Announcement of a new IAEA Co-ordinated Research Programme (CRP)
1. Title of Co-ordinated Research Programme

Design and engineering aspects of the robustness of digital instrumentation and control (I&C) systems in nuclear power plants (NPPs) against malicious acts (tentative title).

2. Brief Summary

This document presents a proposal for a CRP on the evaluation, comparison, and improvements of the characteristics of various digital I&C system designs used in NPPs, in terms of their robustness to cyberattacks, or in general, to any internal or external malicious acts.

Cybersecurity is currently the object of much attention, in large part due to the pervasiveness and critical roles of digital systems in modern societies. Similarly, digital I&C systems and equipment play an increasing role in NPPs, either through initial design or through I&C modernizations and upgrades. Malicious attacks on these systems could have serious effects on plant safety, which in turn could lead to severe, unacceptable, societal consequences. Also, particularly in countries where nuclear power represents a significant part of electricity production, NPP availability and performance can be of vital economic and societal interest. In addition, vulnerability of NPP systems to malicious attacks could undermine the public acceptance of nuclear power.

This proposal identifies, and plans to complete, the research, evaluation, comparison and improvements required in the fields of digital I&C systems. The technical subject of the CRP was identified by the IAEA Technical Working Group on Nuclear Power Plant Control and Instrumentation (TWG-NPPIC) as an area of high importance. Many members of the TWG-NPPIC are potential contributors and reviewers of the proposed CRP.
Similarly, cyber security of nuclear installations was the subject of a recent initiative of three IAEA divisions (NSNS, NENP, NSNI) resulting in a workshop which took place in February 2011 and a large technical meeting to be held in May

Background situation analysis (Rationale/Problem)

3.1 Solutions good for Information Technology (IT) systems are not always applicable to digital I&C systems in NPPs

Very significant efforts have already been devoted to the general issue of cybersecurity, resulting in various approaches, methods, techniques, standards, regulatory requirements and guidelines. However, these results were mainly developed for, and applied to, general IT systems, and are not always directly applicable, and should not be applicable, to NPP digital systems, especially in systems important to safety.

In particular, most of these NPP systems are, to various degrees, of importance to plant safety, availability and/or performance. Most of these systems are also real-time systems, the actions of which must be performed within strict time intervals. Examples of such actions are reactor trips, limitation actions, and alarm signalling to operators. Therefore, it is absolutely essential that cybersecurity measures do not risk preventing or delaying necessary actions. This is particularly true for actions also involving human actions, like those of control-room or field operators.

It is equally important that cybersecurity measures do not risk causing spurious or incorrect actions that could lead to plant trips, plant equipment damage, or worse, accident conditions. Such risks could occur if cybersecurity measures introduce additional complexity in the system design to the point where verification & validation (V&V) is less effective and there is an increased potential for failure due to unnecessarily complex designs. For example, whereas encryption is a cybersecurity technique commonly used in IT systems, it is generally avoided in I&C systems.
Similarly, cybersecurity measures should not add significant complexity to, or lengthen, plant and I&C systems operation and maintenance activities, such as surveillance, diagnostics, repairing and recovery from failures.

NPP digital I&C systems have specific cybersecurity needs

Another reason why cybersecurity measures applicable to IT systems are not always appropriate to NPP digital systems is that NPP digital systems have distinct cybersecurity needs. In particular, most NPP systems put a lesser emphasis on information confidentiality (e.g. access to temperature and pressure data does not in itself lead to direct threats on the plant), and a higher emphasis on system and information integrity (e.g. prevention of unauthorised changes, preclusion of undetected modifications) and system availability.

4. Overall Objective

The overall objective of the proposed CRP is to strengthen Member States' capabilities for optimization of nuclear power plants performance and service life by means of improved understanding of the related engineering and management areas of cyber security. This includes taking appropriate measures against malicious acts targeting the digital I&C systems of NPPs. The objectives of the CRP are in line with, and directly support, Project Engineering support for design, operation, maintenance, and plant life management for safe long term operation under Sub-programme Integrated Support for Operating Nuclear Facilities in the Programme Cycle.

