Small Modular Reactors (SMRs) are defined as “newer generation reactors designed to generate electric power typically up to 300 MW”. It is known that SMRs will have different design characteristics versus existing large Nuclear Power Plants (NPPs). According to the developer’s needs, regulatory bodies in the U.S., U.K., and Canada are developing the Design-Specific Review Standard (DSRS) and...
The insider threat is one of the major risks for nuclear facilities. Since most computer-based systems in nuclear facilities are isolated from external access, the insider who has the authorized access to the systems becomes the first breakthrough point. Moreover, due to the concern of affecting the existing systems, there are usually few security monitoring mechanisms for insiders. Even if...
Recently, iris recognition systems are greatly used for identification to control gaining access to essential assets which require very high level of security such as nuclear facilities. These iris recognition systems can be susceptible to numerous privacy and security attacks, especially when iris data is transmitted from local stations to a remote centralized database server for the decision...
This paper will review and explore the key challenges to recruiting and retaining the next generation of cyber security professional to the nuclear field.
The nuclear industry is dependent on a highly specialised and motivated workforce for its continued sustainability. For over 60 years, the UK’s nuclear energy has powered homes and businesses. The sector will also help the UK reach net...
As new nuclear power reactors incorporate uses of emerging technologies such as remote and autonomous monitoring, drones, and robotics, the current perimeter-based security model and domination of physical controls to address threat and vulnerabilities may be reduced in effectiveness. New technologies such as drones, wireless technology, and remote management do not neatly fit into the...
Collecting and analyzing the increasingly sophisticated patterns of cyberattacks targeting existing nuclear facilities takes work. However, to prevent an attack in advance and respond to it quickly when it occurs, it is necessary to collect various attack patterns and establish strategies for detecting and responding to them.
A well-built honeynet is required to collect accurate attack data...
The proposed paper will explore and report on adaptive thematic techniques employed by the UK civil nuclear regulator to inspect dutyholder capabilities and arrangements in place to lead the management of cybersecurity risk.
The UK civil nuclear regulator has historically adopted a repeating cyclic vertically based methodology for performing inspections upon dutyholder arrangements in place...
The Indonesian government has launched the Net Zero Emission (NZE) policies by including nuclear power plants (NPP) on the energy sector development roadmap which are projected to be connected to the grid in 2049 and will reach 35 GW in 2060. In the operation of nuclear installations, accuracy, reliability, and effectiveness of parameter observation are very necessary so that the use of...
The essential requirement for ongoing security testing and validation is driven by the fact that cyber-threats are becoming more pervasive and sophisticated every day. Cyberattacks on digital instrumentation and control (DI&C) systems in nuclear power plants (NPP) pose a severe security concern. EWS, OPS, IO Servers, historians, which are comparable to a normal industrial control system. It is...
ANSTO is one of Australia’s largest public research organisations and is widely recognised as an international player in the field of nuclear science and technology. ANSTO operates a diverse range of nuclear facilities including the OPAL multipurpose reactor, for radiopharmaceutical manufacturing, commercial irradiation services, scientific research and a range of other purposes.
We are...
Computer-based systems are growing in the field of nuclear and radiological environments, subsequently, Computer security is playing an integral role in security and safety assurance at nuclear facilities. Sensitive digital assets have to be protected against cyber-attack, manipulation, or sabotage behavior.
The attributes and characteristics of potential insider and/or external adversaries...
Information security at nuclear and radioactive facilities in Indonesia describes efforts to protect computer and non-computer equipment, facilities, data, and information from misuse by irresponsible people. Information security is intended to achieve confidentiality, availability, and integrity of information resources in a nuclear installation. However, information security vulnerabilities...
Abstract: Cyber security in Instrumentation and Control (I&C) networks is one of the major challenges. In the present age, all systems in I&C facilities are digitalized and use computer systems connected through an isolated network for their operation and control. I&C network use a graded approach to strengthen computer security and protect I&C facility functions. Further computer security...
Historically, cybersecurity regulations for nuclear security have focused on nuclear facilities which are associated with severe to high unacceptable consequences such as Nuclear Power Plants (NPPs). The US NRC published 10 Code for Regulation (CFR) 73.54, “the cyber rule” on Mar. 27, 2009, with a subsequent Regulatory Guide 5.71 in January of 2010. This regulation and subsequent efforts,...
NPPs are complex systems that require harmonization of security and safety. Trust is a ubiquitous concept in all mechanisms of the NPPs, enabling proper functioning. Since NPPs have multiple layers of regulation and actors, their trustworthy functionality affects safety and security. Additionally, NPPs have interdependencies with various actors (complex supply chain) and services (software...
The primary goal of incident response in nuclear is the expedited, economical, and safe return to a stable state of operations. Identification of the infection vector through root cause analysis is a secondary goal. Designing an IRP specifically for a computer security event is imperative for several reasons. Member states cannot rely on existing corporate ICT IR plans, because OT involves...
Evaluating the maturity of a cyber security program and its progression over times is a key aspect of program planning, resource investment, and continuous improvement. In 2014 the U.S. Department of Energy in partnership with the U.S. Department of Homeland Security released the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). Developed in collaboration with the...
The CSA Group recently updated the Canadian standard on cyber security for nuclear facilities, N290.7:21. The major updates include significant enhancements to the standard with respect to a Defensive Cyber Security Architecture (DCSA), the use of security zones, and a focus on detection and response for high-consequence cyber essential assets (CEAs).
