EPZ Nuclear Power Plant Borssele, a nuclear power plant in the Netherlands originally built in the 1970s, collaborated with CGI to address cybersecurity vulnerabilities and enhance operational efficiency.
Operating in a highly regulated industry, the plant faces considerable security and safety concerns. With a commitment to ensuring nuclear safety, the plant is now in the process of upgrading its cybersecurity protocols to meet modern threats while also navigating complex regulatory requirements and overcoming legacy technology challenges.
Challenge
The plant faced a critical challenge from the Dutch regulator, which mandated comprehensive risk analyses of its entire system. This included not only IT systems but also operational technology (OT) such as fire extinguishers and ventilation systems. The purpose of the risk analysis was to uncover vulnerabilities, especially the potential for malicious actors to exploit these systems, which could lead to significant material consequences.
Given the plant's age and detachment from the broader digital network, cybersecurity risks were primarily managed through the physical separation (air-gapping) of systems. However, with the emergence of new security threats, there was an urgent need for a more effective, scalable, and practical approach to risk analysis. This approach would need to focus on identifying and addressing the most critical vulnerabilities without being overwhelmed by less significant risks.
Solution
To address the plant’s requirements, CGI collaborated with the client to develop a practical, targeted risk analysis framework using the Attack Tree methodology. This method enabled CGI to effectively pinpoint critical vulnerabilities by beginning with the worst-case scenario and working backward to uncover potential exploits. By focusing only on the most significant risks, CGI was able to quickly assess high-priority threats while avoiding lengthy, over-complicated processes.
The solution was designed to be fast, effective, and understandable, providing the client with a clear and actionable risk analysis. To achieve this, the process was simplified and aligned with EPZ’s knowledge and experience in nuclear safety. Additionally, the team worked closely with EPZ’s system owners to ensure that each identified threat corresponded with suitable control or mitigation strategies.
In response to a new regulatory requirement, CGI also developed a tool that mapped the risk analysis to the MITRE ATT&CK framework, a globally recognised cybersecurity standard for categorising attack techniques used by malicious actors. The tool helps the client track and evaluate risks more concretely, ensuring that the mitigations align with the regulator’s expectations.
The tool was further enhanced by incorporating the CIS (Center for Internet Security) Controls, providing even more detailed, system-specific mitigation measures to strengthen cybersecurity. This integration ensured the plant could better prepare for and respond to potential threats, while remaining compliant with industry standards.
Key outcomes
- Faster risk assessment: By using the Attack Tree methodology, the process of identifying and prioritising risks was streamlined, focusing on the most critical vulnerabilities rather than lesser threats.
- Improved security posture: The integration of MITRE ATT&CK and CIS Controls allowed for more accurate and detailed control selection, enabling better tracking of mitigation progress and ensuring comprehensive coverage.
- Regulatory compliance: The new risk analysis tool helped the client comply with the Dutch nuclear regulator's requirement to map risk assessments to the MITRE ATT&CK framework.
- Actionable insights: Through the tool’s mapping and continuous feedback loop with system owners, the plant was able to implement compensating controls where necessary, leading to a stronger, more proactive security framework.
- Legacy modernisation: While the plant is still operating on air-gapped systems, the ongoing work is laying the foundation for future digital upgrades, helping the client adapt to evolving cybersecurity challenges.
The road ahead: Securing the future
This collaboration represents the first step in a long-term cybersecurity journey. As new digital plants are constructed, the lessons learned from this engagement will be vital in addressing the increased connectivity and security risks associated with modern nuclear facilities. CGI’s work with EPZ continues to be an integral part of the organisation’s efforts to both secure legacy systems and prepare for the next generation of nuclear power plants.

EPZ Nuclear Power Plant streamlined risk assessment using the Attack Tree methodology and MITRE ATT&CK integration, enhancing security, compliance and future digital readiness.
CGI’s approach to our cybersecurity needs has been invaluable. They’ve helped us better understand and mitigate risks, providing clear, actionable insights that align with both regulatory requirements and our operational priorities. We now feel more confident in our ability to defend against potential cyber threats while ensuring the continued safety, reliability and efficiency of our plant.
Director ICT, EPZ