• Nuclear Engineering and Technology
• /
• 제49권3호
• /
• pp.517-524
• /
• 2017

Cyber security is an important issue in the field of nuclear engineering because nuclear facilities use digital equipment and digital systems that can lead to serious hazards in the event of an accident. Regulatory agencies worldwide have announced guidelines for cyber security related to nuclear issues, including U.S. NRC Regulatory Guide 5.71. It is important to evaluate cyber security risk in accordance with these regulatory guides. In this study, we propose a cyber security risk evaluation model for nuclear instrumentation and control systems using a Bayesian network and event trees. As it is difficult to perform penetration tests on the systems, the evaluation model can inform research on cyber threats to cyber security systems for nuclear facilities through the use of prior and posterior information and backpropagation calculations. Furthermore, we suggest a methodology for the application of analytical results from the Bayesian network model to an event tree model, which is a probabilistic safety assessment method. The proposed method will provide insight into safety and cyber security risks.

• Nuclear Engineering and Technology
• /
• 제54권7호
• /
• pp.2467-2474
• /
• 2022

Nuclear Power Plants (NPPs) are the most protected facilities among all critical infrastructures (CIs). In addition to physical security, cyber security becomes a significant concern for NPPs since swift digitalization and overreliance on computer-based systems in the facility operations transformed NPPs into targets for cyber/physical attacks. Despite technical competencies, humans are still the central component of a resilient NPP to develop an effective nuclear security culture. Turkey is one of the newcomers in the nuclear energy industry, and Turkish Akkuyu NPP has a unique model owned by an international consortium. Since Turkey has limited experience in nuclear energy industry, specific multinational and multicultural characteristics of Turkish Akkuyu NPP also requires further research in terms of the Facility's prospective nuclear security. Yet, the link between "national cultures" and "nuclear security" is underestimated in nuclear security studies. By relying on Hofstede's national culture framework, our research aims to address this gap and explore possible implications of cross-national cultural differences on nuclear security. To cope with security challenges in the age of hybrid threats, we propose a security management model which addresses the need for cyber-physical security integration to cultivate a robust nuclear security culture in a multicultural working environment.

• 한국산학기술학회논문지
• /
• 제11권9호
• /
• pp.3451-3457
• /
• 2010

사이버보안성 평가는 대상이 되는 시스템이 사이버보안의 목적에 효과적으로 부합하는지 여부를 판단하는 방법이다. 사이버보안성 평가는 시스템의 사이버보안에 대한 신뢰 수준을 측정하고, 관리적 기술적 운영 측면에서의 사이버보안 척도가 요구된 바와 같이 이행되는지를 확인하는 데 필요하다. 최근 원전 계측제어시스템은 디지털 기술의 적용으로 인해 사이버보안에 관한 기술적 및 관리적 대책이 수립되도록 요구되고 있으나, 동 시스템의 사이버보안성 평가 방법론을 포함한 전반적인 사이버보안 프로그램이 마련되어 있지 않은 실정이다. 본 논문은 원전 계측제어 시스템에 적합한 정성적 사이버보안성 평가 방법론을 제시한다. 제안되는 방법론은 원전 계측제어 시스템의 사이버보안에 대한 강점과 취약점을 평가함으로써 원전 계측제어 시스템의 사용자에게 도움이 될 수 있다. 또한, 이 방법론은 원전 계측제어 시스템의 개발자, 감사자 및 규제자가 사이버보안의 관리적, 운영적 및 기술적 통제 항목을 검토하는 지표로 활용될 수 있을 것으로 판단된다.

• Nuclear Engineering and Technology
• /
• 제54권4호
• /
• pp.1245-1252
• /
• 2022

As regulatory bodies require full implementation of security controls in nuclear power plants (NPPs), security functions for critical digital assets are currently being developed. For the ultimate introduction of security controls, not alternative measures, it is important to understand the relationship between possible cyber threats to NPPs and security controls to prevent them. To address the effectiveness of the security control implementation, this study investigated the types of cyber threats that can be prevented when the security controls are implemented through the mapping of the reorganized security controls in RS-015 to cyber threats on NPPs. Through this work, the cyber threat that each security control can prevent was confirmed, and the effectiveness of several strategies for implementing the security controls were compared. This study will be a useful reference for utilities or researchers who cannot use design basis threat (DBT) directly and be helpful when introducing security controls to NPPs that do not have actual security functions.

• 한국정보처리학회:학술대회논문집
• /
• 한국정보처리학회 2015년도 춘계학술발표대회
• /
• pp.449-451
• /
• 2015

When cyber attacks are discovered in nuclear facilities, licensees are required to notify regulatory organizations for quick action. This also helps regulatory organizations to strengthen regulatory capabilities for cyber security. Currently the U.S. issued the final draft rule for Cyber Security Event Notifications. Domestic regulatory activities being at an early stage for cyber security need to implement law for Cyber Security Event Notifications. Since the current laws are focused on the aspect of safety, they are in need of more specific laws for cyber security.

