Publications

19 Results

AN EFFICIENT GRADED APPROACH FOR THE DESIGN OF SECURE INSTRUMENTATION AND CONTROL SYSTEMS

International Conference on Nuclear Engineering, Proceedings, ICONE

Maccarone, Lee M.; James, Jacob J.; Sandoval, Daniel R.; Haddad, Alexandria H.; Clark, Andrew; Rowland, Michael T.

Prescriptive approaches for the cybersecurity of digital nuclear instrumentation and control (I&C) systems can be cumbersome and costly. These considerations are of particular concern for advanced reactors that implement digital technologies for monitoring, diagnostics, and control. A risk-informed, performance-based approach is needed to enable the efficient design of secure digital I&C systems for nuclear power plants. This paper presents a tiered cybersecurity analysis (TCA) methodology as a graded approach for cybersecurity design. The TCA is a sequence of analyses that align with the plant, system, and component stages of design. Earlier application of the TCA in the design process provides greater opportunity for an efficient graded approach and defense-in-depth. The TCA consists of three tiers. Tier 1 is design and impact analysis. In Tier 1 it is assumed that the adversary has control over all digital systems, components, and networks in the plant, and that the adversary is constrained only by the physical limitations of the plant design. The plant's safety design features are examined to determine whether the consequences of an attack by this cyber-enabled adversary are eliminated or mitigated. Accident sequences that are not eliminated or mitigated by security-by-design features are examined in Tier 2 analysis. In Tier 2, adversary access pathways are identified for the unmitigated accident sequences, and passive measures are implemented to deny system and network access to those pathways wherever feasible. Any systems with remaining susceptible access pathways are then examined in Tier 3. In Tier 3, active defensive cybersecurity architecture features and cybersecurity plan controls are applied to deny the adversary the ability to conduct the tasks needed to cause a severe consequence. Tier 3 is not performed in this paper because of the design maturity it requires.

APPLICATION OF SECURE ELEMENTS TO ENHANCE REAL-TIME CONTINUOUS MONITORING AND CONFIGURATION

International Conference on Nuclear Engineering, Proceedings, ICONE

Rowland, Michael T.; Karch, Benjamin K.; Maccarone, Lee M.

The research investigates novel techniques to enhance supply chain security via addition of configuration management controls to protect Instrumentation and Control (I&C) systems of a Nuclear Power Plant (NPP). A secure element (SE) is integrated into a proof-of-concept testbed by means of a commercially available smart card, which provides tamper resistant key storage and a cryptographic coprocessor. The secure element simplifies setup and establishment of a secure communications channel between the configuration manager and verification system and the I&C system (running OpenPLC). This secure channel can be used to provide copies of commands and configuration changes of the I&C system for analysis.

The Sliding Scale of Cybersecurity Applied to the Cybersecurity Analysis of Advanced Reactors

Proceedings of 13th Nuclear Plant Instrumentation, Control and Human-Machine Interface Technologies, NPIC and HMIT 2023

Maccarone, Lee M.; Rowland, Michael T.

The Sliding Scale of Cybersecurity is a framework for understanding the actions that contribute to cybersecurity. The model consists of five categories that provide varying value towards cybersecurity and incur varying implementation costs. These categories range from offensive cybersecurity measures providing the least value and incurring the greatest cost, to architecture providing the greatest value and incurring the least cost. This paper presents an application of the Sliding Scale of Cybersecurity to the Tiered Cybersecurity Analysis (TCA) of digital instrumentation and control systems for advanced reactors. The TCA consists of three tiers. Tier 1 is design and impact analysis. In Tier 1 it is assumed that the adversary has control over all digital systems, components, and networks in the plant, and that the adversary is only constrained by the physical limitations of the plant design. The plant’s safety design features are examined to determine whether the consequences of an attack by this cyber-enabled adversary are eliminated or mitigated. Accident sequences that are not eliminated or mitigated by security by design features are examined in Tier 2 analysis. In Tier 2, adversary access pathways are identified for the unmitigated accident sequences, and passive measures are implemented to deny system and network access to those pathways wherever feasible. Any systems with remaining susceptible access pathways are then examined in Tier 3. In Tier 3, active defensive cybersecurity architecture features and cybersecurity plan controls are applied to deny the adversary the ability to conduct the tasks needed to cause a severe consequence. Earlier application of the TCA in the design process provides greater opportunity for an efficient graded approach and defense-in-depth.

USING THE INFORMATION HARM TRIANGLE TO MODEL SEQUENCES OF UNSAFE CONTROL ACTIONS IN INSTRUMENTATION AND CONTROL SYSTEMS

International Conference on Nuclear Engineering, Proceedings, ICONE

Maccarone, Lee M.; Hahn, Andrew S.; Rowland, Michael T.

