This is the author's version which has not been fully edited and content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2023.3244991
ABSTRACT With the rapid increase in cyber attacks on industrial control systems, the importance of applying cyber security controls and of evaluating security against such attacks has also increased. Among these systems, cyber attacks on nuclear power plants (NPPs) can cause not only economic loss but also human casualties. Thus, the application of cyber security controls is necessary for mitigating security threats, especially to NPPs. However, the resources currently available for information protection are limited, which makes it difficult to uniformly deploy all the controls required to meet cyber security regulations. To overcome this challenge, effective cyber security controls need to be identified and adequate information protection resources must be allocated to each NPP. Although NPPs apply differential security controls according to asset characteristics based on NEI 13-10 (Cyber Security Control Assessments), this alone is not only insufficient for reflecting the latest security threats, but also fails to confirm whether the security controls have actually mitigated those threats. To address this challenge, the Electric Power Research Institute (EPRI) developed the technical assessment methodology (TAM), which can be used to generate a quantitative score by assessing the effects of potential cyber attacks on an asset and the relevant security controls. This methodology allows differential security controls to be applied based on the score and makes it possible to identify whether the security controls have actually mitigated the risks. Considering this context, the purpose of this paper is to conduct a comparative analysis of the results derived from applying security controls and assessing risks using only NEI 13-10 as well as both NEI 13-10 and TAM on the plant protection system of the APR1400 nuclear power reactor. Furthermore, this paper discusses the scope for subsequent research by addressing the limitations of the TAM and considerations for its use.
INDEX TERMS Control system security; Industrial control; Nuclear facility regulation; Security
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2023.3244991
operation was interrupted by malicious code discovered in the administrative network of the NPCIL in India. Notably, the influence of cyber attacks is greater on NPPs than on other industrial control systems, as they have the potential to cause human casualties. Thus, cyber security is highly significant, and efforts should be made to minimize security threats to NPPs by identifying them, applying cyber security controls, and evaluating whether the applied security controls are routinely and correctly put in place.

Currently, the National Institute of Standards and Technology (NIST) provides technical guidance on risk management and assessment for IT systems [8]–[10], cyber security controls [11]–[13], and industrial control system security [14], [15]. Moreover, the International Atomic Energy Agency (IAEA), the Nuclear Regulatory Commission (NRC), and the Nuclear Energy Institute (NEI) have released technical guidance [16]–[22] on cyber security for digital systems within an NPP. However, despite all these provisions, it is difficult for nuclear licensees to satisfy all the criteria (e.g., NRC Regulatory Guide 5.71, NEI 08-09). Resources for protecting information are limited, while their features vary with each target environment. Therefore, the uniform application of all security requirements, as required by regulations, may leave security loopholes. This indicates the need to identify and differentially apply relatively effective cyber security controls that can mitigate threats to assets.

A number of studies have been conducted on the subject of cyber security controls (Table I). Song et al. (2013) evaluated and discussed the applicability and effects of technical security requirements based on attack vector elements. Their study proposed a methodology that grouped cyber security requirements into access control, monitoring and logging, and encryption according to the eight attack vector elements [23].

Meanwhile, Lee et al. (2018) proposed a method to quantitatively evaluate the efficiency of cyber security controls for NPPs based on the concept of intrusion-tolerant systems. They proposed the intrusion tolerance-based cyber security index (InTo-CSI), which configured an intrusion prevention strategy to protect a system from cyber attacks and also estimated the probability of strategy failure using the mean time-to-compromise (MTTC) model. In this study, cyber security control was evaluated by defining a reduction ratio for the probability of damage to the system caused by a cyber attack when using the method [24].

Furthermore, Lee et al. (2020) developed a model that quantitatively estimated the defective probability of cyber security controls using a modification of the software change entropy model, which analyzed the fault activation probability by considering the security control, digital device, and functional requirement group levels [25].

Shin et al. (2015) proposed a cyber security list model consisting of an activity quality analysis model for assessing the cyber security regulatory guides of nuclear business operators and an architecture analysis model for assessing the impact of system-specific vulnerability mitigation measures on cyber security, both of which are evaluated in an integrated manner. This method integrates the two models into one using Bayesian networks, whose back-propagation characteristics provide information about the components that can respond to an occurring attack [26].

In addition to these studies, Alexey et al. (2018) proposed a formula-based cyber security risk evaluation method for critical national infrastructure (CNI) plants, which considered not only information protection but also all available safety, security, and reliability controls. They employed cyber threat sources (I), barriers (B), and vulnerabilities (Vt) in the formula, which made it possible to compare the maximum and current levels specified in the cyber security policy [27].

Yasuyuki et al. (2018) identified the priority of threats by devising a method to quantitatively evaluate risks during the security design process of control systems. They proposed a risk assessment methodology for the risk scoring system (RSS), CWSS, based on the JASO TP15002 automation security guides. Their methodology exhibited better results in terms of risk score dispersion than CRSS, which is the JASO TP15002 risk assessment methodology [28].

Ioannis et al. (2021) proposed a method to quantitatively assess risks according to their threat probability and damage. To calculate the threat probability, a method to configure the adversary and attacker models was proposed, while damages were calculated according to objective priority and attack impact [29].

From the above discussion, it is evident that prior studies have primarily focused on quantitative assessment methodologies for analyzing the efficacy of security controls or estimating the probability of cyber threats. However, to identify and differentially apply relatively effective cyber security controls that actually mitigate the threats to assets, both the effectiveness of the security controls and their impact on existing systems after application must be taken into consideration. Furthermore, the degree of threat mitigation should also be easily identifiable.

Although NPPs apply differential security controls based on NEI 13-10 (Cyber Security Control Assessments) according to the characteristics of the assets, this alone is not only insufficient for reflecting the latest security threats, but also fails to confirm whether the security controls have actually mitigated the threats. To address this, the Electric Power Research Institute (EPRI) developed the technical assessment methodology (TAM), which can be used to calculate a quantitative score by assessing the impact of potential cyber attacks on an asset and the effectiveness of security controls. Moreover, it can also express the effects of applying security controls to existing systems as quantitative scores. Therefore, this methodology enables security controls to be applied on the basis of the resulting score and makes it possible to identify whether the security controls have actually mitigated the risks. Considering this context, the purpose of this paper is to conduct a comparative analysis of the results generated on applying security controls and
assessing risks when using only NEI 13-10 as well as using both NEI 13-10 and TAM on the plant protection system of the APR1400 nuclear power reactor. Furthermore, additional considerations that should be taken into account when TAM is applied along with NEI 13-10 are proposed.

The remainder of this paper is structured as follows. Part 2 presents the background of NEI 13-10 and TAM. Part 3 describes the assets and network structure of the plant protection system of an NPP, which is the target environment for applying the proposed methodology. Part 4 illustrates the results of applying security controls using only NEI 13-10 as well as using it along with TAM. Part 5 offers a comparative analysis of the results of the risk assessments performed on the two cases. Part 6 proposes certain considerations that need to be taken into account when applying TAM with NEI 13-10. Finally, Part 7 concludes the study and provides directions for subsequent research.

II. BACKGROUND
This section describes the general process of applying the differential security controls of NEI 13-10 and TAM.

A. NEI 13-10
NEI 13-10 provides guidance on the assessment of cyber security controls that has been approved by the Nuclear Regulatory Commission (NRC). It is a methodology for applying differential cyber security controls by critical digital asset (CDA) type in terms of their consequences. A CDA with low consequence is called a non-direct CDA, while one with high consequence is referred to as a direct CDA. The former is further divided into indirect CDA, balance of plant CDA (BOP CDA), and emergency preparedness CDA (EP CDA) based on specific criteria. Notably, baseline cyber security controls are applied to prevent attack vectors. Furthermore, a direct CDA is classified into asset types according to its hardware and characteristics (i.e., A.1–B.3), as well as whether a technical security control can be applied to that asset type. Furthermore, alternative security controls are evaluated. Since the evaluation of cyber security controls requires specific information, such as the presence or absence of an interface that can be accessed by a user, communication hardware or software, peripherals, interfaces, and ports, the technical security controls (Appendix D) as well as the operational and management security controls (Appendix E) of NEI 08-09 are differentially applied. Overall, the aim of NEI 13-10 is to ensure that nuclear licensees apply cyber security controls efficiently and effectively [21], [30], [31].

B. TECHNICAL ASSESSMENT METHODOLOGY
The TAM is a method developed by EPRI for evaluating and applying cyber security controls in power plants. It employs a risk-informed differential approach, which identifies possible cyber attacks by reviewing the technical composition of assets and then applies effective security controls to the actual attack surface [32]–[35]. This method is composed of three steps that serve to selectively verify whether regulatory requirements are observed. The first step (Step 1) is to characterize attack surfaces by analyzing assets and then identify the exploit sequences. In Step 2, security controls that can be applied to the asset are identified and scored according to the TAM criteria. The target level for each exploit sequence is also established in this step. Subsequently, security controls are allocated until their total score (the combined security effectiveness score) reaches the target level. However, if the target level cannot be reached even after allocating the security controls, a shared security control that can maintain
FIGURE 1. Step 1: characterize the attack surface and identify the exploit sequence
FIGURE 2. Step 2: engineered security control method identification, scoring, and allocation
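The two steps shown in Figures 1 and 2 are the part of the TAM that a licensee has to repeat for every CDA, so it is worth seeing Step 2 as a procedure rather than a diagram. The following Python script is an added example, not code from the paper or from EPRI. It runs the allocation greedily: controls are taken in order of their best single score, the combined score is recomputed after each allocation, and shared controls are tried only once the direct pool is exhausted without reaching the target level, which is exactly the residual-sequence situation the paper reports for E08.A05.N2. The M1 to M10 scores are copied from Table X, the exploit sequence identifiers and pathways from Table IX, and the target level A = 3.30 from Section IV.B. Everything else is assumed for illustration and labelled as such in the code: the 0 to 5 score scale, the independent-layer combination rule MAX·(1 − ∏(1 − s_i/MAX)) per dimension, the criterion that a sequence is mitigated when its strongest dimension reaches the target, the control-to-sequence applicability sets (the paper's Table XI is not on the page), and the two shared controls S1 and S2, which stand in for the three unnamed shared controls of Table XIV. Calling run_case with an empty shared pool reproduces a Case 1 style check (NEI 13-10 controls only); passing SHARED_CONTROLS reproduces the Case 2 fallback.

```python
"""Greedy TAM Step 2 allocation (added example; assumptions are noted inline)."""
from dataclasses import dataclass

MAX_SCORE = 5.0                 # assumed score scale; the page gives no maximum
DIMENSIONS = ("P", "D", "RR")   # score dimensions as labelled in Table X


@dataclass
class Control:
    ident: str
    name: str
    scores: dict          # dimension -> score; a dimension absent here is unscored
    shared: bool = False  # True: hosted on a related asset (TAM shared control)

    def best(self) -> float:
        return max(self.scores.values(), default=0.0)


@dataclass
class ExploitSequence:
    ident: str
    pathway: str
    target: float          # target level; A = 3.30 for a direct CDA
    applicable: frozenset  # control idents that address this sequence (assumed)


def combine(controls, dimension):
    """Assumed rule: each control is an independent layer, so the combined
    score is MAX_SCORE * (1 - prod(1 - s_i / MAX_SCORE)) over scored controls."""
    miss = 1.0
    for c in controls:
        s = c.scores.get(dimension)
        if s is not None:
            miss *= 1.0 - s / MAX_SCORE
    return MAX_SCORE * (1.0 - miss)


def combined_scores(controls):
    return {d: round(combine(controls, d), 5) for d in DIMENSIONS}


def reached(scores, target):
    # Assumed criterion: mitigated when the strongest dimension meets the target.
    return max(scores.values()) >= target


def allocate(seq, direct, shared):
    """Allocate direct controls best-first until the target is reached; only if
    the direct pool is exhausted are shared controls added on top of them.
    Returns (allocated idents, combined scores, mitigated?)."""
    chosen = []
    for pool in (direct, shared):
        candidates = [c for c in pool if c.ident in seq.applicable]
        for c in sorted(candidates, key=lambda ctl: -ctl.best()):
            chosen.append(c)
            scores = combined_scores(chosen)
            if reached(scores, seq.target):
                return [c.ident for c in chosen], scores, True
    return [c.ident for c in chosen], combined_scores(chosen), False


# Effectiveness scores (P / D / RR) copied from Table X.
NEI_13_10_CONTROLS = [
    Control("M1", "Identity and Access Management", {"P": 2.49, "D": 2.49}),
    Control("M2", "Physical Access Control", {"P": 2.51, "D": 2.01}),
    Control("M3", "Disable Unused Ports", {"P": 2.51, "D": 2.01}),
    Control("M4", "Lock Session", {"P": 2.49, "D": 1.99}),
    Control("M5", "Mobile Device Access Management", {"P": 2.43, "D": 2.43}),
    Control("M6", "Maintenance Tools", {"P": 1.83}),
    Control("M7", "Log Audit Events", {"D": 2.09, "RR": 2.59}),
    Control("M8", "Identify and Document Asset", {"P": 1.01, "D": 1.01, "RR": 1.01}),
    Control("M9", "Monitor Insider Activity", {"D": 2.49, "RR": 2.49}),
    Control("M10", "Data Integrity Verification", {"D": 1.44, "RR": 1.07}),
]
# Constructed stand-ins for the shared controls of Table XIV (hypothetical).
SHARED_CONTROLS = [
    Control("S1", "Boundary protection on the control-network device", {"P": 2.20, "D": 1.90}, shared=True),
    Control("S2", "Traffic monitoring on the ITP PLC gateway", {"D": 1.80, "RR": 1.50}, shared=True),
]
TARGET_A = 3.30
# Applicability sets are assumed; Table XI, which holds the real mapping, is not on the page.
SEQUENCES = [
    ExploitSequence("E04.A02.N4", "Mobile media and device access using RS-232C port",
                    TARGET_A, frozenset({"M1", "M2", "M4", "M5", "M8"})),
    ExploitSequence("E04.A03.N3", "Network access using RS-485 port",
                    TARGET_A, frozenset({"M1", "M6", "M7", "M9", "M10"})),
    ExploitSequence("E08.A05.N2", "Network access using RS-485 port (DoS)",
                    TARGET_A, frozenset({"M3", "M8", "S1", "S2"})),
]


def run_case(direct, shared):
    """Case 1: shared=[] (NEI 13-10 only); Case 2: shared=SHARED_CONTROLS."""
    return {seq.ident: allocate(seq, direct, shared) for seq in SEQUENCES}


if __name__ == "__main__":
    for label, shared in (("Case 1", []), ("Case 2", SHARED_CONTROLS)):
        for ident, (chosen, scores, ok) in run_case(NEI_13_10_CONTROLS, shared).items():
            print(label, ident, chosen, scores, "mitigated" if ok else "RESIDUAL")
```

Under these assumptions the first two sequences reach level A with two controls each, so the remaining applicable NEI 13-10 controls are left unallocated, which is the selective allocation the paper credits to TAM. For E08.A05.N2 the direct pool tops out at 3.01 in the P dimension, so Case 1 reports it as residual, and only the shared control S1 lifts it above 3.30. Whether the real TAM combination rule behaves like this independent-layer model is precisely what a licensee must confirm from the EPRI scoring criteria before reusing the script.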
to configure the plant protection system. Subsequently, the security status is checked before allocating a security control by performing an initial risk assessment on the target based on the NIST SP 800-30 risk assessment method [9].

A. DEFINITION OF THE ASSETS
The target plant protection system is configured with a bistable processor PLC (BP PLC), a coincidence processor PLC (CP PLC), an interface and test processor PLC (ITP PLC), and a maintenance and test panel PC (MTP PC) (Table II). Moreover, the components that communicate with the plant protection system are the auxiliary process cabinet-safety (APC-S), the reactor trip switchgear system (RTSS), the engineered safety feature-component control system (ESF-CCS), the human machine interface (HMI), the information processing system (IPS), and the engineering workstation server (EWS) (Table III).

B. NETWORK DIAGRAM AND DATA FLOW
An NPP network is configured with a DMZ, an enterprise server farm, an enterprise network, an iDMZ, a control network, and plant protection networks 1 and 2 (Fig. 4). Furthermore, the plant protection system is divided into two networks, while the HMI and EWS are both located within the control network. The data flow between each of the assets defined in Section 3.1 is depicted in Table IV.
TABLE II. Roles and characteristics of the plant protection system assets

| Element | Description |
| BP PLC | Determines a trip after comparing received data with set points; sends a trip signal to the CP PLC when a set point is exceeded |
| CP PLC | Performs coincidence logic after receiving the BP PLC value; transmits the trip initiation signal to the reactor trip switchgear system (RTSS) based on the logic result; transmits the engineered safety features actuation system (ESFAS) initiation value to the engineered safety feature-component control system (ESF-CCS) |
| ITP PLC | Acts as the data communication gateway; monitors safety system status and provides information to the qualified indication and alarm system (QIAS) |
| MTP PC | Indicates status information about PLC variables; used for manual monitoring tests; provides control and maintenance functions; provides information for diagnosing maintenance and tests to the information processing system (IPS) |
TABLE III. Roles and characteristics of assets connected to the plant protection system

| Element | Description |
| APC-S | Sends the measured values of the safety field sensors to the BP PLC |
| RTSS | Determines the trip |
| ESF-CCS | Generates ESF activation signals and starts the ESF system; controls valves, pumps, and heaters |
| HMI | Displays the status of the PLC variables; carries out control and maintenance functions |
| IPS | Provides real-time and stored information to the operator |
| EWS | Uploads/downloads the control logic to/from the PLC; downloads firmware to the PLC |
TABLE IV. Data flow between the assets of the plant protection system

| Assets | Direction | Data |
| BP PLC ←→ ITP PLC | BP → ITP | BP status information and test results; status information; process parameters |
| | ITP → BP | Set point to determine a trip; process parameter-setting information |
| CP PLC ←→ ITP PLC | CP → ITP | CP status information and test results; status information |
| | ITP → CP | Set point to determine the trip and ESFAS initiation |
| BP PLC, CP PLC ←→ EWS | BP PLC, CP PLC → EWS | Ladder logic; local address and communication parameters |
| | EWS → BP PLC, CP PLC | Control logic; local address and communication parameters; password for authentication |
| ITP PLC ←→ HMI & MTP PC | ITP → HMI, MTP | ITP collection information (process parameter status information) |
| | HMI → ITP | Set point to determine a trip; trip breaker control data (reset) |
| MTP PC → IPS | MTP → IPS | MTP collection information |
| CP PLC → RTSS | CP → RTSS | Trip initiation signal |
| CP PLC → ESF-CCS | CP → ESF-CCS | ESFAS initiation signal |
TABLE V. Initial risk assessment results (before applying controls)

| Threat event | (1) Data forgery or alteration through portable and mobile devices | (2) Data forgery or alteration through a maintenance service provider |
| Threat source | Adversarial | Adversarial |
| Threat source characteristics: capability | Moderate | Moderate |
| Threat source characteristics: intent | High | High |
| Threat source characteristics: targeting | High | High |
| Relevance | Confirmed | Confirmed |
| Likelihood of attack initiation | High | High |
| Vulnerabilities and predisposing conditions: severity | Moderate | Moderate |
| Vulnerabilities and predisposing conditions: pervasiveness | Very High | Very High |
| Likelihood of success of the initiated attack | Very High | Very High |
| Overall likelihood | Very High | Very High |
| Level of impact | High | High |
| Risk | High | High |

C. TARGET RISK ASSESSMENT
Since it is important to first check the security status before allocating security controls, an initial risk assessment should be performed on the target based on the assessment criteria of NIST SP 800-30 Revision 1. In this paper, a risk assessment is performed on the BP PLC1 of the plant protection system, because both the NEI 13-10 and the TAM-specific assets are considered for identifying and allocating a security control. In this context, two risks pertaining to the BP PLC are identified: (1) "PLC control logic is downloaded to an unauthorized laptop on which the EWS software is installed" and (2) "data forgery after accessing the system through a maintenance service provider." The risk assessment results showed that both risks were at the "High" level (Table V).

IV. APPLICATION OF SECURITY CONTROLS USING NEI 13-10 AND TAM
This study compared and analyzed the results of allocating security controls using only NEI 13-10 (Case 1) and using both NEI 13-10 and TAM (Case 2) on the BP PLC1 of the plant protection system.

A. CASE 1: APPLICATION OF SECURITY CONTROLS USING NEI 13-10
NEI 13-10 allocates security controls according to the type of asset, as described in Section 2.1. On classifying the target asset based on the CDA type classification criteria of NEI 13-10 (Table VI), it is concluded that it belongs to the category of direct CDAs because (1) the BP PLC does not support emergency response alone, (2) it can have adverse effects on other linked safety CDAs in the event of a cyber attack, and (3) any damage or malfunction of the target asset can have adverse effects on safety functions. Furthermore, identifying the detailed type of direct CDA revealed that it belongs to the B.3 category [21], according to the class description noted in Appendix D of NEI 13-10 (Table VII).

A total of 10 security controls based on NEI 13-10 were identified for direct allocation to the target asset belonging to the B.3 category of direct CDAs. The operation methods for each of these security controls are defined in Table VIII [19].

B. CASE 2: APPLICATION OF SECURITY CONTROLS USING NEI 13-10 AND TAM
Additional security controls not identified in Section 4.1 are identified using TAM. This application process begins with Step 1, the identification of the attack surface characteristics and the exploit sequences based on the composition, decomposition, and TIA levels (Table IX). Among the identified exploit sequences, the ones related to the two
TABLE VII. Determination criteria and results of direct CDA for the target
TABLE VIII. List of cyber security controls applied through NEI 13-10
TABLE IX. Exploit sequences identified for the BP PLC in TAM Step 1

| Exploit sequence identifier | Attack pathway | Exploit objective | Exploit mechanism |
| E04.A02.N4 | Mobile media and device access using RS-232C port | Stored OEM-defined program/configuration data forgery or alteration | A malicious control logic is downloaded using a laptop installed with the EWS SW |
| E04.A03.N3 | Network access using RS-485 port | Stored OEM-defined program/configuration data forgery or alteration | The system is accessed by bypassing the maintenance service provider and the settings on the MTP PC are modified |
| E08.A05.N2 | Network access using RS-485 port | Denial of Service (DoS) | A DoS attack is launched using the points of contact connected to an external network, leading to a CVE vulnerability |
TABLE X. Scores of the NEI 13-10 security controls for the BP PLC

| Identifier | Security control | Security control effectiveness score (P / D / RR) | Efficacy score (P / D / RR) |
| M1 | Identity and Access Management | 2.49 / 2.49 / – | 3 / 3 / – |
| M2 | Physical Access Control | 2.51 / 2.01 / – | 4 / 4 / – |
| M3 | Disable Unused Ports | 2.51 / 2.01 / – | 4 / 4 / – |
| M4 | Lock Session | 2.49 / 1.99 / – | 4 / 3 / – |
| M5 | Mobile Device Access Management | 2.43 / 2.43 / – | 4 / 4 / – |
| M6 | Maintenance Tools | 1.83 / – / – | 3 / – / – |
| M7 | Log Audit Events | – / 2.09 / 2.59 | – / 4 / 4 |
| M8 | Identify and Document Asset | 1.01 / 1.01 / 1.01 | 3 / 3 / 3 |
| M9 | Monitor Insider Activity | – / 2.49 / 2.49 | – / 3 / 3 |
| M10 | Data Integrity Verification | – / 1.44 / 1.07 | – / 4 / 3 |
types of threats identified in Section 3.3, as well as the exploit sequence newly identified in TAM Step 1, are configured. The exploit sequences are as follows: 1) the attacker can download the control logic by directly accessing the asset if he or she has access to a laptop on which the EWS software exclusive to the asset is installed; 2) the attacker can bypass the maintenance service provider to access the MTP PC and modify the asset's settings; and 3) the attacker can launch a DoS attack when the asset is connected to an external network as a result of an administrative fault or of a firmware version with a CVE vulnerability that makes a DoS attack possible [43]–[52].

Next, the target level for the exploit sequences is fixed. In this study, the target level is A (3.30 or higher) because the asset concerned falls within the direct CDA category.

Before identifying security controls in Step 2, it first needs to be verified whether the exploit sequences can be mitigated by the security controls identified by NEI 13-10. Therefore, the NEI 13-10 security controls are scored (Table X) and then allocated to the exploit sequences (Table XI). The results of this exercise indicate that there are limitations to mitigating the exploit sequences using NEI 13-10 security controls alone.

Additionally, the security controls in TAM Step 2 are identified, scored, and allocated with the purpose of mitigating the exploit sequences (Table XII and Table XIII) [17], [18], [52], [53]. The results of allocating the TAM security controls show that all exploit sequences except one are successfully mitigated.

Moreover, to identify the TAM shared security controls that can mitigate the residual exploit sequence E08.A05.N2, the relation set and NEM of the target asset are identified. Based on this, three shared security controls that can be allocated to the asset are identified and scored (Table XIV) [17], [18], [52], [53]. Subsequently, the shared security controls for mitigating the residual exploit sequence E08.A05.N2 are allocated (Table XV). This allows confirmation of whether all the exploit sequences have been mitigated.

C. COMPARISON OF RESULTS AFTER ALLOCATING SECURITY CONTROLS IN CASE 1 AND CASE 2
The evaluation of the results of allocating security controls in Cases 1 and 2 suggests that those allocated in Case 2 provide more favorable results (Table XVI). A comparison of Cases 1 and 2 shows that the TAM exhibits five significant advantages. 1) It can identify threats that could not be identified before. Whereas no new threats were identified in Case 1 beyond those detected during the initial risk assessment, Case 2 shows that additional threats (the possibility of denial of service because the asset uses a firmware version with a DoS vulnerability when connected to an external network) can be detected while identifying the exploit sequences in TAM Step 1. 2) Security controls not mentioned in NEI 13-10 can be identified by the TAM. In Case 2, the degree of exploit sequence mitigation was verified by scoring and allocating the NEI 13-10 security controls. The results showed that, while this mitigation has limitations, the TAM can further mitigate the exploit sequences by using the additionally identified and shared security controls. 3) The security controls of NEI 13-10 can be scored (effectiveness score) to accurately identify and replace
TABLE XI. Result of allocating NEI 13-10 security controls to the BP PLC
TABLE XIII. Results of allocating additional TAM security controls to the BP PLC
those security controls that can weigh down the operation of the target environment. In this study, the security controls in Case 2 were not replaced, because the candidate replacements had a lower effectiveness score than the NEI 13-10 controls already allocated. However, we confirmed that other security controls that can replace the current ones can also be allocated in the case that an NEI 13-10 security control with a low effectiveness score is allocated. 4) Security controls can be allocated and threats mitigated over a broader range by identifying relationship sets. NEI 13-10 has limitations when it comes to identifying security controls because the relationship between the respective asset and other assets cannot be recognized. However, TAM can mitigate threats by applying not only the security controls that can be directly allocated to the asset, but also the ones that can be allocated to other related assets. 5) Lastly, the quantitative degree of threat mitigation can be identified to adjust the allocation of security controls while using TAM. Since TAM can be used to verify whether a threat has been mitigated by comparing the quantitative target level with the total score (the combined security effectiveness score) of the security controls, one can selectively allocate the identified security controls instead of allocating all of them.

V. ANALYSIS OF RISK ASSESSMENT RESULTS
An assessment of the threats identified in Section 3.3 and the additional threats identified using TAM in Section 4.2 indicates a total of three types of threats: (1) downloading PLC control logic using a laptop on which the EWS software is installed, (2) data accessed and forged or modified by bypassing the maintenance service provider, and (3) launching a DoS attack by taking advantage of a CVE vulnerability through a contact point
TABLE XV. Result of allocating shared security controls to the residual exploit sequence in the BP PLC
connected to an external network. The risk assessment results are compared and analyzed in terms of the allocation of the security controls identified for Cases 1 and 2.

... that the level of Threats (1) and (2) was reduced from high to low, while the level of Threat (3) was assessed to be high (Table XVIII).
... services provided by assets and data flow diagrams of NPPs, are necessary when applying TAM.

... of the target levels, but also other applicable cyber security controls that should be additionally taken into account.
DAUN JUNG received the B.S. degree in Information Security Engineering from Soonchunhyang University, South Korea, in 2020, and the M.S. degree in Information Security Engineering from Gachon University, South Korea, in 2022. Her research interests include cyber security of ICS, cyber risk assessment, and cyber security regulation.

JUNG TAEK SEO received the M.S. degree in Computer Engineering from Ajou University, South Korea, in 2001, and the Ph.D. degree in Information Security Engineering from Korea University, South Korea, in 2006. He is currently an Associate Professor with the Department of Computer Engineering, Gachon University. His research interests include CPS security, ICS cyber security, smart grid security, nuclear power plant security, smart factory security, smart city security, and automotive cyber security.