
This article has been accepted for publication in IEEE Access.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2023.3244991


Cyber Security Controls in Nuclear Power Plant by Technical Assessment Methodology
DAUN JUNG (1), JIHO SHIN (2), CHAECHANG LEE (3), KOOKHEUI KWON (4), and JUNG TAEK SEO (5)

(1) Department of Information Security Engineering, Gachon University, Seongnam 13120, South Korea (e-mail: daunj999@gmail.com)
(2) Police Science Institute, Korean National Police University, Asan 31539, South Korea (e-mail: suchme@police.go.kr)
(3) Korea Institute of Nuclear Nonproliferation and Control, Daejeon 34054, South Korea (e-mail: chiching@kinac.re.kr)
(4) Korea Institute of Nuclear Nonproliferation and Control, Daejeon 34054, South Korea (e-mail: vivacita@kinac.re.kr)
(5) Department of Computer Engineering, Gachon University, Seongnam 13120, South Korea (e-mail: seojt@gachon.ac.kr)

Corresponding author: Jung Taek Seo (e-mail: seojt@gachon.ac.kr).

This work was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (MSIT) (No. 2021-0-01806, Development of security by design and security management technology in smart factory, 45%), the Nuclear Safety Research Program through the Korea Foundation of Nuclear Safety (KoFONS) using the financial resource granted by the Nuclear Safety and Security Commission (NSSC) of the Republic of Korea (No. 2106058, 45%), and the Gachon University research fund of 2021 (GCU-202106330001, 10%).

ABSTRACT With the rapid increase in cyber attacks on industrial control systems, the significance of applying cyber security controls and evaluating security against such attacks has also increased. Among them, cyber attacks on nuclear power plants (NPPs) can cause not only economic loss but also human casualties. Thus, the application of cyber security controls is necessary for mitigating security threats, especially to NPPs. However, the information protection resources that would be needed to deploy uniformly all the controls required by cyber security regulations are currently limited. To overcome this challenge, effective cyber security controls need to be identified and adequate information protection resources must be allocated to each NPP. Although NPPs apply differential security controls according to their characteristics based on NEI 13-10 (Cyber Security Control Assessments), this alone is not only insufficient for reflecting the latest security threats, but also fails to confirm whether the security controls have actually mitigated such threats. To address this challenge, the Electric Power Research Institute (EPRI) developed the technical assessment methodology (TAM), which can be used to generate a quantitative score by assessing the effects of potential cyber attacks on an asset and the relevant security controls. This methodology allows differential security controls to be applied based on the score and makes it possible to identify whether the security controls have actually mitigated the risks. Considering this context, the purpose of this paper is to conduct a comparative analysis of the results derived from applying security controls and assessing risks using only NEI 13-10 as well as both NEI 13-10 and TAM on the plant protection system of the nuclear power reactor APR1400. Furthermore, this paper discusses the scope for subsequent research by addressing the limitations of the TAM and considerations for its use.

INDEX TERMS Control system security; Industrial control; Nuclear facility regulation; security

I. INTRODUCTION

With the widespread application of combined operational technology (OT) and information technology (IT) environments, an increase in cyber attacks on industrial control systems has been observed in recent times [1]–[7]. Under such circumstances, nuclear power plants (NPPs) may encounter not only economic losses, but also human casualties if they are cyberhacked. Some notable cyber attacks on NPPs have already taken place: Natanz in Iran (2010), Monju in Japan (2014), and the Nuclear Power Corporation of India Limited (NPCIL) in India (2019). In recent years, one of the most well-known cyber attacks on NPPs occurred when the centrifuges for nuclear development in Iran were destroyed by the Stuxnet worm, while the NPP network

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4

operation was interrupted by the malicious code discovered in the administrative network of the NPCIL in India. Notably, the influence of cyber attacks is greater on NPPs than on other industrial control systems, as they bear the potential to cause human casualties. Thus, cyber security is highly significant, and efforts should be made to minimize security threats to NPPs by identifying them, applying cyber security controls, and evaluating whether the applied security controls are routinely and correctly put in place.

Currently, the National Institute of Standards and Technology (NIST) provides technical guidance on risk management and assessment for IT systems [8]–[10], cyber security controls [11]–[13], and industrial control system security [14], [15]. Moreover, the International Atomic Energy Agency (IAEA), Nuclear Regulatory Commission (NRC), and Nuclear Energy Institute (NEI) have released technical guidance [16]–[22] on cyber security for digital systems within an NPP. However, despite all these provisions, it is difficult for nuclear licensees to satisfy all the criteria (e.g. NRC Regulatory Guide 5.71, NEI 08-09). Resources for protecting information are limited, while their features vary with each target environment. Therefore, the uniform application of all security requirements, as required by regulations, has the possibility of retaining security loopholes. This indicates that there is a necessity to identify and differentially apply relatively effective cyber security controls that can mitigate threats to assets.

A number of studies have been conducted on the subject of cyber security controls (Table I). Song et al. (2013) evaluated and discussed the applicability and effects of technical security requirements based on attack vector elements. Their study results proposed a methodology that grouped cyber security requirements into access control, monitoring and logging, and encryption according to the eight attack vector elements [23].

Meanwhile, Lee et al. (2018) proposed a method to quantitatively evaluate the efficiency of cyber security controls for NPPs based on the concept of intrusion-tolerant systems. They proposed the intrusion tolerance-based cyber security index (InTo-CSI), which configured an intrusion prevention strategy to protect a system from cyber attacks and also estimated the probability of strategy failure using the mean time-to-compromise (MTTC) model. In this study, cyber security control was evaluated by defining a reduction ratio for the probability of damage to the system caused by a cyber attack when using the method [24].

Furthermore, Lee et al. (2020) developed a model that quantitatively estimated the defective probability of cyber security controls using a modification of the software change entropy model, which analyzed the fault activation probability by considering the security control, digital device, and functional requirement group levels [25].

Shin et al. (2015) proposed a cyber security list model consisting of an activity quality analysis model for assessing the cyber security regulatory guides of nuclear business operators and an architecture analysis model for assessing the impact of system-specific vulnerability mitigation measures on cyber security, both of which are evaluated in an integrated manner. This method integrates two models into one using Bayesian networks, whose back-propagation characteristics provide information about the components that can respond to an occurring attack [26].

In addition to these studies, Alexey et al. (2018) proposed a cyber security formula-based risk evaluation method for critical national infrastructure (CNI) plants, where they considered not only information protection but also all available safety, security, and reliability controls. They employed cyber threat sources (I), barriers (B), and vulnerabilities (Vt) in the formula, which had the ability to compare the maximum and current levels specified in the cyber security policy [27].

Yasuyuki et al. (2018) identified the priority of threats by devising a method to quantitatively evaluate risks during the security design process of control systems. They proposed a risk assessment methodology for the risk scoring system (RSS), CWSS, based on the JASO TP15002 automation security guides. Their methodology exhibited better results in terms of risk score dispersion than those of CRSS, which is the JASO TP15002 risk assessment methodology [28].

Ioannis et al. (2021) proposed a method to quantitatively assess risks according to their threat probability and damage. To calculate the threat probability, a method to configure the adversary and attacker models was proposed, while damages were calculated according to objective priority and attack impact [29].

From the above discussion, it is evident that prior studies have primarily focused on implementing quantitative assessment methodologies to analyze the efficacy of security controls or to detect the probability of cyber threats. However, to identify and differentially apply relatively effective cyber security controls that can actually mitigate the threats to assets, both the effectiveness and impact of security controls on existing systems after their application must be taken into consideration. Furthermore, the degree of threat mitigation should also be easily identifiable.

Although NPPs apply differential security controls based on NEI 13-10 (Cyber Security Control Assessments) according to the characteristics of the assets, this alone is not only insufficient for reflecting the latest security threats, but also fails to confirm whether the security controls have actually mitigated the threats. To address this, the Electric Power Research Institute (EPRI) developed the technical assessment methodology (TAM), which can be used to calculate a quantitative score by assessing the impact of potential cyber attacks on an asset and the effectiveness of security controls. Moreover, it can also calculate the effects of the application of security controls on existing systems in the form of quantitative scores. Therefore, this methodology enables security controls to be applied based on the resulting score and makes it possible to identify whether the security controls have actually mitigated the risks. Considering this context, the purpose of this paper is to conduct a comparative analysis of the results generated on applying security controls and

TABLE I. Comparison of prior research

Type: Establishing the basis for applying cyber security controls

Song et al. (2013)
• The applicability and effects of technical security requirements are evaluated based on attack vector elements.
• Technical security requirements are grouped into three categories to conduct the evaluation.

Lee et al. (2018)
• The efficiency of cyber security controls in NPPs is quantitatively evaluated.
• Evaluation was performed based on the proportion of damage probability reduction from a cyber attack on a target system.

Lee et al. (2020)
• The fault activation possibilities of cyber security controls are quantitatively evaluated.
• Fault activation probabilities are analyzed considering the security control, digital device, and functional requirement group levels.

Shin et al. (2015)
• The impact of compliance with cyber security regulatory guidelines and mitigation measures for system-specific vulnerabilities on cyber security are evaluated in an integrated manner.
• Activity quality analysis and architecture analysis models are integrated using Bayesian networks.

Type: Cyber risk assessment methodology

Alexey et al. (2018)
• Cyber security risk assessment is performed based on a formula that takes threat sources, barriers, and vulnerabilities into consideration.
• The maximum and current levels specified in cyber security policies can be compared.

Yasuyuki et al. (2018)
• Quantitative risk assessment is performed when designing security for control systems.
• The RSS-CWSS risk assessment methodology is proposed based on JASO TP15002.
• RSS-CWSS is performed using 11 metrics that are categorized into basic findings, attack surfaces, and environmental factors.

Ioannis et al. (2021)
• Quantitative risk assessment is performed according to threat probability and damage.
• Risk assessment is performed according to the attack scenario.

assessing risks when using only NEI 13-10 as well as using both NEI 13-10 and TAM on the plant protection system of the nuclear power reactor APR1400. Furthermore, additional considerations that should be taken into account when TAM is applied along with NEI 13-10 are proposed.

The remainder of this paper is structured as follows. Part 2 is dedicated to presenting the background of NEI 13-10 and TAM. Following this, Part 3 describes the assets and network structure of the plant protection system of an NPP, which is the target environment for applying the proposed methodology. Part 4 illustrates the results of security control on using only NEI 13-10 as well as on using it along with TAM. Next, Part 5 offers a comparative analysis of the results of a risk assessment analysis performed on two different cases. Part 6 proposes certain considerations that need to be taken into account when applying TAM with NEI 13-10. Finally, Part 7 concludes the study and provides directions for subsequent research.

II. BACKGROUND

This section describes the general process of applying the differential security controls of NEI 13-10 and TAM.

A. NEI 13-10

The NEI 13-10 provides guidance on the assessment of cyber security controls that have been approved by the Nuclear Regulatory Commission (NRC). It is a methodology for the application of differential cyber security controls by critical digital asset (CDA) type in terms of their consequences. A CDA that has a low consequence is called a non-direct CDA, while that which has a high consequence is referred to as a direct CDA. The former is further divided into indirect CDA, balance of plant CDA (BOP CDA), and emergency preparedness CDA (EP CDA) based on specific criteria. Notably, baseline cyber security controls are applied to prevent attack vectors. Furthermore, a direct CDA classifies asset types according to their hardware and characteristics (i.e., A.1–B.3), as well as whether a technical security control can be applied by the asset type. Furthermore, alternative security controls are evaluated. Since the evaluation of cyber security controls requires specific information, such as the presence or absence of an interface that can be accessed by a user, communication hardware or software, peripherals, interfaces, and ports, etc., technical security controls (Appendix D) as well as operational and management security controls (Appendix E) of the NEI 08-09 are differentially applied. Overall, the aim of NEI 13-10 is to ensure that nuclear licensees apply cyber security controls efficiently and effectively [21], [30], [31].

B. TECHNICAL ASSESSMENT METHODOLOGY

The TAM is a method developed by the EPRI for evaluating and applying cyber security controls in power plants. It employs a risk-informed differential approach, which identifies possible cyber attacks by reviewing the technical composition of assets and then applies effective security controls to the actual attack surface [32]–[35]. This method is composed of three steps that serve to selectively verify whether regulatory requirements are observed. The first step (Step 1) is to characterize attack surfaces by analyzing assets and then identify the exploit sequence. In Step 2, security controls that can be applied to the asset are identified and scored according to the TAM criteria. The target level for each exploit sequence is also established in this step. Subsequently, security controls are allocated until their total score (the combined security effectiveness score) reaches the target level. However, if the target level cannot be reached even after allocating the security control, a shared security control that can maintain

FIGURE 1. Step 1: characterize the attack surface and identify the exploit sequence

FIGURE 2. Step 2: engineered security control method identification, scoring, and allocation

a connectivity/spatial/programmatic relationship with other assets is allocated in Step 3 until the score reaches the target level. These steps are explored in further detail below.

1) TAM STEP 1

In Step 1, the functions and characteristics of the assets are analyzed to limit the assessment scope, and the features of the attack surface are identified to derive an exploit sequence (Fig. 1). To limit the scope of assessment, analyses of asset composition, asset decomposition, technical installation availability (TIA) level, installed configuration, data flow, and critical data are conducted. After this, the attack surfaces are categorized according to their characteristics. Lastly, an exploit sequence composed of attack pathways, exploit objectives, and exploit mechanisms is drawn out based on the attack surface.

2) TAM STEP 2

In Step 2 of the TAM, security controls that are applicable to the assets are first identified and scored and then allocated to the exploit sequences until the combined security effectiveness score exceeds the target level (Fig. 2). First, the target level, which refers to a potential attack result level associated with the exploit sequence, is established. It should be noted that this also serves as the criterion to allocate security controls. This target level can be categorized from A to E; the larger the potential attack results, the closer the target level approaches A (i.e., A ≥ 3.30 > B ≥ 2.60 > C ≥ 2.00 > D ≥ 1.30 > E ≥ 0.70). Subsequently, the security control that can be applied to the asset can be identified by calculating its (1) security effectiveness score and (2) efficacy score based on its security functions (i.e., Protect, Detect, Response & Recover).

(1) The security effectiveness score is used to determine the level of mitigation of the exploit sequence, calculated within the range of 0.10 to 3.00 according to implementation effectiveness and exploit difficulty. Furthermore, implementation effectiveness is divided into implementation type (i.e., administrative, operational, and technical) and security function, while exploit difficulty is divided into configuration, information, authentication, and persistence. As the score increases, the corresponding mitigation level of the exploit also increases. This security control scoring method is configured as a means to calculate quantitative results through qualitative evaluations.

(2) The efficacy score is used to evaluate the suitability of the security control application, calculated in terms of 1 to 5 according to security effectiveness and implementation burden. The latter is further classified to also consider the initial implementation burden, i.e. the burden on the operation or assets associated with NPPs on the initial implementation of security controls. Meanwhile, operations and maintenance burden refers to the burden on the operations or assets of NPPs to maintain and support the security controls applied to the assets.

In addition, if there is a collision between the assets or system operations when applying security controls, it is evaluated as a conflict. Moreover, the larger the efficacy score, the more suitable the corresponding security control. In other words, if the efficacy score is 1 or 2, another security control should be considered for application. Once both the target level and security control score are calculated, security controls are allocated until the combined security effectiveness score surpasses the target level. However, in cases where this score is below the target level, the respective exploit sequence is termed the residual exploit sequence, which is mitigated in Step 3.

3) TAM STEP 3

In Step 3, the relationship between assets is grouped into relationship sets (i.e. connectivity, spatial and programmatic) to mitigate the residual exploit sequence. The shared security controls that can be applied to the assets in the relationship sets are identified, scored, and then allocated to the residual exploit sequence (Fig. 3). After the shared security controls are identified and scored, they are allocated to the exploit sequence until they exceed the target level.

III. TARGET NPP SYSTEM ANALYSIS

Part 3 of the TAM involves establishing a target to be allocated with security controls by using the relevant methodology and performing a risk assessment on the targets having no allocated security controls. The target in this study is a plant protection system that is one of the safety systems of the NPP model APR1400, a reactor trip-related system [36]–[42]. The asset, network diagram, and data flow are defined

to configure the plant protection system. Subsequently, the security status is checked before allocating a security control by performing an initial risk assessment on the target based on the NIST SP 800-30 risk assessment method [9].

A. DEFINITION OF THE ASSETS

The target plant protection system is configured with bistable processor PLC (BP PLC), coincidence processor PLC (CP PLC), interface and test processor PLC (ITP PLC), and maintenance and test panel PC (MTP PC) (Table II). Moreover, the components that communicate with the plant protection system are configured with auxiliary process cabinet-safety (APC-S), reactor trip switchgear system (RTSS), engineered safety feature-component control system (ESF-CCS), human machine interface (HMI), information processing system (IPS), and engineering workstation server (EWS) (Table III).

B. NETWORK DIAGRAM AND DATA FLOW

An NPP network is configured with DMZ, enterprise server farm, enterprise network, iDMZ, control network, and plant protection networks 1 and 2 (Fig. 4). Furthermore, the plant protection system is divided into two networks, while the HMI and EWS are both located within the control network. The data flow between each of the assets defined in Section 3.1 is depicted in Table IV.
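As an added example (not code from the paper or from EPRI's TAM), the following Python models the Step 2 allocation loop of Section II.B and the Step 3 hand-off of residual exploit sequences, using the target-level thresholds and score ranges quoted there. It assumes that the combined security effectiveness score is a plain sum of the allocated controls' scores, that the Step 2 score carries over into Step 3, and that all control names and scores are constructed sample data.

```python
# Added example (not from the paper or EPRI): a simplified model of the TAM
# Step 2 control allocation loop and the Step 3 hand-off for residual exploit
# sequences. Target-level thresholds and score ranges are the paper's; the
# combination rule (plain sum of security effectiveness scores), the Step 3
# carry-over of the Step 2 score, and every sample control are assumptions.
from dataclasses import dataclass, field

# Target levels quoted in the paper: A >= 3.30 > B >= 2.60 > C >= 2.00 > D >= 1.30 > E >= 0.70
TARGET_LEVEL_THRESHOLD = {"A": 3.30, "B": 2.60, "C": 2.00, "D": 1.30, "E": 0.70}
SECURITY_FUNCTIONS = ("Protect", "Detect", "Response & Recover")


@dataclass(frozen=True)
class SecurityControl:
    name: str
    security_function: str
    effectiveness: float      # security effectiveness score, 0.10 .. 3.00
    efficacy: int             # efficacy score, 1 .. 5
    conflicts: bool = False   # collides with asset or system operations

    def __post_init__(self):
        if self.security_function not in SECURITY_FUNCTIONS:
            raise ValueError(f"unknown security function: {self.security_function}")
        if not 0.10 <= self.effectiveness <= 3.00:
            raise ValueError("security effectiveness score must lie in 0.10..3.00")
        if not 1 <= self.efficacy <= 5:
            raise ValueError("efficacy score must lie in 1..5")


@dataclass
class ExploitSequence:
    name: str
    target_level: str                          # "A" .. "E"
    allocated: list = field(default_factory=list)
    combined_score: float = 0.0                # combined security effectiveness score

    @property
    def target_threshold(self) -> float:
        return TARGET_LEVEL_THRESHOLD[self.target_level]

    @property
    def mitigated(self) -> bool:
        # The paper says "reaches"/"surpasses"; >= matches its threshold notation.
        return self.combined_score >= self.target_threshold


def is_eligible(control: SecurityControl) -> bool:
    # Paper: an efficacy score of 1 or 2 means another control should be
    # considered, and a collision with operations is evaluated as a conflict.
    return control.efficacy >= 3 and not control.conflicts


def allocate(sequence: ExploitSequence, candidates) -> ExploitSequence:
    """Allocate eligible controls (highest efficacy, then effectiveness, first)
    until the combined score reaches the target level. Works for both the
    Step 2 engineered controls and the Step 3 shared controls."""
    ranked = sorted((c for c in candidates if is_eligible(c)),
                    key=lambda c: (c.efficacy, c.effectiveness), reverse=True)
    for control in ranked:
        if sequence.mitigated:
            break
        sequence.allocated.append(control.name)
        sequence.combined_score = round(sequence.combined_score + control.effectiveness, 2)
    return sequence


def residual_sequences(sequences):
    """Names of exploit sequences still below their target level after Step 2."""
    return [s.name for s in sequences if not s.mitigated]


# Constructed sample data for the BP PLC (names and scores are assumptions).
ENGINEERED_CONTROLS = [
    SecurityControl("Portable/mobile device control", "Protect", 1.20, 4),
    SecurityControl("Control-logic change monitoring", "Detect", 0.90, 3),
    SecurityControl("Remote configuration lockdown", "Protect", 0.80, 2),       # efficacy too low
    SecurityControl("EWS authentication hardening", "Protect", 0.70, 4, True),  # conflicts with operations
    SecurityControl("Firmware integrity verification", "Detect", 0.60, 3),
]
SHARED_CONTROLS = [  # connectivity relationship set, considered only in Step 3
    SecurityControl("Control-network intrusion detection", "Detect", 0.70, 3),
]


def run_assessment():
    """Step 2 on two exploit sequences, then Step 3 on whatever is residual."""
    step2 = [allocate(ExploitSequence("ES-1 logic download via unauthorized laptop", "B"), ENGINEERED_CONTROLS),
             allocate(ExploitSequence("ES-2 data forgery via maintenance provider", "A"), ENGINEERED_CONTROLS)]
    residual = residual_sequences(step2)
    for seq in step2:
        if seq.name in residual:
            allocate(seq, SHARED_CONTROLS)   # Step 3: shared controls top up the score
    return step2, residual


if __name__ == "__main__":
    for seq in run_assessment()[0]:
        print(f"{seq.name}: {seq.combined_score:.2f} vs {seq.target_threshold:.2f} -> "
              f"{'mitigated' if seq.mitigated else 'residual'} {seq.allocated}")
```

With the sample scores, ES-1 (target level B) is covered by three engineered controls in Step 2, while ES-2 (target level A) is residual until the shared connectivity control is added in Step 3.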

FIGURE 3. Step 3: shared security control method identification, scoring, and allocation

FIGURE 4. The plant protection system

TABLE II. Description of the elements in the plant protection system

BP PLC
• Determines the trip after comparing received data with set points
• Sends the trip signal to the CP PLC when the set point is exceeded

CP PLC
• Performs coincidence logic after receiving the BP PLC value
• Transmits the trip initiation signal to the reactor trip switchgear system (RTSS) based on operations
• Transmits the engineered safety feature actuation system (ESFAS) initiation value to the engineered safety feature-component control system (ESF-CCS)

ITP PLC
• Acts as the data communication gateway
• Monitors safety system status and provides information to the qualified indication and alarm system (QIAS)

MTP PC
• Indicates status information about PLC variables
• Used for manual monitoring tests
• Provides control and maintenance functions
• Provides information for diagnosing maintenance and tests to the information processing system (IPS)

TABLE III. Roles and characteristics of assets connected to the plant protection system

APC-S
• Sends the measured value of the safety field sensor to the BP PLC

RTSS
• Determines the trip

ESF-CCS
• Generates ESF activation signals and starts the ESF system
• Controls the valve, pump, and heater

HMI
• Displays the status of the PLC variables
• Carries out control and maintenance functions

IPS
• Provides real-time and stored information to the operator

EWS
• Uploads/downloads the control logic to/from the PLC
• Downloads firmware on the PLC


TABLE IV. Data exchanged between virtual test-bed components

CPM, APC-S → BP PLC
• Status information of process parameters (pressure and pump speed)

BP PLC → CP PLC
• Trip determination information

BP PLC ↔ ITP PLC
• BP → ITP: BP status information and test results; status information; process parameters
• ITP → BP: set point to determine a trip; process parameter-setting information

CP PLC ↔ ITP PLC
• CP → ITP: CP status information and test results; status information
• ITP → CP: set point to determine the trip and ESFAS initiation

BP PLC, CP PLC ↔ EWS
• BP PLC, CP PLC → EWS: ladder logic; local address and communication parameters
• EWS → BP PLC, CP PLC: control logic; local address and communication parameters; password for authentication

ITP PLC ↔ HMI & MTP PC
• ITP → HMI, MTP: ITP collection information (process parameter status information)
• HMI → ITP: set point to determine a trip; trip breaker control data (reset)

MTP PC → IPS
• MTP collection information

CP PLC → RTSS
• Trip initiation signal

CP PLC → ESF-CCS
• ESFAS initiation signal

TABLE V. Initial risk assessment results (before applying controls)

Threat Event
  (1) Data forgery or alteration through portable and mobile devices
  (2) Data forgery or alteration through a maintenance service provider

Assessment item                                        (1)          (2)
Threat Sources                                         Adversarial  Adversarial
Threat Source Characteristics: Capability              Moderate     Moderate
Threat Source Characteristics: Intent                  High         High
Threat Source Characteristics: Targeting               High         High
Relevance                                              Confirmed    Confirmed
Likelihood of Attack Initiation                        High         High
Vulnerabilities and Predisposing Conditions: Severity  Moderate     Moderate
Vulnerabilities and Predisposing Conditions: Pervasiveness  Very High  Very High
Likelihood of Success of the Initiated Attack          Very High    Very High
Overall Likelihood                                     Very High    Very High
Level of Impact                                        High         High
Risk                                                   High         High

C. TARGET RISK ASSESSMENT

Since it is important to first check the security status before allocating security controls, an initial risk assessment should be performed on the target based on the assessment criteria of NIST SP 800-30 Revision 1. In this paper, a risk assessment is performed on the BP PLC1 of the plant protection system because both NEI 13-10 and TAM-specific assets are considered for identifying and allocating a security control. In this context, two risks pertaining to the BP PLC are identified: (1) "PLC control logic is downloaded on an unauthorized laptop installed with EWS" and (2) "data forgery after accessing the system through a maintenance service provider." Moreover, the risk assessment results showed that both risks were "High" level ones (Table V).

IV. APPLICATION OF SECURITY CONTROL USING NEI 13-10 AND TAM

This study compared and analyzed the results of allocating security controls using only NEI 13-10 (Case 1) and using both NEI 13-10 and TAM (Case 2) on the BP PLC1 of the plant protection system.

A. CASE 1: APPLICATION OF SECURITY CONTROL USING NEI 13-10

The NEI 13-10 allocates security controls according to the type of asset, as described in Section 2.1. On classifying the target asset based on the CDA type classification criteria of NEI 13-10 (Table VI), it is concluded that it belongs to the category of direct CDAs because (1) the BP PLC does not support emergency response alone, (2) it can have adverse effects on other linked safety CDAs in the event of a cyber attack, and (3) any damage or malfunction in the target asset can have adverse effects on safety functions. Furthermore, the results of identifying the detailed type of direct CDA revealed that it belongs to the B.3 category [21], according to the class description noted in APPENDIX D of NEI 13-10 (Table VII).

A total of 10 security controls, based on NEI 13-10, were identified for direct allocation to the target asset belonging to the B.3 category of direct CDAs. The operation methods for each of these security controls are defined in Table VIII [19].

B. CASE 2: APPLICATION OF SECURITY CONTROLS USING NEI 13-10 AND TAM

Additional security controls not identified in Section 4.1 are identified using TAM. This application process begins with Step 1, with the identification of the attack surface characteristics and the exploit sequence based on the composition, decomposition, and TIA levels (Table IX). Among the identified exploit sequences, the one related to the two

TABLE VI. NEI 13-10 CDA type and criteria of classification

Direct CDA
• CDAs except for non-direct CDAs

Non-Direct CDA: Indirect CDA
• Even if the corresponding assets are compromised, it does not adversely affect safety or security functions
• CDA for which users have alternative means
• Performs important parts of safety functions

Non-Direct CDA: Balance of Plant (BOP) CDA
• Only the No. 5 question is relevant out of the questions about major systems that are important to safety provided in section 5 of NEI 10-04.
  − (No. 5 question) Structure, system, or component in the balance of plant that could directly or indirectly affect the reactivity of NPPs and could result in an unplanned reactor shutdown or transient.
• A cyber attack on the CDA has no adverse impact on safety CDAs.

Non-Direct CDA: Emergency Preparedness (EP) CDA
• Independent means that performs the emergency preparedness function
• Only EP functions are supported; other safety and security functions are not performed or supported.

TABLE VII. Determination criteria and results of direct CDA for the target

Class | Description | B.2 | B.3 | Target CDA
Software attributes | Program code | Impossible code change and insertion | Possible code change and insertion | B.3
Software attributes | Configuration change | Use of maintenance tools | Use of maintenance tools; Changeable from locally and remotely | B.3
Software attributes | Externally accessible | File system accessible externally from X | File system accessible externally from X; Possible large-capacity data extraction, file system configuration load, and storage | B.3
Software attributes | Firmware update | Impossible firmware update | Possible firmware update & replacement | B.3
Software attributes | Communication configuration & program modification | Use of industrial protocols; Communication functions do not change; Impossible code/command modification and code insertion | Use of industrial protocols; Possible function & configuration change | B.3
Hardware attributes | Console port / command line interpreter | Local console ports & command-line interpreters not provided | Local console port & command-line interpreter provided | B.2
Hardware attributes | Bulk storage | Possible large-capacity storage; Impossible external access | Possible large-capacity storage; Possible external access | B.2
Hardware attributes | Serial communication interface | Use of RS-232, RS-422, and RS-485 interfaces; Use of vendor proprietary HW interface | Use of RS-232, RS-422, and RS-485 interfaces | B.2

TABLE VIII. List of cyber security controls applied through NEI 13-10

Security control | Description and operation method (summary)
Identity and Access Management | Only the administrator can access the PLC and limits the number of failed login attempts; Carries out authentication when uploading/downloading the control logic (password); Sends a notification in the case of access control monitoring and unauthorized access
Physical Access Control | Responsible for cabinet lock and communication cable storage; Prevents cable tampering
Disable Unused Ports | Identifies and disables unused ports
Lock Session | Sets the session timeout; Performs continuous user authentication
Mobile Device Access Management | Controls and monitors mobile device access; Checks whether devices linked to the assets are connected to another asset or network; Checks for malicious codes on the device
Maintenance Tools | Checks if the maintenance tool is linked to another device or network; Monitors maintenance tools; Checks maintenance tool integrity
Audit Event Log | Logs and analyzes audit events
Identify and Document Asset | Documents asset identification and modifications; Identifies and logs the other assets communicating with this asset
Monitor Insider Activity | Documents devious activities and checks integrity; Collects and logs user activity audits
Data Integrity Verification | Tests the software and data integrity

TABLE IX. Exploit sequence of BP PLC (part)

Exploit sequence identifier | Attack pathway | Exploit objective | Exploit mechanism
E04.A02.N4 | Mobile media and device access using RS-232C port | Stored OEM-defined program/configuration data forgery or alteration | A malicious control logic is downloaded using a laptop installed with the EWS SW
E04.A03.N3 | Network access using RS-485 port | Stored OEM-defined program/configuration data forgery or alteration | The system is accessed by bypassing the maintenance service provider and the settings on the MTP PC are modified
E08.A05.N2 | Network access using RS-485 port | Denial of Service (DoS) | A DoS attack is launched using the points of contact connected to an external network, leading to CVE vulnerability

TABLE X. Results of scoring NEI 13-10 security controls (P = Protection, D = Detection, RR = Response & Recovery)

Identifier | Security control | Security effectiveness score (P / D / RR) | Efficacy score (P / D / RR)
M1 | Identity and Access Management | 2.49 / 2.49 / - | 3 / 3 / -
M2 | Physical Access Control | 2.51 / 2.01 / - | 4 / 4 / -
M3 | Disable Unused Ports | 2.51 / 2.01 / - | 4 / 4 / -
M4 | Lock Session | 2.49 / 1.99 / - | 4 / 3 / -
M5 | Mobile Device Access Management | 2.43 / 2.43 / - | 4 / 4 / -
M6 | Maintenance Tools | 1.83 / - / - | 3 / - / -
M7 | Log Audit Events | - / 2.09 / 2.59 | - / 4 / 4
M8 | Identify and Document Asset | 1.01 / 1.01 / 1.01 | 3 / 3 / 3
M9 | Monitor Insider Activity | - / 2.49 / 2.49 | - / 3 / 3
M10 | Data Integrity Verification | - / 1.44 / 1.07 | - / 4 / 3

types of threats identified in Section 3.3, as well as the exploit sequence newly identified in TAM Step 1, are configured. Exploit sequences are as follows: 1) The attacker can download the control logic by directly accessing the asset if he/she has access to a laptop installed with an EWS SW exclusive to the asset, 2) The attacker can bypass the maintenance service provider to access the MTP PC and modify its asset settings, and 3) The attacker can launch a DoS attack when the asset is connected to an external network as a result of administrative fault or a firmware version with CVE vulnerability that makes it possible to launch a DoS attack [43]–[52].

Next, the target level for the exploit sequence is fixed. In this study, the target level is A (3.30 or higher) because the concerned asset falls within the direct CDA category.

Before identifying the security control in Step 2, it first needs to be verified whether the exploit sequence can be mitigated by the security control identified by NEI 13-10. Therefore, the security control of NEI 13-10 needs to be scored (Table X) and then allocated to the exploit sequence (Table XI). The results of this exercise indicate that there are some limitations to mitigating the exploit sequence using NEI 13-10 security controls alone.

Additionally, the security controls in TAM Step 2 are identified, scored, and allocated with the purpose of mitigating the exploit sequence (Table XII and Table XIII) [17], [18], [52], [53]. The results of allocating the security controls of the TAM exhibit the successful mitigation of all exploit sequences, except one.

Moreover, to identify the TAM shared security control that can mitigate the residual exploit sequence E08.A05.N2, the relation set and NEM of the target asset are identified. Based on this, three shared security controls that can be allocated to the asset are identified and scored (Table XIV) [17], [18], [52], [53]. Subsequently, the shared security controls for mitigating the residual exploit sequence E08.A05.N2 are allocated (Table XV). Furthermore, it allows confirmation of whether all the exploit sequences have been mitigated.

C. COMPARISON OF RESULTS AFTER ALLOCATING SECURITY CONTROLS IN CASE 1 AND CASE 2

The evaluation of the results on allocating security controls to Cases 1 and 2 suggests that those allocated in Case 2 provide more favorable results (Table XVI). A comparison of Cases 1 and 2 shows that the TAM exhibits five significant advantages: 1) It can identify threats that could not be identified in the past. While new threats have not been identified, aside from those detected during the initial risk assessment in Case 1, Case 2 shows that additional threats (the possibility of service denial because of the asset's usage of a firmware version with DoS vulnerability when connected to an external network) can be detected in the process of identifying the exploit sequence of TAM Step 1, 2) Security controls not mentioned in NEI 13-10 can be identified by the TAM. In Case 2, the degree of exploit sequence mitigation was verified by scoring and allocating NEI 13-10 security controls. The results showed that while there are limitations to this mitigation, the TAM can further mitigate this exploit sequence by using the additionally identified and shared security controls. 3) The security controls of NEI 13-10 can be scored (effectiveness score) to accurately identify and replace
TABLE XI. Result of allocating NEI 13-10 security controls to the BP PLC

Exploit sequence identifier | Security function | Target level | Combined security effectiveness score | Mitigation status | Allocated security controls
E04.A02.N4 | Protection | A (above 3.30) | 4.19 | O | M2, M3
E04.A02.N4 | Detection | A (above 3.30) | 4.15 | O | M1, M9
E04.A02.N4 | Response & Recovery | A (above 3.30) | 4.25 | O | M7, M9
E04.A03.N3 | Protection | A (above 3.30) | 1.83 | X | M6
E04.A03.N3 | Detection | A (above 3.30) | 3.57 | O | M7, M10
E04.A03.N3 | Response & Recovery | A (above 3.30) | 3.79 | O | M7, M10
E08.A05.N2 | Protection | A (above 3.30) | 1.01 | X | M8
E08.A05.N2 | Detection | A (above 3.30) | 1.01 | X | M8
E08.A05.N2 | Response & Recovery | A (above 3.30) | 1.01 | X | M8

TABLE XII. Identification and scoring of TAM security controls

Identifier | Security control | Description and operation method (summary) | Security effectiveness score (P / D / RR) | Efficacy score (P / D / RR)
M11 | Manage External Network Connections | Checking for external network connections through Shodan; Changing settings to disable external network connections | 2.50 / 1.62 / 1.62 | 4 / 3 / 3
M12 | Install HIDS | Installing host IDS | - / 2.59 / 2.09 | - / 4 / 4
M13 | Dual PLC | Configuring PLC in terms of primary/secondary; Recovering the primary device when the secondary device is operational | - / - / 2.49 | - / - / 3
M14 | Monitor PLC Operation | Monitoring PLC operations | - / 2.49 / 1.99 | - / 4 / 3
M15 | Manage Password for Control Logic Download | Changing the password to download the default control logic | 1.99 / 1.61 / - | 4 / 4 / -
M16 | Back Up Data | Backing up the data on the PLC | 1.88 / 1.88 / 2.39 | 3 / 3 / 4
M17 | Manage Software and Firmware Installation | Performing an integrity test when installing the software and firmware | 2.09 / 2.59 / 2.09 | 4 / 4 / 4
M18 | Manage Device and Network Vulnerability | Assessing the device and network vulnerability | 1.62 / 1.99 / 1.62 | 2 / 2 / 2
M19 | Supply Chain Security | Blocking access outside designated hours | 2.17 / 1.29 / - | 3 / 3 / -

TABLE XIII. Results of allocating additional TAM security controls to the BP PLC

Exploit sequence identifier | Security function | Target level | Combined security effectiveness score | Mitigation status | Allocated security controls
E04.A03.N3 | Protection | A (above 3.30) | 1.83 → 3.39 | O | M19
E04.A03.N3 | Detection | A (above 3.30) | 3.57 | O | -
E04.A03.N3 | Response & Recovery | A (above 3.30) | 3.79 | O | -
E08.A05.N2 | Protection | A (above 3.30) | 1.01 → 4.34 | O | M11, M17
E08.A05.N2 | Detection | A (above 3.30) | 1.01 → 2.67 | X | M18
E08.A05.N2 | Response & Recovery | A (above 3.30) | 1.01 → 4.53 | O | M13, M16

those security controls that can weigh down the operation of the target environment. In this study, the security controls in Case 2 were not replaced by those in NEI 13-10 because the former had a lower effectiveness score than the latter. However, we confirmed that other security controls that can replace the current ones can also be allocated in the case that a security control in NEI 13-10 with a low effectiveness score is allocated. 4) It was noted that security controls can be allocated and threats mitigated over a broader range by identifying relationship sets. NEI 13-10 has limitations when it comes to identifying security controls because the relationship between the respective asset and other assets cannot be recognized. However, TAM can mitigate threats by applying not only the security controls that can be directly allocated to the asset, but also the ones that can be allocated to other related assets. 5) Lastly, the quantitative degree of threat mitigation can be identified to adjust the allocation of security controls while using TAM. Since TAM can be used to verify whether a threat has been mitigated by comparing the quantitative target level and the total score (the combined security effectiveness score) of the security controls, one can selectively allocate the identified security controls instead of allocating all of them.

V. ANALYSIS OF RISK ASSESSMENT RESULTS

An assessment of the threats identified in Section 3.3 and the additional threats identified using TAM in Section 4.2 indicates a total of three types of threats—(1) downloading PLC control logic using a laptop installed with EWS, (2) data accessed and forged/modified by bypassing the maintenance service provider, and (3) launching a DoS attack by taking advantage of CVE vulnerability through a contact point
TABLE XIV. Identification and scoring of BP PLC shared security controls

Identifier | Shared security control | Description and operation method (summary) | Security effectiveness score (P / D / RR) | Efficacy score (P / D / RR)
S1 | Firewall setup using the white list | Providing ACLs based on the white list (performing media access control address filtering); Analyzing traffic monitoring and performing intrusion detection | 2.59 / 2.59 / 2.09 | 4 / 4 / 4
S2 | Abnormal traffic detection | Analyzing network traffic and detecting abnormal traffic; Analyzing IP, MAC, and OP codes | - / 2.58 / 2.08 | - / 3 / 3
S3 | Data flow management and leak alarm | Collecting and analyzing data; Visualizing data flow and generating reports; Sending alarms and reporting when data leaks are detected | - / 2.39 / 1.88 | - / 4 / 3

TABLE XV. Result of allocating shared security controls to residual exploit sequences in the BP PLC

Exploit sequence identifier | Security function | Target level | Combined security effectiveness score | Mitigation status | Allocated shared security controls
E08.A05.N2 | Protection | A (above 3.30) | 4.34 | O | -
E08.A05.N2 | Detection | A (above 3.30) | 2.67 → 4.37 | X | S1
E08.A05.N2 | Response & Recovery | A (above 3.30) | 4.53 | O | -
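The allocation check that Tables XI, XIII and XV record (compare each security function's combined security effectiveness score with the target level and mark the pair O or X) is simple enough to automate, and doing so makes the residual set after each stage explicit. The following Python is an added example, not code from the paper or from EPRI's TAM: it takes the combined scores exactly as printed in the three tables (the paper does not reproduce the formula by which TAM combines several controls' scores into one, so the script does not recompute them), applies the target level A threshold of 3.30, and lists the (exploit sequence, security function) pairs that remain unmitigated after the NEI 13-10 stage, after the additional TAM controls, and after the shared controls. Applying the threshold rule to the 4.37 that Table XV prints for E08.A05.N2 Detection yields O, whereas the table prints X.

```python
"""Target-level mitigation check over the paper's allocation tables.

Added example (not code from the paper or from EPRI's TAM). The combined
security effectiveness scores are taken as given from Tables XI, XIII and
XV; the TAM rule that combines several controls' scores is not reproduced
in the paper, so it is not recomputed here.
"""
from dataclasses import dataclass

TARGET_LEVEL_A = 3.30  # target level A: combined score must be 3.30 or higher
FUNCTIONS = ("Protection", "Detection", "Response & Recovery")


@dataclass(frozen=True)
class Allocation:
    """Combined score and allocated controls for one (exploit sequence, function) pair."""
    score: float
    controls: tuple = ()


def is_mitigated(score: float, target: float = TARGET_LEVEL_A) -> bool:
    """A pair is mitigated ("O") when its combined score reaches the target level."""
    return score >= target


def residual(table: dict, target: float = TARGET_LEVEL_A) -> list:
    """Return the (sequence, function) pairs whose combined score is below the target."""
    return [(seq, fn) for seq, funcs in table.items()
            for fn, alloc in funcs.items() if not is_mitigated(alloc.score, target)]


def apply_stage(table: dict, updates: dict) -> dict:
    """Return a copy of `table` with a later stage's re-scored pairs applied."""
    new = {seq: dict(funcs) for seq, funcs in table.items()}
    for seq, funcs in updates.items():
        new.setdefault(seq, {}).update(funcs)
    return new


# Stage 1: NEI 13-10 controls only (Table XI).
NEI_13_10 = {
    "E04.A02.N4": {"Protection": Allocation(4.19, ("M2", "M3")),
                   "Detection": Allocation(4.15, ("M1", "M9")),
                   "Response & Recovery": Allocation(4.25, ("M7", "M9"))},
    "E04.A03.N3": {"Protection": Allocation(1.83, ("M6",)),
                   "Detection": Allocation(3.57, ("M7", "M10")),
                   "Response & Recovery": Allocation(3.79, ("M7", "M10"))},
    "E08.A05.N2": {"Protection": Allocation(1.01, ("M8",)),
                   "Detection": Allocation(1.01, ("M8",)),
                   "Response & Recovery": Allocation(1.01, ("M8",))},
}
# Stage 2: additional TAM controls, scores after allocation (Table XIII).
TAM_STEP2 = {
    "E04.A03.N3": {"Protection": Allocation(3.39, ("M6", "M19"))},
    "E08.A05.N2": {"Protection": Allocation(4.34, ("M8", "M11", "M17")),
                   "Detection": Allocation(2.67, ("M8", "M18")),
                   "Response & Recovery": Allocation(4.53, ("M8", "M13", "M16"))},
}
# Stage 3: shared controls on the residual pair (Table XV).
SHARED = {"E08.A05.N2": {"Detection": Allocation(4.37, ("M8", "M18", "S1"))}}


def run_pipeline() -> dict:
    """Walk the three allocation stages and return the residual pairs after each."""
    stages = [("NEI 13-10", NEI_13_10)]
    stages.append(("NEI 13-10 + TAM", apply_stage(stages[-1][1], TAM_STEP2)))
    stages.append(("+ shared controls", apply_stage(stages[-1][1], SHARED)))
    return {name: residual(table) for name, table in stages}


if __name__ == "__main__":
    for name, left in run_pipeline().items():
        print(f"{name}: {len(left)} residual pair(s) {left}")
```

Because `residual` is driven by the data and the threshold alone, the same script serves the selective-allocation point made in Section 4.3: a control whose addition does not move a pair across 3.30 can be left out without changing the residual set.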

TABLE XVI. Comparison of security controls allocation

Identifier | Security control | NEI 13-10 | NEI 13-10 and TAM
M1 | Identity and Access Management | ✓ | ✓
M2 | Physical Access Control | ✓ | ✓
M3 | Disable Unused Ports | ✓ | ✓
M4 | Lock Session | ✓ | -
M5 | Mobile Device Access Management | ✓ | -
M6 | Maintenance Tools | ✓ | ✓
M7 | Log Audit Events | ✓ | ✓
M8 | Identify and Document Asset | ✓ | ✓
M9 | Monitor Insider Activity | ✓ | ✓
M10 | Data Integrity Verification | ✓ | ✓
M11 | Manage External Network Connections | - | ✓
M12 | Install HIDS | - | -
M13 | Implement Dual PLC | - | ✓
M14 | Monitor PLC Operation | - | -
M15 | Manage Password for Control Logic Download | - | -
M16 | Back Up Data | - | ✓
M17 | Manage Software and Firmware Installation | - | ✓
M18 | Manage Device and Network Vulnerabilities | - | ✓
M19 | Supply Network Security | - | ✓
S1 | Firewall Setup Using Whitelist | - | ✓
S2 | Abnormal Traffic Detection | - | -
S3 | Data Flow Management and Leak Alarm | - | -

connected to an external network. The risk assessment results are compared and analyzed in terms of the allocation of the security controls identified for Cases 1 and 2.

A. RISK ASSESSMENT OF CASE 1

The risk assessment results of the target environment allocated with the security controls identified in Case 1 indicate that the level of Threat (1) reduced from High to Low. However, there were no changes in Threat (2), while the level of Threat (3) was assessed to be High (Table XVII).

B. RISK ASSESSMENT OF CASE 2

The risk assessment results of the target environment allocated with the security controls identified in Case 2 indicate that the level of Threats (1) and (2) reduced from high to low, while the level of Threat (3) was assessed to be high (Table XVIII).

C. DISCUSSION

The initial, Case 1 (using NEI 13-10), and Case 2 (using NEI 13-10 and TAM) risk assessment results are assessed and presented in Table XIX. In Case 1, Threat (1) was the only one whose level reduced from high to low. However, in Case 2, the risk assessment results of all the threats reduced to the low level. In other words, limitations to mitigating the threat level were observed when using only NEI 13-10. In contrast, TAM could identify new threats that were not detectable
TABLE XVII. Case 1 risk assessment results

Item | (1) Data forgery or alteration through portable and mobile devices | (2) Data forgery or alteration through a maintenance service provider | (3) DoS attack using vulnerabilities
Threat sources | Adversarial | Adversarial | Adversarial
Threat source characteristics: Capability | Moderate | Moderate | Very High
Threat source characteristics: Intent | High | High | Very High
Threat source characteristics: Targeting | High | High | Very High
Relevance | Confirmed | Confirmed | Confirmed
Likelihood of attack initiation | Very Low | High | High
Vulnerabilities and predisposing conditions: Severity | Moderate | Moderate | High
Vulnerabilities and predisposing conditions: Pervasiveness | Very High | Very High | Moderate
Likelihood of success of the initiated attack | Very High | Very High | Very High
Overall likelihood | Low | Very High | Very High
Level of impact | High | High | High
Risk | Low | High | High

TABLE XVIII. Case 2 risk assessment results

Item | (1) Data forgery or alteration through portable and mobile devices | (2) Data forgery or alteration through a maintenance service provider | (3) DoS attack using vulnerabilities
Threat sources | Adversarial | Adversarial | Adversarial
Threat source characteristics: Capability | Moderate | Moderate | Very High
Threat source characteristics: Intent | High | High | Very High
Threat source characteristics: Targeting | High | High | Very High
Relevance | Confirmed | Confirmed | Confirmed
Likelihood of attack initiation | Very Low | Very Low | Very Low
Vulnerabilities and predisposing conditions: Severity | Moderate | Moderate | High
Vulnerabilities and predisposing conditions: Pervasiveness | Moderate | Moderate | Moderate
Likelihood of success of the initiated attack | Very High | Very High | Very High
Overall likelihood | Low | Low | Low
Level of impact | High | High | High
Risk | Low | Low | Low
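The "Overall likelihood" and "Risk" rows of Tables XVII and XVIII are not independent inputs: under the assessment criteria of NIST SP 800-30 Revision 1 that the paper applies ([9]), overall likelihood is looked up from the likelihood of attack initiation and the likelihood of success (Appendix G, Table G-5), and the risk level from overall likelihood and level of impact (Appendix I, Table I-2). The following Python is an added example, not code from the paper: it encodes those two lookup tables as transcribed from SP 800-30 Rev. 1 and re-derives the two computed rows of both tables from the rows above them, which is the consistency check a reviewer would run on such an assessment. The per-threat inputs are the values the paper prints; the level strings are assumed to use the five-point SP 800-30 scale exactly as written there.

```python
"""Re-derive the likelihood and risk rows of Tables XVII/XVIII with the
NIST SP 800-30 Rev. 1 lookup tables.

Added example, not code from the paper. The two matrices are transcribed
from SP 800-30 Rev. 1 Table G-5 (overall likelihood) and Table I-2 (level
of risk); the per-threat inputs are the values printed in Tables XVII
(Case 1) and XVIII (Case 2).
"""

LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Table G-5: row = likelihood of threat event initiation; column (in LEVELS
# order) = likelihood that the initiated event results in adverse impact.
OVERALL_LIKELIHOOD = {
    "Very High": ("Low", "Moderate", "High", "Very High", "Very High"),
    "High":      ("Low", "Moderate", "Moderate", "High", "Very High"),
    "Moderate":  ("Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Moderate", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Low", "Low", "Low"),
}

# Table I-2: row = overall likelihood; column (in LEVELS order) = level of impact.
RISK = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def _level(value: str) -> str:
    """Reject anything outside the five-point SP 800-30 scale."""
    if value not in LEVELS:
        raise ValueError(f"not an SP 800-30 level: {value!r}")
    return value


def overall_likelihood(initiation: str, success: str) -> str:
    """Table G-5 lookup."""
    return OVERALL_LIKELIHOOD[_level(initiation)][LEVELS.index(_level(success))]


def risk_level(likelihood: str, impact: str) -> str:
    """Table I-2 lookup."""
    return RISK[_level(likelihood)][LEVELS.index(_level(impact))]


def assess(initiation: str, success: str, impact: str) -> dict:
    """Derive the two computed rows of one threat-event column from its three inputs."""
    likelihood = overall_likelihood(initiation, success)
    return {"overall_likelihood": likelihood, "risk": risk_level(likelihood, impact)}


# Inputs as printed by the paper: (likelihood of attack initiation,
# likelihood of success of the initiated attack, level of impact).
CASE_1 = {  # Table XVII
    "(1)": ("Very Low", "Very High", "High"),
    "(2)": ("High", "Very High", "High"),
    "(3)": ("High", "Very High", "High"),
}
CASE_2 = {  # Table XVIII
    "(1)": ("Very Low", "Very High", "High"),
    "(2)": ("Very Low", "Very High", "High"),
    "(3)": ("Very Low", "Very High", "High"),
}


def assess_case(case: dict) -> dict:
    """Map each threat event to its derived overall likelihood and risk."""
    return {event: assess(*inputs) for event, inputs in case.items()}


def risk_reduction(before: dict, after: dict) -> dict:
    """Steps on the five-point scale by which each event's risk dropped between two cases."""
    return {event: LEVELS.index(before[event]["risk"]) - LEVELS.index(after[event]["risk"])
            for event in before}


if __name__ == "__main__":
    for name, case in (("Case 1", CASE_1), ("Case 2", CASE_2)):
        for event, result in assess_case(case).items():
            print(f"{name} {event}: overall likelihood={result['overall_likelihood']}, "
                  f"risk={result['risk']}")
    print("risk reduction Case 1 -> Case 2:",
          risk_reduction(assess_case(CASE_1), assess_case(CASE_2)))
```

Running it reproduces the printed rows (Low / Very High / Very High overall likelihood and Low / High / High risk for Case 1; all Low for Case 2), which also shows where the Case 2 reduction comes from: the security controls lower the likelihood of attack initiation, while the likelihood of success and the level of impact are unchanged.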

TABLE XIX. Comparison of risk assessment results

Risk | Initial | Case 1 | Case 2
(1) | High | Low | Low
(2) | High | High | Low
(3) (new) | - | High | Low

in the past. It also made it possible to allocate security controls with a clear understanding of their impacts, enabled by the numerical values obtained through a comparison of the quantitative scores of the threats and security controls. The scores also exhibit the impact of security controls on existing systems, making it possible to allocate alternative security controls that can be expected to have significant impacts on the systems. Therefore, it is evident that threats can be mitigated more effectively with the application of TAM along with NEI 13-10, compared to when only NEI 13-10 is used.

VI. CHALLENGES TO APPLYING TAM

While allocating security controls by also taking TAM into account for enhancing their effectiveness, the limitations of TAM must also be understood and measures to overcome them must be devised. This section describes the limitations of TAM allocation and the four different types of considerations related to it based on the analysis results mentioned above.

A. THE NEED TO PROVIDE A MEASURE FOR COLLECTION AND DOCUMENTATION OF DETAILED INFORMATION ABOUT ASSETS

The exploit sequences in the asset need to be clearly derived to ensure the application of effective security controls while using TAM. However, since nuclear licensees are not the designers of the NPPs, they may not completely understand the information related to the assets and NPPs. Moreover, if the CDAs are old devices or discontinued, the related data may not be fully available or there may be a difference in the use environment from that conceived during the design process. In such cases, nuclear licensees are limited to only performing and documenting the results of the analysis of cyber attacks and their impact on CDAs. Thus, systems and tools that can electronically collect, document, and manage detailed information about assets, such as functions and
services provided by assets and data flow diagrams of NPPs, are necessary when applying TAM.

B. THE NEED TO PROVIDE THE CRITERIA FOR ASSET GROUPING

The application of TAM requires conducting a process for analyzing each asset, identifying exploit sequences, and allocating cyber security controls until the exploit sequences are mitigated. Not surprisingly, the execution of these TAM procedures for every asset necessitates the provision of huge amounts of time and workforce, because several assets are required for the effective application of cyber security controls in NPPs. To address this challenge, grouping assets according to their product family or network features would be more efficient for the application of TAM.

C. THE NEED TO USE EXPERTS AND STUDIES ON THE CRITERIA FOR EXPERT'S COMPETENCY

Exploit sequences and security controls might be identified differently depending on the evaluator's security knowledge, experience, and depth of analysis. The evaluation results of the security control scores are also derived from the evaluator's qualitative assessments based on specific evaluation criteria. Since the evaluation results may differ according to the evaluator's cyber security-related knowledge or depth of analysis, these evaluators must possess a wealth of experience and knowledge about cyber security and systems. Thus, it is essential to involve close consultation and participation of cyber security experts as well as system and control system experts who are well equipped with professional knowledge about the target assets and NPPs to accurately calculate the security effectiveness and efficacy scores of the security controls through TAM. Moreover, to prevent the occurrence of differential results depending on the expert's competency level, it is necessary to investigate the criteria for evaluating the competency of experts.

D. THE NEED FOR STUDY ON THE CRITERIA OF THE TARGET LEVEL

The target level plays a key role as a criterion that can be considered the minimum security level. However, TAM proposes criteria according to which target levels can be set corresponding to the CDA types of NEI 13-10. Such a circumstance poses certain challenges, such as all exploit sequences in a single asset being set at the same target level, even though they should ideally be set differently by the security function. Thus, when setting up a target level according to the CDA types noted in NEI 13-10, the above factors should be accounted for and further detailed research is required regarding this context. In addition, a target level represents the minimum criterion that can mitigate exploit sequences through cyber security controls. Thus, the application of cyber security controls based only on target levels should be avoided. In other words, fully guaranteeing the cyber stability of NPPs involves not only the achievement of the target levels, but also other applicable cyber security controls that should be additionally taken into account.

VII. CONCLUSION

The purpose of this paper was to verify the effectiveness of TAM in overcoming the limitations of using only NEI 13-10 for implementing a differential allocation of security controls. Developed by EPRI, TAM is a methodology that identifies threats by analyzing assets and confirms the degree of threat mitigation by comparing risk and security control scores. In this paper, a plant protection system environment for the nuclear reactor APR1400 was first configured, following which the threat assessment results were compared and analyzed according to the allocation of security controls in cases where only NEI 13-10 was applied, as well as when it was applied along with TAM. The threat assessment results indicate that there are limitations to mitigating all the risks when only NEI 13-10 is applied. However, when it is applied along with TAM, all the threats (including those that could not be detected in the past) could be mitigated by utilizing the five significant advantages of TAM, thus making it possible to overcome the limitations of NEI 13-10 and mitigate the threats more effectively. However, this study has several limitations, as mentioned above, with regard to guaranteeing experts' competencies and providing accurate criteria for the target levels. Therefore, further research on this method is required to overcome the identified limitations.

REFERENCES

[1] IBM X-Force Threat Intelligence Index, "IBM X-Force Incident Response and Intelligence Services (IRIS)," IBM, New York, USA, Technical Report, 2020.
[2] Nozomi Networks, "OT/IoT Security Report: Trends and Countermeasures for Critical Infrastructure Attacks, 2021 2H Review," Nozomi Networks, San Francisco, USA, Technical Report, 2022.
[3] Nozomi Networks, "OT/IoT Security Report: Cyber War Insights, Threats and Trends, Recommendations, 2022 1H Review," Nozomi Networks, San Francisco, USA, Technical Report, 2022.
[4] OTORIO, "2022 OT Cybersecurity Survey Report," OTORIO, Israel, Technical Report, 2022.
[5] Fortinet, "2022 State of Operational Technology and Cybersecurity Report," Fortinet, California, USA, Technical Report, 2022.
[6] Trend Micro, "2020 Report on Threats Affecting ICS Endpoints," Trend Micro, California, USA, Technical Report, 2021.
[7] Claroty Team82, "Claroty Biannual ICS Risk & Vulnerability Report: 1H 2021," Claroty, New York, USA, Technical Report, 2021.
[8] NIST, "Risk Management Framework for Information Systems and Organizations," NIST, USA, Tech. Rep. NIST Special Publication 800-37 Revision 2, December 2018.
[9] NIST, "Guide for Conducting Risk Assessments," NIST, USA, Tech. Rep. NIST Special Publication 800-30 Revision 1, September 2012.
[10] NIST, "Managing Information Security Risk," NIST, USA, Tech. Rep. NIST Special Publication 800-39, March 2011.
[11] NIST, "Security and Privacy Controls for Information Systems and Organizations," NIST, USA, Tech. Rep. NIST Special Publication 800-53 Revision 5, September 2020.
[12] NIST, "Assessing Security and Privacy Controls in Information Systems and Organizations," NIST, USA, Tech. Rep. NIST Special Publication 800-53A Revision 5, January 2022.
[13] NIST, "Control Baselines for Information Systems and Organizations," NIST, USA, Tech. Rep. NIST Special Publication 800-53B Revision 5, October 2020.
[14] NIST, "Guide to Industrial Control Systems (ICS) Security," NIST, USA, Tech. Rep. NIST Special Publication 800-82 Revision 2, May 2015.

[15] NIST, "Guide to OT Security," NIST, USA, Tech. Rep. NIST Special Publication 800-82 Revision 3 (Draft), April 2022.
[16] IAEA, "Computer Security Techniques for Nuclear Facilities," IAEA, USA, Tech. Rep. IAEA Nuclear Security Series No. 17-T Revision 1, September 2021.
[17] IAEA, "Computer Security of Instrumentation and Control Systems at Nuclear Facilities," IAEA, USA, Tech. Rep. IAEA Nuclear Security Series No. 33-T, May 2018.
[18] NRC, "Cyber Security Programs for Nuclear Facilities," NRC, Washington, DC, USA, Technical Report Regulatory Guide 5.71, January 2010.
[19] NRC, "Cyber Security Programs for Nuclear Power Reactors," NRC, Washington, DC, USA, Technical Report Draft Regulatory Guide DG-5061 Revision 1, February 2022.
[20] Nuclear Energy Institute, "Cyber Security Plan for Nuclear Power Reactors," Nuclear Energy Institute, Washington, DC, USA, Technical Report NEI 08-09 Revision 6, April 2010. [Online]. Available: https://www.nrc.gov/docs/ML1011/ML101180437.pdf
[21] Nuclear Energy Institute, "Identifying Systems and Assets Subject to the Cyber Security Rule," Nuclear Energy Institute, Washington, DC, USA, Technical Report NEI 10-04 Revision 2, July 2012.
[22] Nuclear Energy Institute, "Cyber Security Control Assessments," NEI, Washington, DC, USA, Technical Report NEI 13-10 [Revision 5], August 2017. [Online]. Available: https://www.epri.com/research/products/3002008023
[23] J.-G. Song, J.-W. Lee, G.-Y. Park, K.-C. Kwon, D.-Y. Lee, and C.-K. Lee, "An analysis of technical security control requirements for digital I&C systems in nuclear power plants," Nuclear Engineering and Technology, vol. 45, no. 5, pp. 637–652, 2013. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S1738573315300498
[24] C. Lee, H. B. Yim, and P. H. Seong, "Development of a quantitative method for evaluating the efficacy of cyber security controls in NPPs based on intrusion tolerant concept," Annals of Nuclear Energy, vol. 112, pp. 646–654, Feb. 2018. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S0306454917303869
[25] C. Lee, S. M. Han, and P. H. Seong, "Development of a quantitative method for identifying fault-prone cyber security controls in NPP digital I&C systems," Annals of Nuclear Energy, vol. 142, p. 107398, 2020. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0306454920300967
[26] J. Shin, H. Son, R. Khalil ur, and G. Heo, "Development of a cyber security risk model using Bayesian networks," Reliability Engineering & System Safety, vol. 134, pp. 208–217, 2015. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0951832014002464
[27] A. Poletykin, "Cyber security risk assessment method for SCADA of industrial control systems," in 2018 International Russian Automation Confer-
Nov 2018. [Online]. Available: https://www.epri.com/research/products/3002008023
[36] Korea Electric Power Corporation and Korea Hydro & Nuclear Power CO., LTD, "APR1400 Design Control Document Tier 2: Chapter 7 Instrumentation and Control," NRC, Washington, DC, USA, Technical Report, Dec 2014, NEI 13-10 [Revision 5]. [Online]. Available: https://www.nrc.gov/docs/ML1500/ML15006A042.pdf
[37] Korea Electric Power Corporation and Korea Hydro & Nuclear Power CO., LTD, "Safety I&C System," NRC, Washington, DC, USA, Technical Report APR1400-Z-J-NR-14001-NP, Rev.0, Nov 2014. [Online]. Available: https://www.nrc.gov/docs/ML1500/ML15009A131.pdf
[38] Korea Electric Power Corporation and Korea Hydro & Nuclear Power CO., LTD, "Safety I&C System for the APR1400," NRC, Washington, DC, USA, Technical Report APR1400-Z-J-EC-13001-NP Rev.0, Sep 2013. [Online]. Available: https://www.nrc.gov/docs/ML1330/ML13304B288.pdf
[39] C. kwon Lee, "Establishment and utilization of nuclear power plant I&C cybersecurity testbed," 2017 Nuclear Safety & Security Information Conference, 2017.
[40] K. hoon Jung, "European APR1400 I&C protection in depth and diversity (D3) design."
[41] KEPCO, "APR1400 I&C system."
[42] I. seok Oh et al., "Development of system integration and evaluation of components/systems: development of non-safety system architecture and evaluation of components/systems," Doosan Heavy Industries & Construction, Changwon, ROK, Technical Report KAERI/RR-2870/2007, Oct 2007. [Online]. Available: https://inis.iaea.org/collection/NCLCollectionStore/_Public/39/121/39121486.pdf?r=1&r=1
[43] G.-C. Gwon, D.-Y. Lee, C.-H. Kim, and C.-H. Choe, "Developed nuclear power plant safety class control device (PLC)," Nuclear Industry, vol. 27, no. 2, pp. 43–47, 2007.
[44] K.-S. Son, D.-H. Kim, and C.-W. Son, "Development of the high reliable safety PLC for the nuclear power plants," The Transactions of The Korean Institute of Electrical Engineers, vol. 62, no. 1, pp. 109–119, 2013. [Online]. Available: http://koreascience.or.kr/article/JAKO201931765047962.page
[45] H. seong Park et al., "A development of the digital reactor safety system: study on the high reliable communication for hard real time environment," Korea Atomic Energy Research Institute (KAERI), Daejeon, ROK, Technical Report KAERI/CM-1078/2007, 2007. [Online]. Available: https://inis.iaea.org/collection/NCLCollectionStore/_Public/41/067/41067591.pdf
[46] K. Koo, B. You, T.-W. Kim, S. Cho, and J. S. Lee, "Development of application programming tool for safety grade PLC (POSAFE-Q)," in Transactions of the Korean Nuclear Society Spring Meeting, 2006, pp. 25–26.
[47] M. Lee, S. Song, and D. Yun, "Development and application of POSAFE-Q PLC platform," International Atomic Energy Agency (IAEA), Daejeon, ROK, Technical Report IAEA-CN–194, 2012. [Online]. Available:
ence (RusAutoCon), 2018, pp. 1–5. https://inis.iaea.org/search/search.aspx?orig_q=RN:43130436
[28] Y. Kawanishi, H. Nishihara, D. Souma, H. Yoshida, and Y. Hata, [48] L. Mlcoch, “Security and hardening of your pi system,”
“A study on quantitative risk assessment methods in security de- 2019, oSIsoft. [Online]. Available: https://www.osisoft.kr/presentations/
sign for industrial control systems,” in 2018 IEEE 16th Intl Conf security-and-hardening-of-your-pi-system/
on Dependable, Autonomic and Secure Computing, 16th Intl Conf [49] H. S. Son, S. J. Hwang, Y. J. Lee, C. H. Kim, and D. Y. Leec, “Devel-
on Pervasive Intelligence and Computing, 4th Intl Conf on Big opment of real time operating system for safety grade plc (posafe-q) for
Data Intelligence and Computing and Cyber Science and Technology nuclear power pplants,” 2006.
Congress(DASC/PiCom/DataCom/CyberSciTech), 2018, pp. 62–69. [50] K. Cha, J. Kim, J. Lee, S. Cheon, and K. Kwon, “Software qualificaiton of
[29] I. Zografopoulos, J. Ospina, X. Liu, and C. Konstantinou, “Cyber-physical a programmable logic controller for nuclear instrumentation and control
energy systems security: Threat modeling, risk assessment, resources, applications,” in Proceedings of the 6th WSEAS International Conference
metrics, and case studies,” IEEE Access, vol. 9, pp. 29 775–29 818, 2021. on Applied Information and Communication, Elounda, Greece. Citeseer,
[30] I.-k. Kim, Y.-e. Byun, and K.-h. Kwon, “Analysis of the application 2006.
method of cyber security control to develop regulatory requirement for [51] K.-S. Son, D.-H. Kim, and C.-W. Son, “Development of the high reliable
digital assets in npp,” The Korea Institute of Information Security and safety plc for the nuclear power plants,” The Transactions of The Korean
Cryptology, vol. 29, no. 5, pp. 1077–1088, 2019. [Online]. Available: Institute of Electrical Engineers, vol. 62, no. 1, pp. 109–119, 2013.
http://koreascience.or.kr/article/JAKO201931765047962.page [52] Y. hyuk Choi and S. jin Lee, “A study on the implementation of technical
[31] K. Kwon, S. Kim, and I. Kim, “Cyber security for direct critical digital security control for critical digital asset of nuclear facilities,” Journal of
assets life-cycle,” 2018. the Korea Institute of Information Security & Cryptology, vol. 29, no. 4,
[32] P. Martyak, “Risk-informed digital engineering update: nuclear i&c pro- pp. 877–884, 2019.
gram,” pp. 23–37, 2019, NEI Cyber Security Implementation Workshop. [53] KINAC, “Cyber security regulatory standard for nuclear facilities,” Korea
[33] M. Thow, “Cyber security technical assessment methodology (tam): Ot Institute of Nuclear Nonproliferation and Control (KINAC), Daejeon,
assessment first principles,” pp. 1–23, 2019. ROK, Technical Report KINAC/RS-015, 2016.
[34] Electric Power Research Institute (EPRI), “Cyber security roadmap,” EPRI
Inc, Washington, DC, USA, Technical Report 000000003002014536,
Dec 2018. [Online]. Available: https://www.epri.com/research/products/
3002014536
[35] EPRI, “Cyber security technical assessment methodology: risk informed
exploit sequence identification and mitigation, revision 1,” EPRI
Inc, Washington, DC, USA, Technical Report 000000003002012752,

VOLUME 4, 2016 13

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4

DAUN JUNG received the B.S. degree in Information Security Engineering from Soonchunhyang University, South Korea, in 2020, and the M.S. degree in Information Security Engineering from Gachon University, South Korea, in 2022. Her research interests include cyber security of ICS, cyber risk assessment, and cyber security regulation.

JUNG TAEK SEO received the M.S. degree in Computer Engineering from Ajou University, South Korea, in 2001, and the Ph.D. degree in Information Security Engineering from Korea University, South Korea, in 2006. He is currently an Associate Professor with the Department of Computer Engineering, Gachon University. His research interests include CPS security, ICS cyber security, smart grid security, nuclear power plant security, smart factory security, smart city security, and automotive cyber security.

JIHO SHIN received the M.S. degree in Digital Forensics from Korea University, Seoul, South Korea, in 2015, and the Ph.D. degree in Information Security Engineering from Soonchunhyang University, Asan, Republic of Korea, in 2022. His research interests include digital forensics, cybercrime response, OT security, industrial control systems, and information security.

CHAECHANG LEE received the B.S. degree in Information Mathematics and the M.S. degree in Information Security from Korea University, South Korea, in 2007 and 2014, respectively. He is currently a Senior Researcher at the Korea Institute of Nuclear Nonproliferation and Control. His research interests include ICS and security.

KOOKHEUI KWON received the B.S. degree in Computer Engineering from Kyungpook National University, South Korea, in 2008, and the M.S. degree in Information System Engineering from Ajou University, South Korea, in 2013, and became a Ph.D. candidate in Communication and Security Engineering at Chungnam National University, South Korea, in 2018. He was an engineer of nuclear digital I&C systems at KEPCO E&C from 2007 to 2011, and has been a senior researcher in nuclear cyber security at KINAC since 2011. His research interests include ICS cyber security, cyber risk assessment, and SDLC.
