A CYBER SECURITY RISK ASSESSMENT FOR THE DESIGN OF I&C SYSTEMS IN NUCLEAR POWER PLANTS

  • Received : 2011.11.21
  • Accepted : 2012.03.13
  • Published : 2012.12.25

Abstract

The application of computer, communication system, and network technologies in nuclear power plants has expanded recently. Applying digital technologies to the instrumentation and control (I&C) systems of nuclear power plants brings with it cyber security concerns similar to those of other critical infrastructures. Cyber security risk assessments for digital I&C systems have become more crucial both in the development of new systems and in the operation of existing systems. Although the I&C systems of nuclear power plants resemble industrial control systems, the former have architectural and functional specifications that differ from the latter in order to satisfy nuclear safety requirements, and these differences call for different methods of applying cyber security risk assessment. In this paper, the characteristics of nuclear power plant I&C systems are described, and the considerations needed when conducting cyber security risk assessments in accordance with the lifecycle process of I&C systems are discussed. For cyber security risk assessments of I&C systems, the activities and considerations necessary during the system design phase or the component design and equipment supply phase are presented in the following six steps: 1) System Identification and Cyber Security Modeling, 2) Asset and Impact Analysis, 3) Threat Analysis, 4) Vulnerability Analysis, 5) Security Control Design, and 6) Penetration Test. The results from an application of the method to a digital reactor protection system are described.
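As an added illustration (not code from the paper, and not the authors' scoring method, which this page does not give), the following Python sketch walks a constructed inventory for a hypothetical digital reactor protection system through the six steps named above: identify assets and their impact, enumerate threats, rate vulnerabilities, compute inherent risk, apply candidate security controls to obtain residual risk, and finally derive the items a penetration test must verify. The asset and threat names, the 1-to-5 scales, the product scoring rule, the acceptance threshold and the control effectiveness fractions are all assumptions made for the example.

```python
"""Risk assessment sketch following the six steps named in the abstract.

Sample inventory, scales and control effectiveness values are constructed for
illustration (assumed, not taken from the paper or from any real plant).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


# Step 1 + 2: system identification and asset/impact analysis.
@dataclass
class Asset:
    name: str
    zone: str                      # network zone, "safety" or "non-safety" (assumed)
    impact: int                    # consequence of compromise, 1 (low) .. 5 (high)
    vulnerabilities: List[Tuple[str, int]] = field(default_factory=list)  # (id, severity 1..5)


# Step 3: threat analysis.
@dataclass
class Threat:
    name: str
    likelihood: int                # 1 (rare) .. 5 (frequent)
    vector: str                    # "network", "usb" or "physical"
    zones: Tuple[str, ...]         # zones the threat can reach


# Step 5: candidate security controls: the vector each addresses and the
# fraction of likelihood it is assumed to remove (placeholder values).
CONTROLS: Dict[str, Tuple[str, float]] = {
    "one-way data diode": ("network", 0.9),
    "removable media policy": ("usb", 0.5),
    "cabinet access control": ("physical", 0.7),
}


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Step 4: impact x likelihood x worst vulnerability severity; 0 if unreachable."""
    if asset.zone not in threat.zones:
        return 0
    worst = max((sev for _, sev in asset.vulnerabilities), default=1)
    return asset.impact * threat.likelihood * worst


def residual_risk(asset: Asset, threat: Threat, applied: List[str]) -> float:
    """Step 5: apply every selected control that addresses this threat's vector."""
    factor = 1.0
    for name in applied:
        vector, reduction = CONTROLS[name]
        if vector == threat.vector:
            factor *= 1.0 - reduction
    return round(inherent_risk(asset, threat) * factor, 1)


def assess(assets, threats, applied, threshold=20):
    """Risk register sorted by residual risk; unreachable pairs are omitted."""
    rows = []
    for a in assets:
        for t in threats:
            inh = inherent_risk(a, t)
            if inh == 0:
                continue
            res = residual_risk(a, t, applied)
            rows.append({"asset": a.name, "threat": t.name, "inherent": inh,
                         "residual": res, "acceptable": res <= threshold})
    return sorted(rows, key=lambda r: -r["residual"])


def penetration_test_targets(rows, threshold=20):
    """Step 6: pairs whose acceptability rests on a control, so that control must be
    verified by test rather than assumed to work."""
    return [(r["asset"], r["threat"]) for r in rows
            if r["inherent"] > threshold and r["acceptable"]]


def build_sample_system():
    """Constructed inventory for a hypothetical digital reactor protection system."""
    assets = [
        Asset("bistable processor", "safety", 5, [("VULN-A", 4)]),
        Asset("maintenance workstation", "non-safety", 3, [("VULN-B", 5)]),
        Asset("plant network gateway", "non-safety", 4, [("VULN-C", 3)]),
    ]
    threats = [
        Threat("remote access from plant network", 3, "network", ("non-safety",)),
        Threat("infected removable media", 2, "usb", ("safety", "non-safety")),
        Threat("unauthorized cabinet access", 1, "physical", ("safety", "non-safety")),
    ]
    return assets, threats


if __name__ == "__main__":
    assets, threats = build_sample_system()
    register = assess(assets, threats, list(CONTROLS))
    for row in register:
        print(row)
    print("verify by test:", penetration_test_targets(register))
```

The point worth taking from the sketch is the last step: the penetration test scope is not the whole system but the pairs whose inherent risk exceeds the threshold and whose acceptability depends on a designed control. In the sample data the safety-zone processor is unreachable from the plant network only because the model says so, and its removable-media risk is acceptable only through the media policy; both are claims the test phase exists to check.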

Cited by

  1. An analytical method for developing appropriate protection profiles of Instrumentation & Control System for nuclear power plants pp.1573-0484, 2017, https://doi.org/10.1007/s11227-017-2034-6