Defending nuclear power plants against a growing cyber threat

A new international standard will boost the cyber resilience of nuclear power plants, writes Morand Fachot

IEC e-tech, Feb 3, 2020


Any incident at a nuclear installation can have potentially catastrophic human and environmental consequences. Concern is growing as nuclear power plants become prime targets for cyber attacks from a variety of threat actors (criminal, state or state-sponsored).

Considering that 444 nuclear reactors were in operation in the world as of June 2016, with 66 more under construction and an additional 172 planned, ensuring the robust cyber security of these installations and their resilience to cyber threats is a serious concern.

Nuclear plants not built for cyber threats

The main systems within a nuclear power plant fall broadly into two categories.

Primary systems control the reactor itself and, when needed, shut it down and maintain it in a safe condition to protect it. Secondary systems control the power generation equipment. Many of these systems, built years ago, are still based on analogue equipment that is not connected to the network and so is less susceptible to cyber attacks.

However, both systems in older nuclear plants are being gradually retrofitted with digital equipment, while new plants are designed with fully digital primary and secondary systems.

The nuclear sector has adopted digital systems later than other types of critical infrastructure. A 2016 report by the London-based Royal Institute of International Affairs says “the cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, which offers considerable cost savings but increases vulnerability to hacking attacks”.

Long IEC involvement in cyber security

The IEC has been closely involved in the development of standards relevant to cyber security for years through its work in ISO/IEC JTC 1/SC 27: IT security techniques. This Subcommittee was set up by the IEC and ISO Joint Technical Committee for information technology.

ISO/IEC JTC 1/SC 27 has prepared dozens of documents covering various aspects of IT security techniques, including the ISO/IEC 27000 family of Standards on information security management systems.

Other series of IEC Standards are relevant to the protection of communication networks, control systems and power installations against cyber threats. They include:

  • IEC 62443: Industrial communication networks — Network and system security
  • IEC 61850: Communication networks and systems for power utility automation
  • IEC 60870: Telecontrol equipment and systems
  • IEC 62351: Power systems management and associated information exchange

But most, except IEC 62443, which is relevant also to nuclear power plants, fail to address certain special needs of the nuclear industry.

To fill this gap, IEC SC 45A: Instrumentation, control and electrical systems of nuclear facilities, set out to develop specific standards for cyber security. The scope of this SC, a Subcommittee of IEC TC 45: Nuclear instrumentation, includes the preparation of “Standards applicable to the electronic and electrical functions and associated systems and equipment used in nuclear energy generation facilities (…) to improve the efficiency and safety of nuclear energy generation”. It implements principles and terminology of the IAEA safety and security guides.

Greater focus on nuclear power plants

IEC SC 45A focused on safety, including some software aspects, but didn’t tackle the generic issue of cyber security for nuclear plants. In recent years it started developing specific standards to prevent, detect and react to cyberattacks, which it defined as “malicious acts by digital means on Instrumentation and Control (I&C) programmable digital systems. This includes any unsafe situation, equipment damage or plant performance degradation that could result from such an act”.

IEC SC 45A published its first standard addressing cyber security issues in August 2014. The second, comprehensively overhauled, edition of this standard, IEC 62645:2019, Nuclear power plants — Instrumentation, control and electrical power systems — Cybersecurity requirements, has just been published. It excludes site physical security and non-malevolent actions and events.

The standard notes that “ISO/IEC 27001 and ISO/IEC 27002 are not directly applicable to the cyber protection of nuclear I&C programmable digital systems. This is mainly due to the specificities of these systems, including the regulatory and safety requirements inherent to nuclear facilities”.

However, it also states that “this standard builds upon their valid high-level principles and main concepts of the generic security standards (…) adapts and completes them to fit the nuclear context and coordinates with the IEC 62443 series.”

IEC 62645 includes coverage of the following issues:

  • Managing a nuclear I&C programmable digital system security programme. This includes overall concepts for the preparation of the programme, policies and procedures, roles and responsibilities, and the establishment, implementation and operation of the programme
  • Life-cycle implementation for I&C programmable digital system security, which embraces requirements, planning, design, installation, operation and maintenance activities and more
  • All aspects (technical, physical and administrative) of cyber security controls, such as policy, organizing security, asset management, access control, etc.

IEC 62645 was developed “to prevent and/or minimize the impact of attacks against I&C programmable digital systems on nuclear safety and plant performance. It covers programme level, architectural level and system level requirements.”

It is intended to be used by designers and operators of nuclear power plants, as well as licensees, systems evaluators, vendors, subcontractors and licensors.

Unlike the first edition of the standard, this one gives a table of high-level correspondence between the IEC 62443 series and IEC 62645, listing dozens of sub-clauses related to the context of the organization, lifecycle implementation for I&C programmable digital system security and security controls.

Together with other relevant IEC Standards, it should contribute significantly to the protection and resilience of nuclear power plants against cyber attacks.

This is an edited version of a story that originally appeared in the print edition of e-tech.
