Frank Cilluffo: Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege to sit down with Dr. Marion Messmer. Dr. Messmer is a Senior Research Fellow at Chatham House, a premier think tank located in the United Kingdom in London. Prior to that, she studied at Cambridge as well as King's College, has a strong background in nuclear issues, was co-director of BASIC, which is the British American Security Information Council, and is the author of a new report which we'll go into today. Dr. Messmer, thank you for joining us today.

Dr. Marion Messmer: Thanks so much for having me.

Frank Cilluffo: So, I thought maybe we'd start with. You just came out with this report, Cybersecurity of the Civil Nuclear Sector, and I thought maybe we can kick off with a little bit of a summary of the report, some of your key findings and also what led you to work on this particular effort.

Dr. Marion Messmer: Yeah, absolutely. So this report for us brings together a few different strands of work that we've been working on for quite a few years now. So the cybersecurity specifically of nuclear power plants is something that's been really important for us at Chatham House for a long time. So we started working on that as a team back in 2014 and spent some time with the nuclear power sector in the UK and with the IAEA working on these topics in sort of 2014 to 2016. We then checked in on it again in 2019 and did some work where we looked at what we can learn from the insurance sector around insuring against cyber attacks, because that was a new topic that was coming in at the time. And then because the IAEA also had actually led such a huge effort on making sure to build capacity for cybersecurity globally on this, we thought it was a good time to kind of check in again where we had got to, not just in the UK but also globally, because at the same time there was this other trend of a huge increase in cyber attacks, specifically on critical national infrastructure, which nuclear power is for a lot of countries. So what we wanted to do in this report was, first of all, assess what the threat landscape is like now from a cybersecurity perspective for nuclear infrastructure specifically. We also wanted to look at what international law does in order to protect this really important sector, because there was also, there has been a lot of attention on that side of things because of
the Russian attacks on the Zaporizhzhia nuclear power plant in Ukraine. And then finally we wanted to look at what more could be done to ensure the cyber security and whether there was anything about the technological changes that we are seeing approaching in the sector through things like the wider spread of AI and things like the, the advent of different types of reactors. Because you know, if we, if we compare the sort of traditional nuclear power sector, we've got, we've got nuclear power plant design that in some cases predates the Internet. But then we also have new reactor types like small modular reactors or micro reactors that may not be widely distributed at this point, but the whole purpose of them is that they will all be networked and that they can be operated remotely. So some of the traditional cybersecurity techniques that you might be using, like air gapping and so on, is all of a sudden not so straightforward anymore when you have a reactor where the whole selling point is that it can be operated remotely without having staff on site. So those were some of the issues that were driving us to look into this and that we wanted to address in the report.

Frank Cilluffo: Marion, thank you for an excellent summary. And I would question if we
could ever completely air gap any the cyber domain. But clearly when you're looking at the advent of small modular reactors, micro, and you're seeing the same thing play out in other energy sectors with micro grids and the like, these obviously are designed at a different time and do bring about new risk, new opportunity and efficiency and including
for climate and the like, but also new security risks. And what I thought maybe you could do is start looking at what you saw the primary threats face to this sector. And again, I think we're talking here, civilian in particular, but there's been a growth. So I'd be curious what some of your initial findings were.

