The Advanced Reactor Cyber Analysis and Development Environment (ARCADE) simplifies the evaluation and assessment of the robustness factors and cyber resilience that support secure-by-design for advanced reactor nuclear power plants. In this manner, ARCADE supports risk-informed, performance-based (RIPB) evaluations of cybersecurity through its integration of plant physics with high-fidelity emulations of control systems. This cross-domain approach enables comprehensive analysis of control system sensitivities, cyber-attack scenarios, and their consequences. ARCADE has been custom developed to meet the demands identified in Tier 1 of the Tiered Cyber Analysis (TCA) as outlined in NRC Draft Regulatory Guide (RG) 5.96, which provides a RIPB cybersecurity approach for new reactors.
This report presents the current state of knowledge, technology, methodologies, and tools that could be implemented to realize the robust integration of safety, security, and safeguards (3S) for advanced nuclear reactors (ARs) and advanced nuclear fuel cycle facilities. This report was motivated by the global development of ARs, which are expected to play a key role in meeting domestic energy and climate objectives. Domestically, with many ARs in the early design phase, the integration of 3S provides an opportunity to achieve risk reduction while using fewer resources than traditional light water reactors by leveraging interdependencies and synergies between each domain. In addition, domestic policy considerations encourage the convergence of each 3S domain through facility design and operations. Therefore, there is a need to better understand the interdependencies and integration between 3S across the lifecycles of ARs and advanced reactor fuel cycle facilities, including the design, construction, and operational phases.
This report presents the design of defensive cybersecurity architectures (DCSAs) for High-Temperature Gas-Cooled Reactors (HTGRs). A DCSA is a cybersecurity design feature that places systems into security zones in a graded approach according to the importance of the functions performed by the systems. DCSA design efforts for advanced reactors may commence as early as the system-level design phase. This design approach is consistent with the draft regulatory guide for advanced reactor cybersecurity programs (DG-5075) and enables advanced reactor designers to consider the effects of security-by-design (SeBD) features on their DCSAs. Integration of DCSA design and other cybersecurity activities with the traditional design process as part of a SeBD framework may enable advanced reactor designers to improve the security posture of their plants while reducing implementation and operating costs. This report provides a DCSA template for an exemplar HTGR and describes a DCSA design process using event tree analysis so that the template may be optimized for a given HTGR design.
Cybersecurity is a persistent concern for the safety and security of Nuclear Power Plants (NPPs), but it has lacked data-driven, evidence-based research. Rigorous cybersecurity analysis is critical for the licensing of advanced reactors using a performance-based approach. One tool that enables cybersecurity analysis is modeling and simulation. The nuclear industry makes extensive use of modeling and simulation throughout the decision process but lacks a method to incorporate cybersecurity analysis with existing models. To meet this need, the Advanced Reactor Cyber Analysis and Development Environment (ARCADE) was developed. ARCADE is a suite of publicly available tools that can be used to develop emulations of industrial control system devices and networks and to integrate those emulations with physics simulators. This integration of cyber emulations and physics models enables rigorous cyber-physical analysis of cyber-attacks on NPP systems. This report provides an overview of key considerations for using ARCADE with existing physics models and demonstrates ARCADE’s capabilities for cybersecurity analysis. Using a model of the Small Modular Advanced High Temperature Reactor (SmAHTR), ARCADE was able to determine the sensitivity of the primary heat exchangers (PHX) to coordinated cyber-attacks. The analysis determined that while PHX failures cause disruption to the reactor, they did not cause any safety limits to be exceeded because of the plant design, including passive safety features. Further development of ARCADE will enable rigorous, repeatable, and automated cyber-physical analysis of advanced reactor control systems. These efforts will also help reduce regulatory uncertainty by presenting similar types of cybersecurity analyses in a common format, driving standard approaches and reporting.
The Canada-US Blended Cyber-Physical Exercise was a successful, first-of-its-kind, multi-organization and multi-laboratory exercise that was the culmination of years of complex system development and planning. The project aimed to answer three driving research questions: (1) How do cyber-attacks support malicious acts leading to theft or sabotage [at a nuclear site]? (2) What are the aspects of an effective combined cyber-physical response? (3) How can the effectiveness of that response be evaluated? From these questions the following primary objectives were derived: 1. The May 2023 Cyber-Physical Exercise shall present a cyber-attack scenario that supports malicious acts leading to theft or sabotage. 2. The May 2023 Cyber-Physical Exercise shall define aspects of an effective combined cyber-physical response. 3. Analysis of the May 2023 Cyber-Physical Exercise shall evaluate the effectiveness of the incident response against pre-established exercise evaluation criteria. 4. Analysis of the May 2023 Cyber-Physical Exercise shall assess the effectiveness of the evaluation criteria themselves. 5. Exercises shall be performed in a real-life environment. The team believes these objectives were met, and the evidence is presented in this report. Due to the novelty of the exercise, there were several lessons learned, which are also presented in this report.
