Enhancing Cybersecurity Education in the Nuclear Sector: Insights and Recommendations
The research delves into the state of cybersecurity education in the nuclear sector, focusing on requirements gathering, participant insights, program maturity, and evaluation challenges. It highlights the need for improved focus, regularity, and depth in training programs, addressing issues such as lack of monitoring, inadequate staff training, and management support. Recommendations emphasize all-staff training, security, and IT integration as key intervention strategies for enhancing cybersecurity in the nuclear sector.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
COMPUTER SECURITY TRAINING & EXERCISES IN THE NUCLEAR SECTOR Insights from a User-Centered Requirements Gathering Process Michaela Reisinger, Peter Fr hlich, Paul Smith
State-of-play for cybersecurity education in the nuclear sector How to measure it Education types & content needs
REQUIREMENTS GATHERING CAMPAIGN Audience response questionnaire (13 single-choice questions) IAEA TM on Conducting Computer Security Exercises for Nuclear Security elicit discussion identify questions of relevance Iterative refining Full questionnaire (32 items) Roles, Key Factors & Attack Vectors Organizational Setup Status Education Impediments & Mitigation Perceived Risks 25/09/2024 3
PARTICIPANTS 43 participants: 31 fully, 12 partly completed questionnaires 13 countries Affiliation: Organisation Type Operator: 19 Regulator: 15 Research Organization: 10 Policy maker: 6 Tech Support: 6 cba World map by $200inaire/ colored from original 25/09/2024 4
STATE OF CYBERSECURITY Who receives education? How mature are programs? Lack of monitoring and regularity Nearly all target someone : none - basic Lack of depth Structurally In content target specific roles : intermediate - mature targets all staff Strategical issue Dedicated task-forces High integration Focus: minimum requirements Little awareness of groups & their needs Defined action plan & systematic approach Periodical review - approaching gaps with corrective action programs 9/25/2024 5
FOCUS, FREQUENCY, EVALUATION Program Focus Theory > Application Types training 24% Intervention frequency more than once per year exercise 42% report training not to be evaluated (~50% in operators) Intervention evaluation report exercises not to be evaluated (~15% in operators) Main Impediment Lack of management focus and support 6
RECOMMENDATIONS: NEXT INTERVENTION all staff training security & IT/network staff engineering/process control staff management staff Roles all specific roles exercises Industrial control system considerations Implementing incident response plan Characterizing incidents scenario-based approach Top factors field exercises Removable media and devices Attack vectors Infected laptop Lack of security culture regarding the introduction of malware 25/09/2024 7
Responses from the field can shape recommendations Current state-of-play & improvements Classic cybersecurity issues also pertain to the nuclear sector e.g. lack of awareness, attention, and support on management level So might their solutions! Next: more specific observations & inquiry methods devised on-site context for creating & implementing interventions 25/09/2024 8
THANK YOU! Michaela Reisinger, 11.02.2020 The research leading to these results has received funding from the IAEA as part of the CRP J02008 on Enhancing Computer Security Incident Analysis at Nuclear Facilities.
