Publications

Abstract not provided.

Cybersecurity is a persistent concern to the safety and security of Nuclear Power Plants (NPPs), but has lacked data-driven, evidence-based research. Rigorous cybersecurity analysis is critical for the licensing of advanced reactors using a performance-based approach. One tool that enables cybersecurity analysis is modeling and simulation. The nuclear industry makes extensive use of modeling and simulation throughout the decision process but lacks a method to incorporate cybersecurity analysis with existing models. To meet this need, the Advanced Reactor Cyber Analysis and Development Environment (ARCADE) was developed. ARCADE is a suite of publicly available tools that can be used to develop emulations of industrial control system devices and networks and integrate those emulations with physics simulators. This integration of cyber emulations and physics models enables rigorous cyber-physical analysis of cyber-attacks on NPP systems. This report provides an overview of key considerations for using ARCADE with existing physics models and demonstrates ARCADE’s capabilities for cybersecurity analysis. Using a model of the Small Modular Advanced High Temperature Reactor (SmAHTR), ARCADE was able to determine the sensitivity of the primary heat exchangers (PHX) to coordinated cyber-attacks. The analysis determined that while the PHX’s failures cause disruption to the reactor, they did not cause any safety limits to be exceeded because of the plant design, including passive safety features. Further development of ARCADE will enable rigorous, repeatable, and automated cyber-physical analysis of advanced reactor control systems. These efforts will also help reduce regulatory uncertainty by presenting similar types of cybersecurity analyses in a common format, driving standard approaches and reporting.

The Canada-US Blended Cyber-Physical Exercise was a successful, first of its kind, multiorganization and multi-laboratory exercise that culminated years of complex system development and planning. The project aimed to answer three driving research questions, (1) How do cyberattacks support malicious acts leading to theft or sabotage [at a nuclear site]? (2) What are aspects of an effective combined cyber-physical response? (3) How to evaluate effectiveness of that response? Which derived the following primary objectives, 1. The May 2023 Cyber-Physical Exercise shall present a cyber-attack scenario that supports malicious acts leading to theft or sabotage. 2. The May 2023 Cyber-Physical Exercise shall define aspects of an effective combined cyber-physical response. 3. Analysis of the May 2023 Cyber-Physical Exercise shall evaluate the effectiveness of the incident response against pre-established exercise evaluation criteria. 4. Analysis of the May 2023 Cyber-Physical Exercise shall assess the effectiveness of the evaluation criteria itself. 5. Exercises shall be performed in a real-life environment. The team believes these objectives were met, and the evidence will be presented in this report. Due to the novelty of the exercise, there were several lessons learned that will be presented in this report.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

The Information Harm Triangle (IHT) is an approach that seeks to simplify the defense-in-depth design of digital instrumentation and control (I&C) systems. The IHT provides a novel framework for understanding how cyber-attacks targeting digital I&C systems can harm the physical process. The utility of the IHT arises from the decomposition of cybersecurity analysis into two orthogonal vectors: data harm and physical information harm. Cyber-attacks on I&C systems can only directly cause data harm. Data harm is then transformed into physical information harm by unsafe control actions (UCAs) identified using Systems-Theoretic Process Analysis (STPA). Because data harm and physical information harm are orthogonal, defense-in-depth can be achieved by identifying control measures that independently limit data harm and physical information harm. This paper furthers the development of the IHT by investigating the defense-in-depth design of cybersecurity measures for sequences of UCAs. The effects of the order and timing of UCAs are examined for several case studies to determine how to represent these sequences using the IHT. These considerations are important for the identification of data harm and physical information harm security measures, and they influence the selection of efficient measures to achieve defense-in-depth. This research enables the benefits of the IHT's simple approach to be realized for increasingly complex cyber-attack scenarios.

The Information Harm Triangle (IHT) is a novel approach that aims to adapt intuitive engineering concepts to simplify defense in depth for instrumentation and control (I&C) systems at nuclear power plants. This approach combines digital harm, real-world harm, and unsafe control actions (UCAs) into a single graph named “Information Harm Triangle.” The IHT is based on the postulation that the consequences of cyberattacks targeting I&C systems can be expressed in terms of two orthogonal components: a component representing the magnitude of data harm (DH) (i.e., digital information harm) and a component representing physical information harm (PIH) (i.e., real-world harm, e.g., an inadvertent plant trip). The magnitude of the severity of the physical consequence is the aspect of risk that is of concern. The sum of these two components represents the total information harm. The IHT intuitively informs risk-informed cybersecurity strategies that employ independent measures that either act to prevent, reduce, or mitigate DH or PIH. Another aspect of the IHT is that the DH can result in cyber-initiated UCAs that result in severe physical consequences. The orthogonality of DH and PIH provides insights into designing effective defense in depth. The IHT can also represent cyberattacks that have the potential to impede, evade, or compromise countermeasures from taking appropriate action to reduce, stop, or mitigate the harm caused by such UCAs. Cyber-initiated UCAs transform DH to PIH.

