Oh, yeah, we're sharing, okay. Are we all ready? Yeah, everyone happy?

Good afternoon, everybody. Seeing with the closing of the doors, I'm just going to go ahead and get started. Good afternoon. My name is Jeff Bream. I'm the acting branch chief for the cybersecurity branch in the NRC's Office of Nuclear Security and Incident Response. I want to thank you all for joining us at today's discussion titled "Two Decades of Nuclear Cybersecurity: What Does the Future Hold?" In this session, we will explore the past two decades of cybersecurity requirements and implementation in the nuclear industry. The presenters will discuss the initial cybersecurity requirements and how they were built on to establish the robust requirements that are in place today. The session will also explore where cybersecurity goes from here, addressing the cybersecurity challenges associated with the application of novel technologies and the operation of SMRs, small modular reactors, and microreactors. Presenters will discuss agency research, both planned and ongoing, to support cybersecurity licensing and oversight of these applications. I'll ask each of the presenters to briefly introduce themselves and their affiliation.

Good afternoon. My name is Anya Kim, and I'm with the NRC in the Office of Research, and I'm with the instrumentation, controls and electrical engineering branch.

Good afternoon, Paul Shanes. I'm with the UK's Office for Nuclear Regulation. I'm the professional lead for cybersecurity.

Good afternoon. My name is Rich Magabro from the Nuclear Energy Institute. I'm the director of security and incident preparedness.

Hello, my name is Kim Lawson Jenkins. I'm in the cybersecurity branch of the division of physical and cybersecurity policy in the Office of Nuclear Security and Incident Response.

Before we get started with the presentation, just a couple of general housekeeping items: the Wi-Fi code for attendance, or for attendees of the RIC, is RIC 2024.
Please remember to silence your electronic devices, and all sessions are being video recorded. The Q&A portion of this session will be through electronic means for both the virtual and in-person attendees. For those of you in session in this room, please, the QR code that was displayed a moment ago is how you can submit your questions. For those joining virtually, there should be a box to the right of the screen so you can enter your question in directly. At this time, I will pass on to our first presenter, Anya Kim.

Hello again, everybody. I hope you can hear me. It's pretty late in the afternoon. It's the last session of the day and I'm sure a lot of us are flagging and some of us are even jet lagging, I'm sure. Let's see if we can do a little brain exercise. Why don't you read this title and then see if you can recall it when I ask you for it in a few minutes. But first of all, let me just point out, so changing nuclear cybersecurity landscape, that's a mouthful, but it also leads to really interesting cybersecurity research ideas. And today I'll be talking about some of those cybersecurity topics that the NRC is exploring within this changing landscape. But from a research perspective, and Kim Lawson Jenkins, who's sitting at the end and will be speaking last, will provide you with a more programmatic perspective. Kim's group, the Cybersecurity Branch, and my group, which is in the Office of Research, work together very closely with respect to cybersecurity. Okay, so my group, which is part of RES, or the Office of Nuclear Regulatory Research, which provides technical advice, tools, and information for meeting NRC's mission. And this mission includes resolving safety and security issues, making regulatory decisions, and promulgating regulations and guidance.
In fact, one of the driving forces behind our research is the development of novel technologies or novel implementation of existing technologies that are being considered for use in new and advanced reactors and also in operating reactors. In fact, in my branch, we have a small but crackerjack cyber team that is looking at these cybersecurity-related challenges, gaps, and implications associated with the use of these technologies. So let's talk about some of the work we do. So if you've ever had the opportunity to hear Kim Lawson Jenkins speak, you might have heard her mention the inspector's toolbox, which is a metaphor for the cybersecurity inspector's capabilities. And I just love this analogy, so I steal it whenever I get the chance. Because in fact, what we in research are doing is developing the tools that are used in that toolbox. And some of those tools are, for instance, developing a technical basis for assessing certain aspects of the program, engaging actively in the revision and development of the necessary regulatory frameworks or infrastructures such as regulations and guidance documents, understanding the safety and cybersecurity issues associated with various technologies, and developing and maintaining the necessary core capabilities in the various functional areas so that the cybersecurity inspectors have the expertise, knowledge, and experience to do their job efficiently and effectively. And this also includes the confirmatory and anticipatory research activities that we do in support of the known and future needs of the program office and regional offices. All right. So can anybody recall what that title was? You can, like, nod your head or shake your head. So the title, I made up the title and I still can't remember it, but it had something to do with shifting attack surfaces, changing nuclear landscapes and a research perspective. So right now I want to focus your attention on that shifting attack surface. What is an attack surface?
And why is it shifting? So when I presented my slides to my colleagues, they all said you have to explain what an attack surface is. I was like, no, everybody knows what that is. That was the feedback I got. So I do want to say that a few years ago there was a study done. Several researchers examined like 600-something papers, journals that mentioned or had focused on the concept of attack surface, and they found 49 different definitions of attack surface. So I only have 11 minutes left for the final 49 definitions, but I will use the definition that is provided in Regulatory Guide 5.71, Revision 1. An attack surface is the set of points on the boundary of a system element or an environment where an attacker can try to enter, cause an effect on or extract data from that system element or environment. That's a mouthful, but having a smaller attack surface from our perspective is better, unless you're a hacker, right? So why does it shift? Well, it shifts and expands because you have threats that keep evolving. You have new technologies that keep getting added into the system that bring their own set of risks and attack vectors, and a shifting way of thinking about things. These are all things that affect the attack surface. For example, malware. Malware is becoming more sophisticated and targeted, with increasing knowledge of industrial control systems and operational technology networks, and they possess greater cyber-physical attack capabilities. And not to mention they know how to lay low, or they're becoming really good at laying low and evading detection from vulnerability scanners. So should we start thinking about maybe the vulnerability management practices we have going on now? And then we also have new and advanced reactors, and sometimes operating reactors, that propose to use various technologies like artificial intelligence, wireless technologies, technologies that support remote operations. These new tech... So, what kind of new attack vectors are these introducing?
And on top of that, these new technologies don't really fit very neatly into the existing traditional physical security or other regulatory framework. At the NRC, cybersecurity is an integral part of the physical security program. But in fact advanced reactors may rely less on physical security. And in that case, we may have to place more emphasis on the cybersecurity aspect, right? So what should we focus our attention on? And these are just some of the drivers behind the research that we're working on to build the new tools for that toolbox. I'm continuing with that metaphor. All right. These are some of the... a sampling of some of the research we've done for the cybersecurity... to support the cybersecurity branch, the program offices, and the regional offices. For example, we are looking at the feasibility of using AI, artificial intelligence, and machine learning in nuclear systems to be able to characterize the cybersecurity states. Let's see. The nuclear industry is very interested in expanding their use of wireless technologies in their environment. So what we're doing is analyzing the impact that wireless... the use of wireless technologies would have... Specifically, we looked at using it for monitoring safety critical... safety-related critical digital assets. Let's see. We are looking at developing knowledge and insights necessary for assessing cybersecurity risks and concerns of remote monitoring in autonomous control technologies. And some of these ideas come from out of the blue. Today, I was driving into work and I heard on the radio that the IIHS, it's the insurance industry for... Oh, I forgot what it stands for. Something about vehicle safety. But they are a U.S. organization that rates the safety of vehicles and vehicle technology. And they examined, I think, 14 different... Let me get the words correct. 14 different partially autonomous...
automated driving systems and found little evidence that partial automation has any safety benefits, because they introduce new risks into the system. And... So, some interesting things that they pointed out was there's a lack of adequate driver monitoring. Seeing if the driver is actually engaged, or are they playing with their cell phone and not looking up at you. And when they are looking at their cell phone, then a vehicle should give them attention reminders. Like, wake up, pay attention. Come on, wake up! That was a failure as well. And then they can also... Because these partially automated driving systems are not considered safety systems, they shouldn't be able to operate when the safety... vital safety features are not in place. But that was not the case. They could work even when the person was not wearing a seatbelt or when other safety features were turned off as well. Anyway, so... Oh, and one last thing was that they... should have had a human in the loop in the decision-making process, but they did not. So, there are interesting things. Even in autonomous driving, which is one of the more advanced autonomous technologies, there are lots... There's a long way to go. And let's see. We are also examining the security issues and potential impact of using field-programmable gate arrays in safety systems. And also zero trust framework. So, if you've... You might have heard, zero trust is a somewhat big buzzword these days. And it's... The... Goes against the concept of the traditional perimeter-based defense. Where with the perimeter-based defense, you're using firewalls and VPNs and saying, don't come in my door. Zero trust assumes the enemy is not at the door. It's already in the door, in your system. What are you going to do about it? So, this is a project both Kim and I are actually working on together. And we want to find a way to apply it in an industrial control system environment.
Develop suitable architectures and principles and frameworks that would work in there. And see what kind of controls would have to be used or adapted, and maybe propose it as an alternative for new and advanced reactors. Oh, and I ran out of space. There were a couple of other research things I wanted to mention. Is everybody familiar with EPRI's, the Electric Power Research Institute's, Technical Assessment Methodology, the TAM approach? So, it's an engineering approach, just in case you're not familiar with it. And basically, they look at how to see what you have, what your vulnerabilities are, how to mitigate those vulnerabilities to a level that is... to a certain level of acceptable risk. But the way it's done, it doesn't really work well for cybersecurity inspections, which are based on the traditional method approach available in Regulatory Guide 5.71 and NEI 08-09. So, we are looking at a methodology on how to assess approaches, licensee approaches, that use the TAM. And also, one last thing I wanted to mention is that, if I can remember what it was. Developing a methodology for performing a cybersecurity audit alongside digital I&C update safety reviews so that we can promote security by design. And as you can see, the research we do here is a mixture of providing a technical basis, understanding the issues, developing the tools, providing expertise and performing that anticipatory and confirmatory research that I talked about a couple of slides earlier. And we obviously don't want to reinvent the wheel. So, some parts of our research include looking at existing solutions in other industries and seeing if we can leverage the work that we're doing to get it to our needs. For example, the wireless technology area: before we even did the work I mentioned earlier, we looked at other critical infrastructure industries and wondered if they had any use of wireless in their safety-critical systems or environment and how they were protecting it.
So, that was basically a sort of survey and interview and, spoiler alert: nobody. So, in conclusion, I just want to say that we work closely with the program office and regional offices to produce better tools for the inspector's toolbox that are timely and useful. And in addition, we coordinate and collaborate research and development activities with domestic and international stakeholders, national labs, universities, industry and various federal organizations. And finally, since we have more research ideas than we have people, we prioritize the research according to how urgent the need is and how likely it is to be used, adapting the needs to the changing landscape and working to be ready for the future. Thank you.

