Hiroshi Tamai

Cybercrime has been increasing with the spread of the Internet and the development of computer technology. We often hear of criminal activities such as planting malware on targeted computers to steal credit information or cause equipment malfunction. Looking at cyber-attacks on nuclear facilities, in 2010, Iran’s uranium enrichment facility was attacked by Stuxnet, a malicious computer worm. Fortunately, the attack did not lead to a serious accident, but the facility’s centrifuge was damaged due to a defect in the control program. If nuclear facilities were to be damaged and nuclear or radioactive materials were to be dispersed due to such an attack, it could have an enormous impact on the public, the environment, and society. In recent years, computer systems have been playing an increasingly important role in the physical protection of nuclear materials in use, storage, and transportation, as well as in detection and response measures for materials that are out of regulatory control. As such, the need for countermeasures against cyber-attacks is urgent.

The IAEA, in its Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities, Fifth Revision (INFCIRC/225/Revision 5), urged that “Computer systems used for physical protection, nuclear safety, and accountancy of nuclear material should be protected against cyber-attacks and tampering,” and has issued various guidance documents detailing how to implement effective countermeasures against cyber-attacks. The documents recommend taking countermeasures against cyber-attacks by identifying the assets to be protected; understanding the motivations, intentions, capabilities, and tactics of possible cyber-attacks; assessing the threats and risks; and understanding the vulnerability of systems/networks and potential consequences in the event of an attack. The IAEA further asserts that adopting an approach based on a graded defense in depth concept that is appropriate for the target and threat can be effective in realizing adequate cyber security. In addition to this, the IAEA is helping countries to improve their cyber security capabilities. As one example, at the technical session of the IAEA International Conference on Nuclear Security held in 2020, information was shared regarding effective practices each country had taken in protecting digital assets related to nuclear security.

In Japan, the Basic Act on Cybersecurity was enacted in November 2014 in response to the growing sense of urgency surrounding information security issues, and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in January 2015 for the planning, formulation, and comprehensive coordination for the promotion of information security measures in the public and private sectors. According to this plan, fourteen fields—including electric power—are designated as critical infrastructures essential for the national life and socioeconomic activities. Based on the Cybersecurity Policy for Critical Infrastructure Protection, measures related to the preservation and promulgation of safety standards, enhancement of information sharing systems, enhancement of failure response systems, risk management, and enhancement of the protection infrastructure are promoted.

In addition, the Nuclear Regulation Authority (NRA)—in its Regulations Concerning the Installment and Operation of Commercial Nuclear Power Reactors—requires operators to take measures to prevent unauthorized external access to information systems related to the protection of nuclear reactor facilities and nuclear fuel materials, and to prepare an information system security plan to respond quickly and reliably in the event of such an attack. The nuclear industry is obliged to comply with these laws and regulations, as well as the IAEA’s guidelines. While strengthening protection against the threat of cyber-attacks in accordance with these laws and regulations and the IAEA’s guidance, the nuclear power industry has developed a common basic policy and performance rules for the domestic nuclear power industry. Based on the latest knowledge of the nuclear power industry in Europe and the United States, as well as the domestic industry, the measures serve to help realize multilayered protection of computer equipment related to nuclear reactors from cyber-attacks.

In order to maintain and improve the public trust and win acceptance concerning nuclear usage, enhancing cyber security remains an urgent issue.

Hiroshi Tamai: Member of the Institute of Nuclear Materials Management, Japan Chapter