The generic concept of security controls, as initially deployed in the information security domain, is gradually used in other business domains, including industrial security for critical infrastructure and cybersecurity of nuclear safety instrumentation & control (I&C). A security control, or less formally, a security countermeasure can be any organizational, technical, or administrative measure that helps in reducing the risk imposed by a cybersecurity threat. The new IAEA NST036 lists more than 200 such countermeasures. NIST SP800-53 Revision 4 contains about 450 pages of security countermeasure descriptions, which are graded according to three levels of stringency. In order to facilitate and formalize the process of developing, precisely describing, distributing, and maintaining more complex security controls, the application security controls (ASC) concept is introduced by the new ISO/IEC 27034 multipart standard. An ASC is an extensible semiformal representation of a security control (extensible markup language or javascript object notation-based), which contains a set of mandatory and optional parts as well as possible links to other ASCs. A set of ASCs may be developed by one company and shipped together with a product of another company. ISO/IEC 27034-6 assumes that ASCs are developed by an organization or team specialized in security and that the ASCs are forwarded to customers for direct use or for integration into their own products or services. The distribution of ASCs is supported and formalized by the organization normative frameworks (ONFs) and application normative frameworks (ANFs) deployed in the respective organizational units. The maintenance and continuous improvement of ASCs is facilitated by the ONF process and ANF process. This paper will explore the applicability of these industry standards based ASC lifecycle concepts for the nuclear domain in line with IEC 62645, IEC 62859, and the upcoming IEC 63096. It will include results from an ongoing bachelor thesis and master thesis, mentored by two of the authors, as well as nuclear-specific deployment scenarios currently being evaluated by a team of cybersecurity Ph.D. candidates.

References

1.
IAEA Nuclear Security Series
,
2016
, “
Computer Security of Instrumentation and Control Systems at Nuclear Facilities, Draft Technical Guidance
,” International Atomic Energy Agency, Vienna, Austria IAEA Nuclear Security Series, Standard No. NST036.
2.
ISO/IEC,
2013
, “
Information Technology—Security Techniques—Code of Practice for Information Security Controls
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC 27002
.http://www.iso27001security.com/html/27002.html
3.
U.S. NRC
,
2010
, “
Cyber Security Programs for Nuclear Facilities
,” U.S. Nuclear Regulatory Commission, Washington, DC, Standard No.
US NRC RG 5.71
.https://www.nrc.gov/docs/ML0903/ML090340159.pdf
4.
NEI
,
2010
, “
Cyber Security Plan for Nuclear Power Reactors
,” Nuclear Energy Institute, Washington, DC, Standard No. NEI 08-09.
5.
ISO/IEC,
2016
, “
Information Technology—Security Techniques—Sector-Specific Application of ISO/IEC 27001—Requirements
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC 27009
.https://www.iso.org/standard/73907.html
6.
IEC,
2016
, “
DRAFT. Nuclear Power Plants—Instrumentation and Control Systems — Security Controls
,” International Electrotechnical Commission, Geneva, Switzerland, Standard No. IEC 63096.
7.
Bochtler
,
J.
,
Quinn
,
E. L.
, and
Bajramovic
,
E.
,
2017
,
Development of a New IEC Standard on Cybersecurity Controls for Nuclear Power Plants
,
NPIC & HMIT
,
San Francisco, CA
.
8.
ISO/IEC,
2013
, “
Information Technology−Programming Languages−Guidance to Avoiding Vulnerabilities in Programming Languages Through Language Selection and Use
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC TR 24772
.https://www.iso.org/standard/61457.html
9.
ISO/IEC,
2015
, “
Information Technology—Security Techniques—Application Security—Part 2: Organization Normative Framework
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC 27034-2
.https://www.iso.org/obp/ui/#iso:std:iso-iec:27034:-2:ed-1:v1:en
10.
ISO/IEC,
2015
, “
Information Technology— Security Techniques—Application Security—Part 6: Case Studies
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC 27034-6
.https://www.iso.org/obp/ui/#iso:std:iso-iec:27034:-6:ed-1:v1:en
11.
