Development of the framework for quantitative cyber risk assessment in nuclear facilities

  • Kwang-Seop Son (Security R&D Team, Korea Atomic Energy Research Institute) ;
  • Jae-Gu Song (Security R&D Team, Korea Atomic Energy Research Institute) ;
  • Jung-Woon Lee (Security R&D Team, Korea Atomic Energy Research Institute)
  • Received : 2022.09.16
  • Reviewed : 2023.03.20
  • Published : 2023.06.25

Abstract

Industrial control systems in nuclear facilities are facing increasing cyber threats due to the widespread use of information and communication equipment. To implement cyber security programs effectively under RG 5.71, it is necessary to quantitatively assess cyber risks. However, this can be challenging due to limited historical data on threats and the customized Critical Digital Assets (CDAs) in nuclear facilities. Previous works have focused on identifying data flows and the assets where the data is stored and processed, which means that the methods are heavily biased towards information security concerns. In nuclear facilities, however, cyber threats also need to be analyzed from a safety perspective. In this study, we use System-Theoretic Process Analysis (STPA) to identify system-level threat scenarios that could violate safety constraints. Instead of quantifying the likelihood of exploiting vulnerabilities, we quantify Security Control Measures (SCMs) against the identified threat scenarios. We classify the system and CDAs into four consequence-based classes, as presented in NEI 13-10, to analyze the adversary impact on CDAs. This allows for the ranking of identified threat scenarios according to the quantified SCMs. The proposed framework enables stakeholders to more effectively and accurately rank cyber risks, as well as establish security and response strategies.

Acknowledgement

This work was supported by the Nuclear Safety Research Program through the Korea Foundation Of Nuclear Safety (KoFONS) using the financial resource granted by the Nuclear Safety and Security Commission (NSSC) of the Republic of Korea (No. 2101056).
