Civil nuclear facilities hold extremely sensitive data and face uniquely high risks if industrial systems are compromised. They also are heavily dependent on timely actions from other organizations, such as global shipping companies, which may not be secured. The practice of isolating computer systems from the internet, known as “air-gapping,” is becoming less effective and desirable as the benefits of interconnectedness increase and proper maintenance is dropping. Cyberattacks and company awareness of cyber risk is increasing, and resulting, so is the cyber insurance industry. A report by Chatham House suggests all civil nuclear facilities should establish computer security incident response (CSIR) teams as a prerequisite to seeking cyber insurance. Regardless of being self-insured or externally insured, the report lays out how civil nuclear facilities should assess and strengthen their cyber risk response capabilities. The steps are to quantify risk, measure response capacity, and use training to minimize “time in recovery”. Practicing crisis response and maintaining good cyber-hygiene are examples of how nuclear facilities can reduce cyber risk.
