Announcement of a new IAEA Co-ordinated Research Programme (CRP)

1. Title of Co-ordinated Research Programme
Design and engineering aspects of the robustness of digital instrumentation and control (I&C) systems in nuclear power plants (NPPs) against malicious acts (tentative title).

2. Brief Summary
This document presents a proposal for a CRP on the evaluation, comparison and improvement of the characteristics of the various digital I&C system designs used in NPPs, in terms of their robustness to cyberattacks or, more generally, to any internal or external malicious act.

Cybersecurity is currently the object of much attention, in large part because of the pervasiveness and critical roles of digital systems in modern societies. Similarly, digital I&C systems and equipment play an increasing role in NPPs, either through initial design or through I&C modernizations and upgrades. Malicious attacks on these systems could have serious effects on plant safety, which in turn could lead to severe, unacceptable societal consequences. Also, particularly in countries where nuclear power represents a significant part of electricity production, NPP availability and performance can be of vital economic and societal interest. In addition, vulnerability of NPP systems to malicious attacks could undermine the public acceptance of nuclear power.

This proposal identifies, and plans to complete, the research, evaluation, comparison and improvements required in the field of digital I&C systems.

The technical subject of the CRP was identified by the IAEA Technical Working Group on Nuclear Power Plant Control and Instrumentation (TWG-NPPIC) as an area of high importance. Many members of the TWG-NPPIC are potential contributors and reviewers of the proposed CRP. Similarly, cyber security of nuclear installations was the subject of a recent initiative of three IAEA divisions (NSNS, NENP, NSNI), resulting in a workshop which took place in February 2011 and a large technical meeting to be held in May.

3. Background situation analysis (Rationale/Problem)

3.1 Solutions good for Information Technology (IT) systems are not always applicable to digital I&C systems in NPPs
Very significant efforts have already been devoted to the general issue of cybersecurity, resulting in various approaches, methods, techniques, standards, regulatory requirements and guidelines. However, these results were mainly developed for, and applied to, general IT systems; they are not always directly applicable to NPP digital systems, and in some cases should not be applied to them, especially in systems important to safety.

In particular, most of these NPP systems are, to various degrees, of importance to plant safety, availability and/or performance. Most of these systems are also real-time systems, the actions of which must be performed within strict time intervals. Examples of such actions are reactor trips, limitation actions and alarms signalling to operators. Therefore, it is absolutely essential that cybersecurity measures do not risk preventing or delaying necessary actions. This is particularly true for actions that also involve human actions, such as those of control-room or field operators.

It is equally important that cybersecurity measures do not risk causing spurious or incorrect actions that could lead to plant trips, plant equipment damage or, worse, accident conditions. Such risks could occur if cybersecurity measures introduce additional complexity in the system design to the point where verification & validation (V&V) is less effective and there is an increased potential for failure due to unnecessarily complex designs. For example, whereas encryption is a cybersecurity technique commonly used in IT systems, it is generally avoided in I&C systems.
Similarly, cybersecurity measures should not add significant complexity to, or lengthen, plant and I&C system operation and maintenance activities, such as surveillance, diagnostics, repair and recovery from failures.

3.2 NPP digital I&C systems have specific cybersecurity needs
Another reason why cybersecurity measures applicable to IT systems are not always appropriate to NPP digital systems is that NPP digital systems have distinct cybersecurity needs. In particular, most NPP systems put a lesser emphasis on information confidentiality (e.g. access to temperature and pressure data does not in itself lead to direct threats on the plant), and a higher emphasis on system and information integrity (e.g. prevention of unauthorised changes, preclusion of undetected modifications) and on system availability.

4. Overall Objective
The overall objective of the proposed CRP is to strengthen Member States' capabilities for the optimization of nuclear power plant performance and service life by means of an improved understanding of the related engineering and management areas of cyber security. This includes taking appropriate measures against malicious acts targeting the digital I&C systems of NPPs. The objectives of the CRP are in line with, and directly support, Project Engineering support for design, operation, maintenance, and plant life management for safe long term operation under Sub-programme Integrated Support for Operating Nuclear Facilities in the Programme Cycle.

5. Specific Research Objective (Purpose)
The objectives of this CRP and its research approach are listed below.

5.1 Terminology
Cybersecurity practices have been extensively developed to protect IT systems. Consequently, the associated terminology and concepts primarily relate to the protection of information systems during the conduct of information exchange and storage.
For nuclear power plants, a primary concern is the assurance of the functionality of active control and safety systems and the integrity of the real-time data upon which those systems rely. Therefore, it is necessary to ensure that the terminology of the cybersecurity discipline is appropriately translated and expanded to accommodate the unique considerations of NPP digital I&C systems. Enhancement of a context-specific glossary of cybersecurity terminology is a key unifying activity to advance the treatment of potential vulnerabilities and the application of mitigation techniques.

5.2 Analysis of Standards, Regulatory Requirements, Guidance and Practices
In addition to general security standards like ISO 17799, several standards and guides relating to cybersecurity for nuclear facilities have recently been released or are currently under development. Specifically, the IAEA is developing a draft guide for computer security at nuclear facilities. The International Electrotechnical Commission is currently generating an initial standard (IEC 62645) on security programs for computer-based systems. The U.S. Nuclear Regulatory Commission has issued guidance on cybersecurity programs at nuclear facilities in a Regulatory Guide (RG); in addition, RG 1.152, Rev. 2, contains guidance on cybersecurity considerations throughout the lifecycle of digital I&C systems. The Nuclear Energy Institute also provides cybersecurity guidelines for the U.S. nuclear power industry. Additional standards are being developed by ISA99 and IEC TC65 for the computer security of industrial automation. An analysis of these and other standards will be conducted under this research program to capture commonalities and differences, identify gaps in guidance, and provide the basis for the development of a harmonized approach.
5.3 Identification of Security Goals for NPP Digital I&C Systems
As noted earlier, NPP digital systems have specific cybersecurity needs. Therefore, one research action of the CRP will be to specify the cybersecurity solutions and good practices for the various classes of NPP digital systems and equipment. In particular, attention should also be given to support systems. One example of such systems is the configuration or programming devices, which allow operators to enter or modify system parameters or system programming. Other examples are engineering, monitoring and diagnostics workstations.

5.4 Identification of Threats to NPP Digital I&C Systems
Threats may occur at various components (entry points) of a complex digital I&C system and at various stages of the digital system lifecycle, in particular during development, manufacturing, installation on site, operation, maintenance and modification. One research action of the CRP will be to identify and characterise these threats along the lifecycle.

5.5 Identification of Constraints Specific to NPP Digital I&C Systems
Also as noted earlier, NPP digital I&C systems are subject to specific constraints. One action of the CRP will be to systematically list these constraints and requirements for the various classes of NPP digital I&C systems and equipment.

5.6 Solutions and Opportunities
This CRP will assess the known protection measures against the identified threats, taking into consideration the identified constraints on digital I&C systems. It may also propose desired features and protections based on the good practices collected and analysed in the CRP. The treatment of cybersecurity in digital I&C systems at nuclear power plants can take many forms. Opportunities to prevent, mitigate or tolerate cyber threats can arise through technological means, system design and plant I&C architecture.
The identification of approaches and options requires investigation of the cybersecurity features of current and emerging digital I&C systems at nuclear power plants, as well as determination of the characteristics that can be exploited to address potential threats and provide appropriate levels of protection. The selection of the technology upon which to implement digital I&C systems can be informed by consideration of relative strengths and weaknesses related to susceptibility and robustness. Specifically, software-based platforms, programmable logic devices and mixed-mode (analog and digital) circuits offer different cyber-related characteristics. This research program will contribute to the systematic identification of the key characteristics offered by the various technological options and thus support a clear assessment of potential vulnerabilities. The research results can facilitate the exploitation of a range of capabilities, through design and architectural configuration, to eliminate threats, mitigate risk and minimize the impact of attacks.

5.7 Overall Plant Security Framework
These measures could (and should, when appropriate) rely in large part on measures already taken for plant safety and security, and for system safety and dependability. In particular, physical access to digital system cabinets is generally necessary to modify parameters or programming, and NPPs provide extensive physical access protection. Also, plant personnel who have access to critical locations are carefully screened.

Nuclear power plants also traditionally employ architectural concepts (such as independence, redundancy, defense in depth and diversity) to support safety. These architectural considerations can be exploited to contribute to cybersecurity. For example, diversity in system design or technology usage can reduce commonalities in vulnerability among key safety or control systems. This research program will investigate the impact of various architectural approaches (redundancy, diversity, voting, etc.) on achieving the goals of safety, availability and security.

5.8 Dependability & Safety Measures Already Applied to NPP Digital I&C Systems
This research program will investigate effective approaches to ensure adequate treatment of cybersecurity considerations in design throughout the system lifecycle. Digital I&C system design generally provides for the realization of functional and performance requirements with specified quality and reliability characteristics. Historically, cybersecurity has not been given significant consideration in the design of I&C systems at nuclear power plants, because these systems have traditionally been invulnerable to cyberattack owing to rigid (i.e. hardwired or analog) implementation, segregation (i.e. stove-piped or isolated systems) and a general absence of interactive communications (especially with external networks). However, the transition to digital technology is changing the nature of I&C systems at nuclear power plants by enabling extensive interconnection of reprogrammable, functionally interdependent I&C systems. Thus, cybersecurity must be explicitly considered as part of the system design. Defensive design measures that have been developed to ensure deterministic performance and reliable functionality can be adapted to also address the prevention or mitigation of cyber threats.

In addition to the digital implementation itself, the design process consists of lifecycle phases in which vulnerabilities can exist, for example through compromise of design or testing tools. Thus, cybersecurity must be addressed not only through the design features of the system but also through the provisions and protections established for the design and development process.
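The following is an added illustration, not part of the IAEA announcement and not code from any project it names. It models the architectural approaches mentioned above (redundancy, voting and diversity) as a 2-out-of-3 voted reactor-trip function and evaluates two constructed channel designs against a single compromised channel and against a common-mode compromise of every channel sharing one platform. The trip setpoint, the temperatures, the channel names and the platform labels are all constructed values; the platform labels follow the three technology families the announcement lists (software-based, programmable logic, analog), and the assumption that channels on the same platform share the same vulnerability is the simplification that makes the diversity argument visible.

```python
# Added illustration (not part of the IAEA announcement): a minimal model of a
# 2-out-of-3 (2oo3) voted reactor-trip function, used to show how redundancy,
# voting and platform diversity interact with a malicious act on a channel.
import copy
from dataclasses import dataclass
from typing import Dict, List

# Constructed value: a hypothetical high-temperature trip setpoint (degrees C).
TRIP_SETPOINT_C = 350.0


@dataclass
class Channel:
    """One redundant measurement/logic channel of the trip function.

    'platform' labels the technology the channel is built on; channels that
    share a platform are assumed (simplification) to share the same
    vulnerabilities, i.e. the 'commonality in vulnerability' that diversity is
    meant to reduce. A compromised channel ignores the measurement and reports
    forced_output instead.
    """
    name: str
    platform: str
    compromised: bool = False
    forced_output: bool = False

    def trip_demand(self, temperature_c: float) -> bool:
        if self.compromised:
            return self.forced_output
        return temperature_c > TRIP_SETPOINT_C


def vote_2oo3(demands: List[bool]) -> bool:
    """Trip when at least two of the three channels demand it."""
    assert len(demands) == 3
    return sum(1 for d in demands if d) >= 2


def plant_trips(channels: List[Channel], temperature_c: float) -> bool:
    return vote_2oo3([c.trip_demand(temperature_c) for c in channels])


def compromise_platform(channels: List[Channel], platform: str, forced_output: bool) -> int:
    """Model a common-mode malicious act: every channel on 'platform' is forced
    to the same output. Returns how many channels were affected."""
    hit = [c for c in channels if c.platform == platform]
    for c in hit:
        c.compromised, c.forced_output = True, forced_output
    return len(hit)


def assess(design: List[Channel]) -> Dict[str, bool]:
    """Evaluate a design against four constructed scenarios; True means the
    safety or availability goal named by the key is still met."""
    results: Dict[str, bool] = {}
    # Baseline: trips above the setpoint, stays on line below it.
    d = copy.deepcopy(design)
    results["baseline_correct"] = plant_trips(d, 360.0) and not plant_trips(d, 300.0)
    # Availability: one channel forced to 'trip' must not cause a spurious trip.
    d = copy.deepcopy(design)
    d[0].compromised, d[0].forced_output = True, True
    results["no_spurious_trip_one_channel"] = not plant_trips(d, 300.0)
    # Safety: one channel forced to 'no trip' must not block a required trip.
    d = copy.deepcopy(design)
    d[0].compromised, d[0].forced_output = True, False
    results["trips_despite_one_channel"] = plant_trips(d, 360.0)
    # Common mode: every channel sharing the first channel's platform is forced
    # to 'no trip'. Only a design with platform diversity keeps the required trip.
    d = copy.deepcopy(design)
    compromise_platform(d, d[0].platform, False)
    results["trips_despite_platform_compromise"] = plant_trips(d, 360.0)
    return results


# Constructed designs: three channels on one platform versus three diverse platforms.
NON_DIVERSE = [Channel("A", "software"), Channel("B", "software"), Channel("C", "software")]
DIVERSE = [Channel("A", "software"), Channel("B", "programmable-logic"), Channel("C", "analog")]

if __name__ == "__main__":
    for label, design in (("non-diverse", NON_DIVERSE), ("diverse", DIVERSE)):
        print(label, assess(design))
```

Both designs pass the single-channel scenarios, which is what redundancy plus 2oo3 voting buys on its own: one manipulated channel can neither force a spurious trip (availability) nor block a required one (safety). Only the diverse design survives the common-mode scenario, which is the point the announcement makes about diversity reducing shared vulnerability; in a real plant the analysis would also have to cover the voter itself and the support systems that configure the channels.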
In particular, fault avoidance, detection and tolerance approaches, and extensive independent verification & validation (V&V), sometimes based on methods and tools diverse from those used during development, could be credited in the defence against malware that could be introduced during development. Overall, considering what is already done for the systems that are the most important to safety, it is expected that limited changes in design and development processes will be necessary. However, the same cannot be said of all systems of low safety significance and of support systems, and it is likely that more effort will be necessary there.

6. Expected Research Outputs
The results of this CRP are planned to be published in a Nuclear Energy Series document when the work of the CRP is completed. Due to the sensitive nature of the subject, the distribution of the report should be restricted. Constraints of confidentiality should also be placed on the development and execution process of the CRP.

7. Expected Research Outcomes
After completing the tasks under this CRP, recommendations to NPP utilities, regulatory bodies and I&C vendors may be available. Gaps in various national and international standards, guidelines and good practice documents will be identified, to which participants can direct future research activities to improve the resistance of NPP digital I&C systems to malicious acts.
- Mapping and gap analysis of existing cybersecurity guidance applicable to digital I&C systems in nuclear power plants
- Compilation of best practices of cybersecurity for system vendors, I&C architects, utilities and regulators
- Comparison of methods & tools for assessing threats and the effectiveness of responses to cyberthreats
- Comparison of various conceptual designs of digital I&C architectures in terms of their resistance to cyberattacks
8. Relationship to Sub-programme Objective
The expected research outputs of the proposed CRP would contribute to the objectives of Project Engineering support for design, operation, maintenance, and plant life management for safe long term operation under Sub-programme Integrated Support for Operating Nuclear Facilities in the Programme Cycle: to enhance the performance and safe lifetime operation of nuclear power plants.

9. Action Plan (Activities)
Description of Activity (1) (2) (3)

1. Identification and Description of Programme Objectives
The technical areas for research, assessment and comparison that need to be developed under the CRP will be identified. CRP objectives, a three-year workplan and the expected results of the CRP will be established.

2. Evaluation of Proposals and Selection of Participating Organizations
The CRP will require the participation of several key organizations covering the subjects of the CRP. Research agreements will be awarded to the organizations submitting the best proposals to achieve the CRP objectives. Chief Scientific Investigators (CSIs) from each participating organization will be identified.

3. First Research Co-ordination Meeting (RCM) to Establish Research Activities
Organizing the 1st meeting for the CRP. Participating organizations will present their research proposals and their related experience. A work plan and a draft outline of the expected CRP report on the subject will be developed. Post-meeting assignments will be given to participants.

4. Exchange of Information During the First and the Second Year of the CRP
The IAEA Secretariat and the CSIs will arrange for the exchange of information between the meetings. During the first year of the CRP, an interim report will be drafted and circulated before the next meeting.

5. Second Research Co-ordination Meeting to Report on First Results and Write First Draft of Report on the Subject
Participating organizations will present their reports on the activities and results from the first year of the CRP. The interim report on the subject will be developed from the results of the activities in the first and the second year of the CRP and published as a working document.
6. Exchange of Information During the Second and the Third Year of the CRP
The IAEA Secretariat and the CSIs will exchange information during the second and the third year of the CRP. The draft CRP report will be updated and further developed using the results and information obtained during the first and second year of the CRP. The draft report will be circulated before the next meeting.

7. Third Research Co-ordination Meeting to Evaluate Research Results Achieved in All Areas of Engineering Solutions
Participating organizations will present working group and national reports on the activities and results from the third year of the CRP. The second draft of the report on the CRP will be prepared, including new information based on experience and the activities in the third year of the CRP.

8. Publish an NE-Series Report on the Results of the CRP

10. Assumptions
It is assumed that limited financial resources will be available from both the IAEA and the participating organizations. It is also assumed that participating organizations commit themselves to the execution of the project for its entire duration. Specific assumptions are mentioned in Section 13. Equally important is the consensus between NENP, NSNI and NSNS on the scope, objectives and deliverables of the CRP.

11. Foreseen Participation
It is expected that proposals for research agreements will be submitted from Member States with operating NPPs, or NPPs under construction, such as Canada, China, Finland, France, Germany, Hungary, Japan, Republic of Korea, Russian Federation, Sweden, Switzerland, Ukraine, United Kingdom and United States of America. Proposals may be received from additional Member States. Potential participating organizations could be NPP I&C vendors, nuclear utilities, regulatory bodies and their TSOs, research laboratories and international organisations.

12. Links to Technical Cooperation (TC) Projects
Outputs of the CRP can be used in related national and regional TC projects, if such projects are initiated for the cybersecurity of digital I&C systems in NPPs. This may include the use of CRP-based reports and working materials as workshop/training materials. Also, results of benchmarking or design comparisons produced under the CRP can serve as teaching tools. CRP participants are also potential lecturers and experts at future TC workshops and expert missions. The successful conclusion of the CRP may also lead to new TC projects on the subject.
13. Logical Framework
The table below describes the Logical Framework for the CRP. Each row gives the narrative summary, the objective verifiable indicators, the means of verification and the important assumptions.

Specific Research Objective
Narrative summary: The objective of this CRP is to define and coordinate research to support the assessment and comparison of:
- existing good practices in designing, implementing and operating digital I&C systems from the viewpoint of cybersecurity;
- the characteristics of the ideal I&C system resistant to cyberattacks;
- consistent terminology used in the cybersecurity of IT systems and of digital I&C systems in NPPs, in order to accommodate the unique considerations of NPP digital I&C systems;
- analysis of standards, regulatory requirements, guidance and practices;
- identification of security goals, threats and constraints specific to NPP digital I&C systems.
Objective verifiable indicators: The R&D areas identified in the CRP workplan are progressing and the CRP draft report is updated periodically. CRP meetings are held and significant contributions are received from the CSIs. Enhancement of a context-specific glossary of cybersecurity terminology for digital I&C systems in NPPs.
Means of verification: Progress reports and the CRP draft report are reviewed periodically by NENP, NSNI and NSNS.
Important assumptions: Support from the CSIs' home organizations is provided to CRP participants. Continuous coordination occurs between the CSIs and the IAEA. Coordinated work is done between CRP meetings. Appropriate support is provided to the CRP activities by the IAEA Project Officer.

Expected Research Outputs
Narrative summary: The result of this CRP will be a Nuclear Energy Series document or a TECDOC describing the results supporting the above objectives. Progress reports and RCM reports will be prepared according to the action plan.
Objective verifiable indicators: The CRP draft report is updated periodically.
Means of verification: Progress reports and RCM reports are reviewed. The CRP final report is approved by NE-DCT, NSNI, NSNS and PC.
Important assumptions: Sufficient technical potential, skills, time and resources are available from participating organizations to conduct the research. CRP members (especially vendors and NPP utilities) are willing to share design-related information. The CRP's research areas are covered by ongoing R&D projects in participating organizations.

Activities
- Formation of a team of CSIs representing NPP utilities, I&C vendors, nuclear regulators and TSOs to implement the CRP. Indicator: research agreements are awarded. Verification: approval of the research agreements by NACA. Assumptions: NENP, NSNI and NSNS agree on the CRP's workplan and the composition of the CSI groups; a sufficient number of proposals are submitted from qualified organizations.
- Organizing the 1st RCM (2011). Indicator: 1st RCM held. Verification: CRP Progress Report is produced and the CRP draft report is updated. Assumption: research areas are assigned to groups of CSIs covering all relevant areas.
- Organizing the 2nd RCM (2012). Indicator: 2nd RCM held. Verification: CRP Progress Report is produced. Assumption: research is progressing and the results are being integrated into the CRP draft report.
- Organizing the 3rd RCM (2013). Indicator: 3rd RCM held. Verification: CRP Progress Report is produced. Assumption: research tasks are near completion and the CRP draft report is updated.
- Publishing the CRP Final Report as a Nuclear Energy Series Document or a TECDOC in 2013. Indicator: the CRP Final Report is produced. Verification: the CRP Final Report is approved and published. Assumption: all key CSIs contributed to the CRP draft report and the report is approved by NE-DCT, NSNI, NSNS and PC.