Computer Security Aspects of Design for Instrumentation and Control Systems at Nuclear Power Plants
  1. 57 pages
  2. English

About This Book

The transition to digital technology has changed the nature of instrumentation and control (I&C) systems by enabling extensive interconnection of reprogrammable, functionally interdependent I&C systems. This development has made computer security a necessary element for consideration in I&C system design. The benefits and challenges of the various computer security methods and controls with their implementation in nuclear power plant I&C systems are discussed and described in this publication. The publication provides an overview of current knowledge, up to date good practices, experience, and benefits and challenges related to the application of computer security measures. The publication defines the key concepts for computer security for I&C systems at nuclear facilities, explains the risk informed approach to computer security and describes how computer security measures are applied throughout the I&C system life cycle. Situations where I&C systems are interconnected with enterprise management systems are also addressed. The three appendices present case studies with practical application examples.

1. INTRODUCTION

1.1. Background

Historically, computer security was not given significant consideration in the design of instrumentation and control (I&C) systems at nuclear power plants (NPPs). These systems were traditionally seen as being invulnerable or resilient to cyberattacks due to rigid (i.e. hardwired or analogue) implementation, segregation, independence, redundancy and diversity; isolation from external networks; and a general absence of interactive communications (especially with external networks). However, the transition to digital technology has changed the nature of these systems by enabling extensive interconnection of reprogrammable, functionally interdependent I&C systems. This development has made computer security a necessary element for consideration in I&C system design. Malicious cyberattacks on these systems could have serious effects on plant safety and security, which could have the potential to lead to severe and unacceptable consequences. Also, particularly for countries where nuclear power represents a significant part of electricity production, the availability and performance of NPPs can be of vital economic and societal interest.
Computer security vulnerabilities may be introduced into a system during its design, development, operations or maintenance, and vulnerabilities may be discovered or attacks launched against the system at any time. As a result, computer security needs to be established throughout the I&C system life cycle to prevent computer security incidents that could lead to nuclear security events. The IAEA's Division of Nuclear Security has prepared an IAEA Nuclear Security Series publication, No. 33-T, Computer Security of Instrumentation and Control Systems at Nuclear Facilities [1], which provides guidance on computer security considerations that need to be addressed during the life cycle of I&C systems at nuclear facilities. This publication [1] describes computer security measures that prevent, manage (i.e. detect, delay and respond), mitigate and foster recovery from cyberattacks.
The members of the Technical Working Group on Nuclear Power Plant Instrumentation and Control (TWG-NPPIC) recognized the relevance of the above mentioned issues, and in their 2015 meeting recommended that the IAEA provide specific, detailed guidance on the application of computer security concepts and measures to protect and mitigate I&C systems at NPPs against hazards arising from cyberattacks. This guidance was to ensure that security concepts and measures are applied in a manner that is compatible with the safety and performance objectives of the I&C systems. The TWG-NPPIC concluded that there is benefit in engaging I&C subject matter experts to address the practical aspects of implementing computer security measures aligned with both safety and security requirements.
As a starting point, this publication considers the computer security issues to be addressed during the life cycle of I&C systems at nuclear facilities, as identified in Ref. [1]. This publication complements Ref. [1] and provides practical guidance for and case study examples of the implementation of computer security measures in I&C architectures and systems. The guidance is consistent with the requirements and recommendations addressing safety and ensures that application of computer security does not affect the ability of systems to perform their required safety functions.

1.2. Objective

The objective of this publication is to assist Member States in the application of computer security concepts and measures to provide protection from cyberattacks for I&C systems at NPPs; it discusses the benefits and challenges of the various methods. The goal of the publication is to provide an overview of current knowledge, up to date good practices, experience, benefits and challenges. The publication is intended to be used by Member States to support the design, development, implementation, operation, maintenance and modernization of digital I&C systems at NPPs.

1.3. Scope

This publication covers relevant aspects of computer security in the engineering and design of digital I&C systems for NPPs. The information is useful in supporting new system designs and the improvement of existing systems in operating NPPs.
This publication is applicable to I&C systems and their development, simulation and maintenance environments. Attacks against these environments could lead to errors in the I&C system and result in the I&C system being outside of its design basis. This publication also provides advice for situations where I&C systems are interconnected with enterprise management systems. These non-I&C systems may need to be included as part of the defence in depth (DiD) approach to securing the I&C systems. Finally, there may be circumstances where, as part of a DiD approach, non-computerized I&C systems and non-computerized equipment important to safety, including support systems, can be used to provide protection and mitigation against hazards arising from cyberattacks at NPPs.

1.4. Structure

This publication is organized into five major sections, three appendices and two annexes. Section 2 defines the key concepts for computer security for I&C systems at NPPs. Section 3 explains the risk informed approach to computer security. Section 4 describes how computer security measures are applied throughout the I&C system life cycle. Section 5 contains a summary and conclusions. Appendices I to III are case studies. Annex I provides information on data communications security and Annex II suggests data to be collected to support the security of I&C systems.

2. KEY CONCEPTS FOR COMPUTER SECURITY FOR NPP I&C SYSTEMS

Computer security concepts are applied to the design of I&C systems to ensure that safety and security requirements are met, and that the cost of maintaining computer security and the need to retrofit computer security measures in the future are minimized. A key concept is the fundamental conflict between safety and security, which is discussed below. Other key concepts described are computer security levels, security zones and computer security DiD. These...

Table of contents

  1. INTRODUCTION
  2. REFERENCES
  3. Annex I DATA COMMUNICATIONS SECURITY
  4. Annex II RECOMMENDATIONS FOR ESSENTIAL DATA COLLECTION
  5. ABBREVIATIONS
  6. CONTRIBUTORS TO DRAFTING AND REVIEW