer Emergency Response Teams specialized in industrial control systems." And again: "…encouraging greater information sharing between national CERTs could prove beneficial".
The nuclear industry is only one industrial sector which could benefit from this. This is precisely the sort of area of mutual benefit that European projects should be good at delivering against. There is already a hint of what might be possible, in the form of the imaginatively named ‘ACDC project’ which collates and shares information from a number of centres on BotNets. With a project budget of 7.7 M Euros this is not small beer but if BotNets can be bottled up we all stand to benefit.
However, that really only tackles the threat to personal and server computing environments. It must surely be time to match this with greater collaboration on industrial cyber threats. Meanwhile, EEMUA continues to be active in promoting awareness and good practice through its work on industrial cyber security and production of an industry information sheet.