These enhancements increased the...
Thailand enacted Nuclear Energy for Peace Act in B.E. 2559 (2016) and is currently in the process of issuing Ministerial Regulation on Nuclear Security. While the draft regulation covers most aspects of nuclear security for nuclear facilities, there are comparatively few requirements related to computer security.
Through a series of dialogues and recommendations from domestic and...
We live in a digital and information-driven society, and we need to protect information, especially sensitive nuclear information. Unauthorized access and changes to sensitive nuclear information must be prevented. Sensitive digital assets and systems must remain in an operable state to continue to perform their functions. The dynamic and complicated nature of cyber-attacks has made securing...
In 2021, the CNSC proposed amendments [R-1] to the Nuclear Security Regulations (NSR) [R-2] to regulate nuclear security using a performance objective-based approach thereby allowing licensees greater flexibility in the measures and approaches that they use to meet nuclear security requirements. The CNSC will also be updating the nuclear security regulatory documents (REGDOCs) to provide...
Given the exponential growth in the number of systems exposed to the Internet, in recent years the number of cyberattacks has increased. Mainly, the evaluation of cyber threats is approached from the physical point of view in facilities and operations. Nevertheless, it is crucial to deal with administrative systems whose access is frequently and exposed through web servers.
In order to...
Abstract:
each organization, state, person or facility has information that may be classified as general or confidential. loss of this information may lead to loss of its manufacturing process or property.
Information security covers the tools and processes that organizations use to protect information. This includes policy settings that prevent unauthorized people from accessing business...
Currently, computers and related information technologies play an increasingly important role in all aspects of human activities. The nuclear sector is particularly affected by this global trend. In organizations and facilities that use nuclear technology, computerized systems are used both in the execution of routine activities and in the execution of operations that guarantee radiation...
Knowledge management process is very important for efficiency, safety and security of the nuclear facilities and organizations, however some of its method and techniques may cause lack of security, especially that knowledge management process persists throughout the employee life cycle. Knowledge is everything in the nuclear facility including sensitive data and important information, during...
To enhance cybersecurity, independent assessment shall be carried out to check if all regulatory and internal requirements are properly implemented. The EDF independent oversight organization, including cyber security, is compliant with IAEA TDL006 and also IAEA/WANO guideline GL2018-01 (Independent Oversight).
The Independent Cyber Security Oversight organization is composed of different...
Nuclear instrumentation and control systems are meeting a large set of cybersecurity requirements, preferably « by design » before systems are qualified and frozen in configuration for operation. Many provisions are emphasized for the design stage in applicable cybersecurity international standards and guidelines as IAEA NSS documents and IEC standards.
The given requirements articulate...
The computer security threat landscape is constantly shifting. Cyber threat actors continue to devise new ways to penetrate digital systems for malicious intent. Compliance-based computer security programs foster a ‘set-it and forget it’ attitude with their security control planning and implementation strategies that often fall short in defending against a changing threat. Security controls...
Computer Security Hazard on Online Nuclear Material Licensing in Indonesia had been identified. This study was conducted based on Government Regulation number 5 in the year 2021 about the Implementation of Risk-Based Business Licensing. Recently now Online Nuclear Material Licensing in Indonesia is still under development in integration with the Online Single Submission (OSS) coordinated by...
Information Technology (IT) is integrated in all sectors and its rapid development is associated with a definite threat from malicious acts. Data is regularly hacked. In Cameroon, the President of the Republic promulgated Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime. Despite this law, in 2015 National Agency for Information and Communication Technologies (ANTIC)...
The different nuclear research centers around the world carry out their daily activities supported by information technology (IT) and operating technology (OT). This trend of digitalization means that more people are using technology, more services are connected to the Internet, and even depend on information systems for their operation, which means that vulnerabilities, risks and threats are...
Ensuring computer security throughout the supply chain management is important to Critically look at Computer Security in Supply Chain Management, and Cyber security of the supply chain as part of its safety measures that focus on the management of the required cybersecurity which includes information technology systems, software, and networks. Supply chain management has a high risk of...
Cases of computer security breaches are on the rise in Zimbabwe. Sectors that have been affected to date include the banking industry, healthcare and telecommunications sectors. The Covid-19 pandemic arose a new work from home culture that has seen employees working from home, thus giving an opportunity for cyber criminals to target unsuspecting victims. In response to cyber security breaches,...
In this communication, authors, EDF as operator and Framatome as vendor, jointly provide an overview of the full computer security maintenance journey to maintain computer security posture and maintain security by design architecture during the full critical industrial assets’ computer systems lifecycle. Purposes, stakes, main contributors, and different stages of the approach are presented...
To protect nuclear power plants from cyber-attacks, the Republic of Korea (ROK) established their computer security standards following the IAEA’s NSS#17(Computer Security at Nuclear Facilities) and the computer security program is implemented under those ROK’s regulatory requirements. A nuclear control system has been implementing by the Nuclear Safety and Security Commission (NSSC) from...
Information security as well as the protection of computer-based systems against malicious acts is one of the key challenges of our time.
With the ‘Malicious Acts Guideline’ for other radioactive materials (Malicious Acts Guideline for protection against disruptive actions or other interference by third parties) enacted in 2021, Germany has implemented security regulations for the use and...
