Cyber Security Assessment of NPP I&C Systems

2020 ◽  
pp. 221-238
Author(s):  
Oleksandr Klevtsov ◽  
Artem Symonov ◽  
Serhii Trubchaninov
Keyword(s):  
Control Systems ◽  
Cyber Security ◽  
Nuclear Power ◽  
Power Plants ◽  
Cyber Attacks ◽  
Security Assessment ◽  
Nuclear Facilities ◽  
Security Risks ◽  
Cyber Threats ◽  
And Control

The chapter is devoted to the issues of cyber security assessment of instrumentation and control systems (I&C systems) of nuclear power plants (NPP). The authors examined the main types of potential cyber threats at the stages of development and operation of NPP I&C systems. Examples of real incidents at various nuclear facilities caused by intentional cyber-attacks or unintentional computer errors during the maintenance of the software of NPP I&C systems are given. The approaches to vulnerabilities assessment of NPP I&C systems are described. The scope and content of the assessment and periodic reassessment of cyber security of NPP I&C systems are considered. An approach of assessment to cyber security risks is described.

scholarly journals Computer Security of NPP Instrumentation and Control Systems: Computer Security Assessment

2020 ◽  
pp. 69-76
Author(s):  
O. Klevtsov ◽  
A. Symonov ◽  
S. Trubchaninov
Keyword(s):  
Computer Security ◽  
Control Systems ◽  
Security Policy ◽  
Security Assessment ◽  
Security Risks ◽  
Security Vulnerabilities ◽  
Evaluation Team ◽  
Local Networks ◽  
Cyber Threats ◽  
And Control

The paper is devoted to the issues of computer security assessment of instrumentation and control systems (I&C systems) of nuclear power plants (NPPs). The authors specified the main areas of assessing the computer security of NPP I&C systems, especially the assessment of cyber threats, vulnerabilities of I&C computer security, sufficiency of applied measures for ensuring I&C systems computer security, risks of I&C system computer security as well as periodic reassessment of I&C computer security. The paper considers the assessment of I&C computer security vulnerabilities, sufficiency of applied measures for ensuring I&C computer security (assessment of cyber threats and the risks of I&C computer security are discussed in detail in other publications from the series “Computer Security of NPP Instrumentation and Control Systems”). Approaches to assessing the computer security vulnerabilities of I&C systems and software at each stage of I&C life cycle are considered. The recommendations for assessing vulnerabilities regarding technical and software protection against unauthorized access or connection to I&C, protection of local networks, implementation of organizational measures and procedures for computer security are provided. The paper describes the scope and procedures for the initial assessment and periodic reassessment of NPP I&C computer security. Recommendations for the formation of an appropriate evaluation team are provided. Methods of assessing I&C computer security are considered, namely: analysis of documents (computer security policy, program, plan, reports, etc.), survey of staff (administrative, operational, service and computer security experts), direct review of I&C systems, their components and local networks. The evaluation stages (collection of information, detailed analysis, reporting) and the scope of work at each stage are described. General information about the possibility and necessity of assessing the computer security risks of I&C systems in the case of using risk-informed approaches is provided. The need to document the results of the assessment is noted separately and specific proposals about the procedure for developing relevant reports are made.

scholarly journals Cyber Resilience Analysis of SCADA Systems in Nuclear Power Plants

2020 ◽  
Author(s):  
Meghan Galiardi ◽  
Amanda Gonzales ◽  
Jamie Thorpe ◽  
Eric Vugrin ◽  
Raymond Fasano ◽  
...  
Keyword(s):  
Control System ◽  
Control Systems ◽  
Cyber Security ◽  
Nuclear Power ◽  
Power Plants ◽  
Nuclear Power Plants ◽  
Cyber Attacks ◽  
Use Case ◽  
Design Features ◽  
Scada Systems

Abstract Aging plants, efficiency goals, and safety needs are driving increased digitalization in nuclear power plants (NPP). Security has always been a key design consideration for NPP architectures, but increased digitalization and the emergence of malware such as Stuxnet, CRASHOVERRIDE, and TRITON that specifically target industrial control systems have heightened concerns about the susceptibility of NPPs to cyber attacks. The cyber security community has come to realize the impossibility of guaranteeing the security of these plants with 100% certainty, so demand for including resilience in NPP architectures is increasing. Whereas cyber security design features often focus on preventing access by cyber threats and ensuring confidentiality, integrity, and availability (CIA) of control systems, cyber resilience design features complement security features by limiting damage, enabling continued operations, and facilitating a rapid recovery from the attack in the event control systems are compromised. This paper introduces the REsilience VeRification UNit (RevRun) toolset, a software platform that was prototyped to support cyber resilience analysis of NPP architectures. Researchers at Sandia National Laboratories have recently developed models of NPP control and SCADA systems using the SCEPTRE platform. SCEPTRE integrates simulation, virtual hardware, software, and actual hardware to model the operation of cyber-physical systems. RevRun can be used to extract data from SCEPTRE experiments and to process that data to produce quantitative resilience metrics of the NPP architecture modeled in SCEPTRE. This paper details how RevRun calculates these metrics in a customizable, repeatable, and automated fashion that limits the burden placed upon the analyst. This paper describes RevRun’s application and use in the context of a hypothetical attack on an NPP control system. The use case specifies the control system and a series of attacks and explores the resilience of the system to the attacks. The use case further shows how to configure RevRun to run experiments, how resilience metrics are calculated, and how the resilience metrics and RevRun tool can be used to conduct the related resilience analysis.

Sign in / Sign up

Export Citation Format

Share Document