5. Specific Research Objective (Purpose)

The objective of this CRP and its research approach are listed below.

Terminology

Cybersecurity practices have been extensively developed to protect IT systems. Consequently, the associated terminology and concepts concerning this issue primarily relate to the protection of information systems during the conduct of information exchange and storage.
For nuclear power plants, a primary concern is the assurance of the functionality of active control and safety systems and the integrity of real-time data upon which those systems rely. Therefore, it is necessary to ensure that the terminology within the cybersecurity discipline is appropriately translated and expanded to accommodate the unique considerations of nuclear power plants' digital I&C systems. Enhancement of a context-specific glossary of cybersecurity terminology is a key unifying activity to advance the treatment of potential vulnerabilities and application of mitigation techniques.

Analysis of Standards, Regulatory Requirements, Guidance and Practices

In addition to general security standards like ISO 17799, several standards and guides relating to cybersecurity for nuclear facilities have been recently released or are currently under development. Specifically, the IAEA is developing a draft guide for computer security at nuclear facilities. The International Electrotechnical Commission is currently generating an initial standard (IEC 62645) on security programs for computer-based systems. The U.S. Nuclear Regulatory Commission has issued guidance on cybersecurity programs at nuclear facilities in Regulatory Guide (RG) In addition, RG 1.152, Rev. 2, contains guidance on cybersecurity considerations throughout the lifecycle of digital I&C systems. The Nuclear Energy Institute also provides cybersecurity guidelines for the U.S. nuclear power industry. Additional standards are being developed by ISA99 and IEC TC65 for computer security of industrial automation. An analysis of these standards and others will be conducted under this research program to capture commonalities and differences, identify gaps in guidance, and provide the basis for development of a harmonized approach.
5.3. Identification of Security Goals for NPP Digital I&C Systems

As noted earlier, NPP digital systems have specific cybersecurity needs. Therefore, one research action of the CRP will be to specify the cybersecurity solutions and good practices for various classes of NPP digital systems and equipment. In particular, attention should also be given to support systems. One example of such systems is the configuration or programming devices, which allow operators to enter or modify systems parameters or systems programming. Other examples are engineering, monitoring and diagnostics workstations.

Identification of Threats to NPP Digital I&C Systems

Threats may occur at various components (entry points) of a complex digital I&C system and at various stages of the digital system lifecycle, in particular during development, manufacturing, installation on site, operation, maintenance and modification. One research action of the CRP will be to identify and characterise these threats along the lifecycle.

Identification of Constraints Specific to NPP Digital I&C Systems

Also as noted earlier, NPP digital I&C systems are subject to specific constraints. One action of the CRP will be to systematically list these constraints and requirements, for the various classes of NPP digital I&C systems and equipment.

Solutions and Opportunities

This CRP will assess the known protection measures against the identified threats, taking into consideration the identified constraints on digital I&C systems. It may also propose desired features and protections based on the good practices collected and analysed in the CRP. The treatment of cybersecurity in digital I&C systems at nuclear power plants can take many forms. Opportunities to prevent, mitigate, or tolerate cyber threats can arise through technological means, system design, and plant I&C architecture.
The identification of approaches and options requires investigation of the cybersecurity features of current and emerging digital I&C systems at nuclear power plants as well as determination of characteristics that can be exploited to address potential threats and provide appropriate levels of protection. The selection of technology upon which to implement digital I&C systems can be informed by consideration of relative strengths and weaknesses related to susceptibility and robustness. Specifically, software-based platforms, programmable logic devices, and mixed mode (analog and digital) circuits offer different cyber-related characteristics. This research program will contribute to the systematic identification of key characteristics offered by various technological options and thus support a clear assessment of potential vulnerabilities. The research results can facilitate exploitation of a range of capabilities through design and architectural configuration to eliminate threats, mitigate risk and minimize the impact of attacks.

