This document describes the Cybersecurity Research Development and Demonstration (RD&D) Program, established by the Department of Energy Office of Nuclear Energy (NE) to provide sciencebased methods and technologies necessary for cost-effective, cyber-secure digital instrumentation, control and communication in collaboration with nuclear energy stakeholders. It provides an overview of program goals, objectives, linkages to organizational strategies, management structure, and stakeholder and cross-program interfaces.
U. S. Nuclear Power Plants are seeking to implement wireless communications for cost-effective operations. New technology introduced into power plants must not introduce security concerns into critical plant functions. This paper describes the potential for new security concerns with proposed nuclear power plant wireless system implementations and methods of evaluation. While two aspects of concern are introduced, only one (cyber attack vulnerability) is expanded with a description of test setup and methods. A novel method of cyber vulnerability discovery is also described. The goal of this research is to establish wireless technology as a part of a secure operations architecture that brings increased efficiency without introducing new security concerns.
This project explored coupling modeling and analysis methods from multiple domains to address complex hybrid (cyber and physical) attacks on mission critical infrastructure. Robust methods to integrate these complex systems are necessary to enable large trade-space exploration including dynamic and evolving cyber threats and mitigations. Reinforcement learning employing deep neural networks, as in the AlphaGo Zero solution, was used to identify "best" (or approximately optimal) resilience strategies for operation of a cyber/physical grid model. A prototype platform was developed and the machine learning (ML) algorithm was made to play itself in a game of 'Hurt the Grid'. This proof of concept shows that machine learning optimization can help us understand and control complex, multi-dimensional grid space. A simple, yet high-fidelity model proves that the data have spatial correlation which is necessary for any optimization or control. Our prototype analysis showed that the reinforcement learning successfully improved adversary and defender knowledge to manipulate the grid. When expanded to more representative models, this exact type of machine learning will inform grid operations and defense - supporting mitigation development to defend the grid from complex cyber attacks! This same research can be expanded to similar complex domains.
In recognition of their mission and in response to continuously evolving cyber threats against nuclear facilities, Department of Energy - Nuclear Energy (DOE-NE) is building the Nuclear Energy Cyber security Research, Development, and Demonstration (RD&D) Program, which includes a cyber risk management thrust. This report supports the cyber risk management thrust objective which is to deliver "Standardized methodologies for credible risk-based identification, evaluation and prioritization of digital components." In a previous task, the Sandia National Laboratories (SNL) team presented evaluation criteria and a survey to review methods to determine the most suitable techniques [1] . In this task we will identify and evaluate a series of candidate methodologies. In this report, 10 distinct methodologies are evaluated. The overall goal of this effort was to identify the current range of risk analysis techniques that were currently available, and how they could be applied, with an focus on industrial control systems (ICS). Overall, most of the techniques identified did fall into accepted risk analysis practices, though they generally addressed only one step of the multi-step risk management process. A few addressed multiple steps, but generally their treatment was superficial. This study revealed that the current state of security risk analysis in digital control systems was not comprehensive and did not support a science-based evaluation. The papers surveyed did use mathematical formulation to describe the addressed problems, and tied the models to some kind of experimental or experiential evidence as support. Most of the papers, however, did not use a rigorous approach to experimentally support the proposed models, nor did they have enough evidence supporting the efficacy of the models to statistically analyze model impact. Both of these issues stem from the difficulty and expense associated with collecting experimental data in this domain.
Nuclear power plants and facilities have been implementing digital system upgrades into their previously analog systems for well over twenty years. New nuclear facilities’ control, security, and emergency preparedness systems are almost exclusively built on digital architectures with a high degree of communication between the various systems that are often integrated together into a central control station to aid in operation or security of the facility. As digital systems become more widespread in nuclear facility control system architectures, cyber security related issues have become a significant concern to operators, regulators, governments, and other groups. Among the many concerns related to digital systems and cyber security is the area of common cause and common mode failures. This paper introduces, defines, and discusses some sources of common cause failure from a cyber security perspective: common vector access. This refers to specific access points that an adversary can exploit through a single attack sequence that have the potential to provide relational failures through common cause on multiple components, subsystems, systems, or plants. This paper will further discuss interconnected processes where these access points may exist, the importance of limiting or controlling these pinch points, and some methods of protecting common vector access points.
In this paper, we will summarize a group of architectural principles that inform the development of secure control system architectures, followed by a methodology that allows designers to understand the attack surface of components and subsystems in a way that supports the integration of these surfaces into a single attack surface. We will then show how this methodology can be used to analyze the control system attack surface from a variety of threats, including knowledgeable insiders. We close the paper with an overview of how this approach can be folded into a more rigorous mathematical analysis of the system to define the system's security posture.