Sabotage, Cyberattacks and malfunctions in nuclear facilities can have major consequences for human health and the environment, so it is extremely important that nuclear facilities are equipped with strong, reliable and additional, multi-layered protection systems for timely warning.
Computer Vision is defined as a solution that uses Artificial Intelligence (AI) to enable computers to obtain...
SMRs are being designed in leading countries in nuclear technology. Most SMRs are trying to reduce construction sites and operating costs by utilizing autonomous operation, remote control, and modularization technologies.
However, these new technologies have not been applied to operating nuclear power plants with regulatory approval. Therefore, system designers and utilities need to work with...
Statistics show that human error plays a key part in 95% of cybersecurity breaches, making it the biggest threat to information systems and assets. The threats can be external or internal, with the risks from internal/insider threats being more severe because they are either not expected or easily go undetected.
Security is not the sole responsibility of IT teams alone. The entire human...
This paper aims to describe an assessment of cyber-attacks impacts in the effectiveness of the security system of a hypothetical Brazilian facility that comprises a small modular reactor of PWR type. The cyber threat affects nuclear risks in at least two ways: It can be used to undermine the security of nuclear materials and facility operations, and it can compromise nuclear command and...
This work presents the framework of the Brazilian Cyber Guardian Exercise (CGE) and its evolution over its four editions, the development and conduction of its latest edition (CGE 4.0), including the development and use of simulators and its lessons learned. The CGE, and especially CGE 4.0, has called international attention in terms of planning and execution and constitutes an effective...
Traditionally, cybersecurity is not considered in the design process. Design engineers typically focus on building safety and reliability into their products and applications. Security against malicious cyber incidents is often an afterthought, resulting in deployment of security solutions during installation or operation. Unfortunately, waiting to consider cybersecurity until later in the...
Cyber-attacks targeting nuclear facilities are an increasing concern for nuclear security. However, unlike physical security, performance testing of cyber-security incident response at nuclear facilities has yet to develop mature, safe and secure methodologies necessary to evaluate facility staff in live or representative conditions.
DOE’s Office of International Security has supported...
Abstract
Cyber security is vital for the protection of novel advanced small modular reactors (SMRs) from both security and safety viewpoints. For a remotely-deployed SMR, it may be operated autonomously or semi-autonomously – with modules operated almost like “nuclear batteries” where they are installed, connected to end user(s), and...
Nuclear facilities are one of the vital objects of the Indonesian state that must be protected both in terms of physical and cyber security. The Center for Utilization of Informatics and Nuclear Strategic Areas which is now integrated with the Data and Information Center (PUSDATIN) of the National Research and Innovation Agency has the function of securing nuclear area installations, both...
Investigating Security Measures and International Requirements
In the presence of ongoing digitalization and globalization supply chains of information and operational technology have become multilayered and increasingly complex over the last years. Recent IT security incidents like the supply chain attacks regarding SolarWinds, Log4J and Kaseya highlight the potential devastating...
Cybersecurity including sensitive information matters is considered as a line of defense to prevent nuclear events (security and safety) as well as physical protection.
Consequently, cybersecurity, a main component of Nuclear Security, included in the EDF nuclear integrated management system and so meets the key common fundamental principles while considering its specificities....
The...
Every nuclear facility needs a defensible network architecture. A defensible architecture is one that not only prevents as much cyber risk as possible, from a network architecture perspective but also facilitates the human defender. Architectures can be designed to be defensible through a variety of principles including strong segmentation such as data diodes, firewalling, micro-segmentation,...
Cyber incidents on nuclear installations have occurred in many countries in the world and have caused extensive damage, not only to cyber infrastructure but furthermore, there are bad impacts felt by humans. Several fatal incidents recorded in countries such as Iran, Japan, and the US prove the importance of handling cyber incidents appropriately at nuclear facilities. This project discusses...
Training is a critical component of any organization. An effective and efficient training program should be designed to enhance or develop the role of the human factor. Dr. Sallam from the Egyptian Nuclear and Radiological Regulatory Authority described the importance of the human factor so eloquently in 2015 as follows:
Technology is an essential component of cyber security, but security...
This paper aims to set out the UK approach to developing and implementing the 2022 Civil Cyber Security Strategy. The five year strategy aims for a UK Civil Nuclear sector which effectively manages and mitigates cyber risk in a collaborative and mature manner, is resilient in responding to and recovering from incidents, and ensures an inclusive culture for all.
The nature of cyberspace and...
The emergence of cyberweapons and the convergence of Information and Communications Technology (ICT) and Operational Technology (OT), contributed to the exponential growth in the number and sophistication of cyber-attacks, targeting critical infrastructure. The nuclear sector has recognized that it must integrate cyber into its DBTs to ensure its most critical systems can defend, detect,...
Türkiye, as a country embarking on nuclear power programme is in phase of updating and improving the regulatory framework and approaches for nuclear security in order to build a better and robust structure for national nuclear security regime. In order to accelerate the phase progress and to create a precise roadmap, in 2021, the IAEA International Physical Protection Advisory Service (IPPAS)...
Ensuring that the cybersecurity workforce is more diverse and inclusive is a security issue and a programme implementation issue. The link between diversity, and inclusion, organizational culture and performance has been demonstrated by WINS in various projects . The WINS Best Practice Guide on Gender and Nuclear Security (2021) demonstrated that a more diverse workforce leads to innovation,...