Overall Plant Security Framework

These measures could (and should, when appropriate) in large part rely on measures already taken for plant safety and security, and for system safety and dependability. In particular, physical access to digital systems cabinets is generally necessary to modify parameters or programming, and NPPs provide extensive physical access protection. Also, plant personnel that have access to critical locations are carefully screened.

Also, nuclear power plants traditionally employ architectural concepts (such as independence, redundancy, defense in depth, and diversity) to support safety. These architectural considerations can be exploited to contribute to cybersecurity. For example, diversity in system design or technology usage can reduce commonalities in vulnerability among key safety or control systems. This research program will investigate the impact of various architectural approaches (redundancy, diversity, voting, etc.) on achieving the goals of safety, availability and security.

Dependability & Safety Measures Already Applied to NPP Digital I&C Systems

This research program will investigate effective approaches to ensure adequate treatment of cybersecurity considerations in design throughout the system lifecycle. Digital I&C system design generally provides for realization of functional and performance requirements with specified quality and reliability characteristics. Historically, cybersecurity has not been given significant consideration in the design of I&C systems at nuclear power plants because these systems have traditionally been invulnerable to cyberattack due to rigid (i.e., hardwired or analog) implementation, segregation (i.e., stove-piped or isolated systems), and a general absence of interactive communications (especially with external networks). However, the transition to digital technology is changing the nature of I&C systems at nuclear power plants by enabling extensive interconnection of reprogrammable, functionally interdependent I&C systems. Thus, cybersecurity must be explicitly considered as part of the system design. Defensive design measures that have been developed to ensure deterministic performance and reliable functionality can be adapted to also address prevention or mitigation of cyber threats.

In addition to the digital implementation itself, the design process consists of lifecycle phases in which vulnerabilities can exist, for example through compromise of design or testing tools. Thus, cybersecurity must be addressed not only through design features of the system but also through provision and protections established for the design and development process.
In particular, fault avoidance, detection and tolerance approaches, and extensive independent verification & validation (V&V), sometimes based on methods and tools diverse from those used during development, could be credited in the defence against malware that could be introduced during development. Overall, considering what is already done regarding the systems that are the most important to safety, it is expected that limited changes in design and development process will be necessary. However, the same cannot be said of all systems of low safety significance and support systems, and it is likely that more effort will be necessary there.

6. Expected Research Outputs

The results of this CRP are planned to be published in a Nuclear Energy Series document when the work of the CRP is completed. Due to the sensitive nature of the subject, the distribution of the report should be restricted. Constraints of confidentiality should also be placed on the development and execution process of the CRP.

7. Expected Research Outcomes

After completing the tasks under this CRP, recommendations to NPP utilities, regulatory bodies, and I&C vendors may be available. Gaps in various national and international standards, guidelines and good practice documents will be identified, to which participants can direct future research activities to improve the resistance of NPP digital I&C systems to malicious acts.

- Mapping and gap analysis of existing cybersecurity guidance applicable to digital I&C systems in nuclear power plants
- Compilation of best practices of cybersecurity for system vendors, I&C architects, utilities, regulators
- Comparison of methods & tools for assessing threats and effectiveness of responses to cyberthreats
- Comparison of various conceptual designs of digital I&C architectures in terms of their resistance to cyberattacks.
8. Relationship to Sub-programme Objective

The expected research outputs of the proposed CRP would contribute to the objectives of Project Engineering support for design, operation, maintenance, and plant life management for safe long term operation under Sub-programme Integrated Support for Operating Nuclear Facilities in the Programme Cycle: To enhance performance and safe lifetime operation of nuclear power plants.

9. Action Plan (Activities)

Description of Activity (1) (2) (3)

1. Identification and Description of Programme Objectives
The technical areas for research, assessment, and comparisons, that need to be developed under the CRP, will be identified. CRP objectives, a three-year workplan, and the expected results of the CRP will be established.

