Browse > Article
http://dx.doi.org/10.5516/NET.04.2012.091

AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS  

Song, Jae-Gu (Korea Atomic Energy Research Institute)
Lee, Jung-Woon (Korea Atomic Energy Research Institute)
Park, Gee-Yong (Korea Atomic Energy Research Institute)
Kwon, Kee-Choon (Korea Atomic Energy Research Institute)
Lee, Dong-Young (Korea Atomic Energy Research Institute)
Lee, Cheol-Kwon (Korea Atomic Energy Research Institute)
Publication Information
Nuclear Engineering and Technology / v.45, no.5, 2013 , pp. 637-652 More about this Journal
Abstract
Instrumentation and control systems in nuclear power plants have been digitalized for the purpose of maintenance and precise operation. This digitalization, however, brings out issues related to cyber security. In the most recent past, international standard organizations, regulatory institutes, and research institutes have performed a number of studies addressing these systems cyber security.. In order to provide information helpful to the system designers in their application of cyber security for the systems, this paper presents methods and considerations to define attack vectors in a target system, to review and select the requirements in the Regulatory Guide 5.71, and to integrate the results to identify applicable technical security control requirements. In this study, attack vectors are analyzed through the vulnerability analyses and penetration tests with a simplified safety system, and the elements of critical digital assets acting as attack vectors are identified. Among the security control requirements listed in Appendices B and C to Regulatory Guide 5.71, those that should be implemented into the systems are selected and classified in groups of technical security control requirements using the results of the attack vector analysis. For the attack vector elements of critical digital assets, all the technical security control requirements are evaluated to determine whether they are applicable and effective, and considerations in this evaluation are also discussed. The technical security control requirements in three important categories of access control, monitoring and logging, and encryption are derived and grouped according to the elements of attack vectors as results for the sample safety system.
Keywords
Instrumentation and Control Systems; Nuclear Power Plant; Cyber Security; Technical Security Controls; Critical Digital Assets;
Citations & Related Records
Times Cited By KSCI : 2  (Citation Analysis)
연도 인용수 순위
1 Kee-choon Kwon and Myeongsoo Lee, Technical review on the localized digital instrumentation and control systems, Nuclear engineering and technology Vol.41 No.4 May 2009 - Special issue in celebration of the 40th anniversary of the Korean Nuclear Society, 2009.   과학기술학회마을   DOI   ScienceOn
2 10 CFR Part 73.54, Protection of Digital Computer and Communication Systems and Networks, U.S. Nuclear Regulatory Commission, Washington, DC., 2009.
3 Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, U.S. Nuclear Regulatory Commission, January 2010.
4 KINS/RG-N08.22, Cyber Security of Instrumentation and Control Systems, Korea Institute of Nuclear Safety, 2009.
5 IAEA Nuclear Security Series No.17 Technical guidance Computer security at nuclear facilities, 2011.
6 IEEE Standard 7-4.3.2-2010, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, August 2, 2010.
7 Marcelo Masera, Igor Nai Fovino, Bogdan Vamanu, ICT aspects of power systems and their security, Institute for the Protection and Security of the Citizen, Joint Research Centre, November 2010.
8 Igor Nai Fovino, Luca Guidi, Marcelo Masera, and Alberto Stefanini, Cyber security assessment of a power plant, Electric Power Systems Research, (81), pp518-526, Elsevier, 2011.
9 NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, June 2011.
10 Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments, Homeland Security, July 2009.
11 Recommended Practice: Improving Industrial Control Systems Cyber security with Defense-In-Depth Strategies, Homeland Security, October 2009.
12 Control Systems Cyber Security: Defense in Depth Strategies, INL/EXT-06-11478, David Kuipers, Mark Fabro, Idaho National Laboratory, Idaho Falls, Idaho, May 2006.
13 Critical Infrastructure Protection, Challenges and Efforts to Secure Control Systems, GAO-04-354, United States General Accounting Office, March 2004.
14 Gee-Yong Park, Cheol Kwon Lee, Jong Gyun Choi, Dong Hoon Kim, Young Jun Lee, and Kee-Choon Kwon, Cyber Security Analysis by Attack Trees for a Reactor Protection System, Transactions of the Korean Nuclear Society Autumn Meeting PyeongChang, Korea, October 30-31, 2008.
15 Jung-Woon Lee, Cheol-Kwon Lee, Jae-Gu Song, and Dong-Young Lee, Cyber Security Considerations in the Development of I&C Systems for Nuclear Power Plants, The 2011 International Conference on Security and Management (SAM'11), Las Vegas, USA, July 18-21, 2011.
16 Jae-Gu Song, Jung-Woon Lee, Cheol-Kwon Lee, Kee-Choon Kwon, and Dong-Young Lee, A cyber security risk assessment for the design of I&C systems in nuclear power plants, Nuclear engineering and technology, Vol.44 No.8 December 2012.   과학기술학회마을   DOI   ScienceOn
17 Jung-Woon Lee, Jae-Gu Song, Cheol-Kwon Lee, and Dong-Young Lee, A Conceptual Framework for Securing Digital I&C Systems in Nuclear Power Plants, The 2012 International Conference on Security and Management (SAM'12), Las Vegas, USA, July 16 - 19, 2012.
18 NIST Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, August 2009.
19 NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002.
20 http://searchsecurity.techtarget.com/definition/attack-vector
21 NEI 04-04 Revision 1, Cyber Security Program for Power Reactors, Nuclear Energy Institute, November 18, 2005.
22 NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, June 2011.
23 Common Vulnerability and Exposures (CVE), http://cve.mitre.org.
24 NEI 03-12 Revision 6, Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan, Nuclear Energy Institute.