The issue of nuclear energy may partly determine trends in the European energy market, therefore its cybersecurity aspects are more than important. In a way, nuclear power plants (NPPs) are just factories that produce electric power from uranium or other nuclear fuel; rumor even has it that a former CEO of Paks NPP had a poster in his office, stating that the facility was, in fact, a chemical plant with electricity as a byproduct. Of course, the two are different. From a cybersecurity perspective, the threat landscape of a nuclear power plant partly differs from that of a manufacturing plant and this has implications for security measures and rules.
Both manufacturing and NPPs should be aware of supply chain vulnerabilities and attacks, legacy systems or insider threats. However, NPPs have unique and highly consequential risks due to the critical nature of nuclear operations. NPP operators must take into account the following threats too:
Given the high stakes of cybersecurity at nuclear power plants, robust defenses, continuous monitoring, incident response planning and collaboration between government agencies – plant operators – cybersecurity experts, mitigating risks and ensuring safe operations is a delicate balancing act. Let’s look at some of the basic principles that enable the best cyber defense.
At first glance, the security requirements for nuclear power plants are the same as for factories: to stop or prevent malicious actors from causing damage (i.e. harming human life, damaging equipment, or reducing its reliability). And, of course, to do this in the most cost-effective way possible. This is what the ALARA principle is all about – reducing risks to be As Low As Reasonably Achievable (ALARA), where reasonably achievable, includes financial acceptability.
Better and more secure controls mean higher costs and the ALARA principle allows the operator to focus investment where it counts. By applying the ALARA principle, risks can be minimized to a reasonable level. Experts can assess all sources of risk and provide an appropriate response to each one. But cyber security is often threatened by threats that no one would think of, which is where another principle comes into play: defense-in-depth.
The idea is to organize security into layers so that when a malicious actor penetrates one layer, it is confronted with another line of defense. This principle is widely used in all areas of security but has a slightly different definition in nuclear cybersecurity and safety. (The two should not be confused, ‘safety’ deals with errors and accidental failures, not malicious actors.)
Defense-in-depth in cybersecurity encourages defense experts to think with the attacker’s head and also to consider scenarios where the attack is partially successful. Hardware and software components are almost guaranteed to contain hidden flaws and vulnerabilities. Unique solutions specific to nuclear operations are no exception. Cybersecurity experts therefore need to deploy multiple lines of defense across a facility to confidently repel an ongoing attack. Some concrete examples include:
There is no universal method for the selection and placement of defense-in-depth elements, as it all depends on the attacker model and the system architecture. When designing a plant (or introducing major changes), a risk analysis process should be carried out to identify potential intrusive routes. Any of these routes that are high risk should be subject to additional controls. International standards such as ANSI/ISA 62443 describe exactly how to carry out this process.
There’s only one situation where no one can compromise a device through another – if those devices are separated in the technical sense. This security measure (disabling communication between a group of devices and the outer world) is not always affordable though. The solution is to do something similar instead: logical zoning. Cybersecurity experts divide the infrastructure into zones and restrict inter-zone connections heavily. This is a major improvement in the application of defense-in-depth and is used widely in safety-critical plants. In a nuclear facility, it is mandatory according to relevant standards like the NST047.
Policies can be defined for both inter-zone and intra-zone traffic, and cybersecurity specialists are provided with several practical tools to enforce them with zoning like firewalls or physical data diodes. These can be thought of as one-way cables that are physically incapable of transmitting information backward.
Imagine a plant where a programmable logic controller (PLC; industrial computer control system) controls certain equipment, and an analyst needs real-time data about the PLC’s behavior. The same analyst produces reports in an office software package and has access to the Internet, so his computer cannot be fully protected. Through a data diode, a PLC operating in the internal logic zone can report data to the computer, but the computer cannot send malicious traffic back to the PLC, even if it is compromised.
ALARA, defense-in-depth and zoning are not specific to the nuclear field, they can be found in other sensitive industrial applications. This could lead someone to think NPP security is no different from OT security and they would be not far from the truth. A nuclear power plant does resemble a factory in some terms but it’s exceptionally safety-critical. In Hungary, the core damage frequency must be below 10-6 / reactor year for newly built blocks. This means they should provide electricity for an expected theoretical 100,000 years before any serious event occurs, although reactors are typically intended to be decommissioned after just a few decades.
A successful cyber attack in this environment will definitely cause serious losses. Even if an International Nuclear and Radiological Event Scale (INES, a seven-grade scale to classify event severity) accident is prevented, potentially damaged equipment is expensive to replace or repair and any news about this topic can spark social-political issues. Defending an NPP is even more difficult than an average OT system, too. Attacker models that define the basis of defense are quite different from those in an everyday factory. Remember Stuxnet? It was one of the biggest cyber attacks that was originally aimed at Iran’s nuclear facilities and has since mutated and spread to other industrial and energy-producing facilities. It proved that nation-state actors are present and relevant in cyber warfare.
Luckily, NPP operators and their contractors are not alone in fighting attackers: state intelligence usually helps with this kind of protection. They provide invaluable information on potential actors’ capabilities and alert them when they learn about imminent penetration attempts. State services also check the backgrounds of each supplier, contractor and even personnel that comes in contact with an NPP.
Therefore, security requirements differ from those in everyday industrial facilities. Controls must be verifiably stronger. There are detailed decrees which list rules and expectations which are often derived from International Atomic Energy Agency (IAEA) recommendations. It is the operator’s obligation to demonstrate that their NPP meets the required level of protection. This evidence is always thoroughly examined by the national nuclear agency, and it’s rejected if any part of it is inadequate. This makes nuclear cyber security particularly challenging, as it is often far from trivial to find the right answer to all requirements. Moreover, proving their compliance may even require scientific research.
International and national standards guide protective measures but typically do not prescribe the exact steps to be taken. Instead, they impose requirements and leave implementation (and justification for implementation) to the operator. Standards are intended to remain up to date for years, so they are more about general principles than day-to-day specifics.
When looking for specific tips and procedures, you should study the latest scientific publications. Research is ongoing to find out how to apply the latest standards and what other approaches might work. The best results will be incorporated into the next generation of standards that will make the nuclear field ever safer.
At Ukatemi, we have already developed a risk assessment process for an NPP, building on our expertise in OT security, and we continue to train our team of experts, gaining domain-specific knowledge and aiming to create a safer energy industry.
Copyright 2023 Ukatemi Technologies Plc.