2. Evaluation of Proposals and Selection of Participating Organizations
The CRP will require the participation of several key organizations covering the subjects of the CRP. Research agreements will be awarded to the organizations submitting the best proposals to achieve CRP objectives. Chief Scientific Investigators (CSI) from each participating organization will be identified.

3. First Research Co-ordination Meeting (RCM) to Establish Research Activities
Organizing the 1st meeting for the CRP. Participating organizations will present their research proposals and their related experience. A work plan and draft outline of the expected CRP report on the subject will be developed. Post-meeting assignments will be given to participants.

4. Exchange of Information During the First and the Second Year of the CRP
The IAEA Secretariat and the CSIs will arrange for the exchange of information between the meetings. During the first year of the CRP, an interim report will be drafted and circulated before the next meeting.

5. Second Research Co-ordination Meeting to Report on First Results and Write First Draft of Report on the Subject
Participating organizations will present their reports on the activities and results from the first year of CRP. The interim report on the subject will be developed from the results of the activities in the first and the second year of CRP and published as a working document.
6. Exchange of Information During the Second and the Third Year of the CRP
IAEA Secretariat and the CSIs will exchange information during the second and the third year of the CRP. The draft CRP report will be updated and further developed using the results and information obtained during the first and second year of the CRP. The draft report will be circulated before the next meeting.

7. Third Research Co-ordination Meeting to Evaluate Research Results Achieved in All Areas of Engineering Solutions
Participating organizations will present working groups and national reports on the activities and results from the third year of the CRP. The second draft of the report on the CRP will be prepared including new information based on experience and the activities in the third year of the CRP.

8. Publish an NE-Series Report on the Results of the CRP

10. Assumptions

It is assumed that limited financial resources will be available from both the IAEA and the participating organizations. It is also assumed that participating organizations commit themselves to the execution of the project for its entire duration. Specific assumptions are mentioned in Section 13. Equally important is the consensus between NENP, NSNI, and NSNS on the scope, objectives, and deliverables of the CRP.

11. Foreseen Participation

It is expected that proposals for research agreements will be submitted from Member States with operating NPPs, or NPPs under construction, such as Canada, China, Finland, France, Germany, Hungary, Japan, Republic of Korea, Russian Federation, Sweden, Switzerland, Ukraine, United Kingdom, United States of America. Proposals may be received from additional Member States. Potential participating organizations could be NPP I&C vendors, nuclear utilities, regulatory bodies and their TSOs, research laboratories, and international organisations.

12. Links to Technical Cooperation (TC) Projects

Outputs of the CRP can be used in related national and regional TC projects, if such projects are initiated for the cybersecurity of digital I&C systems in NPPs. This may include the use of CRP-based reports and working materials as workshop/training materials. Also, results of benchmarking or design comparisons produced under the CRP can serve as teaching tools. CRP participants are also potential lecturers and experts at future TC workshops and expert missions. The successful conclusion of the CRP may also lead to new TC projects on the subject.
13. Logical Framework

The table below describes the Logical Framework for the CRP.

Narrative summary
Specific Research Objective: The objective of this CRP is to define and coordinate research to support the assessment and comparison of
- Existing good practices in designing, implementing, and operating digital I&C systems from the viewpoint of cybersecurity
- The characteristics of the ideal I&C systems resistant to cyberattacks
- Consistent terminology used in cybersecurity of IT systems and digital I&C systems in NPPs, in order to accommodate the unique considerations of NPP digital I&C systems.

Objective verifiable indicators
The R&D areas identified in the CRP workplan are progressing and the CRP draft report is updated periodically. CRP meetings are held and significant contributions are received from the CSIs. Enhancement of a context-specific glossary of cybersecurity terminology for digital I&C systems in NPPs.