Thank you, Anya. That was a really helpful introduction. So, just to remind you, my name is Paul Shaines. I represent the UK's Office for Nuclear Regulation. So, it's a great flavor of what we're doing in the UK on this topic, the way in which we go about regulating cybersecurity and some of the approaches we're taking to enabling innovation within the sector, particularly with regards to new technology. So, just a quick canter through the UK industry. ONR is the UK's independent nuclear regulator. We regulate across a range of purposes within the UK civil nuclear sector and the entirety of the UK fuel cycle. So, we cover the existing fleet of operating reactors, far fewer than here within the US, obviously. The decommissioning estate, and then all of the provision of services and fuel cycle aspects that go with that. So, service providers, the supply chain, et cetera, to varying degrees. And we operate across the traditional purposes of nuclear safety and nuclear security, but we also act with the international or site health and safety, nuclear transport and, since our departure from Euratom, nuclear safeguards as well. So, ONR operates as an outcome-focused regulator.
Our approach was recently changed within civil nuclear security to align with our already relatively well-established safety regulatory approach. The prime output of that being really the responsibility for demonstrating compliance and meeting regulatory outcomes rests firmly with the duty holder, the regulated party. It wasn't always that way. So, prior to 2017 we undertook a number of reviews in order to move from a more prescriptive approach to an outcome-focused approach. And as part of those reviews, we attempted to move away from such a draconian approach to mandating particular procedure standards and arrangements to our procedures. And they were only partially successful, because on each occasion when we did so, we gave a range of model expectations, model methods that our duty holders could use to demonstrate regulatory compliance. And, of course, like all good models, when you provide a range of examples to those that you regulate, one of the easiest options is simply to follow them. So what we found was we were actually encouraging prescription through the back door. In 2017 we moved to a completely outcome-focused approach where we didn't give model standards and expectations, but rather provided advice to our inspectors on what good looks like and how to determine what constitutes good practice. The approach that we use is technology neutral and doesn't prescribe any particular outcomes, sorry, rather than outcomes, any particular solutions. So from that perspective we consider that we're relatively well placed to encourage innovation within the sector and also to ready ourselves for what the future might bring. But, of course, nobody knows what the future might bring, so it's a challenge in itself.
One thing that it does do since 2017 is encourage a much more open and honest debate with those that we regulate and, as has been mentioned a few times in this conference already, those kind of pre-licensing, those early engagement conversations have proven really beneficial, particularly when our duty holders come forward with innovative solutions that we've not seen before. We're expected as a regulator to reduce the regulatory burden that we place on those that we regulate, but fundamentally, in the same way as the NRC, we're here predominantly to protect society and ensure that we have safe and secure industry, and that must take paramount primacy at all times. So I think within civil nuclear security within the UK, there's a general acknowledgement that cybersecurity is not where it needs to be. Certainly when contrasted against more established regulatory aspects, such as nuclear safety, that have had many years of experience in regulatory attention. There's a sector-wide cybersecurity strategy within the UK, which was developed in conjunction with government and industry, and both within that document, which is publicly available on the website, and in our own Chief Nuclear Inspector's Annual Report, both of those publications, again publicly available on our website, recognize that our duty holders have more to do in this space. What the infographic on the screen there is showing is the areas that we as a regulator have found ourselves focusing on over the last few years as we've increased our own competence and capability in the field of cybersecurity. And interestingly, many of the aspects that you'll see highlighted there are not the more technical side of cybersecurity. So yes, we can look at whether or not systems are appropriately patched, whether or not firewalls are in place, rulesets are as you might expect.
But actually, time and time again, as we do kind of root cause analysis, what we're finding is that it's the more strategic aspects of cybersecurity that are wanting. So areas such as governance, risk management, some of those basic attributes that you would expect to see in a highly mature and well-established industry may well be in place for other areas that we regulate but have been found to be lacking in the field of cybersecurity. So we set out over the last 12 months or so three areas of regulatory priority to improve the standard of cybersecurity across the sector. And these align to that sector-wide strategy that I mentioned a moment ago for a thematic priority across the industry to improve this area. The first of those areas focuses on governance arrangements within the leadership and the resultant culture that's applied to cybersecurity across the sector. We've rolled out recently a targeted campaign of board-level engagements to really drive home the message to those that we regulate that cybersecurity needs to be governed and led in the same way as other areas in the related aspects of the industry. I apologize for the state of the slides, they don't seem to have translated very well, so I'll try and read out the bits that are missing. The second area focuses on risk management and cyber protection capabilities at our most critical sites. So what we're looking at here is particularly where there's interfaces, and there's a growing number of them, between traditional IT and OT systems. And this sets out to ensure that claims that are made by those that we regulate, that there can be no potential cybersecurity event that could lead to an unacceptable radiological consequence, can be evidenced appropriately to us as a regulator.
There are lots of declarations made by those that we regulate to that effect, but we're seeking greater evidence, particularly as, Anya has said, that attack surface increases and we find that convergence increases across the OT and the IT estates. And then the third area, which again, apologize, you can't see there, focuses upon intelligence-led independent assurance activities. So what do we mean by that? Well, clarifying expectations that, as part of evidencing arrangements from those that we regulate, there are independent assessments conducted so as to avoid us as the regulator getting too tactical. So I mentioned earlier we can go and look at firewall rule sets. We can look at systems and their hardening. What we found was, over the last few years as we did that, we would attend a duty holder organization, we'd lift the stone, we'd find a problem, we'd raise a regulatory issue, the regulatory issue would be managed, resolved, appropriately closed out, and then we'd return after a period of time, we'd lift another stone and, lo and behold, we find the same problem again in a different area. When it comes back to that first priority around effective governance and leadership for cybersecurity, we're really focusing on the root cause issues and raising the bar such that the duty holders that we regulate are taking ownership and responsibility themselves rather than relying on the regulator effectively to act as one of their own assurance arms. So we've placed far greater onus on those that we regulate to go out and get independent assurance undertaken and are excited on from a scoping perspective and then can contribute towards the claims, arguments and evidence put forward as part of that outcome-focused regime.