Dr. Marion Messmer: Yeah, absolutely. And we, we broke this threat analysis down basically into peacetime and then conflict. And, and this was, this was in part inspired, as I said, by what we have been seeing Russia do around the Zaporizhzhia nuclear power plant, but also because of, because of this forward look and looking at the potential that small modular reactors and microreactors bring for a lot of regions of the world, you know, that, that are suffering from conflicts at the moment. Which means that if these reactor types spread, then what we're seeing now in Zaporizhzhia, while it's not a completely unique or never before seen situation, it is pretty rare that a nuclear power plant is caught up in war fighting in that way. But it's something that we might actually see much more frequently in the future, which is why we thought it was important to look at these issues separately. But even in peacetime, we have seen perhaps like a slight shift in the threat landscape. In part, that's because there has been a rise of, of cyber criminals that like to target specifically critical national infrastructure, which nuclear power is for a lot of countries. And so that means that you have a range of threats facing nuclear infrastructure in that regard. So you have, you have criminal actors that might want to extort a government or want to extort an operator that just, you know, don't necessarily care about the fact that it's a nuclear power plant. They just care that it's critical national infrastructure. And in that sense, that poses a risk in the same way that perhaps health infrastructure might be at risk or other types of energy infrastructure. But then, of course, you have also the additional sensitivity that, that there is a risk involved with nuclear reactors. Not the same for all reactor types. But, you know, when people hear nuclear power, many of them think of Chernobyl and those kinds of nuclear accidents. And there is always the risk that there could be an accident that leads to the release of radiation or that might lead to the theft
of nuclear materials. So in that sense, you have to be extra careful just to make sure that you mitigate against those kinds of risks as well. And then you have the, the other sort of, perhaps threat vector of someone targeting personnel that works in a power plant, again, either in order to extort or to coerce. So there are these different slices of threats that emerge. And then, of course, you know, given the geopolitical environment, we have also seen over time that hostile governments might want to target nuclear power plants either as critical infrastructure or just as a, as a way of attacking something that is really important to a government. For example, we've seen this in South Korea, where North Korean hackers targeted some of the energy infrastructure there. So in broad strokes, those are the kind of threats that we see. But then, of course, there is the sort of inadvertent or accidental threat landscape as well, where you might just have some sort of a bug out there, some sort of a virus or worm that isn't necessarily targeting a nuclear power plant as such, but perhaps the power plant uses software that is susceptible to that kind of, kind of attack, and therefore there's a vulnerability there that can be exploited. And I think, you know, while we have got a lot better at sort of thinking of the purposeful kinds of risks out there, something that we're not always thinking through is where the, the inadvertent vulnerabilities might be coming from and how you can also protect from those kind of attacks.

Frank Cilluffo: Marion, that, that's a great point and very apropos given the CrowdStrike news. Sometimes it may not even be malicious at all. It may be intended to be a patch that can have unintended consequences. And I do want to talk about the software sets of issues momentarily, but I think you raised a really important point. Some countries are in it for espionage to enhance some of their nuclear
aspirations, goals, capabilities, think North Korea, think Iran, think, think others. But we are seeing, and I think you framed it in a very good way, peacetime, wartime, I kind of have a hard time discerning the two sometimes these days. And cyber extends the battlefield to incorporate all of society. But all that said and done, from the US perspective, Volt Typhoon was a big wake up call where China was doing nothing, no benefit for espionage or even traditional reconnaissance, but intelligence preparation on the battlefield and have a foothold into our critical infrastructure. So that is part of what this, this broader set of issues looks, looks like. Right. Any, any, any cases in particular that we've seen thus far that we can discuss publicly that drew concern and attention from your perspective. And clearly this sector is unique, it is the nuclear sector. And, and yes, we all come to that maybe from a different perspective than some of the other critical infrastructure sectors. But, but any cases in particular rise to the level of concern from your perspective?

Dr. Marion Messmer: Well, there are a few different ones for different reasons. Right. And the other thing I would point out also is that we found that it, there's sometimes a huge time lag between when an attack might occur and when you actually hear about it specifically in the sector, because both operators and governments can be quite
worried about what it means releasing news of such an attack. But I would say it's actually really important to have that greater deal of transparency, which is, you know, in terms of our conversation is probably jumping several steps ahead because that's getting to what kind of recommendations we make in our report.

Frank Cilluffo: And we will get there because the recommendations are key.

