Cybersecurity Case for FPGA-Based NPP Instrumentation and Control Systems

Modern industrial instrumentation and control systems (I&Cs) used in nuclear power plants (NPP) are facing more with cybersecurity threats and vulnerabilities, which were neglected before. Cybersecurity incidents are a subject to grow into more complex attacks with worse consequences than before. The use of field programmable gate arrays (FPGA) in such critical systems causes specific risks for ensuring of safety, as the master-property of such kind of systems, and security as a subordinate property primarily to the NPP reactor trip systems (RTS). Cybersecurity assessment results of industrial I&Cs are mainly based on subjective assessment of the expert judgment and they do not take into account all features of propagating FPGA technology. Nowadays there is a big gap in understanding how to assess and assure the security of FPGA-based NPP I&Cs (FNI&Cs). Conformance of FNI&Cs to security requirements, their verification to high-level standards often is subjective and depends on particular expert. Regulatory and certification bodies, developers and end-users of FNI&Cs are missing the understandable methodology for security assurance of such kind of systems taking into account specific context of the operating environment which allows decreasing time-to-market and thus providing benefits for all interested parties. The paper describes cybersecurity assurance technique of multi-version FNI&Cs. Requirements profile is formulated using the best practices from the following international regulations. The goal of the paper is presentation of the case-based methodology and tool of FNI&Cs cybersecurity assurance based on international regulations. Proposed methodology provides comparable and repeatable process of assurance.