Publications

Results 1–25 of 64

Integrity Enhancing Protocols (IEP) Evaluation Framework

Valme, Romuald; Beauchaine, Adam J.; Lamb, Christopher; Tanaka, Minami

Protocols play an essential role in Advanced Reactor systems. A diverse set of protocols is available to these reactors. Advanced Reactors benefit from technologies that can minimize their resource utilization and costs. Evaluation frameworks are often used when assessing protocols and processes related to cryptographic security systems. The following report discusses the various characteristics associated with these protocol evaluation frameworks, and derives a novel evaluative framework.

Cybersecurity Lessons Learned from Vehicle to Grid Engagement

Karch, Benjamin; Lamb, Christopher; Elliott, Keira E.; Wright, Brian J.

As the transportation industry continues to become electrified, introduction of additional digital devices within associated actions such as recharging brings additional potential for cybersecurity attacks. Devices that are designed, implemented, and operated with cybersecurity as a crucial consideration exacerbate these concerns by failing to provide strict boundaries on access to and use of the equipment. Emerging use cases such as Vehicle to Grid (V2G) charging may expand the potential physical effects of a cybersecurity attack by providing indirect access to electrical components of a building microgrid or portions of the larger power grid. This paper serves as an overview of findings and recommendations based on cybersecurity testing performed at a V2G implementation site operated by a member of the Memorandum of Understanding (MOU) to Establish the Vehicle-to-Everything (V2X) Collaboration [1]. The Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response is a signatory of the MOU, and has funded this research paper and associated body of work regarding V2X cybersecurity. Sandia has a large background of previous research focused on Electric Vehicle (EV) cybersecurity, such as reference [2], which includes an overall survey of EV infrastructure cybersecurity and recommendations based on those findings. This report seeks to expand knowledge of EV cybersecurity status and needs by focusing on a specific implementation of V2G charging, and providing recommendations based on the relevant findings. This report serves as a publicly available, sanitized description of applied vulnerability testing on an operational V2G implementation. A more in-depth technical version of the report is provided to the MOU partner, but not available at the time of writing due to inclusion of proprietary information.
V2G charging comes with many research problems that must be solved before the technology can be securely implemented in sites with unrestricted public access or where cybersecurity attacks could have increased consequences, such as government offices. V2G charging requires many stakeholders such as end users, host sites, equipment vendors, and integrators, which all rely on operational safety and security as well as security and trustworthiness of any associated financial transactions.

Barriers and Alternatives to Encryption in Critical Nuclear Systems

Lamb, Christopher; Sandoval, Daniel R.

Over the past decade, cybersecurity researchers have released multiple studies highlighting the insecure nature of I&C system communication protocols. In response, standards bodies have addressed the issue by adding the ability to encrypt communications to some protocols in some cases, while control system engineers have argued that encryption within these kinds of high consequence systems is in fact dangerous. Certainly, control system information between systems should be protected. But encrypting the information may not be the best way to do so. In fact, while in IT systems vendors are concerned with confidentiality, integrity, and availability, frequently in that order, in OT systems engineers are much more concerned with availability and integrity than confidentiality. In this paper, we will counter specific arguments against encrypting control system traffic, and present potential alternatives to encryption that support nuclear OT system needs more strongly than commodity IT system needs while still providing robust integrity and availability guarantees.

Advanced Reactor Control Systems Authentication Methods and Recommendations

Lamb, Christopher; Karch, Benjamin; Tanaka, Minami; Valme, Romuald

In the dynamic landscape of Operational Technology (OT), and specifically the emerging landscape for Advanced Reactors, the establishment of trust between digital assets emerges as a challenge for cybersecurity modernization. This report reviews existing approaches to authentication in Enterprise environments, and proposed methods for authentication in OT, and analyzes each for its applicability to future Advanced Reactor digital networks. Principles of authentication ranging from underlying cryptographic mechanisms to trust authorities are evaluated through the lens of OT. These facets emphasize the importance of mutual authentication in real-time environments, enabling a paradigm shift from the current approach of strong boundaries to a more malleable network that allows for flexible operation. This work finds that there is a need for evaluation and decision making by industry stakeholders, but current technologies and approaches can be adapted to fit needs and risk tolerances.