The International Electrotechnical Commission (IEC) Subcommittee SC45A has been active in the development of cybersecurity standards and technical reports on the protection of Instrumentation and Control (I&C) and Electrical Power Systems (EPS) that perform significant functions necessary for the safe and secure operation of Nuclear Power Plants (NPPs). These international standards and reports advance and promote the implementation of good practices around the world. In recent years, there have been advances in NPP cybersecurity risk management nationally and internationally. For example, IAEA publications NSS 17-T [1] and NSS 33-T [2] propose a framework for computer security risk management that implements a risk management program at both the facility and individual system levels. These international approaches (i.e., IAEA), national approaches (e.g., Canada’s HTRA [3]) and technical methods (e.g., HAZCADS [4], Cyber-Informed Engineering [5], France’s EBIOS [6]) have advanced risk management within NPP cybersecurity programmes that implement international and national standards. This paper summarizes key elements of the analysis that developed the new IEC Technical Report. The paper identifies the eleven challenges of applying ISO/IEC 27005:2018 [7] cybersecurity risk management to I&C systems and EPS of NPPs and gives a summary comparison of how national approaches address these challenges.
The Sliding Scale of Cybersecurity is a framework for understanding the actions that contribute to cybersecurity. The model consists of five categories that provide varying value towards cybersecurity and incur varying implementation costs. These categories range from offensive cybersecurity measures, providing the least value and incurring the greatest cost, to architecture, providing the greatest value and incurring the least cost. This paper presents an application of the Sliding Scale of Cybersecurity to the Tiered Cybersecurity Analysis (TCA) of digital instrumentation and control systems for advanced reactors. The TCA consists of three tiers. Tier 1 is design and impact analysis. In Tier 1 it is assumed that the adversary has control over all digital systems, components, and networks in the plant, and that the adversary is constrained only by the physical limitations of the plant design. The plant’s safety design features are examined to determine whether the consequences of an attack by this cyber-enabled adversary are eliminated or mitigated. Accident sequences that are not eliminated or mitigated by security-by-design features are examined in Tier 2 analysis. In Tier 2, adversary access pathways are identified for the unmitigated accident sequences, and passive measures are implemented to deny system and network access to those pathways wherever feasible. Any systems with remaining susceptible access pathways are then examined in Tier 3. In Tier 3, active defensive cybersecurity architecture features and cybersecurity plan controls are applied to deny the adversary the ability to conduct the tasks needed to cause a severe consequence. Earlier application of the TCA in the design process provides greater opportunity for an efficient graded approach and defense-in-depth.
Prescriptive approaches to the cybersecurity of digital nuclear instrumentation and control (I&C) systems can be cumbersome and costly. These considerations are of particular concern for advanced reactors that implement digital technologies for monitoring, diagnostics, and control. A risk-informed, performance-based approach is needed to enable the efficient design of secure digital I&C systems for nuclear power plants. This paper presents a tiered cybersecurity analysis (TCA) methodology as a graded approach to cybersecurity design. The TCA is a sequence of analyses that align with the plant, system, and component stages of design. Earlier application of the TCA in the design process provides greater opportunity for an efficient graded approach and defense-in-depth. The TCA consists of three tiers. Tier 1 is design and impact analysis. In Tier 1 it is assumed that the adversary has control over all digital systems, components, and networks in the plant, and that the adversary is constrained only by the physical limitations of the plant design. The plant's safety design features are examined to determine whether the consequences of an attack by this cyber-enabled adversary are eliminated or mitigated. Accident sequences that are not eliminated or mitigated by security-by-design features are examined in Tier 2 analysis. In Tier 2, adversary access pathways are identified for the unmitigated accident sequences, and passive measures are implemented to deny system and network access to those pathways wherever feasible. Any systems with remaining susceptible access pathways are then examined in Tier 3. In Tier 3, active defensive cybersecurity architecture features and cybersecurity plan controls are applied to deny the adversary the ability to conduct the tasks needed to cause a severe consequence. Tier 3 is not performed in this analysis because of the design maturity required for this tier of analysis.
The research investigates novel techniques to enhance supply chain security via the addition of configuration management controls to protect the Instrumentation and Control (I&C) systems of a Nuclear Power Plant (NPP). A secure element (SE) is integrated into a proof-of-concept testbed by means of a commercially available smart card, which provides tamper-resistant key storage and a cryptographic coprocessor. The secure element simplifies the setup and establishment of a secure communications channel between the configuration manager and verification system on one side and the I&C system (running OpenPLC) on the other. This secure channel can be used to provide copies of commands and configuration changes of the I&C system for analysis.
The use of high-fidelity, real-time physics engines of nuclear power plants (NPPs) in a cybersecurity training platform is feasible but requires additional research and development. This paper discusses recent developments for cybersecurity training leveraging open-source NPP simulators and network emulation tools. The paper details key elements of currently available environments for cybersecurity training. Key elements assessed for each environment are: (i) management and student user interfaces, (ii) pre-developed baseline and cyber-attack effects, and (iii) capturing student results and performance. Representative and dynamic environments require the integration of physics models, network emulation, commercial off-the-shelf hardware, and the technologies that connect these together. Further, orchestration tools for management of the holistic set of models and technologies decrease setup and maintenance time and allow for click-to-deploy capability. The paper describes and discusses the Sandia-developed environment and open-source tools that incorporate these technologies with click-to-deploy capability. This environment was deployed for delivery of an undergraduate/graduate course with the University of Sao Paulo, Brazil, in July 2022 and has been used to investigate new concepts involving Cyber-STPA analysis. This paper captures the identified future improvements, development activities, and lessons learned from the course.