Chernobyl and its Cyber Lessons – Part 1

HBO’s recent ‘Chernobyl’ series, which re-told the story of the nuclear accident that threatened much of Europe in 1986, made for compelling viewing. The accident was said to have helped prompt the fall of the Eastern Bloc and bring about a fundamental shift in global politics.

On April 26th, 1986, reactor number 4 exploded, throwing radioactive material into the night sky. We may never know how many people suffered as a result of this accident. The official death toll was 31. Or 54. Or several thousand. Or 93,000. 

It’s important to understand what contributed to the accident. Official reports cited the following: 

  • Inexperienced and poorly trained operators. 
  • Running tests during unusual operating conditions. 
  • Poor quality of operating procedures and instructions. 
  • Inadequate “culture of safety”. 
  • A significant design flaw in the control rods. 
  • Breach of regulations. 

The human factor was considered a major contributor in both official reports into the accident, with much focus on an inadequate “culture of safety” – one that was prevalent not only in operations, but at every stage of the power plant’s lifespan, including design, engineering, construction, manufacturing and regulation. 

“The accident can be said to have flowed from a deficient safety culture, not only at the Chernobyl plant, but throughout the Soviet design, operating and regulatory organizations for nuclear power that existed at that time.” 

If we apply a cyber lens to the contributing factors to the accident, we can learn a lot about how to keep our organisations safe, not least by generating a culture of security. At a minimum, ask the following questions: 

  • Are your staff trained and experienced to do the roles they are expected to do? 
  • How comfortable are your teams at running outside of normal operating conditions? 
  • How clear are your policies and procedures – are they written to be understood? 
  • Have you stood back and considered any potential design flaws in how your business operates? 
  • How compliant are you with law and regulation? Not knowing isn’t a great defence. 

I’d advise CISOs to take an unbiased view of their security culture. This is one area where bringing in external support can really help. The human dimension can have a massive impact on your management of cyber risk, yet it is easy to be blind to a deficient culture, especially when compliance reviews have shown that, on the face of it, you have all the right pieces in the right places! 

Your security culture needs to be built on shared security values and behaviours which are promoted and understood across the organisation. At the very least, staff should: 

  • Understand very clearly what is expected of them. 
  • See senior staff and managers leading by example (no one is too senior to display a sound understanding of their security obligations). 
  • Be supported by policies and procedures that are accurate, written to address their intended audience, readily available and reflect reality. 
  • Be supported by cyber security training and awareness programmes that are effective for all staff, no matter what their role or seniority. 
  • Feel able to report when things aren’t right or when they need help – without fear of repercussions. 

When push comes to shove, you might have the best workforce in the world when it comes to business dynamism and a thirst to drive business growth. But remember that this will count for nothing if your people aren’t equipped to play their part in protecting the business from the cyber threat. Learn from Chernobyl, and don’t consign your organisation to the cyber wasteland. 


About the author

Simon Lacey
Principal Consultant, CRMG
Former Cyber Security Policy Manager, Bank of England
Industry of Expertise: Banking, Healthcare
Areas of Specialism: Cyber Security Governance & Policy Management