Text

Enabling Innovation through Outcome Focused Regulation Paul Shanes Professional Lead for Cyber Security 12 March 2024 UK OFFICIAL

ONRs Statutory Purposes nuclear safety nuclear site health and safety nuclear security nuclear safeguards nuclear transport

ONR is the UKs independent nuclear regulator, with legal authority to regulate nuclear safety, security, safeguards, transport and site health and safety.

This includes the UKs existing fleet of operating reactors, fuel cycle facilities, waste management and decommissioning sites, new nuclear facilities, the sectors diverse supply chain and the transport of materials by road, rail, air and sea.

UK OFFICIAL

ONRs Regulatory Journey

Our outcome focused regulatory approach aligns with our mature non-prescriptive nuclear safety regime.

It provides clarity that responsibility for ownership and control of nuclear security rests with dutyholders.

2001 2004 2007 2010 2013 2016 2019 2022 Office for Civil Nuclear Security (OCNS)

Established Nuclear Industries Security Regulations (NISR)

Enacted Technical Guidance Document (TRD)

Produced TGD Replaced with Technical Requirements Document (TRD)

OCNS transferred to Nuclear Installations Inspectorate (NII)

Office for Nuclear Regulation (ONR)

Established National Objectives, Requirements and Model Standards (NORMS) Replace TRD Security Assessment Principles (SyAPs)

Replaces NORMS All Dutyholders have SyAPs Aligned Plans UK OFFICIAL

ONRs Approach to Regulating Innovation

Our outcome focused regulatory regime is technology neutral and therefore does not seek to prescribe individual design solutions.

This enabling approach provides a constructive, open and safe environment for innovative solutions to thrive.

As a regulator we are expected to minimise regulatory burden and be open to innovation, however that openness cannot come at any cost. Ultimately, we are here to protect society.

We support industry to realise the benefits of new technologies and novel approaches by providing a stable, yet progressive, regulatory regime that enables cost-effective safety and security.

This approach aligns to UK Government expectations to deliver a proportionate regulatory approach that removes unnecessary burdens and provides confidence to those we regulate.

UK OFFICIAL

Regulatory Focus for Cyber Security Our dutyholders acknowledge the need to invest further to protect against the ever-evolving threat landscape, in line with commitments made under the 2022 Civil Nuclear Cyber Security Strategy.

Our thematic priorities in this area contribute to the cross-cutting theme on cyber security within the 2023 CNIs Annual Report.

UK OFFICIAL

Thematic Regulatory Priorities Completion of a targeted campaign of face-to-face board level briefings on effective cyber security leadership and strategies.

Increased scrutiny of leadership, governance and culture delivered through a thematic programme of interventions across dutyholders.

1. Governance arrangements, including the leadership of cyber security and resultant culture across dutyholder organisations.

Delivery of the cyber benchmarking exercise to enhance regulatory intelligence, enable cross sector analysis and trend identification.

Targeted methodologies to provide further assurance that a cyber-attack could not result in an unacceptable radiological release.

2. Risk management and cyber protection capabilities, at our highest category sites and where interfaces exist between operational and information technology.

Clarifying expectations for dutyholders to conduct appropriate and proportionate assurance activities against their approved plans.

Increased scrutiny of assurance activities delivered through assessments and inspections as part of regulatory engagements.

3. Independent intelligence-led assurance activities as part of a holistic approach to evidencing the adequacy of arrangements within approved security plans.

UK OFFICIAL

What Might the Future Hold?

Emerging Trends Data Science (AI /

Machine Learning)

Automated Malware, Integrity of Information, Safety & Security Decision Making, Black Box Lack of Transparency, Amalgamation and Protection of Data (Analysis of Large Datasets)

Quantum Computing Encryption Breaches, Manipulation of Data, Automation of Attacks, Lack of Quantum Resistant Measures/Cryptographic Techniques, Legacy/Historic Data Holdings and Losses Robotics Lack of Understanding of Technology, Assurance Arrangements, Non-Security Considerations that Affect Outputs (e.g. Structural/Engineering)

Wi-Fi/Mobile Comms Wider Attack Surface, Encryption Standards, Conflicting Policies Cloud Data Sovereignty, Legislation, Data Governance, Third Party Management, Assurance, Organisational Information Management Policies, Identity Access Management (IdAM)

Supply Chain Information Sharing, Quality Assurance, Organisational Assurance, Grey Goods IoT / BYOD Third Party Assurance, Lower Capacity Devices (Security Features), Asset Management, Identity Access Management (IdAM)

Distributed Ledger (Blockchain)

Endpoint Protection/Permissions, Safeguards Compliance requiring International Consensus OT/IT Convergence Safety/Security Interface, Obsolescence, Legacy Devices, Pace of Security vs Licencing Constraints, Convergence of Environments (Cloud, IT, OT), Different Cultures/Mindsets Remote Monitoring of Facilities Reduction in Safety Risk vs Increased Reliance in Security, Redundancy of Infrastructure/Comms, Zero Trust Architecture, High Integrity Expectations for C,I,A Software Validation DevOps, Agile Approach, ~ Lines of Code, Vulnerability Exposure vs Patching, Automating Security, Zero Trust High Risk Vendors Hostile States, Counterfeit Assets, Loss of Intellectual Property, Supply Chain Mapping Relevant Good Practice Defined (e.g. Legislation, Approved Codes of Practice)

Established (e.g. Licence Conditions, Regulatory Guidance, Frameworks)

Interpretive (e.g. Industry Agreed Approaches, Principles, Codes)

Business as Usual / Doing the Basics UK OFFICIAL

Regulatory Sandboxing Although our outcome focused approach is inherently flexible to accommodate innovation, dutyholders must adequately demonstrate that safety, security and environmental requirements have been met.

This can be challenging for particularly novel innovations where there is little relevant good practice and experience of deployment to draw on.

Sandboxing gives regulators, academia and industry the opportunity to work together to explore potential deployments and provides important input for the development of regulatory frameworks.

It is now a key element in ONRs approach to enabling innovation where it is in the interest of society and consistent with regulatory expectations.

ONR, US NRC and CNSC are developing a principles paper on the regulation of AI as a result of learning from regulatory sandboxing.

Problem Mock Security Plan Sprint Deep Dives Reporting Specific Innovations UK OFFICIAL

What Have We Learned?

Our outcome focused approach was a radical departure with some dutyholders embracing it from the outset while others struggled.

Advantages Greater integration with safety Greater senior level engagement Transfer of ownership to licensees Upskilling and professionalisation Greater flexibility and adaptiveness to novel, innovative proposals Challenges Scale and complexity of the change Culture of prescription, difficult to change Legislation hasnt kept pace and can be a limiting factor Resourcing and upskilling required on both sides of the table

The approach enables and promotes innovation in line with expectations set out by UK Government.

Regulators must be open to innovation, encourage a diverse range of views and facilitate discussion, however, to have a beneficial outcome there must be a clear problem statement and specific applications rather than abstract concepts.

Both ONR and dutyholders must consider what actions they need to focus on and prioritise now in order to ready themselves for the future.

UK OFFICIAL

Any Questions?

UK OFFICIAL