Cyber Security Assessment of NPP I&C Systems

Introduction

The problem of the information and cyber security assurance of nuclear facilities, including NPP, is becoming more relevant. The basis for the implementation of various practical measures for protection of the NPP I&C systems against cyber threats is the assessment of cyber security.

Cyber security assessment allows to identify possible vectors of cyber-attacks and existing weaknesses in the protection of NPP against cyber threats. Based on the results of the assessment, appropriate cyber security measures are realized for increasing the security of the NPP I&C systems and for reducing the probability of a successful cyber-attack with dangerous consequences for the NPP safety.

The goal of the chapter is the consideration of the main components of the cyber security assessment of the NPP I&C systems:

• •

  Assessments of potential cyber threats;

• •

  Vulnerabilities assessments of the NPP I&C systems;

• •

  Assessment of cyber security measures; and

• •

  Assessment of cyber security risks (if using of risk-based approaches).

Background

Cyber security assessment of the NPP I&C systems is a complex multicomponent task, the solution of which requires an integrated approach and implementation of measures in several areas:

• •

  Development of legislative and regulatory framework;

• •

  Compliance with the general principles of cyber security assurance (e.g., defense-in-depth, graded approach, cyber security policy, cyber security culture, etc.);

• •

  Creation of cyber security teams at I&C systems development companies and NPPs;

• •

  Cyber security assessment;

• •

  Implementation of cyber security measures (including design measures) during the development, manufacturing, implementation, operation and decommissioning of NPP I&C systems;

• •

  Development of procedures and training for response to cyber security incidents; and

• •

  Reporting and investigating cyber security incidents in order to take appropriate measures and industry decisions for prevention of the spread of such incidents to other NPPs and their recurrence in the future.

Cyber security assessment is an important stage that precedes the development and implementation of specific measures to ensure cyber security assurance of the NPP I&C systems. The assessment also allows determining the adequacy of realized measures for protection against cyber threats.

Many international and national documents contain requirements and a description of the procedure for cyber security assessment.

Requirements to cyber security assessment are contained in the document IAEA, 2018, according to that such assessment should be performed for each phase of I&C system life cycle to identify potential threats as well as vulnerabilities and weaknesses. Also, each organization that is responsible for development, deploying, operation, maintenance or decommissioning of I&C systems or their components should perform periodic cyber security assessment and audit.

IAEA, 2016 provides a detailed description of the procedure, scope and content of a cyber security assessment of nuclear installations, including vulnerabilities assessment.

IEC, 2014 requires the cyber security assessment of the final design of I&C system, as well as periodic reassessment of risks and security controls during the operation of I&C system.

NUREG, 2004 is prohibited for the public access, however, according to its name, it contains provisions for self-assessment of cyber security recommended for US NPP.

NIST, 2008 does not apply directly to the NPP I&C systems, however, it is one of the most detailed manuals containing general recommendations for cyber security assessment. The document includes a description of the methods of analysis, identification of the targets of cyber-attacks, identifying of vulnerabilities, planning and conducting a cyber security assessment (including testing).

Particular interest is the study published in the report by Masood, R., 2016, where cyber risk scenarios and threat modeling for NPPs are considered.