The Need for Integrated Cybersecurity and Safety Training

Abstract

Companies involved in the nuclear energy domain, like component and platform manufacturers, system integrators, and utilities, have well-established yearly trainings on Nuclear Safety Culture. These trainings are typically covered as part of the annual quality assurance-related refresher trainings, introductory courses for new employees, or indoctrinations of temporary staff. Gradually, security awareness trainings are also addressed on a regular basis, typically with a focus on information technology, the daily office work, test bay, or construction site work environment, and some data protection and privacy-related topics. Due to emerging national nuclear regulation, steadily but surely, specialized cybersecurity trainings are foreseen for integrators and utilities. Beyond these safety, physical security and cybersecurity specific trainings, there is a need to address the joint part of these disciplines, starting from the planning phase of a new nuclear power plant (NPP). The engineers working on safety, physical protection, and cybersecurity must be aware of these interrelations to jointly elaborate a robust instrumentation and control architecture (defense-in-depth, design basis events, functional categorization and systems classification) and a resilient security architecture (security by design, security grading, zone model or infrastructure domain, security conduits, forensic readiness, security information, and event management). This paper provides more in-depth justification of when and where additional training is needed, due to the ubiquitous deployment of digital technology in new NPPs. Additionally, for existing NPPs, the benefits of conveying knowledge by training on specific interfaces between the involved disciplines will be discussed. Furthermore, the paper will address the need of focused training of management stakeholders, as eventually, they must agree on the residual risk. The decision-makers are in charge of facilitating the interdisciplinary cooperation in parallel to the allocation of resources, e.g., on security certifications of products, extended modeling-based safety and security analyses and security testing coverage.