This paper examines the impacts of emerging technologies on Cyber Incident Response (IR). With the increasing prevalence of cyberattacks, organizations are under growing pressure to effectively respond to incidents. Emerging technologies such as Artificial Intelligence (AI), Machine Learning (ML), Cloud Computing, and quantum computing are rapidly changing IR, offering new solutions and...
Software-defined networking (SDN) is being adopted by organizations of all sizes, from small businesses to large enterprises, and is becoming increasingly important in cloud computing and data center environments, where it can help to automate and simplify network management. The deployment of SDN in operation technology (OT) environments can bring numerous benefits, including improved...
In the US, both safety and security of commercial nuclear power plants is regulated by a single regulatory body, the Nuclear Regulatory Commission (NRC), but the regulatory frameworks for safety and security are different in that the security framework is solely rooted on the facility’s conduct of operations while the safety framework factors in the facility’s design in addition to operations....
The OT Watch team at Dragos monitors and conducts threat hunts within numerous client networks across a variety of OT industry verticals. They amplify existing Security Operations Centers (SOCs) and reduce the mean discovery time of incidents. This paper documents many of the lessons learned from their experience. facilitating incident response. It will also describe their approach to...
The used equipment over the years of operation of nuclear power plants changed a lot and the IT-based systems increased. With this increase, threats for the equipment changes and attacks were seen also in NPPs. As the NPPs in Germany started mainly in the late 1970s and in the 1980s there are six relevant and dedicated time intervals identified, where a detailed look on infrastructure,...
This work presents the working in progress of a basic principle integrated Small Modular Reactor simulator model designed to support computer security academic studies for instrumentation and control, remote modes of operation and use of wireless technologies. It has been developed to provide an overview of plant processes and a fundamental understanding of the modes of operation while...
Field Programmable Gate Arrays (FPGAs) possess certain advantages over traditional analog circuits, as well as microprocessors, for nuclear instrumentation applications. The advantages of applying FPGA designs are to keep the long-life supply of designed units, improving testability (verification), and to reduce the drift which may occur in analog-based system. This paper describes the use of...
In 2021, a French new decree about Nuclear Security was published integrating all components of nuclear security (physical protection, NMAC, computer security, information security…) in an holistic approach. In parallel, since 2020, the French Nuclear security Authority (DSN) launched a work to revise regulatory requirements and to write different ministerial orders with a dedicated chapter...
The main French Nuclear Operators (ANDRA, CEA, EDF, FRAMATOME and ORANO) created in March 2022 the French CoE to enhance in priority national nuclear security and computer security capacity through human resource development, education and training and technology qualification.
We will present why the French CoE has been created, under the state umbrella and within all the French nuclear...
How Reported Incidents Help Improving Cybersecurity
In the past, several platforms to share and learn from incidents in nuclear facilities such as the International Reporting System (IRS) have been established. The common goal of these platforms is to elevate nuclear safety by shared operational experience. In Germany, these incident reports are evaluated extensively from a safety...
Design of new and upgraded OT infrastructure of EDF NPP French fleet follows a complete set of cybersecurity rules and principles consistent with IAEA NSS documents, IEC standards and in accordance with French regulation to maximize safety and security. The paper aims at presenting an overview of such rules, but also feedback and challenges when establishing and applying them.
These rules...
U.S. nuclear power plants contain a significant amount of equipment that is classified as “balance of plant” (BOP) (i.e., systems, structures, and components that are not part of the nuclear steam supply system). BOP digital equipment could potentially be within the regulatory scope of two U.S. Federal cyber security regulations, one from the U.S. Nuclear Regulatory Commission (NRC) and one...
Computer security and computer network security are becoming more and more important and necessary in today's society. It is even more important for a regulatory body. However, human resources for information technology in general and human resources for computer security, in particular now are lacking. Therefore, human resources to ensure quality for computer security become more and more...
The use of simulation platforms for the training of cybersecurity specialists is today quite common. In particular, universities training cybersecurity engineers widely use this type of equipment. These platforms are based on virtualization technics and make it possible to recreate dozens of interconnected machines similar to an information system in place in significant companies. On the...
Title of the Paper: Implementation of a Cyber DBT in a Nuclear Security Program
C.Romao
cesar.romao@presidencia.gov.br
System for the Protection of the Brazilian Nuclear Program Department
Abstract. This work aims to describe how the Design Basis Threat (DBT) Methodology regulatory requirements apply in Cyber Security, according to NSS10. The paper proposes key challenging...
[In the context of Barakah NPP commissioning]
The paper is intended to highlight the regulatory approach in the implementation of a robust cyber security regulatory functions by the Federal Authority for Nuclear Regulation (FANR). The presentation will discuss FANR cyber security regulatory framework and regulatory oversight, focusing on the Cyber Security implementation at Barakah Nuclear...
Threats to the global supply chain affect the cybersecurity of systems, processes, and facilities that use radioactive material. The Office of Radiological Security (ORS) is a US Department of Energy National Nuclear Security Administration program that works with users of high-activity radioactive materials to better protect them from acts of terrorism. As manufacturers of security components...
Security of (other) radioactive material and sources was covered long time by the security regime for nuclear material in Germany. Starting in 2009, a dedicated security regime for other radioactive material was developed. Finally, a malicious acts guideline for protection against disruptive actions or other interference by third parties for handling and transportation of other radioactive...
