RAISING AWARENESS OF CYBER-SECURITY ISSUES IN SYSTEM OWNERS

摘要

Digital control systems and devices are increasingly making their way into process protection, control, and monitoring systems at nuclear power plants. These devices have operating systems and connectivity that allow benefits such as predictive and preventative maintenance, as well as improved transient control capability. Cyber-security awareness by the system "owners" is critical to keeping these devices secure. This can be complicated by the fact that these systems are sometimes "owned" by engineers or operators with little or no digital system experience. The normal maintenance problems these owners tend to deal with concern the mechanical portions of their systems. For many of these owners, the digital control system is nothing more than a "black box" located in a control panel. This paper will explore some of the key gaps in awareness and describe methods and guidelines to address and close these gaps. The paper focuses primarily on nuclear significant digital systems that are within the scope of the approved security plans for nuclear plants; however, the discussions also apply to fossil and hydro power plant digital control systems. Topics covered include limitations and control of digital connectivity, recovery planning, physical and logical access controls, and identification and remediation of cyber-vulnerabilities. The relative importance of confidentiality, integrity, and availability when considering digital security design principles will be explored as well as the tradeoffs of employing a Defense-in-Depth design strategy.