Assuring the information and Cyber Security of the civil nuclear power supply chain
The nuclear sector is going through significant changes, and there is a growing focus on the future of the industry. At the recent Nuclear Institute’s industry seminar, hosted by the Office of Nuclear Regulation’s Deputy Programme Director for Civil Nuclear Security, Tom Parkhouse, Templar Executives were invited to participate in the panel debates on the future security needs of the nuclear industry.
Duncan Hames, Strategic Adviser at Templar Executives, spoke about the critical need to address information and cyber security risk management and, in particular, its supply chain, commenting:
“Politically, civil nuclear power is more popular now than it has been for a generation. Very long term decisions however, that are being made about new build nuclear power stations, still rest heavily on the credibility that the industry has in operating existing facilities, and that new ones can be commissioned without writing a blank cheque for additional requirements down the line.
“Government’s approach to regulation is evolving. The independence of Regulators is respected; Ministers set a policy framework, but leave their regulator to agree outcomes with industry when deciding what is realistic. Wherever possible it looks to market forces to incentivise actions which would be expensive or clumsy to mandate. Nonetheless this is a regulated industry, and although regulators are moving towards risk-based assurance, a state regulator can demand actions are undertaken.
“So, whilst Government has a responsibility to support the defence of the UK’s critical infrastructure, the private sector companies in this regulated civil nuclear industry have signed up to undertake that defence. We at Templar consider the best form of defence here is proactivity through maturity in information assurance, right the way along the supply chain. The unavoidable long term answer will be to demand a performance from suppliers that supports, not undermines, the outcomes operators have signed up to.
“Too often, accountability breaks down along the supply chain, and you are as vulnerable as your weakest link. Yet compared to what people here are capable of, supply chain management and supply chain assurance are relatively straightforward measures which will help Primes save money, and help suppliers both to retain and to win business.
“That’s right, suppliers should want their business to be assured. You should want to be able to demonstrate your pre-eminence and Cyber Security maturity. There are substantial business results to be had from going down this route. Templar’s work with one of its large multi-national Defence and Engineering clients successfully enabled the organisation to achieve a level of maturity that was ‘business enabling’, contributing to a significant competitive advantage and winning seven billion pounds of new business.
“It is in the whole industry’s interests that progress in this regard is swift and sure-footed. A good place to start will be for the Primes to peer-demonstrate maturity as businesses. In the face of an evolving threat, maturity is both a more dependable and agile defence than momentarily achieved compliance for compliance’s sake. Regulators can justifiably take a lighter touch to achieving assurance from entities that can demonstrate their own ongoing maturity and that of their suppliers.
“I understand why many are seized by the Cyber skills gap issue, but this can be a distraction from the absolute necessity that the business people across an industry ‘get it’ and that they don’t leave this weighty issue to the IT specialists. It really is a business issue.”
Templar Executives is an award-winning Cyber Security company trusted by Governments and multi-national organisations. Operating at the highest levels across the public and private sectors, Templar Executives has a world-class track record in helping clients develop a resilient and business-enabling Cyber Security capability.