A really busy slide that I don't expect people to be able to necessarily digest in one go, but I was asked to highlight some of the areas that we're looking at and are potentially concerned about from a cybersecurity perspective, and I don't think anyone in the room will be surprised to see some of the things listed on the left-hand side here. I don't think it's our sector alone that are grappling with these issues. I don't think that it's the UK alone that are grappling with them either. So as you might expect, we're interested in artificial intelligence, we're interested in the increasing use of robotics across the estate, and some of the more traditional aspects that we've seen developing over the last few years. So an ever-increasing and complex supply chain, ensuring appropriate quality assurance of critical digital assets, components, etc. High-risk vendors and certain nations providing certain technologies might be of interest. So there's a whole range of things that we're looking at there that present a whole range of challenges, and I mentioned earlier on that from an outcome-focused perspective we consider ourselves pretty well able to receive and to consider a range of new technologies and innovative solutions within the sector. The way in which we deal with such proposals is to look at what constitutes good practice, and in our outcome-focused regime what we do is we look at different tiers of what we consider to be good practice. At the highest level we might have legislative expectations set out within UK legislation.
One step down from that, but still of great importance, might be established standards from professional bodies, from international organizations, the likes of IEC 62443, for example, in the OT space, or NIST, for example. We don't offer those as sole solutions to any particular problem, but they are the sort of things that we will benchmark against when we receive proposals. And then below that we have interpretive standards, whereby there is a lack of a particular consensus in an area because something is new and emerging, and the industry may come together itself in order to put proposals on how best to tackle an area. We found that certainly when there was an initial uptake of deployments of solutions to the cloud, prior to our own technical authorities providing guidance in that area. So there's a range of RGP, relevant good practice, that we can call upon. With the emerging technology, where there is a lack of that RGP, how does one then go about determining what good looks like and whether or not something is sensible? And it's those independent confidence-building measures that we're seeking to determine whether or not something is appropriate. Now under our regulatory approach a lot of the onus does... does rely upon the part of the duty holder or the licensee, and it can be really challenging for them to evidence to our satisfaction that something is appropriate, but we are open to that conversation. The biggest challenge with all of this that we're finding is balancing all of these desires, these novel approaches, against kind of standing still in many respects. So many of our duty holders have already admitted they need to do more work in this space; many of them need to address the basics, as we saw in that early slide. The challenge is finding the resource, the skilled, capable individuals to do that at the same time as addressing some of these perhaps higher-profile areas.
We tend to find across a lot of the estate there's a lot of interest in deploying robotics to reduce safety risk, for example in high-hazard areas. A lot of investment in that and a lot of keenness for cybersecurity practitioners to support that area. Far less interest in finding people that are willing to address cybersecurity challenges of obsolete technology, items that are perhaps of less interest externally when one might seek a future job. So it's a real balance for our duty holders to try and focus not only on what the future looks like but actually steadying the ship in terms of what they already have at the moment, and that's really where we're trying to get them to focus in many areas alongside some of these new areas. One of the ways in which we've been trying to tackle the problem of a lack of relevant good practice is through something called regulatory sandboxing. Quite a grand title really for not a particularly grand solution. All it effectively is is an opportunity to come together with those that we regulate in a safe and open space where there's very little judgment, and to effectively workshop, to war-game different scenarios, to talk about potential solutions to problems, and for ONR to act less as a regulator but more in an advice and guidance capacity. One of our remits from government is to act as that early advice and guidance sounding board. Not to solution in, not to determine the outcome upfront or to drive the solution, but to provide that upfront confidence in the sort of expectations we might have, and our sandboxing approach is exactly intended to do that. So we've done that a couple of times now. One of the areas we focused on initially was artificial intelligence, and we looked at a few use cases, set out perhaps what the problem was that was seeking to be addressed, and looked at what mock example claims, arguments, evidence might be in place from a security and a safety perspective in order to satisfy later regulatory decisions.
Again, this is all publicly available. We've published a report on our findings on our website; very happy for people to have a look at it and do come back to us. We work alongside not only those that we regulate but academia and government as well in this space. One of the main learning points from us was that by following this approach we can focus in on a particular use case, a particular scenario, because it's very easy, looking back a couple of slides at that big long list that I put up, to be overwhelmed by the potential of new technology and the new developments that are coming without actually considering what the practical application of that might be. And quite simply ONR doesn't have the resource to go and invest in lots of things that may never come to fruition, so we have to focus our resource appropriately, and this has been one of those opportunities to do so. Things that we've learnt along the way as we've been through the journey: our outcome-focused approach, as I mentioned, I think puts us in a really good position to encourage innovation and to be really open to ideas, but it has been a radical change for the sector, moving away from a very prescriptive approach previously to one where duty holders need to upskill and to determine things for themselves and have a very different relationship with us as the regulator. It's not only been a big learning point for them but it's been a massive learning curve for us as well, because our regulatory approach has had to change. We've moved away from being more of an audit-type function to providing upfront advice and guidance and ensuring that we can determine the appropriateness of solutions that are put forward based upon concrete evidence, and that's required a huge upskilling on the part of the inspectors as well.
All of that, though, I think does put us in a good position when it comes to new and innovative technologies. I'm not saying that we have the answers to any of the things on that list, but hopefully the approach that we have allows us to work collaboratively with those that we regulate and external third parties in order to try and identify how we could best use those technologies within a regulated environment. And I think I'll probably take questions at the end, so thank you for your attention.

