Cybersecurity: Chernobyl and its Cyber Lessons
Looking at cybersecurity through the lens of a nuclear disaster can help your organization be more prepared when emergencies arise
HBO’s recent “Chernobyl” series, which re-told the story of the nuclear accident that threatened much of Europe in 1986, made for compelling viewing. The accident was said to have helped prompt the fall of the Eastern bloc and bring about a fundamental shift in global politics.
On April 26, 1986, reactor number 4 exploded, throwing radioactive material into the night sky. We may never know how many people suffered as a result of this accident. The official death toll was 31. Or 54. Or several thousand. Or 93,000.
It’s important to understand what contributed to the accident. Official reports cited the following:
- Inexperienced and poorly trained operators.
- Running tests during unusual operating conditions.
- Poor quality of operating procedures and instructions.
- Inadequate “culture of safety.”
- A significant design flaw in the control rods.
- Breach of regulations.
The human factor was considered a major contributor in both official reports into the accident, with much focus on an inadequate “culture of safety”—which was prevalent not only in operations but in all stages of the power plant’s lifespan, including design, engineering, construction, manufacturing and regulation.
“The accident can be said to have flowed from a deficient safety culture, not only at the Chernobyl plant, but throughout the Soviet design, operating and regulatory organizations for nuclear power that existed at that time.”
If we apply a cyber lens to the contributing factors to the accident, we can learn a lot about how to keep our organizations safe, not least by generating a culture of security. At a minimum, ask the following questions:
- Are your staff trained and experienced to do the roles they are expected to do?
- How comfortable are your teams at running outside of normal operating conditions?
- How clear are your policies and procedures—are they written to be understood?
- Have you stood back and considered any potential design flaws in how your business operates?
- How compliant are you with law and regulation? Not knowing isn’t a great defense.
CISOs and business leaders must take an unbiased view of their cybersecurity culture. This is one area where bringing in external support can really help. The human dimension can have a massive impact on your management of cyber risk, yet it is easy to be blind to deficient culture, especially when compliance reviews might have shown that on the face of it you have all the right pieces in the right places!
Your security culture needs to be built on shared security values and behaviors that are promoted and understood across the organization. At the very least, staff should:
- Understand very clearly what is expected of them.
- See senior staff and managers leading by example (no one is too senior to display a sound understanding of their security obligations).
- Be supported by policies and procedures that are accurate, written to address their intended audience, readily available and reflect reality.
- Be supported by cybersecurity training and awareness programs that are effective for all staff, no matter what their role or seniority.
- Feel able to report when things aren’t right or when they need help—without fear of repercussions.
When push comes to shove, you might have the best workforce in the world when it comes to business dynamism and a thirst to drive business growth. But remember that this will count for nothing if your people aren’t equipped to play their part in protecting the business from the cyberthreat. Learn from Chernobyl, and don’t consign your organization to the cyber wasteland.