The risk to nuclear facilities from cyber attacks is increasingly perceived as a growing, real problem due to the entrance of new adversaries (e.g. ISIS) and the advancement of the capabilities of existing adversaries such as criminal organizations and nation states. Recent sophisticated attacks have targeted instrumentation and control (I&C) systems, with significant potential consequences for security and safety. This increasing risk has resulted in the recognition of cyber security as an essential element of the overall security framework of nuclear facilities, and as such it is a pressing priority for facility operators and national regulators.
A critical computer security measure is cyber security awareness and specialist training for all personnel. Provision of training is an administrative control measure that needs to be required by the Computer Security Programme (CSP) and implemented in the organization’s training programme. When considering the requirements for training, it is important to take a risk-informed approach. This begins with the assignment of personnel to roles and responsibilities to address the risk associated with cyber security. These personnel require specialist training consistent with the risk associated with deficient or ineffective performance of their roles and duties.
However, the training programme must consider all personnel in order to provide an effective first layer of defence. According to the Verizon 2019 Data Breach Investigations Report, 94% of malware was delivered via email, and social engineering attacks were involved in 33% of attacks leading to breaches. Therefore, a training programme providing awareness training on cyber security is essential to enhance the cyber security culture for all facility personnel.
This paper will provide evidence that the importance and urgency of cyber security awareness and training are underestimated at present, and will also provide recommendations on the types, trainees, contents, and development strategies of cyber security awareness and training programs to guide nuclear facility operators in delivering effective cyber security training.