SCADA for Nuclear in South Africa & Africa — A Cybersecurity‑First Playbook with ANSSI guidance
A practical guide to secure, resilient nuclear SCADA: governance, IEC 62443 zones & conduits, NNR & IAEA expectations, and ANSSI’s ICS best practices.
Why this matters now
Nuclear facilities depend on deterministic, high‑availability control systems. A cyber incident that degrades availability, integrity, or operator trust can escalate into safety risk, production loss, and regulatory non‑compliance. Across Africa, utilities and EPCs are modernizing OT, extending plant lifetimes, and planning for future capacity—making robust OT cybersecurity essential.
The regulatory & standards landscape (Africa / South Africa)
- National Nuclear Regulator (NNR, South Africa) — Expects a structured Computer Security program, defense‑in‑depth, and protection of critical digital assets across the facility lifecycle.
- IAEA Nuclear Security — Guidance for computer and information security frames governance, graded approach, and continuous improvement across safety‑significant digital assets.
- IEC 62443 — A practical, widely adopted OT cybersecurity standard. Zones & conduits enable segmentation and security levels tailored to the risk.
- ANSSI (France) — The national cybersecurity agency’s Cybersecurity for Industrial Control Systems guide provides a pragmatic deployment method, management commitment, and OT‑specific practices valuable to African operators and French‑linked ecosystems.
What makes nuclear SCADA different
- Safety is paramount: security controls must not compromise deterministic operation, trip setpoints, or human‑machine interface reliability.
- Long lifecycles & heterogeneity: mixed generations of PLC/DCS/SIS, patching constraints, and legacy protocols—so compensating controls matter.
- Tight regulation: regulators expect a programmatic approach, defense‑in‑depth, and protection of critical digital assets (CDAs).
OT threats we actually see
- Ransomware spillover from IT to OT via shared services or unmanaged remote access.
- Supply‑chain & maintenance laptop risks (engineering stations and media as initial access).
- Protocol misuse (legacy field protocols without native authentication).
- Insider & third‑party exposure (contractor accounts, weak onboarding/offboarding).
Reference architecture aligned to IEC 62443
1) Segmentation with zones & conduits
- Separate Enterprise IT, Site DMZ, Plant DMZ, Operations (SCADA/DCS), and SIS into distinct zones.
- Use monitored conduits (firewalls, data diodes, brokered services) with strict allow‑lists and protocol break‑points.
2) Plant & Operations DMZs
- Terminate remote access, patch/content staging, anti‑malware updates, and historian replication in DMZ layers—not directly in control zones.
3) SIS isolation
- Physically/logically isolate Safety Instrumented Systems; prefer one‑way telemetry; avoid shared admin paths with BPCS/SCADA.
4) Deterministic communications
- Strict allow‑listing at L3/L4 and deep inspection for industrial protocols where feasible; time‑bounded remote sessions.
5) Trusted time & logging
- Signed, centralized logs and secure time sources for forensics and compliance evidence.
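The zone/conduit model above (DMZ termination of remote access, one‑way SIS telemetry, strict allow‑lists) can be expressed as a checkable policy. The following is an added example, not part of the original playbook: a small conduit allow‑list evaluator run over a constructed set of inter‑zone flows; the zone names, protocols and conduit entries are assumptions chosen to mirror the reference architecture, not any plant's real design.

```python
from __future__ import annotations
from dataclasses import dataclass

# Zones from the reference architecture, ordered from least to most trusted.
ZONES = ["enterprise_it", "site_dmz", "plant_dmz", "operations", "sis"]

# Conduit allow-list: (source zone, destination zone, protocol).
# Constructed for illustration; a plant derives this from its own zone/conduit design.
CONDUITS = {
    ("enterprise_it", "site_dmz", "https"),    # users reach the remote-access broker
    ("site_dmz", "plant_dmz", "rdp"),          # broker forwards to the plant jump host only
    ("plant_dmz", "operations", "rdp"),        # jump host into operations (recorded session)
    ("plant_dmz", "operations", "wsus"),       # patches staged in the DMZ, then pushed
    ("operations", "plant_dmz", "historian"),  # historian replication outward only
    ("sis", "operations", "modbus_read"),      # one-way telemetry out of the SIS
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str

def check_flow(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow observed between two zones."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        return False, "unknown zone"
    if flow.src == flow.dst:
        return True, "intra-zone"
    if flow.dst == "sis":
        return False, "inbound to SIS forbidden (one-way telemetry only)"
    if abs(ZONES.index(flow.src) - ZONES.index(flow.dst)) > 1:
        return False, "skips a DMZ layer"
    if (flow.src, flow.dst, flow.proto) in CONDUITS:
        return True, "allow-listed conduit"
    return False, "protocol not allow-listed on this conduit"

def violations(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Flows the conduit policy would block, each with its reason."""
    return [(f, check_flow(f)[1]) for f in flows if not check_flow(f)[0]]

SAMPLE_FLOWS = [  # constructed sample, not real plant traffic
    Flow("enterprise_it", "site_dmz", "https"),
    Flow("enterprise_it", "operations", "rdp"),   # remote access straight into control zone
    Flow("plant_dmz", "operations", "rdp"),
    Flow("operations", "sis", "modbus_write"),    # write path into the SIS
    Flow("sis", "operations", "modbus_read"),
    Flow("plant_dmz", "operations", "smb"),       # unmanaged file share across the conduit
]

if __name__ == "__main__":
    for f, why in violations(SAMPLE_FLOWS):
        print(f"BLOCK {f.src} -> {f.dst} [{f.proto}]: {why}")
```

The same rules can be fed from firewall or flow‑collector exports to surface conduit drift between design reviews.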
12 cybersecurity controls that work in nuclear SCADA
- Asset inventory & CDA identification
- Hardening baselines for servers/HMIs/PLCs/engineering stations
- Strict RBAC & least privilege; MFA for elevated and remote tasks
- Application allow‑listing and controlled removable media
- Patch & vulnerability management with maintenance windows and compensating controls
- Network segmentation with IEC 62443 zones/conduits and DPI firewalls
- Secure remote access via jump hosts and session recording
- Change & configuration management for logic, graphics, and setpoints
- Backups & golden images—offline, tested, tamper‑evident
- OT anomaly detection integrated with a SOC
- Incident response runbooks coordinated with safety procedures (graded)
- Competency & drills for operators, maintainers, and third parties
Program & governance model (what regulators expect)
- Computer Security Program owned by plant leadership; scope includes all CDAs, interfaces, and contractors.
- Risk‑based, graded approach mapped to plant safety significance.
- Periodic reviews & evidence (audits, tests, exercises) integrated with plant safety management.
Where ANSSI fits (and why it helps Africa)
France’s ANSSI guide for Industrial Control Systems is a practical handbook used by utilities and OEMs. It stresses executive sponsorship, a structured deployment method, and OT‑specific compensating controls—highly applicable to African operators modernizing legacy fleets or planning new build.
Read more: ANSSI — Cybersecurity for Industrial Control Systems
Implementation roadmap (first 90 days)
Weeks 0–4 — Baseline & gaps
- Asset inventory, CDA mapping, network walk‑downs
- Quick wins: USB lockdown, remote access hardening
Weeks 5–8 — Reference architecture
- Zone/conduit design, DMZs, logging/time, backup scheme
- Define SOC integration and monitoring scope
Weeks 9–12 — Hardening & evidence
- Apply baselines & allow‑listing
- Test disaster‑recovery and run a tabletop incident drill
- Compile a compliance pack mapped to regulatory expectations
FAQ
Do we need IEC 62443 certification to comply?
Not necessarily. Regulators expect a risk‑based program and defense‑in‑depth. IEC 62443 provides practical methods (zones, conduits, security levels) that help meet those expectations.
Can security controls disrupt deterministic operations?
Controls must be engineered for OT: staged updates, protocol break‑points, and allow‑listing reduce risk while protecting availability and integrity.
Where should remote access terminate?
At DMZ jump hosts with strong authentication, least privilege, and session recording—never directly inside control zones.