As work continues to advance the security posture of ICS systems across the UKNDA estate, opportunities arise to consider the deployment of deception technologies. With high-profile attacks on ICS occurring more frequently, and increasing numbers of adversaries developing ever more sophisticated techniques, strategies to try and stay ahead of the curve become increasingly necessary. Honeypots...
Incident response and recovery from cyber-attack are important elements of an organization’s cyber security program. Exercises are a well-recognized means to train, demonstrate and evaluate preparedness. Canadian Nuclear Laboratories (CNL) has been conducting table top, hands-on, and cyber-physical incident response exercises as a tool for organizations to practice their incident response...
Nowadays, the dependance on digital technologies is a feature of most of the industrial activities in the Information Era. This dependance is an intrinsic consequence of the technological progress and an indicator showing that not only the number of devices, processes and people connected to a net is increasing but also the number, complexity and variety of vulnerabilities, risks and threats...
Over the past decade, cybersecurity researchers have released multiple studies highlighting the insecure nature of I&C system communication protocols. In response, standards bodies have addressed the issue by adding the ability to encrypt communications to some protocols in some cases, while control system engineers have argued that encryption within these kinds of high consequence systems is...
The interdependencies between information Security and computer security have obviously increased due to the use of digital technology. Sensitive information which might have been on paper, sent discretely and accessed on a need to know basis is mostly now in digital forms and needs to be protected.
If information labels such as 'secret' or 'confidential' are used on physical documents based...
In the UK civil nuclear sector, regulated entities are required to prepare a Nuclear Site Security Plan, which sets out the standards procedures and arrangements necessary to ensure the security of the premises, nuclear material, equipment, and sensitive nuclear information. The Plan is constructed of a series of claims, arguments and evidence which together make the case for proportionate...
Safety and security serve a common objective (the protection of the public and the environment) and typically reflect a common philosophy of defence in depth. According to the IAEA document’s definition, nuclear safety is the achievement of proper operating conditions, prevention of accidents or mitigation of accident consequences, resulting in protections of workers, the public and the...
CSIRTs have been addressing information- and cyber-security problems since the 1990s and are thus one of the most qualified to handle incidents when they occur. CSIRTs can address many sorts of problems and are usually well-equipped to do a detailed analysis of malware, investigate breaches of local network environments or inspect network traffic anomalies. In that way, they can provide...
Cybersecurity is a relatively new domain of computer science associated with potentially significant impacts to Nuclear Security. Many functions that provide Nuclear Security rely upon computer-based systems to perform significant functions, thereby increasing demands on national and international capacity to provide cybersecurity.
IAEA Nuclear Security Series No. 31-G publication “Building...
Remote inspections became a necessity for regulators to continue cybersecurity inspections in a time of lockdowns and social distancing measures in response to the COVID-19 pandemic. These remote inspections provided for advantages in flexibility; cost and time savings; and an increase in frequency of inspections and are expected to be used as a key element of regulatory inspections once COVID...
Adapting the MITRE ATT&CK framework for nuclear facilities
Critical infrastructures including nuclear facilities are facing a highly dynamic, constantly evolving cybersecurity threat landscape. The German TSO GRS analyses the relevant threat landscape by continuously screening reports of cybersecurity incidents, vulnerabilities in industrial control systems and attacker activities....
Member states are rapidly amending regulations to include computer security provisions for their nuclear facilities. However, they are not only amending regulations for nuclear facilities, but also for radioactive material and associated facilities, and nuclear and other radioactive material out of regulatory control (hereinafter ‘the operator’). Many member states have noticed, that while...
This paper presents some key cybersecurity principles and aspects of French NUWARDTM SMR design at the conceptual design stage in accordance with regulatory requirements, IAEA NSS and the highest nuclear cybersecurity standards.
A quick recall about the NUWARDTM product, its features, and its overall I&C architecture main characteristics, will be made. The paper will list various and...
Nigeria in 1995 established the Nigerian Nuclear Regulatory Authority through Act 19 of 1995. By the Act the NNRA is to ensure nuclear safety and radiological protection regulation in Nigeria. Section 47 of the Act empowers the NNRA to make Regulations prescribing anything that needs to be prescribed under the Act. Consequently, the NNRA has developed a number of regulations. Prominent among...
Historically separated Supervisory Control and Data Acquisition (SCADA) systems are now interconnected due to the requirements of Industry 4.0. The resulting connections lead to new attack vectors threatening critical infrastructure like power plants and electrical distribution networks.
The focus of this paper will be the early detection of failures and alterations within control systems....
Time series are timestamped data sequences of measured values. In industrial environments, time series are stored by historians for incident response, reporting or for later analysis. Sources of time series can be, for example, radiation detection sensors, temperature or pressure sensors in the nuclear field.
In some cases, we do not have enough real life time series data or it cannot be...
Strategies for effective allocation of budgetary expenditure to computer security during the life phases of nuclear facilities are crucial in the nuclear world. In this study, we consider budgetary costs associated with computer security during the stages of design, construction, commissioning, operations, and decommissioning. A goal programming model is proposed; and in this model, five...
As smart, or Internet of Things (IoT), devices, sensors, and applications are becoming normalized in everyday activities, this increased connectivity facilitates exponential growth in efficiency and productivity. However, the same IoT connectivity brings potential cyber security vulnerabilities to otherwise secure systems. We are at a critical point in understanding how IoT technology connects...