Means of verification
Progress reports and the CRP draft report are reviewed periodically by NENP, NSNI, and NSNS.

Important assumptions
Support from the CSIs' home organization is provided to CRP participants. Continuous coordination occurs between CSIs and the IAEA. Coordinated work is being done between CRP meetings. Appropriate support is provided to the CRP activities by the IAEA Project Officer.

Analysis of Standards, Regulatory Requirements, Guidance and Practices
Identification of security goals, threats, and constraints specific to NPP digital I&C systems

Expected Research Outputs: The result of this CRP will be a Nuclear Energy Series document or a TECDOC describing the results supporting the above objectives.
Progress reports and RCM reports will be prepared according to the action plan. CRP draft report is updated periodically.
Progress reports and RCM reports are reviewed. The CRP final report is approved by NE-DCT, NSNI, NSNS and PC.
Sufficient technical potential, skills, time, and resources are available from participating organizations to conduct the research. CRP members (especially, vendors and NPP utilities) are willing to share design-related information. CRP's research areas are covered by ongoing R&D projects in participating organizations.
Narrative summary | Objective verifiable indicators | Means of verification | Important assumptions

Activities
Formation of a team of CSIs representing NPP utilities, I&C vendors, nuclear regulators and TSOs to implement the CRP | Research agreements are awarded | Approval of the research agreements by NACA. NENP, NSNI, and NSNS agree on the CRP's workplan and the composition of the CSI groups.
Organizing the 1st RCM (2011) | 1st RCM held | CRP Progress Report is produced and the CRP draft report is updated.
Organizing the 2nd RCM (2012) | 2nd RCM held | CRP Progress Report is produced
Organizing the 3rd RCM (2013) | 3rd RCM held | CRP Progress Report is produced
Publishing the CRP Final Report as a Nuclear Energy Series Document or a TECDOC in 2013 | The CRP Final Report is produced | The CRP Final Report is approved and published

