Safeguarding critical infrastructure – a priority for all countries
The range and cost of global malicious cyber activities is growing. A May 2015 Juniper Research report forecast that the cost to affected businesses will reach USD 2 000 billion by 2019, a threefold increase from the 2015 estimate of USD 500 billion. In addition to financial losses, concern is growing regarding attacks on critical infrastructure.
The concept of critical infrastructure is categorized differently by various countries. The US government lists 16 critical infrastructure sectors. Three of these, dams, energy and “nuclear reactors, materials and waste” are directly related to power systems. Lists from other countries may be similar, or dams and the nuclear sector might be found together under a single energy sector.
Safeguarding various parts of critical infrastructure from malicious acts by digital means (cyber attacks) is becoming a priority for most countries.
Energy installations are central to the entire critical infrastructure. They have become prime targets for cyber attacks in recent years, some, arguably, with a view of identifying possible vulnerabilities that can be exploited with crippling effect at a later date. Power grids have been taken down (Ukraine 2015-2016); dams (US 2013) and NPPs (US 2014) have been targeted.
Of all these, successful attacks on NPPs will have the most devastating consequences.
NPPs were built for safety, not cyber threats
Primary systems control the reactor itself and, when needed, shut it down and maintain it in a safe condition to protect it. Secondary systems control the power generation equipment. Many of these systems, built years ago, are still based on analogue equipment that is not connected to the network and so is less susceptible to cyber attacks.
"Primary systems are designed from the ground up to perform their intended safety function irrespective of any type of natural or manmade phenomenon. There is not a cyber attack that could prevent our safety systems from effectively shutting the reactor down," Gross said, adding that primary and secondary systems in nuclear plants are isolated from each other for greater protection.
However, both systems in older NPPs are being gradually retrofitted with digital equipment, while new NPPs are designed with fully digital primary and secondary systems, he says.
A 2015 nuclear safety report by the London-based Royal Institute of International Affairs, commonly known as Chatham House, notes that digital systems have been adopted later than in other types of critical infrastructure. “In addition, the industry’s long-standing focus on physical protection and safety has meant that while these aspects of risk response are now relatively robust, less attention has been paid to developing cyber security readiness,” the report says.
Furthermore, it adds that “the cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, which offers considerable cost savings but increases vulnerability to hacking attacks”.
In October 2016, International Atomic Energy Agency (IAEA) Director General, Yukiya Amano, speaking of an unspecified "disruptive, not destructive" attack on an NPP "two or three years ago", told Reuters news agency and a German newspaper: “This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it’s the tip of the iceberg.”
Long IEC involvement in cyber security
The IEC has been closely involved in the development of Standards relevant to cyber security for years through its work in ISO/IEC JTC 1/SC 27: IT security techniques. This Subcommittee was set up by ISO/IEC JTC 1: Information technology, the Joint Technical Committee created by the ISO and the IEC.
IEC/ISO JTC 1/SC 27 has prepared dozens of documents covering various aspects of IT security techniques, including the ISO/IEC 27000 family of Standards on information security management systems.
Other series of IEC Standards are relevant to the protection of communication networks, control systems and power installations against cyber threats. They include:
- IEC 62443: Industrial communication networks – Network and system security
- IEC 61850: Communication networks and systems for power utility automation
- IEC 60870: Telecontrol equipment and systems
- IEC 62351: Power systems management and associated information exchange
Addressing the NPPs’ specific needs
To date, these Standards, and those developed by IEC/ISO JTC 1/SC 27, have not addressed certain special needs of the nuclear industry.
To fill this gap, IEC SC 45A: Instrumentation, control and electrical systems of nuclear facilities, set out to develop specific Standards.
The scope of this SC includes the preparation of “Standards applicable to the electronic and electrical functions and associated systems and equipment used in nuclear energy generation facilities (…) to improve the efficiency and safety of nuclear energy generation”.
Until recently SC 45A had dealt with safety, including some software aspects, but not tackled the generic issue of NPP cyber security. Its ambition was to develop Standards to prevent, detect and react to cyber attacks on NPPs.
This led to the publication in August 2014 of IEC 62645, Nuclear power plants – Instrumentation and control [I&C] systems – Requirements for security programmes for computer-based systems.
The Standard notes that “ISO/IEC 27001 and ISO/IEC 27002 are not directly applicable to the cyber protection of nuclear” computer-based systems “due to the specificities of these systems, including the regulatory and safety requirements inherent to nuclear facilities”.
However, it also states that “this standard builds upon the valid high-level principles and main concepts of ISO/IEC 27001 and 27002, adapts them and completes them to fit the nuclear context”. This IEC Standard “is expected to coordinate more closely with the IEC 62443 series in the next few years”.
This Standard is being revised and the second edition will have a slightly different and more specific title, as Requirements for security programmes for computer-based systems will be replaced by Cyber security requirements.
IEC 62645:2014 was the first IEC International Standard aimed at defining “adequate programmatic measures for the prevention of, detection of, and reaction to malicious acts by cyber attacks” on computer-based systems in NPPs.
IEC 62645 also compares the overall security framework it described with that of the framework developed by NIST (National Institute of Standards and Technology) in SP 800 82 and other supporting NIST documentation.
IEC 62645 includes coverage of the following issues:
- Establishing and managing a nuclear computer-based system security programme. This includes overall concepts for the preparation of programme, policies and procedures, roles and responsibilities, establishment, implementation and operation of the programme
- Life-cycle implementation for system security, which embraces requirements, planning, design, installation, operation and maintenance activities and more
- All aspects of security controls, such as policy, organizing security, asset management, access control, etc.
IEC 62645, developed to prevent and/or minimize the impact of attacks against computer-based systems, is intended to be used by designers and operators of NPPs (utilities), licensees, systems evaluators, vendors, subcontractors and licensors.
It is the first Standard to be specifically designed for cyber security in NPPs. As such, it should prove essential for the nuclear power industry. Together with other TC 45 International Standards, IEC 62645 will help improve safety and security in nuclear power installations.
Second Standard addresses coordination between safety and cyber security
A second Standard, IEC 62859, Nuclear power plants – Instrumentation and control systems – Requirements for coordinating safety and cyber security, “provides a framework to manage the interactions between safety and cyber security for NPP systems, taking into account the current SC 45A standards addressing these issues and the specifics of nuclear I&C programmable digital systems”.
It "establishes requirements and guidance to:
–integrate cyber security provisions in nuclear I&C architectures and systems, which are fundamentally tailored for safety;
–avoid potential conflicts between safety and cyber security provisions;
–aid the identification and the leveraging of the potential synergies between safety and cyber security”.
Referring to ISO/IEC 27001 and ISO/IEC 27002 this Standard notes that “it adapts them and completes them to fit the nuclear context and coordinates with the IEC 62443 series”.
Like other IEC SC 45A Standards, IEC 62645 and IEC 62859 were prepared taking into account the “principles and basic safety aspects provided in the International Atomic Energy Agency code on the safety of NPPs”. The terminology and definitions used by SC 45A Standards are consistent with those used by the IAEA. These Standards refer to various IAEA publications, in particular its Computer Security at Nuclear Facilities manual.
These Standards and ongoing work by IEC SC 45A are set to make a significant contribution to a more robust protection of civil NPPs against cyber threats.