Cyber-attacks continue to upsurge around the globe despite the advancement in cyber security measures. This type of attack can occur at any stage of the lifecycle of software development to the end user's computer devices. This attack usually goes through a series of interdependent supply chain participants—component manufacturers, sub-contractors, suppliers, distributors, etc. Hence, Supply...
The protection of information systems, in nuclear installations, is an important part of nuclear security. The Nuclear Regulatory Authority (UJD) and operators of nuclear facilities pay close attention to the realization of protective measures against cyber threats described in DBT. Even the legislation in force does not contain detailed provisions on cyber security; the UJD encourages and...
Remote operations and management of nuclear power systems is becoming an attractive design option for system designers to reduce both the costs and the technical footprint of reactor installations. In fact, due to the lower margins associated with small modular reactor systems coupled with the new deployment models these systems support remote operational management may in some cases become a...
Digital Twins (DT) – virtual representations of real-world entities – use historical and real-time data to perform calculations and simulations in the virtual space, providing many benefits to the nuclear sector. DTs allow system operators and asset owners to explore their systems in ways that have previously been too difficult or too dangerous, and have been proposed for predictive...
Cybersecurity is a necessary part of a State’s Nuclear Security Regime. However, demand for cybersecurity experts far exceeds supply, which makes systematic training and education programmes important to ensuring Nuclear Security. The US Department of Energy’s Office of International Nuclear Security (INS) offers many cybersecurity training courses to global partners as well as collaborates...
Although the nuclear industry has put a great deal of effort and resources into operator-led international assessments in the realm of nuclear safety, similar efforts in nuclear security have been much more limited. Bruce Power, the Nuclear Threat Initiative Cyber-Nuclear Forum (CNF) and the World Institute of Nuclear Security (WINS) are working together to pilot an international computer...
In December 2009 the Emirates Nuclear Energy Corporation (ENEC) announced that it had selected a bid to build four APR1400 reactors at the Barakah site. The Prime Contract was signed 27 December 2009. The Prime Contract required delivery of a full scope engineering procurement construction (EPC) “turnkey” nuclear power facility with four APR1400 reactors. The first unit began commercial...
The enormous number of hackers attacking technology and information systems in Indonesia today makes cyber security knowledge very important and relevant. The attack imposed on the Indonesian government is a warning that cyber security must continue to be rolled out in accordance with cyber security knowledge. Later, it is feared that these attacks and threats will target vulnerable state...
Network segmentation involves partitioning a network into smaller networks, while network segregation involves developing and enforcing a ruleset for controlling the communications between specific hosts and services.
When implementing network segmentation and segregation, the aim is to restrict the level of access to sensitive information, hosts and services while ensuring production...
In the Senegal Emerging Plan (PSE), the government intend to improve economic and social condition of people beyond 2035. One of the major axes of the PSE, aims to promote security, peace and cooperation. Based on this national strategy plan, a sectorial strategy called Senegal Digital plan (SN2025) was adopted in 2016 in order to ensure the digital development and computer security was
one...
New nuclear power plants installed in Pakistan are different in technology since analogue-based instrumentation and control is being replaced gradually with software and digital based I&C. This paradigm shift has posed a challenge for ensuring safety and security of such NPPs which shall therefore be one of the prime concerns for regulators. PNRA’s strategy to this end revolves around building...
Organizational Behavior Management (OBM) is a research field dedicated for developing processes to modify human behavior in organizational environment. It is derived from Behavior Analysis, a methodology for studying human behavior with three characteristics that enables research to be translated into applied technology: Quantification, variables can be quantified and standardized; Repetition,...
Training staff on cybersecurity topics in the modern environment can be very challenging. Lectures centered around PowerPoint presentations do not provide adult learners with an environment conducive to knowledge transfer; traditional classroom settings are prohibitive for providing adult learners with the skillset necessary for responding to and investigating a computer security incident in...
The ultimate goal of conducting computer security assessments is to ensure data is protected at all costs.
However, protection against cyber-attacks comes with its own challenges.
Challenges
RPA – (Radiation Protection Authority) encountered some challenges with implementing computer security assessment’s due to a lack of a Security Policy document which stipulates controls and rules to...
Against cyber threats on nuclear facilities, anomaly detection systems have steadily advanced and been adopted mainly by monitoring network traffic. Nevertheless, sometimes, detecting cyber threats by monitoring networks seems to have a limit in that such as it couldn't detect what happened under the internal network especially infiltrated from the field area, or the next steps of malicious...
From 2017 to 2021, the U.S. Nuclear Regulatory Commission (NRC) inspected nuclear power plants to evaluate the full implementation of their cybersecurity programs. These inspections resulted in the identification of over 100 findings and violations. Under the NRC’s Reactor Oversight Process, inspectors also identify the cross-cutting aspect (i.e., primary contributing cause) of each...
It is hard to test the cyber security on operating NPPs because of the safety problems. So, it is necessary to develop a test-bed to test both the cyber security of NPPs and the effect of cyber-attack on NPPs. KINAC has been developing NPPs test-bed to evaluate the cyber security of NPPs, validate cyber security controls of licensee and train the inspectors. In this paper, the conceptual...
The cybersecurity industry is in an architectural transitionary phase. Zero Trust Architecture (ZTA) is becoming the new standard for cybersecurity architectures. It has been a notional concept for the past decade but only recently has technology come to a point where ZTA is achievable. Zero Trust assumes that a cyber security breach is inevitable or has likely already occurred. It transitions...