A sufficient number of proposals is submitted from qualified organizations. Research areas are assigned to groups of CSIs covering all relevant areas.
Research is progressing and the results are being integrated into the CRP draft report.
Research tasks are near completion and the CRP draft report is updated.
All key CSIs contributed to the CRP draft report and the report is approved by NE-DCT, NSNI, NSNS and PC.
Complex Systems Design & Management 2011 Safety and security interdependencies in complex systems and SoS: Challenges and perspectives Sara Sadvandi (Sodius) ssadvandi@sodius.com Nicolas Chapon (C-S) nicolas.chapon@c-s.fr
More informationWho s next after TalkTalk?
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
More informationOptions for Cyber Security. Reactors. April 9, 2015
Options for Cyber Security Design Requirements for Power Reactors April 9, 2015 Scope Discuss options for including cyber security design requirements for power reactors into NRC regulations Scope does
More informationCyber Security. perspective of an operator of a critical infrastructure. 1st CAMINO Workshop. Rolf Brunner Fachstelle IT-Sicherheit
Cyber Security perspective of an operator of a critical infrastructure 1st CAMINO Workshop Rolf Brunner Fachstelle IT-Sicherheit CH-5325 Leibstadt Telefon +41(0)56 267 71 11 www.kkl.ch Agenda Leibstadt
More informationThe rocky relationship between safety and security
The rocky relationship between safety and security Best practices for avoiding common cause failure and preventing cyber security attacks in Safety Systems Abstract: An industry practice reflected in the
More informationA DEVELOPMENT FRAMEWORK FOR SOFTWARE SECURITY IN NUCLEAR SAFETY SYSTEMS: INTEGRATING SECURE DEVELOPMENT AND SYSTEM SECURITY ACTIVITIES
A DEVELOPMENT FRAMEWORK FOR SOFTWARE SECURITY IN NUCLEAR SAFETY SYSTEMS: INTEGRATING SECURE DEVELOPMENT AND SYSTEM SECURITY ACTIVITIES JAEKWAN PARK * and YONGSUK SUH Korea Atomic Energy Research Institute
More informationIAEA Research Reactor Operations & Maintenance Support 2014 TRTR Meeting August 3rd-7th, 2014 Benson Hotel Portland Oregon
IAEA Research Reactor Operations & Maintenance Support 2014 TRTR Meeting August 3rd-7th, 2014 Benson Hotel Portland Oregon By Charles R Morris Personal Nuclear History Contents 1. Introduction 2. Digital
More informationCyber Security in a Nuclear Context
Cyber Security in a Nuclear Context Mitchell Hewes & Nick Howarth UNCLASSIFIED Who are we? Our Facilities Synchrotron Accelerators Cyclotron OPAL Lucas Heights Campus Some Considerations We have an interesting
More informationCloud security architecture
ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide
More informationCyber Security nei prodotti di automazione
Cyber Security nei prodotti di automazione Marco Biancardi, ABB SpA, Power System Division 11 dicembre 2013, Roma Why is it an issue? Isolated devices Point to point interfaces Proprietary networks Standard
More informationCyber Security and Privacy - Program 183
Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology
More informationApplication of FPGA-based Safety Controller for Implementation of NPPs I&C Systems Vladimir Sklyar, Technical Director
Application of FPGA-based Safety Controller for Implementation of NPPs I&C Systems Vladimir Sklyar, Technical Director Seminar FPGA-based I&C Systems in Nuclear Applications February 4, 2015, Energiforsk,
More informationORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT
2 OECD RECOMMENDATION OF THE COUNCIL ON THE PROTECTION OF CRITICAL INFORMATION INFRASTRUCTURES ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT The OECD is a unique forum where the governments of
More informationChanging data needs from a life cycle perspective in the context of ISO 55000
Changing data needs from a life cycle perspective in the context of ISO 55000 Mr. Ed de Vroedt and Mr. Peter Hoving Affiliation: UMS Group Europe; edevroedt@umsgroup.com, +316 1026 6162 ABSTRACT This paper
More informationWHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK
WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...
More informationU.S. NUCLEAR REGULATORY COMMISSION January 2010 REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH. REGULATORY GUIDE 5.71 (New Regulatory Guide)
U.S. NUCLEAR REGULATORY COMMISSION January 2010 REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH REGULATORY GUIDE 5.71 (New Regulatory Guide) CYBER SECURITY PROGRAMS FOR NUCLEAR FACILITIES A INTRODUCTION
More informationEA-ISP-012-Network Management Policy
Technology & Information Services EA-ISP-012-Network Management Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 01/04/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref:
More informationInformation Security in Business: Issues and Solutions
Covenant University Town & Gown Seminar 2015 Information Security in Business: Issues and Solutions A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information