Alright, good afternoon. My name is Rich McAvro from the Nuclear Energy Institute and I'm going to go through the history and then future of the Nuclear Cybersecurity Program. So when I was asked to go through this, Jeff did ask if I could go through the history, so we're going to go back in time. Alright, so if you look at this, you're looking at a technological advance at some point in its simplest form, and what happened: there's somebody there spying from behind a tree. They're likely stealing it, reproducing it, possibly copying it and then improving upon it, or even trying to figure out how they could steal it and use it maliciously for some other way.
But as you look at that and go into the future to today, we've evolved, but also so has the adversary. So here you're seeing the same scenario: instead of hiding behind a tree, you have somebody hiding behind a script. Somebody is looking at a computer, maybe coming up with something innovative, similar to somebody who has just created fire. But now this hacker, or a person who wants to steal this information, they continue to use the original playbook, but now it's through electronic means, which means the process by which we defend against the adversary has to advance as well. So where did it all start on our side? In the nuclear industry, as an industry, we had to decide what to protect, and there was a lot to consider. What was the adversary thinking? What was the target? Was the target theft of information, denial of service, sabotage, grid disturbance? In your dark clouds up there that you're looking at, if you're thinking, what's that middle building, that's a nuke plant, because it's a plant. So depending on the adversary's objectives, be it theft of information, acts of cyber terrorism designed to result in mass casualties, the types of computer systems he has to target will have to change. So the concept is subtle, but the nature of the assets is a significant role in how we protect them. One measure in which we protect them at the nuclear plants is to disconnect them from our external network. So if you look at the picture, business assets are outside of the nuclear plant, right? So they're not protected in the same way. But it's also important to say that the concept of cyber is a very simple reality, right? Cyber is very easy to get wrong and very hard to get right, because it's a constantly changing landscape, and protecting the wrong assets will result in failure on our end, right? So we have to know what to protect, and we can't protect everything, because at that point you're not protecting anything. So we have to be very specific on what we're doing. So you see there's some overlap out there between
federal organizations, between FERC and the NRC, in those interests at the power plants. You see generation, transmission; those are balance-of-plant areas, right. So nuclear power plants, they generate the electricity, so FERC, they have an interest in that, right. But they also use uranium, so the NRC cares about that. So differing in those areas, we were able to find that the NRC as a single regulator, and that determination between both FERC and the NRC agreeing on that, we wound up with a single regulator, similar to what Paul was talking about. But just like other federal agencies, they differ in their oversight of functions of power generation, transmission, bulk electric systems. So nuclear, and then on the nuclear side, nuclear and enterprise programs also differ in their requirements, but the focus is always the same: detect, delay, respond to and recover from cyber attacks. That has to be the focus. But cyber security on the enterprise side, on the business asset side, is much different than cyber security on the operational side of the house. But having that division, and determining that division of protection, was the start at which the nuclear cyber security program began. So we had to decide who owns what and what exactly we needed to protect. So similar to Paul's slide that he went through, the timeline, this is our timeline, right. And when we look back over the years, it shows that very early on the industry recognized that there was a threat, and it's been an evolving threat, and that we have been, as an industry, very nimble and able to continue evolving over time, defending against that threat. And as you can see on here, the cyber security program has essentially been around since the early 2000s. We developed our cyber security task force in that time frame; NEI 04-04, which is the original predecessor to the cyber security program for power reactors; cyber attack was added to the design basis threat; and then NRC endorsed the NEI 08-09 cyber security plan, which is the associated document to the NRC
Reg Guide 5.71. In the next series of years, all cyber security programs have been approved, and then plants fully implemented the program, and all sites have been inspected to that program. And currently the NRC has implemented the updated NRC cyber security program inspection procedure and is now taking a look at, maybe there's an evolution to that as well. There was movement on this next slide. So when we look at our cyber security performance objectives, we have to recognize that here's a series of key attributes to the cyber security program. The cyber security program is an integrated component of the physical security program, and that makes sense, after all, because it is a design basis threat rule as part of the physical security protection program. The cyber security program's principal focus is that of preventing against radiological sabotage, just like in the second box. Finally, when we look at it, the cyber security program is not static. It's not a once-and-done program. The program is designed to evolve over time, ensure that it continues to be effective, and evolves at defending against an evolving threat landscape. I think each of us has said "evolving threat landscape" at least once on this panel, and that's a very important element. While the plants have programs in place for protecting sensitive information, like safeguards information and personal information, the NRC's cyber security requirements are about protecting against any malicious act, including a cyber attack, that could endanger the health and safety of the public by exposure to radiation. So where are we going from here? And I use the DeLorean because we're going back to the future, 88 miles an hour. So we're looking at continuous improvement of the current reactor fleet. We're updating our cyber security plan, the NEI 08-09 document. The NRC has taken a look at their inspector guidance and updating guidance in there, the Appendix Echo, Appendix Echo to 0609, which provides additional examples to minor, more than minor.
We're taking a look at the industry OE through a cyber security inspection information forum. We have cyber security conferences and training forums where we're looking at opportunities to improve that training. As cyber security evolves over time, how do we need to implement our programs a little bit better, and how do we start on implementing our programs better in the industry? And we're looking at ways and opportunities to incorporate the principles of very low safety significance issue resolution, of the VLSSIR process. And even beyond that, when we look forward to that, what do we need? So we're looking at advanced cyber, we're looking at advanced reactors, and the US, like it says, has embarked on an unprecedented effort to improve our broader economy, and there could be many NRC applications going in in the next few years. And Part 53, that we've heard many times throughout this forum, is the NRC's opportunity to enable that safe, reliable advanced nuclear, right. So what do we need as an industry to implement, right? As we await new rules and associated regulatory guides, we need to ensure that what's on the screen is in place for the next generation of power generators and nuclear power. We need a regulatory framework that's used and that is useful; that it's risk informed, technology inclusive and performance based; safety is assured; that unnecessary regulatory burden; that it's efficient and timely with our licensing approvals. I think we've heard that a few times in this forum as well. Greater licensing flexibility and how we implement those programs, as well as long term regulatory. If you look at all these empty boxes, no matter what we fill in each of these boxes, whether it be some kind of futuristic technology like quantum cryptography way down the road, or artificial intelligence, or a generic adversary, new vulnerabilities, you name it, right, we need to work together in our industry to defend and keep our critical infrastructure safe and secure for years to come. And with that I want to
thank you for your time. I'm going to turn it over to Kim.