The Sliding Scale of Cybersecurity is a framework for understanding the actions that contribute to cybersecurity. The model consists of five categories that provide varying value towards cybersecurity and incur varying implementation costs. These categories range from offensive cybersecurity measures providing the least value and incurring the greatest cost, to architecture providing the greatest value and incurring the least cost. This paper presents an application of the Sliding Scale of Cybersecurity to the Tiered Cybersecurity Analysis (TCA) of digital instrumentation and control systems for advanced reactors. The TCA consists of three tiers. Tier 1 is design and impact analysis. In Tier 1 it is assumed that the adversary has control over all digital systems, components, and networks in the plant, and that the adversary is only constrained by the physical limitations of the plant design. The plant’s safety design features are examined to determine whether the consequences of an attack by this cyber-enabled adversary are eliminated or mitigated. Accident sequences that are not eliminated or mitigated by security by design features are examined in Tier 2 analysis. In Tier 2, adversary access pathways are identified for the unmitigated accident sequences, and passive measures are implemented to deny system and network access to those pathways wherever feasible. Any systems with remaining susceptible access pathways are then examined in Tier 3. In Tier 3, active defensive cybersecurity architecture features and cybersecurity plan controls are applied to deny the adversary the ability to conduct the tasks needed to cause a severe consequence. Earlier application of the TCA in the design process provides greater opportunity for an efficient graded approach and defense-in-depth.

The International Electrotechnical Commission (IEC) Subcommittee SC45A has been active in development of cybersecurity standards and technical reports on the protection of Instrumentation and Control (I&C) and Electrical Power Systems (ES) that perform significant functions necessary for the safe and secure operation of Nuclear Power Plants (NPP). These international standards and reports advance and promote the implementation of good practices around the world. In recent years, there have been advances in NPP cybersecurity risk management nationally and internationally. For example, IAEA publications NSS 17-T [1] and NSS 33-T [2], propose a framework for computer security risk management that implements a risk management program at both the facility and individual system levels. These international approaches (i.e., IAEA), national approaches (e.g., Canada’s HTRA [3]) and technical methods (e.g., HAZCADS [4], Cyber Informed Engineering [5], France’s EBIOS [6]) have advanced risk management within NPP cybersecurity programmes that implement international and national standards. This paper summarizes key elements of the analysis that developed the new IEC Technical Report. The paper identifies the eleven challenges for applying ISO/IEC 27005:2018 [7]. cybersecurity risk management to I&C Systems and EPS of NPPs and a summary comparison of how national approaches address these challenges.

The Sliding Scale of Cybersecurity is a framework for understanding the actions that contribute to cybersecurity. The model consists of five categories that provide varying value towards cybersecurity and incur varying implementation costs. These categories range from offensive cybersecurity measures providing the least value and incurring the greatest cost, to architecture providing the greatest value and incurring the least cost. This paper presents an application of the Sliding Scale of Cybersecurity to the Tiered Cybersecurity Analysis (TCA) of digital instrumentation and control systems for advanced reactors. The TCA consists of three tiers. Tier 1 is design and impact analysis. In Tier 1 it is assumed that the adversary has control over all digital systems, components, and networks in the plant, and that the adversary is only constrained by the physical limitations of the plant design. The plant’s safety design features are examined to determine whether the consequences of an attack by this cyber-enabled adversary are eliminated or mitigated. Accident sequences that are not eliminated or mitigated by security by design features are examined in Tier 2 analysis. In Tier 2, adversary access pathways are identified for the unmitigated accident sequences, and passive measures are implemented to deny system and network access to those pathways wherever feasible. Any systems with remaining susceptible access pathways are then examined in Tier 3. In Tier 3, active defensive cybersecurity architecture features and cybersecurity plan controls are applied to deny the adversary the ability to conduct the tasks needed to cause a severe consequence. Earlier application of the TCA in the design process provides greater opportunity for an efficient graded approach and defense-in-depth.