Dr. Marion Messmer: Yep, yep. Yeah, but that was something that was just really interesting to me because we were speaking with some people who do a lot of cybersecurity in the financial sector, which is also a sector that can be really worried about being too transparent or perhaps losing some of its, some of its privacy because they might have client concerns around privacy and so on. But what the, the finance sector, at least in the UK found was that actually, you know, if you have a sort of notification system where you let each other know when, when a hack occurred or when an attack occurred, it can, it can help everyone because, because, you know, a competitor might have a similar vulnerability. And if you let them know this time around, then maybe next time, if they pick up on something early, they will let you know in turn. And so I think this is something that could also be really beneficial for the nuclear power sector. But just to, to go back to your question about what kind of attacks have we seen that are particularly notable in this space? I mean, it's now a few years old, but I think something that always comes up and that remains notable is the, the Stuxnet attack on Iran's nuclear
enrichment facilities. Just because it's one of the unique cases where we actually see a cyber attack having physical consequences. And that's something that doesn't happen all that often and, you know, was very carefully engineered in this case. But it is important in the sense that it's something that we have now seen can happen. So it's a risk that we need to be prepared for and to protect against. And then I think the other case that really stuck in my mind is the one that I already mentioned, which, which is also actually from a decade ago now, the 2014 North Korean attack on the South Korean grid. Because one of the avenues that they took in that, in that attack was that they purposefully wanted to frighten the, the Korean population as well and sort of like, you know, stoke fear of whether there might have been nuclear radiation release. None of which happened. Right. Like, I think they even just got access to HR data, which is, of course important and significant because it might put the staff at the power plant at risk. But it's obviously less significant than in terms of radiation releases, a lot less significant than if they actually were able to control the reactor or, you know, get access to control software, that sort of thing. But I thought that was really interesting because they used the fact of having done that attack in a way to then also add like an additional layer of psychological warfare, almost where they kind of used it to, to blackmail outright.
And then I think the other thing that has really stuck in my mind is the, the huge increase of cyber attacks, not on a particular national grid or operator, whatever it might be, but actually attacks on the International Atomic Energy Agency, because that's a body, you know, that you would think is as benign as they can get. All the IAEA is trying to do is coordinate its, its member states, making sure that people have access to best practice guidance, build capacity and, and provide safeguards for nuclear materials. But we've also seen a huge increase of attacks on them which can inhibit how they do their work. So that says something about perhaps the motivations of cyber criminals that execute these attacks and also perhaps about the state of the international system and the state of multilateralism that the IAEA has become a target of attack in that sense. So these are all very different types of attacks that happened at very different times. But I think they all say something about the threat landscape that we are in at the moment and what kind of risks governments and operators have to be ready to defend themselves against.

Frank Cilluffo: You frame that very well and attacks you see in other sectors can obviously have implications in nuclear. And clearly you blink and you miss the hack du jour. And to your point, in terms of ransomware, it
really has democratized the threat agnostic to the targets. But we're seeing hospitals impacted that have life death consequences just as nuclear would. We also just had Michael Barnhart on from Mandiant. He talked about a particular threat actor, APT45, which has extensively been targeting the nuclear reactors and sectors in India. So, so buckle up. I unfortunately think there are going to be more, and I think IT/OT, that's sort of a big issue. We tend to think of cybersecurity as the geeks behind the keyboards alone and then physical security. But the reality is technology has a vote in this and the bad guys have a vote in this. And, and, and I'm having a harder time discerning the difference between IT and OT because it is converging and it's converging fast and, and often for very good reasons, efficiency and, and the like. But, but it also brings about new, new vulnerabilities we need to think about. I, I do want to pull on sort of the advent as you highlighted, of, of small modular reactors, micro. What about startups? What should they be thinking? And do we have a good handle on the supply chain? That becomes a big issue. If E.T. is phoning home and it's inside your system, that could be an issue. Right. So I'd be curious what some of your thoughts are there.

Dr. Marion Messmer: Absolutely. I mean the supply chain issue is huge and especially, I mean I think at this point in time it's an issue for both traditional power plants, but also for small modular reactors, of course, especially because they are often built and designed by a much larger number of different actors where
you might have, you know, the firm that does the initial design might outsource other aspects of design to other companies that specialize in it. But it also means that the more actors you've got involved in that design process, the less of a handle you actually have on who does what. What do different stacks look like? You know, they might even have completely inadvertent vulnerabilities just because they're relying on a certain library that might be out of date or that might not be fully secure anymore. And, and I think we're also really seeing here the difference in commercial design standards versus design standards if someone is used to working on more sensitive technology. Because, because a lot of startup culture is around building a product fast. But specifically when you're working with nuclear materials and all nuclear reactors obviously have to go through a really rigorous certification process. But I think that there is a risk here that specifically the cybersecurity side of things might not get enough attention because we've got a lot of regulation when it comes to the actual nuclear materials, but significantly less when it comes to the cybersecurity aspect. And you know, if you were in a situation where a subcontractor that's working on a software solution just isn't quite as used to, you know, working with the level of sensitivity that you need to when you are working on something so critical, then that could introduce accidental vulnerabilities. And I think, you know, we have, we have seen some of that. I mean, the nuclear power sector is obviously a relatively mature sector at this point. And I think that is something that we can learn about the period of sort of retrofitting traditional nuclear power plants when different software
solutions were introduced and when different industrial steering software, you know, was introduced. Like at one point you had very bespoke systems and no one really thought about cyber security because the idea was that these systems are so bespoke that there isn't necessarily going to be a risk here. But then over time you, you ended up with these now very modern looking kind of different patchworks of IT solutions where you might have some like HR software that talks to your intranet, that talks to something else. And it all of a sudden means that you are using quite a lot of off the shelf software. And that then means that you might be introducing vulnerabilities that you previously hadn't really thought about just because they are in that commercial software solution. But we now have quite a lot of guidance around how to operate in that. And I think the small modular reactor space gives us the opportunity to design with these principles in mind. As long as the startups understand that that is something that needs to happen. Right. And I think the IAEA has done a lot to try and put that guidance out there and there are some companies that really try to work with that. But I think we do need to do a lot more to make sure that all the nuclear power startups that we're seeing actually want to embrace the existing best practice knowledge rather than sort of like distancing themselves from the existing sector. Which is also something that can happen because of the sort of like public opinion part of it. Right. That I mentioned earlier where like some people just think of Chernobyl when they hear nuclear power. And so you see some startups that really want to put a huge amount of distance between themselves and that aspect of the sector.