Okay, good evening. I'm going to be speaking briefly on cybersecurity oversight in the changing nuclear security landscape. The cloud on the left of this slide represents aspects of a cybersecurity landscape where the US NRC cybersecurity regulations for nuclear power plants and the associated regulatory guidance were issued in 2009, 2010. Security for digital assets and computer systems heavily leveraged areas of operational nuclear power plants, such as actions taken for software reliability, physical security, and operator experience and training. Licensees credited actions for software reliability for safety related functions. Cybersecurity plans heavily leveraged physical security protections as well as operator experience and training. The regulatory guidance that the NRC generated did heavily rely on prescriptive measures, such as implementation of specific security controls. However, I will note that even in the original version of the guidance, the guidance allowed for risk informed treatments or measures, where the level of protection was based on the importance of the safety or security function. All the things on the left are still there, but the cloud on the right represents the landscape in the fast approaching future: artificial intelligence, drones, remote operations and maintenance, industrial internet of things. These are technologies that will be introduced to improve safety, security and operational efficiencies. However, from a cybersecurity perspective, the new technologies will also change the attack surface and can introduce new threats, attack pathways and vulnerabilities. This slide represents a holistic view of security at a nuclear power plant that consists of physical security, cyber security, operational security and information security. In each security type, if you look at the top, you will see a notation in the figure representing how much of a security type contributes to the overall security
posture of a nuclear power plant. And just use notations, but w plus x plus y plus z equals 100%. Let's say what percentage it is, that's going to be very site specific, based on the plant. As mentioned in the previous slide, today's features implemented in physical security and cybersecurity and operational security, that's where a lot of security focus is. However, if you think about that, physical security and operational security is where industry is looking to gain efficiency also. So as you make changes to those things, it's going to impact other areas of security. A reduction in physical security will likely increase the need for cybersecurity protection. With remote monitoring and access, information previously restricted to the boundaries of the physical parameters of the plant will require, with remote access or monitoring, will require additional information security protections. New technology, new use of technology such as automation and artificial intelligence, will impact operational security. In addition to training the human, which we've done for operational security, models will now have to be trained with data to implement the technology securely and effectively. So we've mentioned throughout the presentation risk-informed security. Risk-informed security must be evidence-based. A risk analysis should be performed prior, hopefully prior, to obtaining and installing technology. The ability to perform monitoring and detection is crucial. The plant operator, whether normal event, expected normal events, let me say it one more time: what are expected normal events and what are abnormal events? Automation and artificial intelligence processes could take actions without communication that would normally be monitored, and obviously this is going to make a difference in this protective strategy that's used. Monitoring and detection is also important based on that risk analysis I spoke of at first. With the risk analysis, we're assuming, if you assume it's perfect,
you'll know everything in advance. But we don't work in a, we don't operate in a world like that. The risk analysis will not be perfect, so therefore you need monitoring and detection to catch those cases that were not anticipated. With technology changing, it would be wonderful if the technology will self report if it's in a secure state or not, so you know when you start using it, it is in a secure state. So this is something that a vendor will help work with the operators to get that kind of information, to understand if the technology is in a secure state. I'm going to mention something on that previous slide, since I do, I have a reverse button here, yeah. I'm going to go quickly over this, because licensees knowing what you have, Rich, other people have spoken about that, that's critical. We have protections in place already for supply chain, asset management, configuration management. Those are critical. This is very important. You can't protect what you really don't know. We don't want to be in a position where the attacker will know more about the assets and the vulnerabilities and how to exploit them than we do. Cybersecurity risk analysis: as I said, it's important to understand the plant functions affected by the technology, it's important to understand the minimal capabilities of the technology that should be used to support those identified plant functions, and it's important to evaluate the risks, the new attack surfaces, vulnerabilities and the mitigations. The licensee's or applicant's motive for using a technology will likely be different than the motivation of the attacker. The attacker will misuse the technology to accomplish their goals. The outcome of the security risk analysis is that the licensees should understand what it will take to securely deploy the technology and operate it, and this evidence can be provided to the regulators. This is a diagram that I generated to show the process that we believe that when technology is introduced to a plant that there should be an
evaluation of the new risk associated with the technology, if the decision is going forward to have that technology in the plant, to determine what cybersecurity procedures and processes need to be updated. Okay, the licensee will go on and implement those security controls based on the risk analysis, and those controls should be monitored. So this is the circle, and then as you monitor the controls you may find new risks, as I mentioned earlier, you adjust. So it's a circular argument, a circular system here. A fair amount of the work will take place in evaluating the new risk; a lot of work will take place there. How will security controls to address risks be implemented? Security requirements with technical security controls should be given to vendors based on the risk assessment and evaluation. So I'll give a brief example: autonomous operation or monitoring. If you have autonomous operations, there will probably be less communication to monitor at that point, so you have to monitor the actual processes and actions that are being performed on the device. How is this implemented? The first step and second step of this diagram, those are kind of questions and things that need to be discussed before purchasing and installing the new technology. Anya has already mentioned the toolbox analogy for cybersecurity plans. They contain cybersecurity controls that are implemented, and there's always been a debate over the last ten years: how many cybersecurity controls do we really need, which are really effective? And the analogy I used for the toolbox is to look at your own home. You have a toolbox. Do you use every tool in that toolbox? Probably not. Some of you may never use, but they are there because you don't know what's coming in the future. You know, some things you use quite often, other things you may not. But if you don't want to always have to get new controls in there, it's probably best to understand the purpose of the controls and have them in the toolbox, for the operational security, for the
managerial or administrative controls, or for the technical security controls. By having all those controls, you will have defense in depth to be able to detect, respond to and recover from a cyber attack. Another point I wanted to make about all the security controls: oh, when we had a prescriptive way of operating and inspecting, it made sense, there's an understanding why you would not want to have 140 security controls; you don't want to have to inspect to those. However, okay, we're doing it based on risk analysis, okay, there's no advantage or less advantages to having a number of controls in your toolbox. So that's why I'm saying everyone should reconsider, just understanding the purpose of the control and having it available to use if necessary. I've spoken about what the regulator and vendors and everybody else is doing. We have work to do in the security branch of the NRC, okay. We have been adapting based on lessons learned from inspections during COVID, about focusing on the most important things when we're on site and trying to get information before we get to the site, to have the most effective oversight possible during the inspection. And that oversight includes licensees' self-assessments, for us to see the evidence that they consider that the cybersecurity plans are working. We have been participating in pre-application and licensing meetings with NRR, the Office of Nuclear Regulation, staff, so that we can understand the importance of the safety features that are being in the new plans, and then we can focus on what's important from the side of the security aspect. As Anya said, my group works very closely with the Office of Research on issues involving novel use of technologies at nuclear facility plants, and we're also in the process of updating and generating new NRC guidance associated with cybersecurity. So in summary, the use of emerging technology can improve plant safety, plant security and operating efficiencies. Risk assessments are needed to
perform securely deployed technology within the plant. No one will know nuclear facilities as well as the people in this audience and people probably watching this presentation. All of us will be involved in developing, deploying, operating and providing oversight for these new technologies. There is a need for all of us to communicate with each other in order to provide adequate security risk assessments and oversight. And the last bullet is that, as my group is working in an answer with the Office of Research and also the Office of Nuclear Reactor Regulation for safety, to identify safety functions and to deploy cybersecurity programs at the plants, to make sure that the oversight is effective. And that's been my presentation. Thank you very much.

