“Ascentor’s considerable experience of CS&IA in the government and defence sectors enabled them to quickly understand ONR’s transition to outcome-focused security regulation under SyAPs. The team took the time and effort to understand and integrate into ONR’s regulatory environment and culture to develop and implement a risk-based, pragmatic, proportionate and cost-effective CS&IA assessment methodology.
“ONR is now using this as part of its ongoing strategy to much improve oversight of the CS&IA of Reg 22 facilities in line with UK government expectations and legislation.”
Tom Parkhouse, Cyber Security Professional Lead, ONR
The challenge
The Office for Nuclear Regulation (ONR) has evolved its approach to civil nuclear sector regulation from prescriptive to outcome-focused. As part of the transition, ONR developed Security Assessment Principles (SyAPs) – formed of ten Fundamental Security Principles (FSyPs), five of which (1, 2, 3, 7 and 8) are considered applicable to civil nuclear supply chain organisations who handle, store and process Sensitive Nuclear Information (SNI). Such organisations must have a facility security clearance (known as ‘List N’). List N facilities are subject to regulatory oversight by ONR as per their responsibilities under Regulation 22 (Reg 22) of the Nuclear Industries Security Regulations 2003 (NISR 2003).
For further details on List N (which is managed by civil nuclear contracting authorities), see Ascentor’s List N page and ONR’s website: www.onr.org.uk/listn
In partnership with Wood RSD, Ascentor was contracted by ONR to:
- Develop and implement a SyAPs-aligned regulatory assessment methodology for inspecting List N facilities which would enable significant improvement to ONR’s future oversight of List N facilities.
- Conduct assessments of 26 List N facilities against the new methodology.
- Support the production of a technical requirements specification for a new List N Regulatory Portal, to automate elements of the methodology in the future, enabling self-assessment, greater understanding of risk and a lighter-touch approach to regulation.
The solution
Bruce Jackman, NDA Security Manager & Chair of the Civil Nuclear Sector Contract Security Working Group:
“Ascentor’s briefings and updates at civil nuclear forums such as the CSWG and CISO’s Forum were professional and essential for stakeholder confidence and buy-in. The ongoing insights into the developing assessment methodology and the analysis and intelligence they began to produce was particularly useful and a welcome benefit of ONR’s initiative to improve oversight of List N facilities.”
Drawing on extensive public sector cyber security and information assurance (CS&IA) experience, Ascentor reached early agreement with ONR that a SyAPs aligned, security risk-based approach along the lines of the MOD’s Cyber Security Model (CSM) would demonstrate alignment with the wider UK government and provide a sound foundation for the assessment methodology.
The approach included up-front assessment of inherent security risk. Through a workshop with ONR, Ascentor matched the expectations of the applicable FSyPs to inherent risk profile levels (Very Low, Low, Moderate or High). This enables inspections to be pragmatic and proportionate. It also enables prioritisation and sampling of inspections and informs a strategic picture of security risk across the civil nuclear supply chain to further improve regulatory intelligence in this area.
Wood RSD coordinated the inspection logistics and project management; Ascentor assessors (occasionally accompanied by ONR Inspectors) conducted on-site inspections and assessments of 26 geographically dispersed List N facilities. The outcome of each assessment was recorded in a draft inspection report, which was passed to ONR for review, agreement, formal issue and onward tracking of any identified issues.
Ascentor also anonymised, collated and analysed management information and intelligence from each inspection report (including common issues, red/amber/green residual risk status and volume of SNI holdings). This began to build a risk-informed picture of the maturity of CS&IA arrangements across List N facilities which ONR can build on in the future.
To keep stakeholders briefed and updated, Ascentor was invited by ONR to present at the Contract Security Working Group (CSWG) and the civil nuclear sector’s Chief Information Security Officer’s (CISO) forum.
At the end of the work, Ascentor and Wood RSD produced a ‘lessons learned’ report based on their experience of the work. ONR shared the report with civil nuclear CISOs and Ascentor presented an overview of findings at the CSWG and CISO forum.
The results
Paul Shanes, Supply Chain Delivery Lead, ONR:
“By taking a proportionate, pragmatic and flexible approach, Ascentor significantly accelerated ONR’s ability to improve CS&IA-focused regulatory oversight across List N facilities. Ascentor worked closely with ONR Inspectors sharing experience and innovative solutions to novel and complex issues, resulting in an up skilling for all involved.”
Ascentor successfully delivered a robust and proven assessment methodology on time and within budget – it has been adopted by ONR for ongoing use.
Additional benefits to ONR include:
- The methodology formed the basis of the business requirements (developed by Wood RSD) for a future online List N portal that ONR will develop and host.
- As well as inputting to the business requirements for the new List N portal, Ascentor identified the requirement for and produced an information security risk assessment, which formed the basis for security-specific requirements for the solution.
- Formalisation of the processes and templates developed for the assessment methodology provided ONR with a complete picture of their intellectual property (delivered by Ascentor). This can be easily understood by ONR Inspectors and referenced and adhered to as part of the future strategy for rolling out inspections across several hundred List N facilities across the UK over the next few years.