ISO/IEC,
2014
, “
Nuclear Power Plants—I&C Systems—Requirements for Security Programmes for Computer-Based Systems
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No. IEC 62645.
12.
IEC,
2016
, “
Nuclear Power Plants—Instrumentation and Control Systems—Requirements for Coordinating Safety and Cybersecurity
,” International Electrotechnical Commission, Geneva, Switzerland, Standard No.
IEC 62859
.https://webstore.iec.ch/publication/26131
13.
IAEA,
2011
, “
Nuclear Security Series 17, Technical Guidance, Computer Security at Nuclear Facilities
,” International Atomic Energy Agency, Vienna, Austria, Standard No. IAEA NSS 17.
14.
IEC,
2013
, “
Industrial Communication Networks—Network and System Security—Part 3-3: System Security Requirements and Security Levels
,” International Electrotechnical Commission, Geneva, Switzerland, Standard No. IEC 62443-3-3.
15.
Lillo
,
E.
, and
Waedt
,
K.
,
2015
, “
Challenges in Considering National and International Cybersecurity Requirements and Performing a Criticality Analysis
,”
IAEA International Conference on Computer Security in a Nuclear World: Expert Discussion and Exchange
, Vienna, Austria, June 1–5.
16.
ISO/IEC,
2011
, “
Information Technology—Security Techniques—Information Security Risk Management
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC 27005
.https://www.iso.org/standard/56742.html
17.
National Technical Authority for Information Assurance,
2009
, “
HMG IA Standard 1, Technical Risk Assessment, Issue 3.51
,” United Kingdom National Technical Authority for Information Assurance, Gloucestershire, UK, Standard No. 1.
18.
Waedt
,
K.
,
Kuskov
,
A.
, and
Zavarsky
,
P.
,
2015
, “
Domain Specific Cybersecurity Applied to I&C
,”
IAEA International Conference on Computer Security in a Nuclear World: Expert Discussion and Exchange
, Vienna, Austria, June 1–5.
19.
IAEA,
2011
, “
Nuclear Security Series 13, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities
,” International Atomic Energy Agency, Vienna, Austria, Standard No.
IAEA NSS 13
.https://www-pub.iaea.org/MTCD/Publications/PDF/Pub1481_web.pdf
20.
Zavarsky
,
P.
,
Waedt
,
K.
, and
Kuskov
,
A.
,
2015
, “
High Assurance Cybersecurity Controls against Persistent and Targeted Attacks on Instrumentation and Control Systems in Nuclear Facilities
,”
Ninth International Conference on Nuclear Plant Instrumentation, Control & Human‐Machine Interface Technologies
(
NPIC & HMIT
), Charlotte, NC, Feb. 26.https://www.researchgate.net/publication/271910002_High_Assurance_Cybersecurity_Controls_against_Persistent_Threats_and_Targeted_Attacks_on_IC_Systems_in_Nuclear_Facilities
21.
Langner
,
R.
,
2012
, “
Chapter in Robust Control System Networks: How to Achieve Reliable Control After Stuxnet
,”
Requirements and System Specification
,
Momentum Press
, New York.
22.
Clausing
,
R.
,
Gao
,
Y.
,
Parekh
,
M.
,
Dittmann
,
J.
,
Waedt
,
K.
, and
Ding
,
Y.
,
2016
, “
Proposal for a Public Reference Architecture for Vulnerability Testing in Nuclear Power Plants
,”
IAEA International Conference on Nuclear Security: Commitments and Actions
, Vienna, Austria, Dec. 5–9.
23.
Bajramovic
,
E.
,
Waedt
,
K.
,
Gao
,
Y.
, and
Parekh
,
M.
,
2016
, “
Cybersecurity Aspects in the I&C Design of Nuclear Power Plants
,”
Third International Nuclear Power Plants Summit
, Istanbul, Turkey, Mar. 8.
24.