The Information Harm Triangle (IHT) is an approach that seeks to simplify the defense-in-depth design of digital instrumentation and control (I&C) systems. The IHT provides a novel framework for understanding how cyber-attacks targeting digital I&C systems can harm the physical process. The utility of the IHT arises from the decomposition of cybersecurity analysis into two orthogonal vectors: data harm and physical information harm. Cyber-attacks on I&C systems can only directly cause data harm. Data harm is then transformed into physical information harm by unsafe control actions (UCAs) identified using Systems-Theoretic Process Analysis (STPA). Because data harm and physical information harm are orthogonal, defense-in-depth can be achieved by identifying control measures that independently limit data harm and physical information harm. This paper furthers the development of the IHT by investigating the defense-in-depth design of cybersecurity measures for sequences of UCAs. The effects of the order and timing of UCAs are examined for several case studies to determine how to represent these sequences using the IHT. These considerations are important for the identification of data harm and physical information harm security measures, and they influence the selection of efficient measures to achieve defense-in-depth. This research enables the benefits of the IHT's simple approach to be realized for increasingly complex cyber-attack scenarios.

Using the Information Harm Triangle to Identify Risk-Informed Cybersecurity Strategies for Instrumentation and Control Systems

Nuclear Technology

Rowland, Michael T.; Maccarone, Lee M.; Clark, Andrew

The Information Harm Triangle (IHT) is a novel approach that aims to adapt intuitive engineering concepts to simplify defense in depth for instrumentation and control (I&C) systems at nuclear power plants. This approach combines digital harm, real-world harm, and unsafe control actions (UCAs) into a single graph named “Information Harm Triangle.” The IHT is based on the postulation that the consequences of cyberattacks targeting I&C systems can be expressed in terms of two orthogonal components: a component representing the magnitude of data harm (DH) (i.e., digital information harm) and a component representing physical information harm (PIH) (i.e., real-world harm, e.g., an inadvertent plant trip). The magnitude of the severity of the physical consequence is the aspect of risk that is of concern. The sum of these two components represents the total information harm. The IHT intuitively informs risk-informed cybersecurity strategies that employ independent measures that either act to prevent, reduce, or mitigate DH or PIH. Another aspect of the IHT is that the DH can result in cyber-initiated UCAs that result in severe physical consequences. The orthogonality of DH and PIH provides insights into designing effective defense in depth. The IHT can also represent cyberattacks that have the potential to impede, evade, or compromise countermeasures from taking appropriate action to reduce, stop, or mitigate the harm caused by such UCAs. Cyber-initiated UCAs transform DH to PIH.

Evaluation of Joint Cyber/Safety Risk in Nuclear Power Systems

Clark, Andrew C.; James, Jacob J.; Mohmand, Jamal A.; Lamb, Christopher L.; Maccarone, Lee M.; Rowland, Michael T.

This report presents an analysis of the Emergency Core Cooling System (ECCS) for a generic Boiling Water Reactor (BWR)-4 NPP. The Hazards and Consequences Analysis for Digital Systems (HAZCADS) process, developed by the Electric Power Research Institute (EPRI), is applied to the ECCS and its subsystems to identify unsafe control actions (UCAs), which act as possible cyber events of concern. The analysis is performed for two design basis events: Small-break Loss of Coolant Accident (SLOCA) and general transients (TRANS), such as an unintended reactor trip. In previous work, HAZCADS UCAs were combined with other cyber-attack analysis to develop a risk-informed approach; however, this was for a single system. This report explores advanced systems engineering modeling approaches to model the interactions between digital assets across multiple systems that may be targeted by cyber adversaries. The complex and interdependent design of digital systems has the potential to introduce emergent cyber properties that are generally not covered by hazard analyses or formal nuclear Probabilistic Risk Assessment (PRA). The R&D and supporting analysis presented here explore approaches to predict and manage how interdependent system properties affect risk. HAZCADS analysis was also used to show the potential impact of a successful cyber-attack on formal PRA event tree probabilities, and to model the automatic actuation of the automatic depressurization system (ADS). This analysis was extended to an integrated system analysis for common-cause failure (CCF). In this aspect, the HAZCADS analysis continued by analyzing plant design details for system connectivity in support of critical plant functions. A dependency matrix was developed to depict the integrated functionality of the interconnected systems. Areas of potential CCF are indicated. Future work could include adversary attack development to show how CCF could be caused, resulting in PRA events.
Across the multiple systems that comprise the ECCS, the analysis shows that the change in such probabilities differed greatly between systems. This indicates that some systems have a larger potential risk impact from a successful cyber-attack or digital failure, and therefore warrant a higher priority for design and defensive measures. Furthermore, we were able to establish that a risk analysis using any arbitrary threat model establishes an ordering of components with regard to cyber-risk. This ordering can be used to influence the overall system design with an eye to lowering risk, or as a way to understand real-time risk to operational systems based on the current threat landscape. Expert knowledge of both the analysis process and the system being analyzed is required to perform a HAZCADS analysis. The need for a tiered risk analysis is demonstrated by the results of this report.
