Better cybersecurity for nuclear plants

The IEC publishes the first International Standard to tackle cyber-attacks in nuclear power plants

By Morand Fachot

Safeguarding the security of critical infrastructure from malicious acts by digital means (cyber-attacks) is becoming a priority for most countries. Energy installations, nuclear power plants in particular, may be seen as prime targets for such attacks. The first IEC International Standard aimed at defining "adequate programmatic measures for the prevention of, detection of, and reaction to malicious acts by cyber-attacks" on computer-based systems in nuclear power plants, has just been published, so addressing this risk.

Nuclear power plant are sensitive installations Nuclear power plant are sensitive installations

Multiple actors attacking multiple targets

The range and cost of global malicious cyber activities is growing. The latter was estimated in a January 2014 McKinsey & Company report as having the potential to "materially slow the pace of technology and business innovation with as much as USD 3 trillion in aggregate impact" by 2020. Recent examples of risks posed by cyber-attacks include:

  • A warning issued in late August 2014 by the head of IOSCO (International Organization of Securities Commissions), a global financial watchdog, that the next major financial shock would be triggered by cyber-attacks
  • Reports published in June 2014 indicating that an 18-month cyber-attack was believed to have compromised the computer systems of more than 1 000 European and US energy companies
  • Hackers breaking into the systems of a major US retailer and stealing the personal information of 70 million people and the payment card data of 40 million customers in November 2013

Beyond potentially large financial losses, one very serious risk posed by cyber-attacks concerns critical infrastructure, such as power grids in general and nuclear power plants in particular.

IEC long involvement in cybersecurity

The IEC has been closely involved in the development of Standards for cybersecurity for years through its work in ISO/IEC JTC (Joint Technical Committee) 1 SC 27: IT security techniques.

IEC/ISO JTC 1/SC 27 has prepared dozens of documents covering various aspects of IT security techniques, including the information security management system family of Standards. In this area it published ISO/IEC 27001:2103 and ISO/IEC 27002:2013, late last year (see article on ISO/IEC 27001:2013 in e-tech December 2013).

However, previous Standards developed by IEC/ISO JTC 1/SC 27 have not addressed certain specific needs of the nuclear industry. As a result IEC SC (Subcommittee) 45A: Instrumentation, control and electrical systems of nuclear facilities, set out to develop a Standard to prevent, detect and react to cyber-attacks on NPPs (nuclear power plants).

This Standard, IEC 62645:2014, Nuclear power plants – Instrumentation and control systems – Requirements for security programmes for computer-based systems, has just been published.

From nuclear safety to cybersecurity

The scope of IEC SC 45A includes the preparation of "standards applicable to the electronic and electrical functions and associated systems and equipment used in nuclear energy generation facilities (…) to improve the efficiency and safety of nuclear energy generation".

Until recently SC 45A had dealt with safety, including some software aspects, but not tackled the generic issue of NPP cybersecurity. It has now started to address the latter with the publication of IEC 62645.

The Standard notes that "ISO/IEC 27001 and ISO/IEC 27002 are not directly applicable to the cyber protection of nuclear" computer-based systems "due to the specificities of these systems, including the regulatory and safety requirements inherent to nuclear facilities."

However, it also states that "this standard builds upon the valid high-level principles and main concepts of ISO/IEC 27001 and 27002, adapts them and completes them to fit the nuclear context".

Covering all aspects

Like other IEC SC 45A Standards, IEC 62645 was prepared taking into account "principles and basic safety aspects provided in the IAEA (International Atomic Energy Agency) code on the safety of NPPs". The terminology and definitions used by SC 45A Standards are consistent with those used by the IAEA. The Standard refers to various IAEA publications, in particular its Computer Security at Nuclear Facilities manual.

The Standard also compares the overall security framework described in IEC 62645 with that of the framework developed by NIST (National Institute of Standards and Technology) in SP 800 82 and other supporting NIST documentation.

IEC 62645 covers the following issues, among others:

  • Establishing and managing a nuclear computer-based system security programme. This includes overall concepts for the preparation of programme, policies and procedures, roles and responsibilities, establishment, implementation and operation of the programme
  • Life-cycle implementation for system security, which embraces requirements, planning, design, installation, operation and maintenance activities and more
  • All aspects of security controls, such as policy, organizing security, asset management, access control, etc.

IEC 62645, developed to prevent and/or minimize the impact of attacks against computer-based systems is intended to be used by designers and operators of NPPs (utilities), licensees, systems evaluators, vendors and subcontractors, and by licensors.

It is the first of its kind specifically designed for cybersecurity in NPPs. As such, it should prove essential for the nuclear power industry. Together with other TC 45 International Standards, IEC 62645 will help improve safety and security in nuclear power installations.

Nuclear power plant are sensitive installations Nuclear power plant are sensitive installations
Cyberattacks present a serious security risk for the nuclear industry Cyberattacks present a serious security risk for the nuclear industry
Nuclear power plant control rooms rely on IT infrastructure Nuclear power plant control rooms rely on IT infrastructure