The use of high-fidelity, real-time physics engines of nuclear power plants in a cyber security training platform is feasible but requires additional research and development. This paper discusses recent developments for cybersecurity training leveraging open-source NPP simulators and network emulation tools. The paper will detail key elements of currently available environments for cybersecurity training. Key elements assessed for each environment are: (i) Management and student user interfaces, (ii) pre-developed baseline and cyber-attack effects, and (iii) capturing student results and performance. Representative and dynamic environments require integration of physics model, network emulation, commercial of the shelf hardware, and technologies that connect these together. Further, orchestration tools for management of the holistic set of models and technologies decrease time in setup and maintenance allow for click to deploy capability. The paper will describe and discuss the Sandia developed environment and open-source tools that incorporates these technologies with click-to-deploy capability. This environment was deployed for delivery of an undergraduate/graduate course with the University of Sao Paulo, Brazil in July 2022 and has been used to investigate new concepts involving Cyber-STPA analysis. This paper captures the identified future improvements, development activities, and lessons learned from the course.

The research investigates novel techniques to enhance supply chain security via addition of configuration management controls to protect Instrumentation and Control (I&C) systems of a Nuclear Power Plant (NPP). A secure element (SE) is integrated into a proof-of-concept testbed by means of a commercially available smart card, which provides tamper resistant key storage and a cryptographic coprocessor. The secure element simplifies setup and establishment of a secure communications channel between the configuration manager and verification system and the I&C system (running OpenPLC). This secure channel can be used to provide copies of commands and configuration changes of the I&C system for analysis.

Prescriptive approaches for the cybersecurity of digital nuclear instrumentation and control (I&C) systems can be cumbersome and costly. These considerations are of particular concern for advanced reactors that implement digital technologies for monitoring, diagnostics, and control. A risk-informed performance-based approach is needed to enable the efficient design of secure digital I&C systems for nuclear power plants. This paper presents a tiered cybersecurity analysis (TCA) methodology as a graded approach for cybersecurity design. The TCA is a sequence of analyses that align with the plant, system, and component stages of design. Earlier application of the TCA in the design process provides greater opportunity for an efficient graded approach and defense-in-depth. The TCA consists of three tiers. Tier 1 is design and impact analysis. In Tier 1 it is assumed that the adversary has control over all digital systems, components, and networks in the plant, and that the adversary is only constrained by the physical limitations of the plant design. The plant's safety design features are examined to determine whether the consequences of an attack by this cyber-enabled adversary are eliminated or mitigated. Accident sequences that are not eliminated or mitigated by security by design features are examined in Tier 2 analysis. In Tier 2, adversary access pathways are identified for the unmitigated accident sequences, and passive measures are implemented to deny system and network access to those pathways wherever feasible. Any systems with remaining susceptible access pathways are then examined in Tier 3. In Tier 3, active defensive cybersecurity architecture features and cybersecurity plan controls are applied to deny the adversary the ability to conduct the tasks needed to cause a severe consequence. Tier 3 is not performed in this analysis because of the design maturity required for this tier of analysis.

Abstract not provided.

Cyber security has been difficult to quantify from the perspective of defenders. The effort to develop a cyber-attack with some ability, function, or consequence has not been rigorously investigated in Operational Technologies. This specification defines a testing structure that allows conformal and repeatable cyber testing on equipment. The purpose of the ETE is to provide data necessary to analyze and reconstruct cyber-attack timelines, effects, and observables for training and development of Cyber Security Operation Centers. Standardizing the manner in which cyber security on equipment is investigated will allow a greater understanding of the progression of cyber attacks and potential mitigation and detection strategies in a scientifically rigorous fashion.

Abstract not provided.

This document is intended to be utilized with the Equipment Test Environment being developed to provide a standard process by which the ETE can be validated. The ETE is developed with the intent of establishing cyber intrusion, data collection and through automation provide objective goals that provide repeatability. This testing process is being developed to interface with the Technical Area V physical protection system. The document will overview the testing structure, interfaces, device and network logging and data capture. Additionally, it will cover the testing procedure, criteria and constraints necessary to properly capture data and logs and record them for experimental data capture and analysis.

The supply chain attack pathway is being increasingly used by adversaries to bypass security controls and gain unauthorized access to sensitive networks and equipment (e.g., Critical Digital Assets). Cyber-attacks targeting supply chain generally aim to compromise the environments, products, or services of vendors and suppliers to inject, add, or substitute authentic software and hardware with malicious elements. These malicious elements are deemed to be authentic as they arise from the vendor or supplier (i.e., the supply chain). This research aims to leverage findings and assumptions made from the previous report to determine the security benefits and drawbacks of a smart card- based hardware root of trust. Smart cards can provide devices inside Nuclear Power Plants (NPP) with a secure environment to store keys in and perform sensitive operations such as digital signature generation. These abilities can be leveraged to increase supply chain cybersecurity by autonomously providing NPP Licensees with reports on device integrity, authenticity and measurements of executable and non-executable data.