Thank you, everybody. Can we get the QR code up on the screen? Everybody missed it in the first round, so I want to ask questions. We have had a couple of questions that have come in. I will sort through them and ask as I have them here. But Paul, first question for you. So a member of the audience indicated that they found the UK's approach to cybersecurity very interesting and that the NRC should consider adopting a similar, more focused approach. The question was that inspectors, and I'll paraphrase a little bit here, as well the licensees as well, tend to appreciate having clear thresholds or clear guidance on how to implement various cybersecurity requirements, various other regulatory requirements. How well have the inspectors and duty holders adapted to the new paradigm? How well do they, or how well have they determined what compliance, or how well do they determine compliance, or how well is compliance assessed, from both the licensee aspect, or the duty holder aspect, and the inspector aspect?

Okay, so I think it's been a mixed bag, if we're being completely honest. I will start by saying that I think that our transition to outcome focused regulation for security has been on the whole a huge improvement
to where we were before, on the basis of sheer compliance with mandates issued by ONR and our colleagues in government. So I do think that we have seen a positive improvement in that respect. But in terms of how well has the industry, I guess, coped with the change, and then also at ONR, I think, if that's your question, it's definitely been mixed. So there are some of our duty holders that have relished the opportunity to have greater involvement and suggestions in terms of how they will deliver the outcomes that we set, and that's very much how we have done things. We have set high level outcomes, high level objectives for what we want to see, and the way in which the duty holder community does that is really for them to decide. We have a really diverse industry in the UK, so we have operating facilities that operate obviously under a commercial model, but we also have a huge part of the estate in government ownership and control through its decommissioning phase, and no two aspects of the industry really are alike. And so it has been really positive in that respect, but in terms of the actual duty holder approach it has certainly been mixed.
Some duty holders, I think, have preferred a more prescriptive approach, because to be quite frank it's easier to go into a board room and say, ONR says we need this, I need this much money, I need this many people to achieve it. If it's not quite that clear, it can be really difficult for that conversation to happen at the board room, or however you determine that you need this many people, this much funding, etc. So where we've seen the biggest challenge, I think, has been in the small to medium enterprise community, certainly across aspects of the supply chain, where we take a slightly different approach. We're not prescriptive, but what we do is we risk profile and we suggest controls that would meet the threshold for those organisations where the person in charge of security is also in charge of half a dozen other things. So we've tried to be proportionate in the approach to our move to outcome focused regulation, but certainly some duty holders have been in favour of it far more than others. In terms of ONR's approach, it has required a paradigmatic shift, really, in terms of the inspector's mindset. Again, some of the inspectors have struggled with that transition because they've been very used to following a more compliance led approach. What we now do is we issue guidance to our inspectors in order for them to reach consistent regulatory judgements in a way that's proportionate and targeted, and that has helped dramatically. But it has required a change in approach for both our staff and those that we regulate. You know, it's not complete, we're not fully there yet, we have further to go. Without naming and shaming, certain parts of the industry have found it easier than others. Does that kind of cover, there's quite a long question, so I hope I've covered most of it.

Yes, thank you, I think it does. Next question is for Anya. Could you provide some detail on the research that's being conducted on the field programmable gate arrays in I&C safety systems?

Sure. So industry is interested and is using
field programmable gate arrays in safety systems, and some of the claims they have made is that, oh, there's no software, so there's no vulnerabilities, or there's no attack surface. And instead of just taking that at face value, we have examined some of the literature and looked at what kind of vulnerabilities there are, because FPGAs aren't vulnerability free, and really it depends on the type of FPGA, how it's used, things like that. And these days there's not just a regular, just simple FPGA; there's a system on a chip, so now when the claim there was no software, there's no software. So we sort of started out with looking at some of the vulnerabilities that were on FPGAs or related to FPGAs, and then we provided very high level guidance on, when you're reviewing something with FPGAs, what should you be looking for, what type of FPGA is this. There's like something called SRAM, antifuse and other kinds of FPGAs that have different characteristics, and, let's see, I think we even had some guidance on one type is better than another from a security perspective. And we also, based on those metrics, we sort of provided things that the inspector could sort of check out. It's just a high level framework that we created to sort of understand better the actual security issues associated with FPGAs, instead of just taking it for granted that they are much more secure than, for instance, microprocessor based systems.

Thank you. This question was directed then actually staff, but I'm going to actually pivot and ask Rich and Paul also to address this question. Given the competitive nature of talent needed to assess and inspect the status of cybersecurity in the US nuclear fleet, what is the NRC doing to attract, retain and train cybersecurity inspectors to ensure quality and consistency? But not inspectors, but your own talent that you would need for implementing the system, for Rich, and obviously Paul for security for inspection. But essentially, this is a very difficult question to answer. The leading thing
that the NRC is doing to identify the talent that we need, or to identify where we need additional talent, is through our own workforce planning program, where we identify what areas we, or what skills we have within the agency and what we need, to either develop our own internal staff, to give them the training, identify external training resources, or identify if we need to develop internal training, and then to use that to either recruit new personnel directly out of school, experienced personnel, experienced people that are already out in the field and that have the skill sets that we are looking for. We have a lot of different areas within our workforce planning where we identify what we need and fill those gaps. I know the staff within the cybersecurity branch go, or have a lot of training, internal and external, to develop their skills and enhance their skills. Research programs, or the research groups, have the same opportunities for training. But we're also hiring new personnel and experienced personnel in order to fill out those skill sets even more so, or provide additional, I'll say, margin within our own workforces so that we have those skills going forward. Rich or Paul, if you want.

