Cyber Security Controls in Nuclear Power Plant by Technical Assessment Methodology

Abstract

With the rapid increase in cyber attacks on industrial control systems, the significance of the application of cyber security controls and the evaluation of security against such attacks has also increased. Among them, cyber attacks on nuclear power plants (NPPs) can cause not only economic loss, but also human casualties. Thus, the application of cyber security controls is necessary for mitigating security threats, especially to NPPs. However, currently, there are limited resources pertaining to information protection, which is essential to uniformly deploy all the controls required to meet cyber security regulations. To overcome this challenge, effective cyber security controls need to be identified and adequate information protection resources must be allocated to each NPP. Although NPPs apply a differential security control according to its characteristics based on NEI 13-10 (Cyber Security Control Assessments), this alone is not only insufficient in reflecting the latest security threats, but also fails to confirm whether the security controls have actually mitigated such threats. To address this challenge, the Electric Power Research Institute (ETRI) developed the technical assessment methodology (TAM), which can be used to generate a quantitative score by assessing the effects of potential cyber attacks on an asset and the relevant security controls. This methodology allows for the application of differential security control based on the score to identify whether the security controls have actually mitigated the risks. Considering this context, the purpose of this paper is to conduct a comparative analysis of the results derived from applying security controls and assessing risks using only NEI 13-10 as well as both NEI 13-10 and TAM on the plant protection system of the nuclear power reactor APR1400. Furthermore, this paper discusses the scopes for subsequent research by addressing the limitations of the TAM and considerations for its use.