Pakistan Nuclear Regulatory Authority (PNRA) was established in 2001 and has taken a leading position in its formation of the national nuclear safety architecture. The PNRA was established as an independent regulatory body under the PNRA Ordinance of 2001, thus separating promotional and regulatory roles in the nuclear field- a requirement that was central to the agreement under the International Convention on Nuclear Safety of 1994 signed by Pakistan. The PNRA in modern trends finds itself at a pivotal point where there is a swift changing technology and a growing number of cyber threats in nuclear safety and security regulation. This point highlights why the strategic role of the Agency is to ensure the protection of the rapidly developing civil nuclear sector. In the existing nuclear environment, the total incorporation of digital technologies into safety and control structures has characterized the nature of the problem, which places responsibility on regulatory measures to adjust and adapt accordingly to ensure that complex cyber-physical risks are mitigated and controlled.
There are operational benefits and increased vulnerabilities to the adoption of digital instrumentation and control (I&C) systems in nuclear power plants and other nuclear installations. Digital technologies provide an opportunity of greater accuracy, effective monitoring, and limited data transfer; at the same time, their integration opens the cyber-attack area of safety, security and emergency preparedness. Although necessary to modern nuclear activities, software-based systems, industrial control networks and information and communications technology (ICT) frameworks present vulnerabilities that may compromise system integrity, availability, and confidentiality without undergoing the benefit of extreme regulation and high-security levels. The PNRA has reacted to this paradigm shift pronouncement by taking the steps to increase its regulatory competence and infrastructural capacity in substantive ways to monitor digitized control systems. They also include specific initiatives focused on strengthening regulatory capacity due to the susceptibility of digitized controls and cyber threats, the application of professional teams and special laboratories.
The risks of cyber security in nuclear plants are especially decisive, as there are possibilities of malicious usage of computerized control systems. These threats cannot be considered as pure hypothetically only; nuclear regulatory frameworks considered cyber security as part of nuclear safety and security all over the world. The International Atomic Energy Agency on computer security advice identifies how digital systems used in the nuclear facilities, even those not directly related to safety functions. Most importantly, potential consequences of sabotage or illegal interference with systems have dire implications on nuclear safety.
IAEA has clearer mention that it is necessary to protect the confidentiality, integrity, and availability of computer-based systems to maintain nuclear safety and security. They promote risk-aware practices, which determine the existence and cover of vulnerable digital resources, and suggest the use of defence-in-depth strategies, which would involve cyber security into broader safety and security programmes.
Regulatory responsibility of the PNRA has now been extended to systematic review, evaluation and inspection of digital and ICT based safety systems to guarantee conformity to both safety and cyber security specifications. To this end, in an effort to achieve this goal, the Authority has pursued strategically coordinated projects that have been approved to strengthen regulatory infrastructure and the development of expertise to evaluate software-based I&C systems in nuclear power plants. The results of these endeavors are the creation of the PNRA Cyber Security and Digital Safety Laboratory which forms the foundation of training, regulatory analysis and assessment of the digital systems safety qualification and cyber security performance.
The active approach of the PNRA in providing the regulatory personnel and other stakeholders with technical capabilities to evaluate and address cyber threats in the nuclear safety environment is also reinforced through training and capacity-building efforts such as courses in digital safety cyber controls and hygiene. The PNRA enhances its regulatory competence through international collaboration and especially international safety standards committees and technical cooperation programmes, which provide information about best practice and emerging technological standards.
PENRA’s vision is consistent with the changing international consensus of the problem that successful cyber governance is a matter beyond technical control and will require institutional cooperation and integration of stakeholders to maintain resilience across the nuclear ecosystem.
PNRA needs to entrench cyber risk factors in all phases of the nuclear licensing, inspection and oversight, to consider cyber security as part of nuclear safety, rather than peripheral to it. To keep up with technology change, it is necessary to constantly invest in continuous professional development, i.e. developing expertise in cyber security, software engineering, system qualification and risk assessment. Further strengthening of partnership with international organization such as the IAEA, regional regulators, and national cyber authorities will facilitate information exchange, standardization, and the establishment of mutual preparedness against developing threats. Beyond technical solutions, the culture of cyber security as a subset of safety culture among all stakeholders in the nuclear sector can be used to reduce the vulnerabilities.
Regulatory frameworks must be shaped dynamically to adapt to the pace of technological innovation the emergence of artificial intelligence and machine learning to feature in key control systems; such that regulatory foresight is not in pace with emerging capabilities. The golden jubilee of the PNRA is not only a point of reflection on what has been accomplished in the past but also a strategic point of junction in an age of digital transformation and cyber complexity. Attention to cyber resilience in the context of nuclear safety regulation, empowering institutional knowledge, and following the path of the international community and international collaboration will allow the PNRA to remain effective in protecting the nuclear environment in Pakistan. This proactive regulatory custodianship is prerequisite to the fact that nuclear technology will be a safe and secure national development catalyst for the next several decades.
Author: Muhammad Shahzad Akram, is a Research Officer at the Centre for International Strategic Studies, AJK. He holds an MPhil in International Relations from Quaid-i-Azam University, Islamabad. He is an alumnus of the Near East South Asia (NESA) Centre for Strategic Studies, National Defence University (NDU), Washington, DC. His expertise includes cyber warfare and strategy, arms control, and disarmament.