I can go first, that's fine. So I can give a perspective from the industry, at least. You know, similar to what Jeff said, site workforce planning is where it begins, right: identifying that pipeline for quality personnel to take over those roles within the cybersecurity program. As you saw on my slide, this has been going, you know, the cyber program has been in place for quite a many years, so the folks who stood up that program are likely either moving into the next generation of programs, of ownership, right, they may become managers, they may become higher level leaders, leaving that on to the next team to provide care and feeding of those programs. And so as they look forward, what's that succession planning
look like for knowledge transfer and retention, right. So sites are beginning to develop that. At NEI we're taking a look at that holistically. We're starting to see during inspections what seems to be issues of concern, maybe, when findings are identified: what's it associated with? Is it more associated with training? Is it resources, staffing? Are there documentation challenges? So these are some of the things where we're starting to trend and identify, to where we can provide that feedback back to the industry, that maybe, you know, do we have to start looking at additional training throughout the year, right. As folks stood up the program, they're very close to the development of it, the pedigree of the program, but as that knowledge transfer turns over throughout the years, how is that being retained, right? If you're hiring someone brand new in, that's maybe new to nuclear, then they're going to have to start at the beginning, right. And that's one of the ways, one of the main reasons we took a look at the NEI 08-09 guidance, right. That guidance is a big document in itself, but the guidance over time had additional pieces of guidance that were not in that document, but they were approved ways to implement the program that the NRC said, these essentially meet the intent of the regulation. So as a program manager you would take your NEI guidance document and then you'd have to go look for four, five, six other documents, as well as frequently asked questions and answers to that. So we decided, let's put it all in one spot, where even somebody new to nuclear coming into the cyber program could pick up one document and find everything they need to know for implementing the guidance. So that was one way in which NEI sort of tried to play a role in knowledge transfer, but also the fluid turnover of that knowledge transfer. But looking back at the sites, I think identifying a pipeline and need for new personnel is something that the industry is looking at. Jeff, and I'll turn it over to Paul.

So I
think there's a lot to say on this topic, and where to start? There's a huge challenge here. So when we recruit inspectors within ONR, within cybersecurity, we're looking for people that understand cybersecurity and have a passion for it, but people that are accepting of the fact they will no longer be hands on with cybersecurity, and that's a challenge in itself. Then we need people that are comfortable with, or able to develop skills around, regulation and an enabling approach, able to engage with people, encourage change, do all the good things that you would hope to see in an effective regulator. Then we typically slap on a government security clearance on top of that, and then we tell them they've got to work in typically one of three locations and possibly support sites that are in some challenging areas within the UK to get to. So when you start piling those requirements on to a job advert, as we've discovered, your pool of candidates reduces significantly with every one of those aspects. So not only is it a challenge for us to recruit people, it's a challenge for us to retain them, and it's equally a challenge to recruit and retain individuals that don't all look, sound and act the same, because we believe that a diverse workforce would be a more healthy workforce. So none of those are solutions, I appreciate that, but those are the challenges that we as a regulator face, and I'm sure that's true of other disciplines as well, but my particular area of concern is obviously cyber security. So some of the things that we've been trying to do to address that: we've been working really closely with a new professional body which has been recently given a royal charter within the UK, called the UK Cyber Security Council. So for the first time cyber security has a dedicated professional body within the UK which is seeking to professionalise that part of the community, so cyber security professionals across all walks of life, all sectors, and that's not been there before. And the aspiration of that
body, and I don't represent them, but in a nutshell what I believe is that they are seeking to professionalise cyber security in a way that will be akin to any other formally recognised professional group. And that I think is really important, because what that does is it acknowledges the status of cyber security as a valid profession, and that, coupled with wider UK aspects around training and education for cyber security, is having a hugely positive effect, I think, in the future talent pipeline, because, you know, when I went through there were no cyber security degrees. In fact, cyber security was a bit of a jovial term. It wasn't really recognised as a proper profession and people didn't really believe it existed. So all of that is going on in the background, beyond ONR's direct control, but we're contributing to a lot of the discussions and we're supporting the new council on cyber security actively, to try and promote and to ensure that we can have our views represented. Closer to home, what we do is, because it's so difficult to recruit people in cyber security, we operate something called a specialist generalist model. So we expect our cyber security inspectors to have a general appreciation and understanding of cyber security across the piece, but what we then do is we expect them to focus in on one or two niche areas within the domains of cyber security, because it's a very broad field. So no two people are alike, and it's really difficult in people with those same skills, and actually I don't want a dozen people that are cloud security experts, or a dozen people that are specialists in OT, because we regulate far more broadly than that. So I need a diverse mix of individuals, and if I'm not careful, when I recruit people, what they do is they all kind of want to do the same type of training courses, many of them actually around the topics that I raised in my slides there around the new emerging tech, because that's the area of interest, that's what everyone's interested in. Trying to get people
qualified in obsolete technology is a challenge, because a lot of people aren't really interested in it. So that's another thing that we've been focusing on. And then more widely within the UK there's been the creation recently, and I think it will really come into its own first of April, of a new nuclear task force which is focused on careers more generally within the nuclear industry within the UK. There's been a lot of discussions given SMRs, advanced technologies, potential for new power plants, etc., because there's a recognition, not only for cyber security but across many of the domains of ensuring a healthy industry, we're all going to be fishing from the same pool, and if we're not careful we're just kind of poaching each other's staff all the time. So those are some of the things that we're working on, but it is a real challenge, and I think it has an always on recruitment campaign. There's no end date at the moment and I can't see there being an end date, because I simply struggle to bring in the calibre of individuals that we need. But we are recruiting at all levels, from graduate through to experienced inspector, and it is a challenge. And we offer, I believe, relatively good terms and remuneration for the roles, and it is still a challenge, because cyber security is traversing every sector, and so not only are we competing with perhaps defence and other aspects of critical national infrastructure, we're competing with every sector for these individuals. And as I come back to my earlier point, many cyber security individuals like to be hands on, and that is not something that I can offer them, and that's a real challenge. So it takes a particular kind of person to come and work for ONR, and that's hard.

Thank you. Next question I have is for Kim. What are some of the unique aspects of performing inspections for cyber security programs that we don't see with other safety security inspections, and how are these managed?

