Compliance-Driven Cybersecurity Planning Based on Formalized Attack Patterns for Instrumentation and Control Systems of Nuclear Power Plants

2022, Vol 2022, pp. 1-13
Author(s): Minsoo Lee, Hyun Kwon, Hyunsoo Yoon

The instrumentation and control (I&C) system of a nuclear power plant (NPP) employs a cybersecurity program regulated by the government. Through regulation, the government requires the implementation of security controls in order for a system to be developed and operated. Accordingly, the licensee of an NPP works to comply with this requirement, beginning in the development phase. The compliance-driven approach is efficient when the government supervises NPPs, but it is inefficient when a licensee constructs them. The security controls described in regulatory guidance do not consider system characteristics. In other words, the development organization spends a considerable amount of time excluding unnecessary control items and preparing the evidence to justify their exclusion. In addition, security systems can vary according to the developer’s level of security knowledge, leading to differences in levels of security between systems. This paper proposes a method for a developer to select the appropriate security controls when preparing the security requirements during the early development phase; it is designed to ensure the system’s security and reduce the cost of excluding unnecessary security controls. We have formalized the representation of attack patterns and security control patterns and identified the relationships between these patterns. We conducted a case study applying RG 5.71 in the Plant Protection System (PPS) to confirm the validity of the proposed method.

Signals, 2021, Vol 2 (4), pp. 803-819
Author(s): Nabin Chowdhury

As digital instrumentation in Nuclear Power Plants (NPPs) is becoming increasingly complex, both attack vectors and defensive strategies are evolving based on new technologies and vulnerabilities. Continued efforts have been made to develop a variety of measures for the cyber defense of these infrastructures, which often consist in adapting security measures previously developed for other critical infrastructure sectors according to the requirements of NPPs. That being said, due to the very recent development of these solutions, there is a lack of agreement or standardization when it comes to their adoption at an industrial level. To better understand the state of the art in NPP Cyber-Security (CS) measures, in this work, we conduct a Systematic Literature Review (SLR) to identify scientific papers discussing CS frameworks, standards, guidelines, best practices, and any additional CS protection measures for NPPs. From our literature analysis, it was evidenced that protecting the digital space in NPPs involves three main steps: (i) identification of critical digital assets; (ii) risk assessment and threat analysis; (iii) establishment of measures for NPP protection based on the defense-in-depth model. To ensure the CS protection of these infrastructures, a holistic defense-in-depth approach is suggested in order to avoid excessive granularity and lack of compatibility between different layers of protection. Additional research is needed to ensure that such a model is developed effectively and that it is based on the interdependencies of all security requirements of NPPs.


Author(s): Oleg A. Illiashenko, Yevheniia V. Broshevan, Vyacheslav S. Kharchenko

Modern industrial instrumentation and control systems (I&Cs) used in nuclear power plants (NPP) increasingly face cybersecurity threats and vulnerabilities that were neglected before. Cybersecurity incidents are liable to grow into more complex attacks with worse consequences than before. The use of field programmable gate arrays (FPGA) in such critical systems poses specific risks to ensuring safety, the master property of such systems, and security, a subordinate property, primarily for NPP reactor trip systems (RTS). Cybersecurity assessment results for industrial I&Cs are mainly based on subjective expert judgment, and they do not take into account all features of propagating FPGA technology. There is currently a big gap in understanding how to assess and assure the security of FPGA-based NPP I&Cs (FNI&Cs). Conformance of FNI&Cs to security requirements and their verification against high-level standards are often subjective and depend on the particular expert. Regulatory and certification bodies, developers and end users of FNI&Cs lack an understandable methodology for the security assurance of such systems that takes into account the specific context of the operating environment, which would decrease time-to-market and thus benefit all interested parties. The paper describes a cybersecurity assurance technique for multi-version FNI&Cs. The requirements profile is formulated using the best practices from the following international regulations. The goal of the paper is to present a case-based methodology and tool for FNI&Cs cybersecurity assurance based on international regulations. The proposed methodology provides a comparable and repeatable assurance process.

