A study on classification of the security controls for the effective implementation to nuclear power plant

  • Han, Sang Min (Department of Nuclear and Quantum Engineering, Korea Advanced Institute of Science and Technology) ;
  • Lee, Chanyoung (Department of Nuclear and Quantum Engineering, Korea Advanced Institute of Science and Technology) ;
  • Chae, Young Ho (Department of Nuclear and Quantum Engineering, Korea Advanced Institute of Science and Technology) ;
  • Seong, Poong Hyun (Department of Nuclear and Quantum Engineering, Korea Advanced Institute of Science and Technology)
  • Received : 2021.06.14
  • Accepted : 2021.10.08
  • Published : 2022.04.25

Abstract

As regulatory bodies require full implementation of security controls in nuclear power plants (NPPs), security functions for critical digital assets are currently being developed. To ultimately introduce the security controls themselves, rather than alternative measures, it is important to understand the relationship between possible cyber threats to NPPs and the security controls that prevent them. To address the effectiveness of security control implementation, this study investigated which types of cyber threats can be prevented when the security controls are implemented, by mapping the reorganized security controls in RS-015 to cyber threats on NPPs. Through this work, the cyber threat that each security control can prevent was confirmed, and the effectiveness of several strategies for implementing the security controls was compared. This study will be a useful reference for utilities or researchers who cannot use the design basis threat (DBT) directly, and will be helpful when introducing security controls to NPPs that do not have actual security functions.

Acknowledgement

This research was supported by the National R&D Program through the National Research Foundation of Korea (NRF) funded by the Korean Government (MSIP: Ministry of Science, ICT and Future Planning) (No. NRF-2016R1A5A1013919).