ISO/IEC,
2015
, “
Information Technology—Security Techniques—Guidelines for the Analysis and Interpretation of Digital Evidence
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC 27042
.https://www.iso.org/standard/44406.html
25.
ISO/IEC,
2015
, “
Information Technology—Security Techniques—Incident Investigation Principles and Processes
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC 27043
.https://www.iso.org/standard/44407.html
26.
Li
,
J.
,
Bajramovic
,
E.
,
Gao
,
Y.
, and
Parekh
,
M.
,
2016
,
Graded Security Forensics Readiness for SCADA Systems
,
Informatik
,
Klagenfurt, Austria
.
27.
Waedt
,
K.
,
Xie
,
X.
,
Gao
,
Y.
, and
Ding
,
Y.
,
2015
, “
Chipset Level Cybersecurity Issues
,”
Eighth International Workshop on Application of Field Programmable Gate Arrays in Nuclear Power Plants
, Shanghai, China, Oct. 13–16.
28.
Martyak
,
P.
, and
Thow
,
M.
,
2015
,
Enhancing Defense-in-Depth and Monitoring Programs to Protect Critical Digital Assets from Tampering
,
NPIC & HMIT
,
Charlotte, NC
.
29.
Seibt
,
S.
,
Waedt
,
K.
, and
Odorfer
,
S.
,
2016
,
3D Modeling of Selected Assets, Security Zones and Conduits
,
Informatik
,
Klagenfurt, Austria
.
30.
ISO/IEC,
2014
, “
Asset Management—Overview
,” Principles and Terminology, International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No. ISO 55000-1.
31.
ISO,
2014
, “
Asset Management—Management Systems—Requirements
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO 55000-2
.https://www.iso.org/standard/55089.html
32.
Waedt
,
K.
,
Ciriello
,
A.
,
Parekh
,
M.
, and
Bajramovic
,
E.
,
2016
, “
Automatic Assets Identification for Smart Cities—Prerequisites for Cybersecurity Risk Assessments
,”
IEEE Second International Smart Cities Conference
(
ISC2
), Trento, Italy, Sept. 12–15.
33.
ISO/IEC,
2012
, “
Information Technology—Software Asset Management—Processes & Tiered Assessment of Conformance
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC 19770-1
.https://www.iso.org/standard/56000.html
34.
ISO/IEC,
2015
, “
Information Technology—Software Asset Management—Software Identification Tag
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No.
ISO/IEC 19770-2
.https://www.iso.org/standard/65666.html
35.
ISO/IEC,
2012
, “
Information Technology—IT Asset Management—Overview and Vocabulary
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No. ISO/IEC 19770-5.
36.
Waedt
,
K.
,
Ding
,
Y.
,
Gao
,
Y.
, and
Xie
,
X.
,
2015
, “
I&C Modeling for Cybersecurity Analyses
,”
First TÜV Rheinland China Symposium—Functional Safety in Nuclear and Industrial Applications
, Shanghai, China.
37.
ISO/IEC,
2014
, “
Engineering Data Exchange Format for Use in Industrial Automation Systems Engineering—Automation Markup Language—Architecture and General Requirements
,” International Organization for Standardization and International Electrotechnical Commission, Geneva, Switzerland, Standard No. IEC 62714-1.
38.
Waedt
,
K.
,
Parekh
,
M.
,
Tong
,
X.
,
Gao
,
Y.
,
Ding
,
Y.
, and
Xie
,
X.
,
2016
, “
Nuclear Safety and Risk Based Cybersecurity Testing
,”
47th Annual Meeting on Nuclear Technology
, Hamburg, Germany, May 10–12.
39.
Gao
,
Y.
,
Waedt
,
K.
,
Clausing
,
R.
,
Parekh
,
M.
,
Bajramovic
,
E.
, and
Gupta
,
D.
,
2016
, “
Cybersecurity Modelling for Nuclear Facilities: Interactions Between System Specifications and Security Controls
,”
IAEA International Conference on Nuclear Security: Commitments and Actions
, Vienna, Austria, Dec. 5–9.
You do not currently have access to this content.