The concept of critical infrastructure differs from country to country. The US government lists 16 critical infrastructure sectors. Three of these, dams, energy and “nuclear reactors, materials and waste” are directly related to power systems. Lists from other countries may be different, but most would include the nuclear sector and nuclear power plants (NPPs), some with more than one nuclear reactor.
Any incident or accident at a nuclear installation can have potentially catastrophic human and environmental consequences. There is increased concern also as NPPs become prime targets for cyber attacks from a number of actors (criminal, state or parastatal).
Taking into account that 444 nuclear reactors were in operation in the world as of June 2016, with 66 more under construction and an additional 172 planned, ensuring robust cyber security and resilience of these installations to cyber threats is not to be taken lightly.
NPPs built for physical protection and safety, not cyber threats
The main systems within a nuclear power plant fall broadly into two categories.
Primary systems control the reactor itself and, when needed, shut it down and maintain it in a safe condition to protect it. Secondary systems control the power generation equipment. Many of these systems, built years ago, are still based on analogue equipment that is not connected to the network and so is less susceptible to cyber attacks.
However, both systems in older NPPs are being gradually retrofitted with digital equipment, while new NPPs are designed with fully digital primary and secondary systems.
A 2015 nuclear safety report by the London-based Royal Institute of International Affairs notes that the nuclear sector has adopted digital systems later than other types of critical infrastructure. The report says that “the cyber security risk is growing as nuclear facilities become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, which offers considerable cost savings but increases vulnerability to hacking attacks”.
In October 2016, International Atomic Energy Agency (IAEA) Director General, Yukiya Amano, told Reuters news agency that “this issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously.”
Long IEC involvement in cyber security
The IEC has been closely involved in the development of standards relevant to cyber security for years through its work in ISO/IEC JTC 1/SC 27: IT security techniques. This Subcommittee was set up by the IEC and ISO Joint Technical Committee for information technology.
IEC/ISO JTC 1/SC 27 has prepared dozens of documents covering various aspects of IT security techniques, including the ISO/IEC 27000 family of Standards on information security management systems.
Other series of IEC Standards are relevant to the protection of communication networks, control systems and power installations against cyber threats. They include:
- IEC 62443: Industrial communication networks – Network and system security
- IEC 61850: Communication networks and systems for power utility automation
- IEC 60870: Telecontrol equipment and systems
- IEC 62351: Power systems management and associated information exchange
But most, except IEC 62443, which is relevant also to NPPs, fail to address certain special needs of the nuclear industry.
To fill this gap, IEC SC 45A: Instrumentation, control and electrical systems of nuclear facilities, set out to develop specific standards for cyber security. The scope of this SC, a Subcommittee of IEC TC 45: Nuclear instrumentation, includes the preparation of “Standards applicable to the electronic and electrical functions and associated systems and equipment used in nuclear energy generation facilities (…) to improve the efficiency and safety of nuclear energy generation”. It implements principles and terminology of the IAEA safety and security guides.
Greater focus on NPPs
IEC SC 45A focused on safety, including some software aspects, but didn’t tackle the generic issue of NPP cyber security. In recent years it started developing specific standards to prevent, detect and react to cyberattacks, which it defined as “malicious acts by digital means on Instrumentation and Control (I&C) programmable digital systems. This includes any unsafe situation, equipment damage or plant performance degradation that could result from such an act”.
IEC SC 45A published its first standard addressing cyber security issues in August 2014. The second, comprehensively overhauled, edition of this standard, IEC 62645:2019, Nuclear power plants – Instrumentation, control and electrical power systems – Cybersecurity requirements, has just been published. It excludes site physical security and non-malevolent actions and events.
The standard notes that “ISO/IEC 27001 and ISO/IEC 27002 are not directly applicable “to the cyber protection of nuclear I&C programmable digital systems. This is mainly due to the specificities of these systems, including the regulatory and safety requirements inherent to nuclear facilities”.
However, it also states that “this standard builds upon their valid high-level principles and main concepts of the generic security standards (…) adapts and completes them to fit the nuclear context and coordinates with the IEC 62443 series.”
IEC 62645 includes coverage of the following issues:
- managing a nuclear I&C programmable digital system security programme. This includes overall concepts for the preparation of programme, policies and procedures, roles and responsibilities, establishment, implementation and operation of the programme
- Life-cycle implementation for I&C programmable digital system security, which embraces requirements, planning, design, installation, operation and maintenance activities and more
- All aspects (technical, physical and administrative) of cyber security controls, such as policy, organizing security, asset management, access control, etc.
IEC 62645, was developed “to prevent and/or minimize the impact of attacks against I&C programmable digital systems on nuclear safety and plant performance. It covers programme level, architectural level and system level requirements.”
“It is intended to be used by designers and operators of NPPs (utilities), licensees, systems evaluators, vendors, subcontractors and licensors.”
Unlike the first edition of the standard this one gives a table of high-level correspondence between the IEC 62443 series and IEC 62645, listing dozens of subclauses related to context of the organization, lifecycle implementation for I&C programmable digital system security and security controls.
Together with other relevant IEC Standards it should contribute significantly to the protection and resilience of NPPs against cyber attacks.