To reduce the risk of cyber-attacks as far as possible, the Spanish Nuclear Safety Council imposes specific conditions on the computer and communications systems that support systems related directly or indirectly to nuclear and physical safety in nuclear facilities, according to the following basic requirements:
- The licensee of the nuclear facility is obliged to protect the IT systems and networks from cyber-attacks taking into account the base design threat.
- The licensee must develop and maintain written policies and procedures for implementing the cyber security plan, analysing and identifying the IT systems and networks that must be protected and the types of cyber-attacks against which they must be protected.
The cyber security plan forms part of the physical safety plan and both must be approved jointly. It must include the way in which the requirements for protection against cyber-attacks and the response and recovery measures will be implemented.