Evaluation of Digital Twin Modeling and Simulation

Lamb, Christopher; Hahn, Andrew S.; Decastro, Jenna; Tanaka, Minami

A digital twin has intelligent modules that continuously monitor the condition of the individual components and the whole of a system. Digital twins can provide nuclear power plant (NPP) operators an unprecedented level of monitoring, control, supervision, and security by contributing a greater volume of data for more comprehensive data analysis and increased accuracy of insights and predictions for decision making throughout the entire NPP lifecycle. NPP operators and managers have historically relied on limited, second-hand, or incomplete data. With proper implementation, digital twins can provide a central hub of all intel that allows for a multidisciplinary view of an NPP. This equips operators and managers with the ability to have more information, context, and intel that can be used for greater granularity during planning and decision making. Digital twins can be used in many activities as the technology has many different concepts surrounding it. From the various definitions of a digital twin within the industry, digital twins can be differentiated by levels of integration/automation. The three main models include digital model, digital shadow, and digital twin. Digital twins offer many potential advancements to the nuclear industry that could reduce costs, improve designs, provide safer operation, and improve their overall security.

Assessment and Experience Using Open-Source NPP Environments for Cyber-Security Training

Proceedings of 13th Nuclear Plant Instrumentation, Control and Human-Machine Interface Technologies, NPIC and HMIT 2023

Hahn, Andrew S.; Rowland, Mike; Foulk, James W.; Lamb, Christopher; Valme, Romuald

The use of high-fidelity, real-time physics engines of nuclear power plants in a cyber security training platform is feasible but requires additional research and development. This paper discusses recent developments for cybersecurity training leveraging open-source NPP simulators and network emulation tools. The paper will detail key elements of currently available environments for cybersecurity training. Key elements assessed for each environment are: (i) management and student user interfaces, (ii) pre-developed baseline and cyber-attack effects, and (iii) capturing student results and performance. Representative and dynamic environments require integration of a physics model, network emulation, commercial off-the-shelf hardware, and technologies that connect these together. Further, orchestration tools for management of the holistic set of models and technologies decrease time in setup and maintenance and allow for click-to-deploy capability. The paper will describe and discuss the Sandia-developed environment and open-source tools that incorporate these technologies with click-to-deploy capability. This environment was deployed for delivery of an undergraduate/graduate course with the University of Sao Paulo, Brazil in July 2022 and has been used to investigate new concepts involving Cyber-STPA analysis. This paper captures the identified future improvements, development activities, and lessons learned from the course.

MalGen: Malware Generation with Specific Behaviors to Improve Machine Learning-based Detectors

Smith, Michael R.; Carbajal, Armida J.; Domschot, Eva; Johnson, Nicholas T.; Goyal, Akul; Lamb, Christopher; Lubars, Joseph P.; Kegelmeyer, William P.; Krishnakumar, Raga; Quynn, Sophie; Ramyaa, Ramyaa; Verzi, Stephen J.; Zhou, Xin

In recent years, infections and damage caused by malware have increased at exponential rates. At the same time, machine learning (ML) techniques have shown tremendous promise in many domains, often outperforming human efforts by learning from large amounts of data. Results in the open literature suggest that ML is able to provide similar results for malware detection, achieving greater than 99% classification accuracy [49]. However, the same detection rates when applied in deployed settings have not been achieved. Malware is distinct from many other domains in which ML has shown success in that (1) it purposefully tries to hide, leading to noisy labels and (2) often its behavior is similar to benign software only differing in intent, among other complicating factors. This report details the reasons for the difficulty of detecting novel malware by ML methods and offers solutions to improve the detection of novel malware.

Evaluation of Joint Cyber/Safety Risk in Nuclear Power Systems

Clark, Andrew; James, Jacob; Mohmand, Jamal A.; Lamb, Christopher; Maccarone, Lee; Rowland, Mike

