Malicious cyber-attacks are becoming increasingly prominent due to the advance of technology and methods over the last decade. These attacks have the potential to bring down critical infrastructures, such as nuclear power plants (NPP’s), which are so vital to the country that their incapacitation would have debilitating effects on national security, public health, or safety. Despite the devastating effects a cyber-attack could have on NPP’s, there is a lack of understanding as to the effects on the plant from a discreet failure or surreptitious sabotage of components and a lack of knowledge in how the control room operators would react to such a situation. In this project, the authors are collaborating with NPP operators to discern the impact of cyber-attacks on control room operations and lay out a framework to better understand the control room operators’ tasks and decision points.
Nuclear power plants are increasingly adding digital components for plant operation, safety, and security. These digital components fill a gap with legacy equipment where replacement components no longer exist. They also benefit operation of the plant by increasing efficiency in power generation, monitoring of equipment and plant parameters, as well as aiding operator control. However, the addition of digital components and systems also adds cyber risks with previously unanalyzed failure modes and attack vectors are introduced with these new systems. These risks are difficult to identify, analyze, and mitigate due to the increasingly complex nature of the digital components and the integration of these components with additional plant processes and communication networks. The research presented in this paper develops a new method that addresses the cyber risk to inform appropriate levels of protection. EPRI and Sandia are working under a Cooperative Research and Development Agreement to develop an effective method of evaluating the cyber risk in production nuclear power facilities. The Cyber Hazards Analysis Risk Methodology (CHARM) focuses on ensuring adequate controls are in place for appropriate cyber protection of the plant from radiological release or generation risk. Existing plant hazards analyses (e.g., PRA, FTA) do not account for software deficiencies or adversarial intent. This method leverages existing plant analyses and MIT’s Systems Theoretic Process Analysis (STPA) to create cyber informed fault trees. These new fault trees will provide the basis for comprehensive cyber risk analysis and help ensure potential gaps in cyber security controls are identified and corrected.
Nuclear power plants and facilities have been implementing digital system upgrades into their previously analog systems for well over twenty years. New nuclear facilities’ control, security, and emergency preparedness systems are almost exclusively built on digital architectures with a high degree of communication between the various systems that are often integrated together into a central control station to aid in operation or security of the facility. As digital systems become more widespread in nuclear facility control system architectures, cyber security related issues have become a significant concern to operators, regulators, governments, and other groups. Among the many concerns related to digital systems and cyber security is the area of common cause and common mode failures. This paper introduces, defines, and discusses some sources of common cause failure from a cyber security perspective: common vector access. This refers to specific access points that an adversary can exploit through a single attack sequence that have the potential to provide relational failures through common cause on multiple components, subsystems, systems, or plants. This paper will further discuss interconnected processes where these access points may exist, the importance of limiting or controlling these pinch points, and some methods of protecting common vector access points.
There are gaps in understanding how a cyber-attack would manifest itself within power plants and what these events would look like within the control room from an operator’s perspective. This is especially true for nuclear power plants where safety has much broader consequences than nonnuclear plants. The operating and emergency procedures that operators currently use are likely inadequate for targeted cyber-attacks. This research focuses on understanding how a cyber event would affect the operation of the plant, how an operator would perceive the event, and if the operator’s actions would keep the plant in a safe condition. This research is part of Sandia’s Laboratory Directed Research and Development program where a nuclear power plant cyber model of the control system digital architecture is coupled with a generic pressurized water reactor plant training simulator. Cyber event scenarios will be performed on the coupled system with plant operators. The scenarios simulate plant conditions that may exist during a cyber-attack, component failure, or insider sabotage, and provide an understanding of the displayed information and the actual plant conditions. These scenarios will determine if plant operators can 1) recognize that they are under cyber-attack and 2) take appropriate actions to keep the plant safe. This will also provide the opportunity to assess the operator cognitive workload during such events and identify where improvements might be made. Experiments with nuclear power plant operators will be carried out over FY 2018 and results of the research are expected by the end of FY 2018.
Global nuclear energy has reached a critical juncture. The footprint of nuclear energy is growing and will continue to grow in coming decades to meet increasing global energy demands, desires for energy security, and mounting concerns about climate change. This growth includes construction of reactors in countries new to the nuclear energy enterprise, in addition to expansion of existing programs. The lack of operational experience coupled with weak regulatory systems in some countries raises the potential of a nuclear accident. The expansion of nuclear energy is also met with an increasingly complex threat environment, with threats to nuclear security from non-state actors as well as the continued risks of state proliferation. The trend towards increasingly digitized and networked nuclear facilities significantly expands operational uncertainty and adds complexity to implementing safeguards and security. These factors merit fresh consideration of potential safety, safeguards, security, and cyber (3SC) risks, as well as approaches for managing those risks in an integrated, sustainable, and internationally cooperative manner. In an effort to explore the emerging challenges and cooperative solutions to the global expansion of nuclear energy The George Washington University Elliott School of International Affairs and Sandia National Laboratories convened a group of more than thirty experts from government, national laboratories, non-government organizations, and academia on May 5th, 2016 at George Washington University to discuss these issues in a not-for-attribution environment.