I'm thinking of just the inspections for more like physical security, and in scenarios where, in a hard science like physics or chemistry, where the basics are there, you know what the parameters are, you know what's something safe and reliable from the hard sciences. But with something like cyber security it's more like, I would think, like biology, or things that you don't, you know, they could evolve and change, and that's a challenge, because you engineer to what you know, what you expect, and you can't do everything. That's what everyone's been saying and we absolutely agree. So I think, at least for cyber security, the key is, as Richard said, and we are all in agreement, you have to focus on what's important and you really secure that, but then you have to watch for indicators, things that you don't expect. When we talked as inspectors, we asked, I know when I was new to the NRC, I'm a cyber security professional so I did not know nuclear security and safety, and I asked, why would you do that, why did you do this particular security control? And that's when we were in the prescriptive mode. Back then they said, well, because we had to, but it wasn't based on what they were trying to protect or what the potential threat was or how you use those controls together with other controls to have overall security. And so we've learned from that, so we're getting better at that. But as we get better on that, on things we know, then comes artificial intelligence, then comes remote access, things that are completely different than what we used to do before. Not only is there are some issues, and now we have to understand the new reactors, because a lot of those meetings for the pre-applications and licensing, I never speak in those meetings. I'm sitting, I'm like a fly on the wall, listening and learning all the time, trying to understand the safety cases for those reactors. So then once I understand it, and I confer with people in NRR to make sure I understand it, then I can put on my cybersecurity hat and say, how do I get past
those defenses. So it is interesting working in cybersecurity in the nuclear domain, because this is a trade-off. It's just what Paul said. I used to build things, I had my hands on things, and we don't have that anymore. At least we compete in, like, DHS competitions, so that tries to keep a skill sharp and things like that, but a day-to-day aspect, we don't have hands-on work. So it's a balancing act. But it's not just headquarters inspectors, they do rotations, they're learning these things. So, but it's an ongoing learning challenge for sure that we're doing here.

Thank you. Next question's for Rich. NEI has developed cyber guidance for the operating fleet. Has NEI, what types of guidance has NEI identified might be needed for support of the advanced reactor development?

It's a great question. Similar to the operating reactor fleet, we'll likely need those same types of guidance documents for the advanced reactor fleet. As we review the slide that came out from the NRC associated with Part 53 framework or 73.110 guidance, once that, once that draft reg guide is in place, it's highly likely we'll take a look at developing guidance for the advanced reactor fleet for implementing their cyber security program, depending on the types of technology they're looking at, the types of controls, types of performance-based approach they may want to take. And I wouldn't foresee going into the world of so many documents similar to what we did with NEI 08-09 and the multiple addendums that were associated with it. I think we'll try to narrow it down on the front end. A lot of the work will be done on the front end of analyzing exactly what we need, what's needed to be protected, and identifying the adequate set of controls to get there. So we haven't gotten there yet. We're waiting for the NRC's documents to be finalized, and once we do we'll start evaluating what we'll need from the industry.

Thank you. Seeing as the time, I'm going to leave this next question for anybody who wants to answer it, but based on the
lessons of the last 20 years and the upcoming challenges, what would be your advice for newcomer countries who have no experience with oversight of cybersecurity issues at the stage of design and construction, where to focus the most resources for the most effect and most effectively train their staff?

I can start and then I'll just open up the door. I would love to see everybody over here, but I can't because of the bright light, so that's why I'm kind of looking over here. But if you're developing the program, knowing what we know now in the current reactor fleet, right, and looking forward, if we begin with what the impact of the function is and then what the threshold is that's acceptable per the NRC. So if you look at the advanced reactors, we're looking at 25 rem, right. So if you select your systems, components, structures, if impacted, if their functions impacted and would have exceeded the, those values that are in the guidance, then you've, then you've identified the right structure, systems, components that need to be protected, right. And then start working backwards: how do you adequately protect those, and keep your focus tight, right. Do your analyzation all up front, because the time spent analyzing up front is going to be a direct correlation to, one, positive security and use of resources on those things most important to the health and safety of the public. As a direct line we could see that, right. And that time spent on the front end will directly correlate to the amount of time spent on the back end if you have to go back and rework things to adequately protect it because you scoped incorrectly. So I would say, to adequately impact your resource use, that time up front analyzing what exactly needs to be protected, that's directly focused on health and safety of the public, is probably the most important from my perspective.

Very quickly, back to the, all the security controls and things like that you have to know or use or whatever. When the advanced reactor program started was
discussed in several years ago, I, someone said, Kim, pick three, say something about what you think are the most important. And they are in, actually, Reg Guide 5.71, but I'm going to highlight them now. You have to understand the defensive strategy. You have to be able to explain why you're protecting what you're protecting, okay. Whether you're using security levels, you're going to allow remote access, data diode, whatever your strategy is, you know, say wireless calling use in a certain place, whatever, you should be able to explain it, and then understand the architectures that you're building on that will implement that strategy. Number two, have the architecture that will support that strategy. And the last one I would say is least functionality. You don't have to protect it if you don't need to. You don't want to have a big attack surface. You want to minimize the functionality that you have to protect. Pick the right things, but you protect those things. You don't want the attacker to be able to come in and do, you know, explore things. So if you have people who understand the function of the plant, that's primary. You have to have that kind of information, why you're doing what you're doing in cybersecurity. Those two skills together, that will kind of hone in on the most important things of fraud.

So I think what I'd start with is, what a great opportunity. So most of us, in, certainly in my organization, we spend our lives trying to retrofit security to an industry that, you know, really predates expectations around modern information cybersecurity. So what a great opportunity to have security at the front alongside all the other aspects that you will consider as you develop things. So I look at countries like the UAE and, you know, I hear 10,000 critical digital assets on some of their facilities, and it's mind-blowing for an industry with the history of ours. But actually, if you can get in there at the start and you can embed security from the start, isn't that what most cybersecurity people dream of, the
ability to embed security from day one? And so there's a real opportunity there, not only in terms of the technical aspects, in terms of categorizing, classifying assets, undertaking risk assessments, determining the value and the importance of assets from day one rather than trying to go back retrospectively and work out what should we have cared about, the opportunity previously, but there's also the strategic side as well. So actually putting in governance arrangements, executive teams to administer your facilities that actually consider security alongside other areas of risk. And I just think that in many respects that's what we would almost dream of with many of the facilities that we have. So I think there's a real opportunity to estimate the challenge, particularly with increasing digitalization and connectivity, but trying to retrofit, particularly in the OT space when you've got licensing conditions and arrangements that prohibit things in terms of changes to standards, procedures and arrangements, imagine baking that in from the start. I know it will be a challenge to maintain it, but I think there's a real opportunity. So my advice would be to start with a blank piece of paper and think about what's important, what needs protecting, and put those arrangements in from day one, as is probably expected in a modern establishment.

I want to thank everybody for your time and participating in this presentation. I want to thank everybody in the audience for joining us for the talk. Should be, I think there is a QR code that can be displayed for providing feedback for this session and any other sessions associated with the RIC. So please, if you have any comments or questions, provide feedback. Appreciate your time, thank you, and have a great night.