Abstract not provided.

Abstract not provided.

Abstract not provided.

This report presents an analysis of the Emergency Core Cooling System (ECCS) for a generic Boiling Water Reactor (BWR)-4 NPP. The Electric Power Research Institute (EPRI) developed Hazards and Consequences Analysis for Digital Systems (HAZCADS) process is applied to the ECCS and its subsystems to identify unsafe control actions (UCAs) which act as possible cyber events of concern. The analysis is performed for two design basis events: Small-break Loss of Coolant Accident (SLOCA) and general transients (TRANS), such as unintended reactor trip. In previous work, HAZCADS UCAs were combined with other cyber-attack analysis to develop a risk-informed approach; however, this was for a single system. This report explores advanced systems engineering modeling approaches to model the interactions between digital assets across multiple systems which may be targeted by cyber adversaries. The complex and interdependent design of digital systems has the potential to introduce emergent cyber properties that are generally not covered by hazard analyses nor formal nuclear Probabilistic Risk Assessment (PRA). The R&D and supporting analysis presented here explores approaches to predict and manage how interdependent system properties effect risk. To show the potential impact of a successful cyber-attack to formal PRA event tree probabilities, HAZCADS analysis was also used. HAZCADS was also used to model the automatic depressurization system (ADS) automatic actuation. This analysis extended to an integrated system analysis for common-cause failure (CCF). In this aspect, the HAZCADS analysis continued by analyzing plant design details for system connectivity in support of critical plant functions. A dependency matrix was developed to depict the integrated functionality of the interconnected systems. Areas of potential CCF are indicated. Future work could include adversary attack development to show how CCF could be caused, resulting in PRA events. Across the multiple systems that comprise the ECCS, the analysis shows that the change in such probabilities was very different between systems. This indicates that some systems have a larger potential risk impact from successful cyber-attack or digital failure, which indicates a need for these systems to have a higher priority for design and defensive measures. Furthermore, we were able to establish that a risk analysis using any arbitrary threat model establishes an ordering of components with regard to cyber-risk. This ordering can be used to influence the overall system design with an eye to lowering risk, or as a way to understand real-time risk to operational systems based on a current threat landscape. Expert knowledge of both the analysis process and the system being analyzed is required to perform a HAZCADS analysis. The need for a tiered risk analysis is demonstrated by the results of this report.

Abstract not provided.

The supply chain attack pathway is being increasingly used by adversaries to bypass security controls and gain unauthorized access to sensitive networks and equipment (e.g., Critical Digital Assets). Cyber-attacks targeting supply chain generally aim to compromise the environments, products, or services of vendors and suppliers to inject, add, or substitute authentic software and hardware with malicious elements. These malicious elements are deemed to be authentic as they arise from the vendor or supplier (i.e., the supply chain). This research aims at providing a survey of technologies that have the potential to reduce exposure of sensitive networks and equipment to these attacks, thereby improving tamper resistance. The recent advances in the performance and capabilities of these technologies in recent years has increased their potential applications to reduce or mitigate exposure of the supply chain attack pathway. The focus being on providing an analysis of the benefits and disadvantages of smart cards, secure tokens, and elements to provide root of trust. This analysis provides evidence that these roots of trust can increase the technical capability of equipment and networks to authenticate changes to software and configuration thereby increasing resilience to some supply chain attacks, such as those related to logistics and ICT channels, but not development environment attacks.

This report describes the risk-informed technical elements that will contribute to a defense-in-depth assessment for cybersecurity. Risk-informed cybersecurity must leverage the technical elements of a risk-informed approach appropriately in order to evaluate cybersecurity risk insights. HAZCADS and HAZOP+ are suitable methodologies to model the connection between digital harm and process hazards. Risk assessment modeling needs to be expanded beyond HAZCADS and HAZOP+ to consider the sequence of events that lead to plant consequences. Leveraging current practices in PRA can lead to categorization of digital assets and prioritizing digital assets commensurate with the risk. Ultimately, the culmination of cyber hazard methodologies, event sequence modeling, and digital asset categorization will facilitate a defense-in-depth assessment of cybersecurity.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.