• Nuclear Engineering and Technology
• /
• 제52권5호
• /
• pp.995-1001
• /
• 2020

With the development of digital instrumentation and control (I&C) devices, cyber security at nuclear power plants (NPPs) has become a hot issue. The Stuxnet, which destroyed Iran's uranium enrichment facility in 2010, suggests that NPPs could even lead to an accident involving the release of radioactive materials cyber-attacks. However, cyber security research on industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems is relatively inadequate compared to information technology (IT) and further it is difficult to study cyber-attack taxonomy for NPPs considering the characteristics of ICSs. The advanced research of cyber-attack taxonomy does not reflect the architectural and inherent characteristics of NPPs and lacks a systematic countermeasure strategy. Therefore, it is necessary to more systematically check the consistency of operators and regulators related to cyber security, as in regulatory guide 5.71 (RG.5.71) and regulatory standard 015 (RS.015). For this reason, this paper attempts to suggest a template for cyber-attack taxonomy based on the characteristics of NPPs and exemplifies a specific cyber-attack case in the template. In addition, this paper proposes a systematic countermeasure strategy by matching the countermeasure with critical digital assets (CDAs). The cyber-attack cases investigated using the proposed cyber-attack taxonomy can be used as data for evaluation and validation of cyber security conformance for digital devices to be applied, and as effective prevention and mitigation for cyber-attacks of NPPs.

• Nuclear Engineering and Technology
• /
• 제51권7호
• /
• pp.1791-1798
• /
• 2019

Instrumentation and Control (I&C) systems of nuclear power plants (NPPs) have been continuously digitalized. These systems have a critical role in the operation of nuclear facilities by functioning as the brain of NPPs. In recent years, as cyber security threats to NPP systems have increased, regulatory and policy-related organizations around the world, including the International Atomic Energy Agency (IAEA), Nuclear Regulatory Commission (NRC) and Korea Institute of Nuclear Nonproliferation and Control (KINAC), have emphasized the importance of nuclear cyber security by publishing cyber security guidelines and recommending cyber security requirements for NPP facilities. As described in NRC Regulatory Guide (Reg) 5.71 and KINAC RS015, challenge response authentication should be applied to the critical digital I&C system of NPPs to satisfy the cyber security requirements. There have been no cases in which the most robust response authentication technology like challenge response has been developed and applied to nuclear I&C systems. This paper presents a challenge response authentication mechanism for a Programmable Logic Controller (PLC) system used as a control system in the safety system of the Advanced Power Reactor (APR) 1400 NPP.

• Nuclear Engineering and Technology
• /
• 제44권8호
• /
• pp.919-928
• /
• 2012

The applications of computers and communication system and network technologies in nuclear power plants have expanded recently. This application of digital technologies to the instrumentation and control systems of nuclear power plants brings with it the cyber security concerns similar to other critical infrastructures. Cyber security risk assessments for digital instrumentation and control systems have become more crucial in the development of new systems and in the operation of existing systems. Although the instrumentation and control systems of nuclear power plants are similar to industrial control systems, the former have specifications that differ from the latter in terms of architecture and function, in order to satisfy nuclear safety requirements, which need different methods for the application of cyber security risk assessment. In this paper, the characteristics of nuclear power plant instrumentation and control systems are described, and the considerations needed when conducting cyber security risk assessments in accordance with the lifecycle process of instrumentation and control systems are discussed. For cyber security risk assessments of instrumentation and control systems, the activities and considerations necessary for assessments during the system design phase or component design and equipment supply phase are presented in the following 6 steps: 1) System Identification and Cyber Security Modeling, 2) Asset and Impact Analysis, 3) Threat Analysis, 4) Vulnerability Analysis, 5) Security Control Design, and 6) Penetration test. The results from an application of the method to a digital reactor protection system are described.

• Nuclear Engineering and Technology
• /
• 제55권6호
• /
• pp.2034-2046
• /
• 2023

Industrial control systems in nuclear facilities are facing increasing cyber threats due to the widespread use of information and communication equipment. To implement cyber security programs effectively through the RG 5.71, it is necessary to quantitatively assess cyber risks. However, this can be challenging due to limited historical data on threats and customized Critical Digital Assets (CDAs) in nuclear facilities. Previous works have focused on identifying data flows, the assets where the data is stored and processed, which means that the methods are heavily biased towards information security concerns. Additionally, in nuclear facilities, cyber threats need to be analyzed from a safety perspective. In this study, we use the system theoretic process analysis to identify system-level threat scenarios that could violate safety constraints. Instead of quantifying the likelihood of exploiting vulnerabilities, we quantify Security Control Measures (SCMs) against the identified threat scenarios. We classify the system and CDAs into four consequence-based classes, as presented in NEI 13-10, to analyze the adversary impact on CDAs. This allows for the ranking of identified threat scenarios according to the quantified SCMs. The proposed framework enables stakeholders to more effectively and accurately rank cyber risks, as well as establish security and response strategies.

• Nuclear Engineering and Technology
• /
• 제53권10호
• /
• pp.3319-3326
• /
• 2021

As a form of industrial control systems (ICS), nuclear instrumentation and control (I&C) systems have been digitalized increasingly. This has raised in turn cyber security concerns. Cyber security for ICS is important because cyber-attacks against ICS can cause not only equipment damage and loss of production but also personal and public safety hazards unlike in general IT environments. Numerous risk analyses have been carried out to enhance the safety of ICS and recently, many studies related to the cyber security of ICS are being conducted. Many existing risk analyses and cyber security studies have considered safety and cyber security separately. However, both safety and cyber security perspectives should be considered when analyzing risks for complex and critical ICS facilities such as nuclear power plants (NPPs). In this paper, the STPA-SafeSec methodology is selected to consider both safety and security perspectives when performing a risk analysis for NPPs in order to assess impacts on the safety by cyber-attacks against the digital I&C systems. The STPA-SafeSec methodology was applied to a test-bed system that simulates a condensate water (CD) system in an NPP. The process of the application up to the development of mitigation strategies is described in detail.