Frank Cilluffo: Marion, I'm so glad you brought that up because, I mean, it, it also provides
great opportunities to do things right. We've had this bolt on effect with cybersecurity for years. A theme that's very near and dear to my institute and Auburn University is cyber informed engineering, or baking security into the design of architectures, or secure by design, as the Cybersecurity and Infrastructure Security Agency at DHS refers to it. I think we've got to take this beyond a good idea and make it real. So anything you
can do to foot stomp all of that, please continue. Because I think this, if you don't get it early, it's a lot harder to get after the fact. And I think there are some opportunities with new technologies that are being fielded. I just hope that that also becomes part of that broader supply chain discussion and it's not purely a cost function, but an ounce, a penny here could save a whole lot there. Let's get into some of the recommendations and some of the international legal protections
and challenges. And you underscored the importance of public private partnerships. But I think it's somewhat similar in the UK, Europe and elsewhere to the US where nuclear is almost treated in its own silo, which has great advantages, but it also misses out on opportunities in being part of the broader ecosystem. In terms of awareness and partnerships, what are your, some, what are some, if you can help us unpack the regime, the landscape that you see right now and what some of your thoughts are there, that would be great.

Dr. Marion Messmer: Absolutely. I mean, I think one really big area is exactly what you address, more cooperation. Even if it's just, just at an awareness raising level where you bring people who work in the nuclear sector together with people who work on
cyber security and other sectors just for that exchange. Because, because the nuclear sector is so siloed, you sometimes get into this mindset that you have to start solving every problem from scratch, but especially when it comes to cybersecurity, there is so much best practice out there. And, you know, as I mentioned, so much of the software is now off the shelf. So you could really benefit from looking at how other, you know, even very sensitive sectors have sort of arranged their cyber security practices, what they do, what they do in order to keep up to date, you know, what kind of training they provide, what kind of risk management they've got. And there's a lot there that I would like to see a lot more of. I think there's also a lot of scope for international exchange on this. You know, for example, between the US and the UK, there are already so many exchanges on so many other.

Frank Cilluffo: Pretty strong.

Dr. Marion Messmer: Yeah, yeah, so, so you know that. Why not also focus specifically on cybersecurity when it comes to nuclear power? And then I think, you know, the, the IAEA already provides so many good blueprints around this as well. But what we're seeing is that they're depending on the state, of course, but for some states, there's quite a lot of gap between the best practice recommendation and then the implementation. So in some cases, you know, you also see that a state might have a really good strategy, but then the strategy timeline, which is actually something that, you know, is also the case for the UK, the timeline of implementation for the strategy is so long that you kind of wonder, isn't there a way to do that quicker, especially when it's for some very standard cyber security recommendations that we've kind of known about for years at this point? So, yeah, I think when it comes to public private partnership, it's breaking out of these silos and then also seeing whether we can perhaps move a little quicker on some of the more common and sort of like very common sense approaches to cybersecurity.

Frank Cilluffo: And what about international law? I mean, you can see how various and existing, almost a patchwork of different laws, regulations and the like can fit
in this sector. But is there one overriding or should there be one overriding? I don't want to say regime per se, but, but, but how would you see that legal framework playing out in terms of insurance?