Nowadays; there is a lack of awareness, both at the level of regulators and operators, about the basic measures that must be adopted in order to prevent Cybercrime from infiltrating our organizations. This fact can cause potential harm, to the point of triggering damages of incalculable cost as well as exposing extremely sensitive information.
The aim of this paper is to mention several...
The previous IAEA CRP J02008 led to the development of the open-source “Asherah” Simulator that allows for advanced cyber security training and research and development. Asherah is a hypothetical Pressurized Water Reactor (PWR) that was validated using nuclear thermal hydraulics codes (i.e., PARC/RELAP5).
In a similar manner, a project proposed by Sandia National Laboratories (SNL) and...
The Nuclear Regulatory Authority, created in 1997 by Law 24804, is the Argentine State agency that exercises regulatory and supervisory functions in the areas of radiological and nuclear safety, physical protection, safeguards and non-proliferation.
Currently, there are two applicable standards for Physical Security: Standard AR 10.13.1 "Standard for the physical protection of nuclear...
The paper discusses regional efforts of the Association of Southeast Asian Nations (ASEAN) to enhance cyber security governance and cooperation in Southeast Asia. It explores how such growing cyber security cooperation can enhance nuclear security in the region. The paper recommends the adoption of a regional action plan/roadmap that will outline measures on fully integrating cyber security ...
Atomic Energy Regulatory Board (AERB) was established in 1983, for the safety regulation of nuclear and radiation facilities in India. The regulation of Engineering Aspects of nuclear security (having bearing on safety) at Nuclear Power Plants and Projects was taken up by AERB w.e.f. October 2009.
AERB has identified following 3 Core Processes for the regulation of security Aspects:-...
Nuclear and other radioactive materials, associated facilities and materials outside of regulatory control all depend on computer-based systems which play an essential role in all aspects of their safety and security. These applications increases as technology advances.
Cyber-Physical systems are becoming prime targets for cyber attacks and the nuclear industry is not immune. Cyber attacks...
CNCAN had its first computer security regulation NSC-01 “Regulation regarding protection of nuclear facilities against cyber threats” published in November 2014, this first issuance was a result of compliance with the recommendations of the 2012 IPPAS mission in Romania. The scope of the paper is to present the changes in requirements for computer security over time, the necessity of revision,...
Slovenian Nuclear Safety Administration (SNSA), together with international partners from the USA and Switzerland, conducted and hosted a two-day summer computer security event »S^3 Nuclear Cyber Best Practices Exchange«. The main goal was to promote international cooperation in the form of knowledge and experience sharing, as well as forming new connections. The event took place in August...
In the “Safety First” culture of the nuclear industry, the nuanced differences between security and safety can be lost. The use of powerful software-programmable digital technology provides the means to transform instrumentation and control systems but also provides unparalleled opportunity for malicious action by criminals and others. Computer security is therefore increasingly vital to...
The OPC Unified Architecture (OPC UA) is a widely adopted machine-to-machine (M2M) communication protocol in the nuclear industry. Its security model, defined in the IEC 62451-2:2020 specification, is crucial due to its deployment in critical infrastructures and increase in nuclear power plants, as, e.g., addressed in a new IEC TR of SC45A WG3. The security model must be applied or improved...
Slovenian Nuclear Safety Administration (SNSA) is a governmental body, therefore, it must ensure a high level of information security of their information systems and networks according to the Information Security Act (Official Gazette of the Republic of Slovenia, no. 30/18 and 95/21). Herein, the critical information systems in average represent more than half of all information systems...
Nuclear power plants (NPP) have thousands of digital assets throughout their facility. Typically, NPPs have asset and configuration management programs that capture the make, model, and version of a component. This information, however, usually only includes first- or second-tier components and does not capture the complete enumeration of software components and their dependencies within...
IEC 62443 4-2 standard is widely used in industry to ensure security on industrial automation and control systems. Whereas in the nuclear industry, many nuclear licensees commonly refer to RG 5.71, which guides security requirements, and NEI 13-10, which gives a graded approach to alleviate 101 security requirements stated in RG 5.71. In this paper, IEC 62443 4-2 will be compared thoroughly...
Cyber threats are continuously increasing since digital technologies have been widely used in nuclear facilities. In Korea, licensees establish the cyber security program according to the KINAC/RS-015. However, security controls are implemented primarily within the framework of operational and management controls. Technical controls for cyber intrusion detection are rarely installed. This can...
The supply chain is widely recognized as a credible pathway for committing cyber-attacks. Critical infrastructure operators including those that produce power, treat water, and operate trains, are dependent on the supply chain for the thousands of digital devices and software applications they employ. Operators are also dependent on the supply chain for services related to these digital...
Threats to the global cyber supply chain affect the security and stability of all nuclear facilities and infrastructure. Counterfeit parts, low quality or reused components, poor code hygiene, and non-availability of hardware and software can lead to unexpected vulnerabilities in mission critical systems. Supply chain inspection and risk management are critical for nuclear owners and...
The Covid-19 pandemic has resulted in significant changes in the way that we conduct business, including more use of online tools to support remote or hybrid activities. Reflecting this situation, and a more general desire to provide flexible, engaging, and sustainable computer security training courses, the International Atomic Agency (IAEA) and the AIT Austrian Institute of Technology...
