Nuclear cyber security research sharpens digital upgrade valuations
The Electric Power Research Institute (EPRI) is preparing to release a new risk-informed cyber security methodology and an improved documentation process to improve supply chain transparency, Matt Gibson, EPRI's Principal Technical Leader Nuclear I&C and Cyber Security, said.
As nuclear operators apply the latest digital technology to generation assets, they face a widening array of cyber security challenges. Data analytics is key to reducing nuclear operating costs and operators will need to apply cost-effective cyber defence strategies to maximize gains.
In October, the United States Computer Emergency Readiness Team (US-CERT) warned of an advanced persistent threat activity targeting energy sectors including nuclear power. The alert followed investigations by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).
In July, consultancy group PwC reported “suspected state actors” had used fake emails to penetrate the administration systems of multiple U.S. nuclear plants. In September, cyber security firm Symantec said it believed a sophisticated cyber espionage group known as Dragonfly was behind a recent wave of cyber attacks on European and U.S. power generation companies.
Through a suite of research projects, the EPRI is aiming to reduce plant sensitivity to escalating cyber security threats and help companies integrate cyber security methods into digital engineering in existing plants. The industry-funded research will improve design and implementation efficiency and allow companies to assess facility level risks to ensure efficient resource allocation.
Cyber security strategies must take into account the relatively slow change-management processes in the nuclear power industry, Gibson told the 2nd annual Nuclear Plant Digitalization Conference in November.
"One thing that is unique about nuclear is that we have very deliberate change management processes...What we wanted to do was to figure out ways so that the plants are not sensitive to changes in the threat capabilities," he said.
Another key area of the research is the integration of cyber security into engineering processes so that digital innovations can be implemented efficiently and costs can be minimized.
In December 2015, the Nuclear Energy Institute (NEI) called on operators to reduce generating costs by 30% between 2016 and 2018. Digitization is seen as key to reducing operation and maintenance (O&M) costs and operators such as Exelon are implementing the latest data analytics technologies to predict asset performance and enable condition-based maintenance.
Cyber security concerns can prevent operators introducing new technology such as sensors and Instrumentation and Control (I&C) systems, into their plants, Gibson noted.
"We want to change that dynamic, so that now... Whether you are a vendor or in-house engineer, you can make rational engineering trade-offs between what you need to accomplish and how you need to secure it," Gibson said.
US nuclear operating costs ($bn)
The EPRI has used a qualitative approach to build a risk-informed cyber security methodology. This process calculates the "exploit difficulty" of cyber attack methods, using threat capability intelligence, and measures this against the probability of consequential equipment failure. The method has already been used in physical security strategies.
This risk-informed approach should reduce nuclear industry costs by limiting mitigation measures to an effective scope, aligning resources with actual risks while also providing insights into wider digital technology risks, Gibson said.
The standardization of a consistent assessment process should also facilitate information sharing and help improve cyber security capabilities across the nuclear industry, Gibson said.
Active pilot partners for these risk-informed processes include Arizona’s 4 GW Palo Verde plant, Duke Energy, Areva and small modular reactor (SMR) developer NuScale. EPRI plans to test the method at Duke Energy's 2.5 GW Oconee Nuclear Station in South Carolina, Gibson said.
"Our goal is to have these things repetitively used and have meaningful results before the true risk analysis part of it goes live," Gibson said.
EPRI plans to publish its risk analysis basis in the second quarter of 2018 and follow this with a cyber security program guidance, which provides a template for risk-informed cyber plan creation.
The guidance will incorporate actual vulnerability analysis, vulnerability mitigation and plant level risks and is expected to be available by 2019.
EPRI's ongoing research includes updated guidance on supply chain security to incorporate risk-informed Technical Assessment Methodology (TAM).
The TAM process aims to ensure secure development, integration and delivery of technology by allocating “residual vulnerabilities” between vendors and utilities.
The TAM allows companies to document cyber security risks of supply chain components and recommended applications, separating vulnerabilities observed at the raw material and manufacturing stage from integration and implementation risks.
Documented TAMs can be collected at every stage of the supply process and analyzed for cyber security threats at the final design implementation stage.
Workshops were conducted with early adopters in 2017 and the TAM guidance is set to be widely available by summer of 2018.
Going forward, the TAM guidance will inform a new sustainable engineering-based cyber security assessment and mitigation methodology. This will include plant level consequence and likelihood methods.
EPRI's supply chain research is also set to incorporate the latest disruptive technologies such as blockchain, Gibson noted.
"We have a proposal next year to expand our supply chain research...There is an opportunity there to start leveraging the blockchain in the supply chain," he said.
Nuclear Energy Insider