Dr. Marion Messmer: Yeah, I mean, the, the legal framework is also sort of a patchwork framework. There isn't one overarching principle or one overarching legal regime that covers nuclear power as such, but there are different aspects of international law that speak to it in different ways and different principles that apply. So in our analysis, we found that, you know, probably what exists is good enough, but part of the issue with international law is of course that there isn't one enforcement agency or there isn't a sort of international police that makes sure that you follow the rules. So there's a lot of, there's a lot of leeway up to states and it relies on states' goodwill to actually follow the rules. And I think that we are going to see specifically issues around that when it comes to the question of nuclear reactors in conflict. Because, you know, like this is, this is in part what inspired us to do the analysis because there were various attempts to safeguard the Ukrainian nuclear power plants and specifically the nuclear power plant in Zaporizhzhia better. But at the end of the day, you know, if Russia as the aggressor in that, in that situation doesn't take the responsibility to like self regulate what, what they will and won't do around a nuclear power plant, then there's a limited amount that others can do other than call out and you know, call for more responsible behavior and that sort of thing. So as I said initially, that's something that I personally worry we're actually going to see more of because there is such a huge potential for small modular reactors to actually really change the game in terms of energy security, which is obviously hugely important. But at the same time it also means we might see, we might see nuclear reactors in environments where they do find themselves in an active combat zone or something similar like that.

Frank Cilluffo: Yeah, and you touch on an issue very near and dear to me, and I don't mean to pull you into this fully, but, but for a while here we've been blaming victims and you know what, everyone should
be doing more. But, but it's also putting some pain and ensuring imposition of cost and consequence on some of this bad behavior. And that's where I know it gets delicate because cyber is its own thing, but it has to be seen in its entirety of diplomacy, statecraft, national security, military strategy and the like. But I do think when I think nuclear, I think that would demand a response. Now again, I think if you were to ask the average British or American citizen, they would think so
too. But, but obviously it's a little more nuanced. And the question I have is what's lacking in any of this if, if anything? Or is it more how to translate nouns into verbs, how to invoke, enforce some of this. What are some of your thoughts there?

Dr. Marion Messmer: I think enforcement is missing. And then the other really big challenge where I'm not sure how we can do better to address it is that so much of the international system only works when you've got a consensus around it. And what we are unfortunately seeing at the moment is that that consensus is breaking up or at the very least weakening quite significantly. And some of the actors who we really need on side to enforce some of this are some of the ones who we see also weakening the system. You know, I already mentioned Russia and I think they are doing quite a lot to, to undermine the system in that way. And that's a huge challenge. And that's one, you know, where we were, we at Chatham House tried from so many different angles to see if we can get a handle on it. But really, you know, at the end of the day, one has to ask the question whether that's something that the Putin regime really wants or whether they actually benefit from all the undermining of the international system that they're doing and all of these different aspects. And that's why they are unfortunately going to continue to do it.

Frank Cilluffo: Keep fighting that fight. And I mean, if you look back to the Cold
War, one of my heroes, Ronald Reagan: "Trust but verify." It gets even harder when we're looking in the cyber domain combined with nuclear. Let's go to some of the other solutions and strategies around cooperation you underscored in your report. Anything there in terms of how national policies can be tailored to address the unique needs of nuclear facilities and the like? Anything in particular there that you'd like to comment on? Because I think you did spend a lot of time coming up with
some great ideas there.

Dr. Marion Messmer: Yeah, definitely. I mean, there's two things in particular that I would like to point out. So one is around incident response planning because I think that's something that's super important and where we again see huge variability how that's implemented even, even within one nation state. Because sometimes, sometimes you have, you have the right intent at the, at the national government level. But then, you know, especially if incident response is something that might be devolved to local government, then it might also require the local government to have the awareness to give the, the impulse for that training. And so given that a lot of countries that rely on nuclear power might have nuclear reactors in lots of different locations. I mean, I guess in the US this would probably all be at state level. Right. So like that, that is, that is something where you could potentially have a really different level of preparedness depending on how aware a local government is that this is something that they need to brief their first responders on. So ideally what we would see here is, and again, there are a lot of really good blueprints for how this could be done. So if, if a government wanted to do more on that, there's a lot out there to, to
improve. But what you essentially would need to do is you would, you would probably run, you know, maybe once a year, maybe a few times a year, sort of training simulations where you simulate how first responders would respond if you have an incident at a nuclear facility. And so in this case you probably, you know, would want to go through a few different scenarios. So like a cyber attack that's perhaps a ransomware attack or I don't know, like the release of, of, of sensitive data, perhaps of employees where you have staff members that might be worried for their safety and like what kind of recourse they have. And then of course you also need to game through what you would do if there was a radiation release. And I think this is where especially local first responders might have really different levels of preparedness. And it can really help to make sure that your local fire brigade, your local police have at least some like basic level of CBRN awareness and response. Because if you are in that worst case scenario and they are unprepared or not sufficiently prepared, then that could really delay how you go about a quick response and how you go about helping people. So yeah, this is something that I really like because it brings together a lot of really different stakeholders that all play a big role in local security, national security. And it's also something where we have some really exemplary best practice examples, but they are just not implemented as widespread as I would like them to
see.

