Publications Details

Development of a new IEC Technical Report on Cybersecurity Risk Management for I&C and ES in Nuclear Power Plants

Rowland, Michael T.; Quinn, Edward L.; Sladek, John

The International Electrotechnical Commission (IEC) Subcommittee SC45A has been active in development of cybersecurity standards and technical reports on the protection of Instrumentation and Control (I&C) and Electrical Power Systems (ES) that perform significant functions necessary for the safe and secure operation of Nuclear Power Plants (NPP). These international standards and reports advance and promote the implementation of good practices around the world. In recent years, there have been advances in NPP cybersecurity risk management nationally and internationally. For example, IAEA publications NSS 17-T [1] and NSS 33-T [2], propose a framework for computer security risk management that implements a risk management program at both the facility and individual system levels. These international approaches (i.e., IAEA), national approaches (e.g., Canada’s HTRA [3]) and technical methods (e.g., HAZCADS [4], Cyber Informed Engineering [5], France’s EBIOS [6]) have advanced risk management within NPP cybersecurity programmes that implement international and national standards. This paper summarizes key elements of the analysis that developed the new IEC Technical Report. The paper identifies the eleven challenges for applying ISO/IEC 27005:2018 [7]. cybersecurity risk management to I&C Systems and EPS of NPPs and a summary comparison of how national approaches address these challenges.