Greetings from the Vienna IAEA Information Security Conference

Jarkko Holappa

June 22, 2015 at 10:30

By now, it should be evident that information security is an integral part of nuclear safety.

In early June, at the very first information security conference hosted by the International Atomic Energy Agency, IAEA, I presented a white paper, created jointly by Nixu, Teollisuuden Voima (TVO) and the Finnish Radiation and Nuclear Safety Authority (STUK), discussing the development and management of nuclear power plant information security.

This white paper created a lot of interest and the summary documents flew out of our hands at Nixu's stand, where we received plenty of visitors eager to learn more throughout the entire five-day conference.

The international audience is clearly interested in learning about information security regulation and its practical application in Finland.

I believe this interest stems from the fact that a developed country like Finland, a country where information security regulation is consistently under government control, is in the midst of acquiring a new and modern facility.

Positive Finnish visibility 

Finns were highly visible during the conference in many other arenas as well, and a number of Finnish specialists, myself included, took on leadership roles in various channels.

Considering the size of Finland, our level of contribution was exceptionally high. STUK's Senior Inspector, Timo Wiander, was chairman of the conference planning committee and one of the speakers. Like Nixu, Codenomicon had its own stand and they gave a joint presentation with the Tampere University of Technology. 

Codenomicon also took part in a demonstration, commissioned by the IAEA, that involved hacking into a nuclear power plant's control system by exploiting weaknesses in physical and information security systems.

For demonstration purposes, the scenario had of course been simplified, and the facility's information security system had obvious gaps. Had everything been set up according to current best practices, including sound information security management, the demonstrated attack would not have been possible.

My favourite part was one of the demonstration's key messages: even a well-managed physical security system might be connected to information systems with vulnerabilities that make it possible to exploit some features of the physical security system such as access control. High fences and access control are no longer enough to guarantee security. 

Key insights from the summary by the Vienna conference president, Jazi Eko Istiyanto:

  • The conference fulfilled its mission by offering a global venue for the discussion of information safety of nuclear plants. The resulting desire to improve information security must be kept alive and nurtured.  
  • The IAEA must develop current international security guidelines regarding nuclear plant information security.
  • The increasing mutual connectivity of information systems continues to add to their complexity. To ward off and respond to attacks against information systems, we need coordinated research and exchange of ideas and information.
  • Government regulation should be aimed at the information systems, industrial control systems and physical security systems used in the nuclear industry.
  • Boosting human capital through education, training and fostering knowledge management is a practical measure for retaining information system expertise related to nuclear safety.