Cyber security in nuclear power plants and its portability ... · VGB PowerTech - All rights...


Page 1: Cyber security in nuclear power plants and its portability ... · VGB PowerTech - All rights reserved - Alle Rechte vorbehalten - 2015 VGB DIGITAL VGB PowerTech - All rights reserved


VGB PowerTech 5 l 2017 Cyber security in nuclear power plants

Authors

Abstract

Cyber security in nuclear power plants and its application to further industrial infrastructures

Electricity generation relies increasingly on decentralised and networked computing systems. Terms such as the Industrial Internet Consortium's (IIC) "Industrial Internet of Things" and "Industrie 4.0" are today making their way into this important industrial sector as well. The risks of targeted exploitation of errors and vulnerabilities grow with complexity, with the degree of interconnection and with decentralisation. The inherently stringent safety and security requirements of the nuclear energy sector, and the long-standing consideration of cyber security requirements in product development and in project-accompanying measures, make it the gold standard of risk prevention. The knowledge gained can serve to derive adapted security provisions for other sectors. The topic of cyber security is considered from this perspective. The article presents common regulations and the approaches for protection against cyber attacks in nuclear power plants, as well as the numerous possibilities for transferring them to other critical infrastructures in order to arm these against cyber attacks and industrial espionage.

Cyber security in nuclear power plants and its portability to other industrial infrastructures

Sébastien Champigny, Deeksha Gupta, Venesa Watson and Karl Waedt

Sébastien Champigny, MBA, Dipl.-Phys., M. Eng., Product manager cyber security for critical infrastructures
Deeksha Gupta, M.Sc. in Nuclear Sci. & Tech., Cyber security PhD Candidate
Venesa Watson, Master in Computer Forensics, Cyber security PhD Candidate
Dr. Karl Waedt, Senior expert Cyber Security Concepts & Architecture
AREVA GmbH, Erlangen, Germany

Introduction

This technical contribution provides a snapshot of the current cyber security efforts in different industry domains. We argue that stringent security controls (countermeasures) that are already in place for nuclear power plants (NPP) can be ported to other industry domains. A reason for this is that the nuclear domain is more formally regulated, thus graded security requirements were already mandated long before the critical infrastructure debates started and before the gradual enforcement of European and national legislation.

Note: Generally, in the nuclear and industrial automation domain, the term “control” is used mainly to denote Instrumentation and Control (I&C), Industrial Automation and Control Systems (IACS) or SCADA (Supervisory Control and Data Acquisition), referring to control theory tasks. However, in the security context, the term “Security Control” is ubiquitous, and means any countermeasure that can reduce the system's risk due to security threats. Countermeasures are not limited to add-on provisions at the component or system level. For example, they also include provisions at the software source code level.

In Section 1, we provide an overview of current international and national cyber security guidance, and how this guidance evolved for IAEA, Nuclear IEC and selected countries. Section 2 summarises the increasing cyber security efforts for Industrial Automation and Industry 4.0 as well as its Chinese “Manufactured in China 2025” and US “Industrial Internet of Things” counterparts. Section 3 provides reasons for the portability of Security Controls from nuclear to other industrial infrastructure. The Summary provides an outlook on the newest cyber security-related activities in the different domains, and concludes with a summary of the main steps that are necessary for achieving and maintaining a target security level.

1 Cyber security and safety requirements for NPPs

In the nuclear domain, for Safety, Human Factors Engineering, Physical Security, Radiation Protection and Cyber Security, the international top-level guidance is provided by the International Atomic Energy Agency (IAEA). The IAEA guidance is regularly updated based on priorities set by yearly or bi-yearly meetings of representatives of all IAEA member states.

The overall IAEA Cyber Security guidance is refined, e.g. for Instrumentation & Control (I&C) and Electrical Systems (ES), by the Nuclear IEC subcommittees. However, each country may supersede the international guidance by providing a mandatory higher-priority regulation, as will be addressed in section 1.4 for selected countries.

1.1 Stringent and graded security requirements for I&C already since 1986

Safety and security grading are essential when addressing critical industrial infrastructures. Grading by Safety Categories in IEC 61226 and by Safety Classes in IEC 61513 has been in place since the first editions of these standards. The software-specific requirements for software implementing Category A or Category B and C I&C functions are also graded, by the respective standards IEC 60880:1986 and IEC 62138. The first edition of IEC 60880:1986 already contained explicit requirements on security during software development and security during software deployment, two essential phases in the software development lifecycle.

1.2 Overall IAEA Cyber security Guidance

The IAEA Cyber security Guidance is published in the IAEA Nuclear Security Series (NSS). Currently the top-level guidance is IAEA NSS 17 from 2011. Developing this guidance took several years, with considerable input by member states provided since 2006, and essential agreements being achieved during the first major IAEA cyber security conference in summer 2011. IAEA NSS 17 introduces a graded security approach with 5 security levels and recommendations on security zones.

IAEA NSS 17 is complemented by IAEA NSS 8 on preventive and protective measures against insider threats, and further IAEA NSS guidance, including IAEA NSS 12 on a comprehensive educational programme in nuclear security.

1.3 Nuclear IEC Cyber security Standards

Subsequently, the three major Nuclear IEC cyber security standards will be introduced.

1.3.1 The Top-level Nuclear IEC Cyber security Standard

After initial attempts to structure the top-level nuclear IEC standard according to nuclear safety and other criteria, a core team finally devised the alignment with the most popular information security standard then in place, ISO/IEC 27001:2005. This structuring was proposed mainly in order to reduce the initial training needs of security staff already familiar with the mainstream standards, and in order to avoid annexes with cumbersome mappings.

While ISA99 experts were involved in the development of the first top-level nuclear IEC 62645:2013 cyber security standard, an alignment with the ISA99 industrial cyber security standards or the corresponding IEC 62443-x-x was ultimately not attempted, as several planned parts of the IEC 62443-x-x series were not yet available and because the security grading follows a different approach, as will be addressed in a subsequent section.

1.3.2 Coordinating safety and cyber security by IEC 62859

Whether safety and cyber security should be considered jointly or subsequently is part of ongoing debates in different industry domains. For nuclear, the security grading is directly related to the potential impact of a security attack on nuclear safety. Figure 1 shows the hierarchical refinement from Safety Objectives (level 1) down to I&C Functions (levels 3 and 4). The main safety objectives are control of reactivity, residual heat removal and confinement of radioactive material.

Cyber security is applied at the level of I&C and IT equipment while considering the potential impact of manipulations on Safety Functions and Safety Objectives. IEC 62859:2016 [1] specifies the main requirements for coordinating safety and cyber security. In other industries, work on this important topic has only just started, e.g. by the new working group WG20 of IEC TC65.

1.3.3 Detailed security controls for nuclear by IEC 63096

Similar to the alignment of IEC 62645 with ISO/IEC 27001, the new working draft IEC 63096 is being aligned with the ISO/IEC JTC1/SC27 WG1 standard ISO/IEC 27002:2013. This nuclear IEC standard extends the generic security controls of ISO/IEC 27002 by recommendations for each security level: BR (Baseline Requirements), S3, S2 and S1 (highest security level). It also provides guidance for the main I&C and ES (Electrical Systems) lifecycle phases: Product & Platform Development, Engineering, and Operation & Maintenance. Additionally, it provides security-control-specific guidance for legacy I&C and ES systems.

As a sector-specific standard, similar to ISO/IEC 27009 [3], for non-nuclear utilities, IEC 63096 provides guidance that is structured and formatted in principle in line with ISO/IEC 27009, which provides common guidance on the elaboration of sector-specific security controls and Information Security Management Systems (ISMS) standards.

1.4 International and national nuclear cyber security regulations

Figure 2 lists the international standards discussed above, along with the national standards for Germany, the USA and the UK. In Germany, SEWD (Schutz gegen Störmaßnahmen oder sonstige Einwirkungen Dritter / Protection against Disruptive Acts or Other Intervention of Third Parties) is a requirement found in § 6 para. 2 no. 4 of the Atomic Energy Act, released in 1959 [7]. Licences for the storage of nuclear fuels are only granted once risks and threats, as a result of SEWD, can be considered negligible. Created by Congress in 1974, the USA's NRC regulates commercial nuclear power plants and other uses of nuclear materials. NRC RG 5.71 [4] provides guidelines for the protection of digital computer and communication systems and networks from cyber attacks, against which licensees should provide assurance. The Nuclear Energy Institute (NEI) 08-09 “Cyber Security Plan for Nuclear Power Reactors” provides a generic template for a cyber security plan, which must be used by licensees to develop their cyber security plans to be submitted to the NRC [8]. The HMG IA (Information Assurance) Standard is intended for use by IA practitioners, working especially with UK Government ICT systems, as the foundation for their Information Risk Management Policy. This standard provides a methodology by which these practitioners can “identify, assess and determine the level of risk to an ICT system and a framework for the selection of appropriate risk treatments.”

Requirements from these international nuclear Cyber Security standards are applicable for the whole nuclear power plant. Figure 3 shows the scope of applicability of these requirements using the example of a typical nuclear I&C architecture.

In Figure 4, the relationships between safety standards (in purple) and security standards (in orange) from different industries are indicated. All the individual fields have their own specific standards for safety and security. For example, IEC 60601 and IEC 62304 are the safety standards referred to in the medical field.

Fig. 1. Safety functions, process functions and I&C functions. (Figure content: hierarchical refinement from Level 1, safety objectives and safety functions, via Level 2, related process functions, and Level 3, specification of I&C functions, to Level 4, implementation of I&C functions; the safety objectives shown are reactivity control, residual heat removal and confinement of radioactive material; columns Safety, Process, I&C.)

Fig. 2. Examples of international and national nuclear cyber security regulations. (Figure content:)
- IAEA Nuclear Security Series (NSS): IAEA NSS 7, IAEA NSS 8, IAEA NSS 10, IAEA NSS 17
- Nuclear IEC Cyber security: IEC 61513, IEC 61226, IEC 60880, IEC 62645, IEC 62859, IEC 63096
- ISO/IEC: ISO/IEC 27000 (ISMS), ISO/IEC TR 27019
- Germany: SEWD-Guideline IT:2013, Guideline for the protection of IT-systems in nuclear facilities (VS-NfD: classified document, only for official use)
- USA: Nuclear Regulatory Commission, US NRC RG 5.71, US NEI 08-09
- UK: HMG (Her Majesty's Government), HMG IA Standard No. 1, No. 3.5

2 Gradual consideration of information security in Industry 4.0 and IoT

Industry 4.0 and “Manufactured in China 2025” are governed by a “Reference Architecture Model Industry 4.0” (RAMI) or similar, which are typically represented by cubes subdivided as 6x6x6 or 5x5x5. The three axes of the cube are “Layers”, “Hierarchy Levels” and “Value Streams”. None of the 6 Layers (Business, Functional, Information, Communication, Integration and Asset) explicitly contains cyber security. Similarly, along the other two axes, cyber security is not explicitly included. This is due to the fact that security and interoperability are considered integral components of multiple of the 3D elements that build up the complete cube, see Figure 5.

2.1 Generic information security

One purpose of generic security standards is to be applicable by any size of organization, e.g. a one-employee service provider or a multinational organization. The ISO/IEC 27000 series takes credit for meeting this criterion. Still, beyond these generic information security standards in the 27000 to 27021 range, additional standards in the 27031 to 27050 and other ranges provide more in-depth guidance.

2.2 IT security for power generating plants

VGB-S-175 addresses generic security requirements, Defense-in-Depth principles, redundancy and diversity, risk management, risk analysis and security countermeasures for both new-build and power plant modernisation projects.

Furthermore, VGB provides guidance on intrusion detection and prevention (addressed in more detail by ISO/IEC 27039), patch management (addressed in more detail by IEC 62443-2-3), security gateways (addressed in more detail in ISO/IEC 27033-4), wireless (ISO/IEC 27033-6), documentation of security incidents (ISO/IEC 27035-3) and additional countermeasures.

2.3 Emerging industrial automation security

Cyber security for Industrial Automation mainly builds on the ISA99-specific standards, which are published as IEC 62443-x-x. The 13 parts of this series are not yet complete. The security grading is based on the risk an attacker poses and on the attacker's strength. This regularly leads to controversy, as the strength of an attacker can change over time, e.g. today's “script kiddies” have other malicious tools as compared to 10 years earlier.

Fig. 3. An example of a nuclear I&C architecture (© AREVA). (Figure content: Process Information and Control System (PICS) with integrated primary HMI and dedicated secondary HMI; Level 0, Level 1 and Level 2 systems PAS, RCSL, SAS, PS, DAS and SA-I&C arranged in a preventive line, a main line, a risk reduction line and a severe accidents line; legend: PAC = Priority actuator control, GW = Gateway, MSI = Monitoring & service interface, hardwired interface, network interface.)

Fig. 4. Safety and Security Interface at the Standards Level (© IEC TC65). (Figure content: columns Energy/Power System, Nuclear, Medical, Discrete, Process, Railway and Automotive; legend entries "proposed usage" and "positioning is not defined".)

Fig. 5. Reference Architectural Model Industry 4.0 by ZVEI (© Plattform Industrie 4.0). (Figure content: RAMI 4.0 cube with the axes Layers (Business, Functional, Information, Communication, Integration, Asset), Hierarchy levels per IEC 62264 / IEC 61512 (Connected world, Enterprise, Work units, Station, Control device, Field device, Product) and Value stream per IEC 62890 (Type: Development, Maintenance/usage; Instance: Production, Maintenance/usage).)

2.4 Initial Industry 4.0 and IoT proposals

Despite its current incompleteness, IEC 62443-x-x builds a solid basis for cyber security in the Industry 4.0 RAMI framework. Interoperability is a key component of Industry 4.0. The multipart IEC 62541 defines the Open Connectivity Unified Architecture (OPC UA) not just as a communications protocol, but as a communication architecture that supports, among other services, interoperability between digital technologies from different vendors. The services provided by the layers of the platform-independent OPC UA include the semantics of an information model, address spaces, discovery services, alarm functions, etc.

AREVA NP implements Embedded OPC UA, for example, in its SIPLUG family of monitoring sensors, as shown in Figure 6. Hence, it can directly be connected to reporting and trend surveillance systems. This feature drastically reduces the costs for interconnecting the respective sensor devices with equipment from different vendors, as deployed worldwide at NPP sites [6].

Part 2 of IEC 62541 provides the security framework for OPC UA, the main aim of which is to provide security for the data exchanges facilitated by this architecture.

While there seems to be general acceptance of OPC UA as a part of Industry 4.0 and IoT, the final hard real-time communication protocols and the respective security solutions are still to emerge.

3 Portability of cyber security knowledge and features from nuclear to other industrial infrastructures

The subsequent sections exemplify some domains where solutions from the nuclear domain can be adapted and applied to other domains.

3.1 Joint functional safety and cyber security consideration

One benefit of IEC 62859:2016, as compared to generic safety & security related solutions, is its well delimited context of applicability for NPPs. The grading is well defined based on the maximum impact in the nuclear context. The transition between the safety states is also well understood due to comprehensive deterministic and probabilistic safety analyses.

These results from the functional safety experts can directly be leveraged by the security staff. This approach can be transferred and adjusted for other business domains. The security grading has to be adjusted to the possible impact levels in the respective business domain. Similarly, an analysis is needed, and feasible, of which security events can lead to a similar impact as the respective safety events (like equipment faults, failures of supporting assets, spurious actuations). Based on this mapping, a risk management process can be modified in order to adjust and justify the criticality assignment (assignment of security degrees to systems) and to apply complementary security controls.

3.2 Security grading

The generic information security standards like ISO/IEC 2700x define no security grading, also called security levels or levels of trust. Unfortunately, in some industries the grading may be defined based on criteria that may change over time. Thus, the strength of an attacker may change, while the impact will not change, or only in well-justified (and easily identifiable) circumstances, e.g. after a power up-rating of an NPP.

As for nuclear, by implementing a long-term stable impact-based grading approach, the overall risk management and security control adjustment requirements could be considerably reduced.

3.3 Security awareness training

Safety Culture and Security Culture have a long tradition in nuclear, see e.g. IAEA NSS 7 “Nuclear Security Culture” from 2008. With humans as the strongest and also the weakest link in the security chain, specific security training is essential. Such training can be adapted for other business domains and for different staff roles, like operators, service engineers, physical security staff, cyber security staff and management.

3.4 Strong preventive security controls

Often mimicking the activities of their counterparts in the office IT world, cyber security staff deploy network or host monitoring systems, like Network and Host Intrusion Detection Systems (IDS). These detective security controls may be the only option in an office IT environment, where the exact content, frequency and destination of messages sent via communication networks cannot be predicted. However, for nuclear and for many other industries, like process automation and discrete manufacturing, the data exchange is of a periodic nature, e.g. with fixed communication cycle times.

This allows the implementation of strong preventive security controls beyond baseline firewall filtering. In many cases, the network architecture may be adjusted to include Data Diodes as (preferably optical) Physically Unidirectional Security Gateways.

Applying these network architecture level improvements ensures reaching and maintaining the required target security degree. An example of a preventive security control is provided in Figure 7. On the left half of the figure, an automation system is shown in its standard configuration. On the right half of the figure, the automation system is protected by patented software called OPANASec. OPANASec is both a preventive and a detective measure against cyber-attacks on the automation system. It protects the system's integrity by detecting any read or write access to the automation system and announces it to the operator in the main control room, by means of a red traffic light for example. It also prevents information retrieval and any modifications of the automation system by locking read and write access.

Fig. 6. SIPLUG® OPC UA based example.

Fig. 7. Security control using patented software OPANASec. (Figure content: on the left, an automation system (PLC) with sensors, actuators and Ethernet, USB and WLAN communication interfaces in its standard configuration; on the right, the same automation system with OPANASec, where access is authorised by fingerprint, key lock, switch or other means and is reported by messaging, log file, alerts or other means.)
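The preventive control described above can be illustrated in code. The following is an added example, not code from the article, from AREVA or from OPANASec: a gateway that forwards a frame only if it matches an engineered expectation (peer pair, message type and communication cycle) and that locks write access unless a physical authorisation, such as the key lock or switch in Figure 7, has opened a maintenance window. Every decision is recorded so that the operator can be alerted. The device names, message kinds, cycle times and sample frames are constructed for the illustration.

```python
"""Allowlist-style preventive control for periodic automation traffic.

Added example, not code from the article, from AREVA or from OPANASec. It
illustrates that, where I&C traffic has fixed communication cycle times, every
frame can be checked against an engineered expectation (peer pair, message
type, cycle) and blocked by default, rather than only observed by an IDS.
Device names, message kinds, cycle times and the sample frames are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t_ms: int   # arrival time on a constructed millisecond clock
    src: str    # sending device
    dst: str    # receiving device
    kind: str   # message type, e.g. "CYCLIC_IO" or "WRITE_CONFIG"


@dataclass(frozen=True)
class Expectation:
    src: str
    dst: str
    kind: str
    period_ms: int      # nominal communication cycle
    tolerance_ms: int   # accepted jitter around the nominal cycle


class PreventiveGateway:
    """Forwards only frames that match the engineered communication matrix.

    Write-type messages have no cyclic rule; they pass only while a maintenance
    window has been opened by a physical authorisation (key lock or switch),
    and every decision is recorded for the operator.
    """

    WRITE_KINDS = {"WRITE_CONFIG", "DOWNLOAD_LOGIC"}   # constructed message kinds

    def __init__(self, expectations):
        self._rules = {(e.src, e.dst, e.kind): e for e in expectations}
        self._last_seen = {}        # rule key -> arrival time of last accepted frame
        self._maintenance = None    # (from_ms, until_ms) while a window is open
        self.events = []            # (t_ms, "ALLOW"/"BLOCK", reason)

    def open_maintenance_window(self, from_ms, until_ms):
        """Model the key-lock/switch authorisation that enables engineering access."""
        self._maintenance = (from_ms, until_ms)

    def _in_maintenance(self, t_ms):
        return self._maintenance is not None and self._maintenance[0] <= t_ms <= self._maintenance[1]

    def check(self, f):
        key = (f.src, f.dst, f.kind)
        if f.kind in self.WRITE_KINDS:
            # Modifications are locked unless physically authorised.
            if self._in_maintenance(f.t_ms):
                self.events.append((f.t_ms, "ALLOW", f"write {key} within maintenance window"))
                return True
            self.events.append((f.t_ms, "BLOCK", f"write {key} outside maintenance window"))
            return False
        rule = self._rules.get(key)
        if rule is None:
            # Flow not in the communication matrix: default deny.
            self.events.append((f.t_ms, "BLOCK", f"no rule for {key}"))
            return False
        prev = self._last_seen.get(key)
        if prev is not None and abs((f.t_ms - prev) - rule.period_ms) > rule.tolerance_ms:
            # Permitted flow, but off-cycle: treat as injected or replayed and alert.
            self.events.append((f.t_ms, "BLOCK", f"off-cycle {key}, gap {f.t_ms - prev} ms"))
            return False
        self._last_seen[key] = f.t_ms
        self.events.append((f.t_ms, "ALLOW", f"cyclic {key}"))
        return True


def run_sample():
    """Constructed traffic: a 100 ms cyclic flow, one off-cycle duplicate, two writes, one unknown peer."""
    gw = PreventiveGateway([
        Expectation("PLC-1", "SAS-HMI", "CYCLIC_IO", period_ms=100, tolerance_ms=10),
    ])
    frames = [
        Frame(1000, "PLC-1", "SAS-HMI", "CYCLIC_IO"),
        Frame(1100, "PLC-1", "SAS-HMI", "CYCLIC_IO"),
        Frame(1150, "PLC-1", "SAS-HMI", "CYCLIC_IO"),   # off-cycle: blocked
        Frame(1200, "PLC-1", "SAS-HMI", "CYCLIC_IO"),
        Frame(1210, "ENG-WS", "PLC-1", "WRITE_CONFIG"),  # before the window opens: blocked
        Frame(1300, "ENG-WS", "PLC-1", "WRITE_CONFIG"),  # inside the window: allowed
        Frame(1310, "UNKNOWN", "PLC-1", "CYCLIC_IO"),    # peer not in the matrix: blocked
    ]
    gw.open_maintenance_window(1250, 1400)   # key switch turned before the 1300 ms write
    decisions = [gw.check(f) for f in frames]
    return decisions, gw.events


if __name__ == "__main__":
    for event in run_sample()[1]:
        print(event)
```

The design point is that the periodic nature of the traffic turns the gateway from a detective into a preventive control: an off-cycle frame on an otherwise legitimate flow is rejected, not merely flagged, and writes are impossible without the physical authorisation.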

3.5 Forensic readiness

Reports on system intrusions and manipulations without a trace to the identity and location of hackers or threat agents are, in general, frequently published in technical magazines, but also more and more by commercial media. Typically, the reason for this is that no forensic-readiness-specific security controls are in place. Also, the implementation of the forensic readiness security controls (e.g. those related to log files) may not be adequate for the target security level.

As for nuclear, this can be improved by systematically performing attack tree analyses and assigning appropriate forensic readiness security controls in line with the security grading.

3.6 Incident response

While incident response to safety-related incidents has a long tradition in nuclear, cyber security incident management is currently the focus of the first IAEA-financed cyber security R&D with 14 international partners.

As one of the major partners in the IAEA Coordinated Research Proposal (CRP) J02008, AREVA NP, together with one of its German partner universities, can leverage the results for other business domains.

3.7 Security testing

The appropriate assignment of security controls based on continuous risk management is essential for achieving a high security posture. However, the implementation or configuration of some security controls may be flawed. Even more important, the implementation and configuration of the software- and FPGA-based systems may include vulnerabilities, some of which may be security relevant.

This mandates selective, prioritised, in-depth penetration and fuzz testing. We are currently working on an extensive R&D effort together with multiple German partner universities and several cyber security PhD candidates, as part of the partially BMWi-funded SMART-EST R&D project on “smart” (model based) cyber security testing. The respective results can be leveraged, as most of the six Industrial Automation platforms deployed in NPPs and analysed by the project are also deployed in other industries.

3.8 Security modelling

The I&C and ES architecture of NPPs comprises multiple distributed I&C systems that are built up from several subsystems and components. Modelling these systems together with models of the physical process (including pumps, valves, …) has been common practice for several decades. Typically, this includes simulators which run in real time or faster than real time. There are modelling approaches which include the security control definitions in existing 3D models (for physical security related security controls) and 2D models, e.g. for network architectures. These models support the systematic generation and analysis of attack trees, far beyond any paper-based manual analysis. This approach can be leveraged by using the same modelling framework (e.g. AutomationML from the Industry 4.0 context) for other business domains. The initial investment in defining the models is compensated not only by the more comprehensive analysis, but also by the opportunities that the models provide for training different staff and even for advertising security features of the customer's products.
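Sections 3.5 and 3.8 both rest on attack trees that are analysed systematically rather than on paper. The following added example, not code from the article or from AREVA, shows the two steps together: an AND/OR attack tree is expanded into its complete attack paths, and each path is checked for whether at least one of its steps would leave a record in a log source that the target security level deploys; paths that would leave no trace are the forensic readiness gaps. The tree, the log sources and the assignment of log sources to the BR/S3/S2/S1 levels are constructed assumptions, not the article's data.

```python
"""Forensic-readiness check over an attack tree, graded by security level.

Added example, not code from the article or from AREVA. It shows what
systematically performing attack tree analyses (section 3.8) and assigning
forensic readiness controls in line with the security grading (section 3.5)
look like in code. The tree, the log sources and which security level deploys
which log source are constructed assumptions.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    name: str
    gate: str = "LEAF"                     # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    evidence: frozenset = frozenset()      # log sources that would record this step (leaves)


def attack_paths(node):
    """Expand the AND/OR tree into the sets of leaf steps that each complete the attack."""
    if node.gate == "LEAF":
        return [frozenset([node.name])]
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in child_paths for p in paths]
    # AND: one path from every child is needed, so combine them pairwise.
    return [frozenset().union(*combo) for combo in product(*child_paths)]


def leaf_evidence(node, acc=None):
    """Map every leaf step name to the log sources that would record it."""
    acc = {} if acc is None else acc
    if node.gate == "LEAF":
        acc[node.name] = node.evidence
    for c in node.children:
        leaf_evidence(c, acc)
    return acc


def untraced_paths(tree, deployed_sources):
    """Attack paths on which no step would leave a record in any deployed log source."""
    ev = leaf_evidence(tree)
    return [p for p in attack_paths(tree) if not any(ev[s] & deployed_sources for s in p)]


# Constructed assumption: log sources each level deploys (BR lowest, S1 highest,
# as named for IEC 63096 in the article). Higher levels include the lower ones.
SOURCES_BY_LEVEL = {
    "BR": {"ws-auth-log"},
    "S3": {"ws-auth-log", "gateway-log"},
    "S2": {"ws-auth-log", "gateway-log", "plc-access-log"},
    "S1": {"ws-auth-log", "gateway-log", "plc-access-log", "switch-port-log", "media-integrity-check"},
}


def readiness_report(tree, level):
    """Return (number of attack paths, number of paths that would leave no trace) at a level."""
    paths = attack_paths(tree)
    return len(paths), len(untraced_paths(tree, SOURCES_BY_LEVEL[level]))


def sample_tree():
    """Constructed tree for 'unauthorised change of automation logic' with three routes."""
    download = Node("download logic to controller", evidence=frozenset({"plc-access-log", "gateway-log"}))
    via_workstation = Node("via engineering workstation", "AND", [
        Node("log on to engineering workstation", evidence=frozenset({"ws-auth-log"})),
        download,
    ])
    via_field_net = Node("via field network", "AND", [
        Node("attach device to field network", evidence=frozenset({"switch-port-log"})),
        download,
    ])
    via_update = Node("via update medium", "AND", [
        Node("alter update medium", evidence=frozenset({"media-integrity-check"})),
        Node("apply update to controller", evidence=frozenset({"plc-access-log"})),
    ])
    return Node("unauthorised change of automation logic", "OR", [via_workstation, via_field_net, via_update])


if __name__ == "__main__":
    tree = sample_tree()
    for lvl in ("BR", "S3", "S2", "S1"):
        print(lvl, readiness_report(tree, lvl))
```

Running the sample shows the grading effect directly: at the baseline level two of the three paths would leave no trace, at S3 one, and from S2 upward every path crosses at least one recorded step. The same expansion can be fed from a network model (e.g. one exported from a modelling framework) instead of being written by hand.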

3.9 Security asset management

Implicit asset identification is unavoidable in order to purchase and install the equipment. However, asset management in line with ISO 55000 and ISO/IEC 19770-x (four layers of maturity) is needed in order to leverage the relevant knowledge about assets. This is a precondition for correct patch management. It can be well applied in many industries.

3.10 Secure human-machine interaction

Main control rooms and I&C maintenance rooms equipped with HMI equipment are common for power plants and stringently regulated for NPPs, e.g. with regard to the explicit documentation for plant operators. Different solutions exist for secure human-machine interaction. One example is a Qualified Display System (QDS), which limits the functionality accessible to the operator. The respective security provisions may be transferred or adapted to other HMI-related user activities.

3.11 Domain specific application security controls

The semi-formal approach of the upcoming ISO/IEC 27034-x is applied to the nuclear context. A key concept is the Application Security Control (ASC). An ASC provides a semi-formal definition of a security control. It also includes an indication of the security grade that the ASC can meet, the status of the ASC implementation (e.g. whether verification and validation were completed), the role assignment according to RACI (Responsible, Accountable, Consulted, Informed) and the specification of links to other ASCs. AREVA NP even considers advanced features, like ASC inheritance, not yet included in the current ISO/IEC 27034-x standard versions.

As an example of the adaptation of the ASC concept, the default grading of 10 levels of trust has to be adjusted to the domain-specific grading, or a grading has to be introduced for the target domain. Additionally, the accompanying concepts of an Organization Normative Framework and an Application Normative Framework can be adapted. This is in line with the key concepts of ASCs, which promote the development and delivery of high-quality specialised ASCs by standards-conforming sub-suppliers.
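As an added illustration of the ASC attributes described above (example code, not from the article, AREVA NP or ISO/IEC 27034), the following Python sketch models an ASC with its trust level, V&V status, RACI roles and links, derives a specialised ASC by inheritance, adapts the 10 levels of trust to an assumed three-grade domain scheme (S1 to S3) and runs consistency checks over a small catalogue. All identifiers, grade cut-offs and ASC entries are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Assumed domain grading: levels of trust 8-10 -> S1 (most stringent), 5-7 -> S2, 1-4 -> S3.
DOMAIN_GRADES = ((8, "S1"), (5, "S2"), (1, "S3"))

def trust_level_to_domain_grade(level: int) -> str:
    """Adapt the ISO/IEC 27034 default grading (10 levels of trust) to domain grades."""
    if not 1 <= level <= 10:
        raise ValueError(f"level of trust must be 1..10, got {level}")
    return next(grade for threshold, grade in DOMAIN_GRADES if level >= threshold)

@dataclass(frozen=True)
class ASC:
    asc_id: str
    title: str
    trust_level: int                 # default ISO/IEC 27034 grading, 1..10
    status: str                      # e.g. "specified", "implemented", "verified", "validated"
    raci: dict                       # role -> RACI letters, e.g. {"plant operator": "A"}
    links: tuple = ()                # ids of related ASCs
    parent: Optional["ASC"] = None   # set when the ASC was derived by inheritance

    def domain_grade(self) -> str:
        return trust_level_to_domain_grade(self.trust_level)

def derive(parent: ASC, asc_id: str, **overrides) -> ASC:
    """ASC inheritance (not yet in ISO/IEC 27034-x): the child keeps every parent
    attribute unless overridden; links accumulate so no parent relation is lost."""
    links = tuple(dict.fromkeys(parent.links + tuple(overrides.pop("links", ()))))
    return replace(parent, asc_id=asc_id, parent=parent, links=links, **overrides)

def validate(catalogue: dict) -> list:
    """Pre-delivery checks: exactly one Accountable role per ASC, every link resolves,
    and a derived ASC does not weaken its parent's trust level (this example's rule)."""
    problems = []
    for asc in catalogue.values():
        accountable = [r for r, letters in asc.raci.items() if "A" in letters]
        if len(accountable) != 1:
            problems.append(f"{asc.asc_id}: {len(accountable)} Accountable roles, expected 1")
        problems += [f"{asc.asc_id}: link to unknown ASC {lk}" for lk in asc.links if lk not in catalogue]
        if asc.parent and asc.trust_level < asc.parent.trust_level:
            problems.append(f"{asc.asc_id}: trust level below parent ({asc.parent.trust_level})")
    return problems

def sample_catalogue() -> dict:
    """Constructed ASCs: generic authentication, an HMI specialisation derived from it,
    the display-system ASC it links to, and one deliberately defective entry."""
    auth = ASC("ASC-AUTH", "Operator authentication", 6, "verified",
               {"supplier": "R", "plant operator": "A", "authority": "I"})
    qds = ASC("ASC-QDS", "Restricted display functions", 8, "validated",
              {"supplier": "RA", "plant operator": "C"})
    hmi_auth = derive(auth, "ASC-AUTH-HMI", trust_level=9, links=("ASC-QDS",))
    weak = derive(auth, "ASC-AUTH-WEAK", trust_level=4, links=("ASC-MISSING",),
                  raci={"supplier": "A", "plant operator": "A"})
    return {a.asc_id: a for a in (auth, qds, hmi_auth, weak)}
```

Running `validate(sample_catalogue())` reports only the defective entry: two Accountable roles, a dangling link and a trust level below its parent, while the derived HMI control inherits status and RACI assignment unchanged.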

3.12 Advanced persistent threats

Targeted Advanced Persistent Threats (APT), like Stuxnet, are the most feared attack scenarios in any business domain. The combination of several of the aforementioned approaches, including comprehensive asset management, semi-formal modelling of the assets and supporting assets, semi-formal description of the Application Security Controls, targeted security testing, Forensic Readiness Security Controls and further security controls related to secure software development, will help to systematically increase the security posture and thus the effort an APT agent needs to spend. A similar APT analysis can be performed for other business domains, provided the above-listed preparations, like asset management and semi-formal modelling, are already in place or are implemented. The knowledge areas described above should be organised in different products and services offered to selected critical industries for efficient application. An example of how to implement this is shown in Figure 8.
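To make the model-based attack tree analysis of Section 3.8 and this section's argument about raising the effort an APT agent must spend concrete, here is an added Python example (constructed tree, controls and effort values; not the article's or AREVA NP's model): it computes the cheapest path through an AND/OR attack tree and ranks candidate security controls by how much each one alone raises that minimum effort.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf" | "and" | "or"
    effort: float = 0.0           # base attacker effort of a leaf (arbitrary units)
    children: list = field(default_factory=list)

# A security control is modelled by the extra effort it adds to each leaf it covers.
Controls = Dict[str, Dict[str, float]]

def min_effort(node: Node, applied: Controls) -> Tuple[float, List[str]]:
    """Cheapest way to reach a node: OR takes the cheapest child, AND sums all children,
    a leaf costs its base effort plus every applied control that covers it.
    Returns the effort and the leaves on that cheapest path."""
    if node.kind == "leaf":
        extra = sum(cover.get(node.name, 0.0) for cover in applied.values())
        return node.effort + extra, [node.name]
    results = [min_effort(child, applied) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")

def rank_controls(root: Node, controls: Controls, applied: Controls = None) -> List[Tuple[str, float]]:
    """What-if analysis: for each control not yet applied, how much does adding it alone
    raise the cheapest attack? Sorted by gain, so the defender sees where to invest first."""
    applied = dict(applied or {})
    baseline, _ = min_effort(root, applied)
    gains = []
    for name, cover in controls.items():
        if name not in applied:
            gains.append((name, min_effort(root, {**applied, name: cover})[0] - baseline))
    return sorted(gains, key=lambda g: -g[1])

def sample_tree() -> Node:
    """Constructed tree for an unauthorised setpoint change on an I&C system."""
    remote = Node("Reach I&C network", "and", children=[
        Node("Foothold on office network", effort=3),
        Node("Cross unfiltered network boundary", effort=2)])
    local = Node("Physical access to cabinet", effort=6)
    access = Node("Access to I&C system", "or", children=[remote, local])
    return Node("Unauthorised setpoint change", "and",
                children=[access, Node("Act with operator privileges", effort=1)])

# Constructed controls with assumed effort increases; the HMI entry mirrors the QDS idea.
SAMPLE_CONTROLS: Controls = {
    "segmentation gateway": {"Cross unfiltered network boundary": 5},
    "cabinet access control": {"Physical access to cabinet": 4},
    "HMI role separation (QDS)": {"Act with operator privileges": 4},
}
```

`rank_controls(sample_tree(), SAMPLE_CONTROLS)` ranks the HMI control first: it sits on a leaf every path must traverse, whereas hardening only the currently cheapest branch merely shifts the attacker to the physical-access branch and gains little.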

Summary

Monitoring agencies like the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the French National Agency for Information Systems' Security and the German Federal Office for Information Security (BSI) all record steep increases in cyberattacks on companies and institutions in general, and on critical infrastructures in particular. For example, the BSI reported an increase of 20 % in the number of known malicious program versions from 2015 to 2016, up to 560 million a year. Hence, the awareness of cyber security threats among the general public, as well as among legislators, power plant operators and their owners, is also on a steep rise. Preemptive cyber security measures not only avoid loss of revenues, costs of crisis management, costs of reimbursements and higher insurance premiums. They also avoid upcoming legal penalties for infringement of increasingly intransigent legislation.

AREVA NP's long-standing expertise in nuclear cyber security relies on in-depth knowledge of industrial and legislative requirements and of the corresponding companies' protection needs. As shown above, it applies to a great extent to any industrial infrastructure using control systems. Not only the energy sector, but also the manufacturing sector, the water and wastewater systems sector and the defense industrial base sector benefit from such expertise.


Fig. 8. Overview of cyber security portfolio (figure not reproduced). Items shown: Detection/Analysis of Threats; Implementation of Countermeasures; Surveillance & Tests*; System Hardening; Automation Security; Power System Management*; Physical Protection; Process Control Engineering; ISMS acc. to ISO/IEC 27000*; Security Simulations; Audit Support; Awareness Trainings*; under the headings Consulting & Service, Products & Solutions and Products Security & Service. (* in collaboration with partners)