More informationIEC 61508 Overview Report
IEC 61508 Overview Report A Summary of the IEC 61508 Standard for Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems exida Sellersville, PA 18960, USA +1-215-453-1720
More informationHow To Write A Contract For Software Quality Assurance
U.S. Department of Energy Washington, D.C. NOTICE DOE N 203.1 Approved: Expires: 06-02-01 SUBJECT: SOFTWARE QUALITY ASSURANCE 1. OBJECTIVES. To define requirements and responsibilities for software quality
More informationViewpoint on ISA TR84.0.02 Simplified Methods and Fault Tree Analysis Angela E. Summers, Ph.D., P.E., President
Viewpoint on ISA TR84.0.0 Simplified Methods and Fault Tree Analysis Angela E. Summers, Ph.D., P.E., President Presented at Interkama, Dusseldorf, Germany, October 1999, Published in ISA Transactions,
More informationA Security Approach in System Development Life Cycle
A Security Approach in System Development Life Cycle (1) P.Mahizharuvi, Research Scholar, Dept of MCA, Computer Center, Madurai Kamaraj University, Madurai. mahiconference@gmail.com (2) Dr.K.Alagarsamy,
More informationCyber security and critical national infrastructure
120 Dr Richard Piggin Manager Defence, Aerospace & Communications Atkins Cyber security and critical national infrastructure Abstract Cyber security is an all-embracing term, meaning different things to
More informationAUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938
More informationCybersecurity & the Water Sector
Cybersecurity & the Water Sector NAWC Water Summit October 6, 2013 San Diego, CA Kevin Morley, AWWA How to deal with Cyber Threat? How would our operations change if we did not have SCADA working? How
More informationHelp for the Developers of Control System Cyber Security Standards
INL/CON-07-13483 PREPRINT Help for the Developers of Control System Cyber Security Standards 54 th International Instrumentation Symposium Robert P. Evans May 2008 This is a preprint of a paper intended
More information1 ISA Security Compliance Institute
1 ISA Security Compliance Institute Internationally Accredited Conformance Scheme ISASecure certification programs are accredited as an ISO/ IEC Guide 65 conformance scheme and ISO/IEC 17025 lab operations
More informationImproving regulatory practices through the OECD-NEA Stress Corrosion Cracking and Cable Ageing Project (SCAP)
Improving regulatory practices through the OECD-NEA Stress Corrosion Cracking and Cable Ageing Project (SCAP) A. Yamamoto a, A. Huerta a, K. Gott b, T. Koshy c a Nuclear Safety Division, OECD Nuclear Energy
More informationDevelopment and Application of POSAFE-Q PLC Platform
Development and Application of POSAFE-Q PLC Platform MyeongKyun Lee a, SeungWhan Song a, DongHwa Yun a a POSCO ICT Co. R&D center, Korea Techno-complex 126-16, 5-ka, Anam-dong, Sungbuk, Seoul, Republic
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationCompany Management System. Business Continuity in SIA
Company Management System Business Continuity in SIA Document code: Classification: Company Project/Service Year Document No. Version Public INDEX 1. INTRODUCTION... 3 2. SIA S BUSINESS CONTINUITY MANAGEMENT
More informationOffice of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug
More informationA New Standards Project on Avoiding Programming Language Vulnerabilities
A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative from IEEE Computer Society to ISO/IEC JTC 1/SC 7 Liaison Representative between ISO/IEC JTC 1/SC
More informationPROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE0000191
Interim Techlogy Performance Report 1 PROJECT BOEING SGS Contract ID: DE-OE0000191 Project Type: Revision: V2 Company Name: The Boeing Company December 10, 2012 1 Interim Techlogy Performance Report 1
More informationNuclear Security and Incident Response
Hitachi Review Vol. 62 (2013), No. 3 168 Nuclear Security and Incident Response Kazuhiko Tanimura Hisayuki Ito Hiroyuki Kimura OVERVIEW: Since the Great East Japan Earthquake, there has been a requirement
More informationCommittees Date: Subject: Public Report of: For Information Summary
Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security
More informationSafety Requirements Specification Guideline
Safety Requirements Specification Comments on this report are gratefully received by Johan Hedberg at SP Swedish National Testing and Research Institute mailto:johan.hedberg@sp.se -1- Summary Safety Requirement
More informationDefending the Internet of Things
Defending the Internet of Things Identity at the Core of Security +1-888-690-2424 entrust.com Table of contents Introduction Page 3 Challenge: protecting & managing identity Page 4 Founders of identity
More informationPatching Off-the-Shelf Software Used in Medical Information Systems
