The cybersecurity in the nuclear domain: an examination of NNSA

The National Nuclear Security Administration (NNSA) is responsible for managing the cybersecurity risks of complex systems that extend beyond typical computer networks. These systems are incorporated in nuclear weapon components and the weapons themselves. While the NNSA has been creating policies and practices for risk management in these Information Technology (IT) environments, their efforts to identify, evaluate, and mitigate specific cyber risks to weapons or manufacturing equipment are still emerging. As part of these efforts, the NNSA is working on cataloging systems susceptible to potential cyber threats.

The integration of digital systems and security priorities

The NNSA and its contractors, who manage the agency's laboratories and production sites, are progressively integrating digital systems into nuclear weapons and industrial operations. These digital systems are potential targets for cyber threats. Federal regulations mandate the NNSA to manage cybersecurity risk, identifying this as an essential aspect of the agency's priority. However, even after considerable time, the NNSA and its contractors are in the initial phases of addressing cybersecurity at a system level in operational technology (OT) and nuclear weapons IT environments.

Operational technology and inventory initiatives

Operational technology encompasses manufacturing equipment and industrial control systems with embedded IT. The NNSA estimates a large volume of OT systems spread across the nuclear security enterprise. Initiatives are underway to create an inventory of these systems and assess the associated risks. These initiatives include formulating a guidebook for risk assessment and providing OT training for NNSA and contractor personnel. Nonetheless, the efforts to develop an inventory of OT systems across all sites and to assess and mitigate their risks are still in their early stages and limited in scope.

IT environment of nuclear weapons and its risks

The IT environment within nuclear weapons, or in contact with them, differs significantly from the OT environment, with fewer systems involved. The NNSA has commenced multiple efforts to create an inventory of these systems and assess their cyber risks, but these efforts are not yet finalized. Cyber risks in this area can vary based on the type of nuclear weapon. For instance, current nuclear weapons typically have minimal IT susceptible to risk due to their older technology. However, modern weapons set to join the arsenal after 2030 might contain more IT, potentially increasing cyber risk. Each program is in the process of devising strategies to manage cybersecurity risks as part of the weapon design and development procedure. The initiative includes defining nuclear weapons IT, developing a cybersecurity risk management framework, identifying gaps in the existing engineering processes, and revising internal guidelines.