This report presents an analysis of the Emergency Core Cooling System (ECCS) for a generic Boiling Water Reactor (BWR)-4 NPP. The Electric Power Research Institute (EPRI)-developed Hazards and Consequences Analysis for Digital Systems (HAZCADS) process is applied to the ECCS and its subsystems to identify unsafe control actions (UCAs) which act as possible cyber events of concern. The analysis is performed for two design basis events: Small-break Loss of Coolant Accident (SLOCA) and general transients (TRANS), such as unintended reactor trip. In previous work, HAZCADS UCAs were combined with other cyber-attack analysis to develop a risk-informed approach; however, this was for a single system. This report explores advanced systems engineering modeling approaches to model the interactions between digital assets across multiple systems which may be targeted by cyber adversaries. The complex and interdependent design of digital systems has the potential to introduce emergent cyber properties that are generally not covered by hazard analyses nor formal nuclear Probabilistic Risk Assessment (PRA). The R&D and supporting analysis presented here explores approaches to predict and manage how interdependent system properties affect risk. To show the potential impact of a successful cyber-attack to formal PRA event tree probabilities, HAZCADS analysis was also used. HAZCADS was also used to model the automatic depressurization system (ADS) automatic actuation. This analysis extended to an integrated system analysis for common-cause failure (CCF). In this aspect, the HAZCADS analysis continued by analyzing plant design details for system connectivity in support of critical plant functions. A dependency matrix was developed to depict the integrated functionality of the interconnected systems. Areas of potential CCF are indicated. Future work could include adversary attack development to show how CCF could be caused, resulting in PRA events.
Across the multiple systems that comprise the ECCS, the analysis shows that the change in such probabilities was very different between systems. This indicates that some systems have a larger potential risk impact from successful cyber-attack or digital failure, which indicates a need for these systems to have a higher priority for design and defensive measures. Furthermore, we were able to establish that a risk analysis using any arbitrary threat model establishes an ordering of components with regard to cyber-risk. This ordering can be used to influence the overall system design with an eye to lowering risk, or as a way to understand real-time risk to operational systems based on a current threat landscape. Expert knowledge of both the analysis process and the system being analyzed is required to perform a HAZCADS analysis. The need for a tiered risk analysis is demonstrated by the results of this report.

Cyber-Physical Risks for Advanced Reactors

Fasano, Raymond; Lamb, Christopher; Hahn, Andrew S.; Haddad, Alexandria

Cybersecurity for industrial control systems is an important consideration that advanced reactor designers will need to consider. How cyber risk is managed is the subject of ongoing research and debate in the nuclear industry. This report seeks to identify potential cyber risks for advanced reactors. Identified risks are divided into absorbed risk and licensee managed risk to clearly show how cyber risks for advanced reactors can potentially be transferred. Absorbed risks are risks that originate external to the licensee but may unknowingly propagate into the plant. Insights include (1) the need for unification of safety, physical security, and cybersecurity risk assessment frameworks to ensure optimal coordination of risk, (2) a quantitative risk assessment methodology in conjunction with qualitative assessments may be useful in efficiently and sufficiently managing cyber risks, and (3) cyber risk management techniques should align with a risk-informed regulatory framework for advanced reactors.

Advance Reactor Operational Technology Architecture Categorization

Fasano, Raymond; Hahn, Andrew S.; Haddad, Alexandria; Lamb, Christopher

Seven generation III+ and generation IV nuclear reactor types, based on twelve reactor concepts surveyed, are examined using functional decomposition to extract relevant operational technology (OT) architecture information. This information is compared to existing nuclear power plant (NPP) OT architectures to highlight novel and emergent cyber risks associated with next generation NPPs. These insights can help inform operational technology architecture requirements that will be unique to a given reactor type. Next generation NPPs have streamlined OT architectures relative to the current generation II commercial NPP fleet. Overall, without compensatory measures that provide sufficient and efficient cybersecurity controls, next generation NPPs will have increased cyber risk. Verification and validation of cyber-physical testbeds and cyber risk assessment methodologies may be an important next step to reduce cyber risk in the OT architecture design and testing phase. Coordination with safety requirements can result in OT architecture design being an iterative process.

Mind the Gap: On Bridging the Semantic Gap between Machine Learning and Malware Analysis

AISec 2020 - Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security

Smith, Michael R.; Johnson, Nicholas; Ingram, Joe B.; Carbajal, Armida J.; Haus, Bridget I.; Domschot, Eva; Ramyaa, Ramyaa; Lamb, Christopher; Verzi, Stephen J.; Kegelmeyer, William P.

Machine learning (ML) techniques are being used to detect increasing amounts of malware and variants. Despite successful applications of ML, we hypothesize that the full potential of ML is not realized in malware analysis (MA) due to a semantic gap between the ML and MA communities, as demonstrated in the data that is used. Due in part to the available data, ML has primarily focused on detection whereas MA is also interested in identifying behaviors. We review existing open-source malware datasets used in ML and find a lack of behavioral information that could facilitate stronger impact by ML in MA. As a first step in bridging this gap, we label existing data with behavioral information using open-source MA reports: 1) altering the analysis from identifying malware to identifying behaviors, 2) aligning ML better with MA, and 3) allowing ML models to generalize to novel malware in a zero/few-shot learning manner. We classify the behavior of a malware family not seen during training using transfer learning from a state-of-the-art model for malware family classification and achieve 57%-84% accuracy on behavioral identification but fail to outperform the baseline set by a majority class predictor. This highlights opportunities for improvement on this task related to the data representation, the need for malware specific ML techniques, and a larger training set of malware samples labeled with behaviors.