Computer Security is the protection of computer systems and information from harm, theft, and unauthorized use. Computer security is centered on 3 principles known as CIA, C-Confidentiality, I-Integrity, A-Availability. Computer security starts with identification of sensitive information and applying computer security controls to mitigate threats to loss of sensitive information. Sensitive...
The exponential increase in information and communication technologies and their wide applications in daily, business, and institutional life have brought innumerable benefits and advances, but they have also brought concern about the increase in malicious acts that harm the systems, computer, and electronics such as information theft and digital manipulation of sensitive information from...
We are convinced that there is a broad variety of effective computer security regulatory approaches which are suitable for a nuclear security regime of a state. The legislative and regulatory framework, the organization of the relevant competent authorities, the cultural attitude and social behaviour, the maturity level of competent authorities and operators, the geographical circumstances and...
At the time the Information Technology is climbing worldwide still, the risk of getting attacked is remaining high especially if nuclear applications constitute part of the ongoing activities. This study aims to assist in clarifying the burden of nuclear information security in Sudan with special emphasis on the existing strengths and weaknesses. So the study is conceptual, descriptive and...
The U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) is helping organizations evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience. A new version of the model, C2M2-Nuclear, customizes the C2M2 for the unique safety, security, operational, and regulatory concerns associated with nuclear facilities. The free,...
Indonesia has three research reactors and plans to operate NPPs that tend to use digital technology. The risk of nuclear computer security should be managed as well. Security is considered to have an important influence on the safety of nuclear reactor design, which can be seen in the use of software in power reactors. Experiences from many countries showed that the very early integration of...
The paper will recap the use of cyber range technology for competence building and awareness raising in computer security through an overview of cyber exercises delivered to the UK’s civil nuclear sector over the past few years. The paper will describe the objectives, scenarios, and participants of these cyber exercises, identify successes and challenges encountered in their development and...
International standards and guidance publications are important in advancing best practices and incorporating lessons learned. This paper will provide an up-to-date overview of the IEC (International Electrotechnical Commission) series of cybersecurity standards dedicated to I&C of nuclear power plants. It will present the outline of the different documents of the series, its dynamics,...
The State has the sole responsibility to legislate and criminalize cyber-attacks on computer systems within the nuclear security regime. Earlier years ‘proved that cybercriminals could not be prosecuted around Zimbabwe, a special need to develop Computer security legislative provisions was therefore established in 2021, to include unique characteristics of offences and modes of operation...
The ongoing global situation has once again proven that the nuclear sector needs to be highly protected from physical attacks as well as cyber-attacks. To accomplish this, many assurance activities must be implemented, including computer security exercises. The value of exercises is even higher if all relevant national and international stakeholders are involved to support the interface...
Computer security is extremely important in the field of security for the safety of radioactive sources. It improves information security and strengthens safety measures to prevent the theft of radioactive sources, their damage, and other malicious acts. Radioactive sources facilities should deploy computer security methods that facilitate accessibility, integrity, accountability, and...
Nuclear Energy Regulatory Agency (BAPETEN) has developed an electronic application for inspection and reporting management for monitoring the safety and security of nuclear installations called Balis SMILE.
Balis stands for BAPETEN Licensing And Inspection System and SMILE stands for System Management for Inspection and Reporting Electronically is a web-based application to improve the...
The nuclear world today is anchored deeply in the cyber sphere and needs to protect itself from ever-changing threats coming from rapidly evolving technologies and increasingly imaginative malicious actors using increasingly sophisticated methods. Strategies and policies both at the national and the facility level must be constantly evaluated and updated so as to effectively address current...
In October 2001, the Office for Civil Nuclear Security (OCNS) was established as an independent security regulator within the UK’s Department for Trade and Industry. Following this, the UK enacted the Nuclear Industries Security Regulations (NISR) 2003 which OCNS was responsible for enforcing. Whilst these regulations are not inherently prescriptive in nature, the dominant culture of the time...
Research and development into applications for improving equipment condition monitoring programs at nuclear facilities has been around since the 1990s. However, while the field has moved from using data-driven machine learning (ML) algorithms for detection and prediction of equipment degradation and failure to prognostic capabilities, these applications are still not widely used in the U.S....
Current proposed ARs involve diverse technologies with a unique set of functions (and systems) that support both nuclear safety and security. To address these challenges, the U.S. Nuclear Regulatory Commission (NRC) is moving toward a risk-informed, performance based and technology-neutral regulation and associated regulatory guides. The U.S. NRC, supported by cybersecurity experts from DOE...
There is a lot of ways to learn computer security: usual classes, hands-on labs, master classes etc. But not only all of these methods lack gamification and show low level of involvement, but also there is no team building. As a result, some students may not skip the classes, but participate poorly.
Global Nuclear Safety and Security Institute created two different scenarios for the...
For vulnerability management, the analysis of vulnerability starts with a base severity score, assigned by a scoring source for instance National Vulnerability Database (NVD–NIST), using a scoring system such as Common Vulnerability Scoring System (CVSS). The base severity score incorporates technical attributes of the vulnerability only. This score is later transformed by confidentiality,...
One of the most effective ways to strengthen nuclear security around the world is to work as a global community, sharing best practices and lessons learned. Although nuclear security is national responsibility, the new challenges and technologies implemented in the nuclear field forces the international community to work together to remain effective and be able to prevent malicious uses of...