Patching Off-the-Shelf Software Used in Medical Information Systems This Paper was developed by the Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC) This Paper has been approved by: NEMA (National
More informationHuman Factors in Design and Construction Regulatory Perspective
Further needs in the Area of management systems Safety culture, leadership and preoperational stages of nuclear projects Human Factors in Design and Construction Regulatory Perspective Technical Meeting,
More informationWhy SIL3? Josse Brys TUV Engineer j.brys@hima.com
Why SIL3? Josse Brys TUV Engineer j.brys@hima.com Agenda Functional Safety Good planning if specifications are not right? What is the difference between a normal safety and SIL3 loop? How do systems achieve
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationThe Advantages of an Integrated Factory Acceptance Test in an ICS Environment
The Advantages of an Integrated Factory Acceptance Test in an ICS Environment By Jerome Farquharson, Critical Infrastructure and Compliance Practice Manager, and Alexandra Wiesehan, Cyber Security Analyst,
More informationCyber Security for Nuclear Power Plants Matthew Bowman Director of Operations, ATC Nuclear IEEE NPEC Meeting July 2012
Cyber Security for Nuclear Power Plants Matthew Bowman Director of Operations, ATC Nuclear IEEE NPEC Meeting July 2012 ATC Nuclear ATC-N serves the commercial nuclear utilities in the US and many foreign
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationAP1000 European 18. Human Factors Engineering Design Control Document
18.2 Human Factors Engineering Program Management The purpose of this section is to describe the goals of the AP1000 human factors engineering program, the technical program to accomplish these goals,
More informationIntegrating ICS Safety and Security. Anna Ellis, Indigon Consulting
Integrating ICS Safety and Security Anna Ellis, Indigon Consulting Aim An upbeat session which looks for positives; what can be done to try to address (sometimes competing) safety and security drivers,
More informationNuclear Plant Information Security A Management Overview
Nuclear Plant Information Security A Management Overview The diagram above is a typical (simplified) Infosec Architecture Model for a nuclear power plant. The fully-developed model would, for example,
More informationRoadmaps to Securing Industrial Control Systems
Roadmaps to Securing Industrial Control Systems Insert Photo Here Mark Heard Eastman Chemical Company Rockwell Automation Process Solutions User Group (PSUG) November 14-15, 2011 Chicago, IL McCormick
More informationCPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
More informationCSNI Technical Opinion Papers
Nuclear Safety ISBN 92-64-01047-5 CSNI Technical Opinion Papers No. 7: Living PSA and its Use in the Nuclear Safety Decision-making Process No. 8: Development and Use of Risk Monitors at Nuclear Power
More informationAN APPLICATION STUDY FOR THE CLASS IE DIGITAL CONTROL AND
- 39 - AN APPLICATION STUDY FOR THE CLASS IE DIGITAL CONTROL AND MONITORING SYSTEM m,,,.,.., HIROYUKIFUKUMITSU Nuclear Power Plant Department, EISC MITSUBISHI ELECTRIC CORPORATION Kobe, Japan XA9846493
More informationOlav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord
Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord Implementation of Cyber Security for Yara Glomfjord Speaker profile Olav Mo ABB
More informationNational Cyber Security Policy -2013
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
More informationCyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services
Cyber Risk Mitigation via Security Monitoring Enhanced by Managed Services Focus: Up to But Not Including Corporate and 3 rd Party Networks Level 4 Corporate and 3 rd Party/Vendor/Contractor/Maintenance
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationCode of Conduct on the Safety and Security of Radioactive Sources
FOREWORD In recent years there has been a growing awareness of the potential for accidents involving radiation sources, some such accidents having had serious, even fatal, consequences. More recently still,
More informationInformation technology Security techniques Information security management systems Overview and vocabulary
INTERNATIONAL STANDARD ISO/IEC 27000 Third edition 2014-01-15 Information technology Security techniques Information security management systems Overview and vocabulary Technologies de l information Techniques
More informationWhich cybersecurity standard is most relevant for a water utility?
Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:
More informationNSS 2014 UK NATIONAL PROGRESS REPORT. March 2014
NSS 2014 UK NATIONAL PROGRESS REPORT March 2014 1. Support for the Convention on the Physical Protection of Nuclear Material and the International Convention for the Suppression of Acts of Nuclear Terrorism
More informationHow To Write A Cybersecurity Framework
NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order
More information