And, and you know, going back in time on some of the homeland issues and even nuclear specific, we always underscored we shouldn't be exchanging business cards when the bomb goes off on game day when something bad happens. So the reality is, is just building some of the muscle connection between various entities is so essential, so critical and, and we have major exercises in the US that are done tabletops and national tabletops around grid security and the like. But I do think making that real and just the, just having an event and a reason to think about it before you really need to think about it is, is essential, I think. So thinking through some, some of the assumptions that you talked about, strategies, and President Eisenhower said, "In preparation for battle, I've often found plans to be useless, but planning to be indispensable." So plans are going to change and they do change based on first contact of an adversary. So, so we gotta be thinking through that. Anything else you'd like to underscore in terms of some of the key takeaways?

Dr. Marion Messmer: Yeah, there's just, there's just one other recommendation that I'd really like to highlight because I think it's really important. And that's again about the, the hopefully, you know, much wider spread of nuclear power that we're
going to see over the next few years. When we were thinking about this and doing this analysis, we were thinking that we're already seeing huge differences in the, in the readiness and the capacity to, to ensure that you have good levels of cybersecurity in different states. And so a lot of the, a lot of the states that might actually really want to invest in small modular reactors or other types of more, you know, like accessible nuclear power are the kind of states that might also actually struggle with their cybersecurity capacity. So something that is really important to do and that could actually also be added onto, for example, the Non-Proliferation Treaty regime, given that a huge part of that treaty is about ensuring access to peaceful uses technology, is making sure that the states that then acquire that kind of technology also have the cybersecurity capacity to keep that safe. And that's something that I've not seen a huge amount of attention on. But I think that's something that's going to become more and more important as, as nuclear power is going to become so important to push towards net zero and also to ensure that there is more energy security in states that really need it, where it could have a huge economic benefit and a huge
development benefit to have access to nuclear power.

Now that's a great set of points. And back to, I mean, truth is we still play, we know it when we see it. But, but defining what an act of war is in cyber becomes very difficult. What are the bright lines and what does that entail in a NATO context, Article 5 and the like. But obviously it has much bigger, broader implications and I think it is pulling all the pieces together with at least an intent to move in the right direction. And, and don't underestimate just getting people fighting for the same fight. Unifying around that mission, I think is so essential. Marion, just because I know we're coming up at the end of our time, what questions didn't I ask that I should have either on the report or in general in terms of this critical theme around cyber and nuclear?

Dr. Marion Messmer: That's a really good question, I think. I mean, this is honestly something that we also didn't do as much in the report as I
hope we're going to do in future work. But I think there's so much more to be done around how AI might lower the barrier to entry for some cybercriminals and what that then means for critical national infrastructure more broadly might have implications for nuclear, but I think it also has implications for other sectors, you know, as we discussed earlier, like health, for example, where it could also have horrendous consequences and where we also see a lot of health infrastructure having really outdated technology and therefore actually being quite vulnerable. So, so I think, you know, there's obviously so much positive in changing technology and the advances we've made, but then there's also so much of commercial hacking tools available, you know, like commercial, commercial software tools available that actually lower the barrier to entry for criminal actors. And that could be something that spells out huge consequences for a lot of vulnerable sectors in a way that we didn't explore as much in this report as I wish we had.

That's a great point. And, and there will be plenty of time, I think, to be thinking that issue through because if you're not, we're potentially missing the boat. Because the reality is, is it's not
what we wish it to be. It's here. It's a double edged sword and you can, you can also use it to enhance your resilience and your security. And let's hope that blue can outpace red in this particular fight or the defender. I would argue right now the initiative largely remains with the attacker, but I think AI does provide some opportunities to balance that and level some, some of that playing field. Marion,
thank you so much for spending so much time with us today. Thank you for taking on this important work and I, I am, I'm thrilled you're doing that and keep going and hope to have you back soon sometime. So thank you so much.

Dr. Marion Messmer: Thanks so much for having me.

Thank you for joining us for this episode of CyberFocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in
terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed and stay curious.