Computer Security Aspects of Design for Instrumentation and Control Systems at Nuclear Power Plants  
Published by International Atomic Energy Agency
ISBN: 9789201049223

The transition to digital technology has changed the nature of instrumentation and control (I&C) systems by enabling extensive interconnection of reprogrammable, functionally interdependent I&C systems. This development has made computer security a necessary consideration in I&C system design. This publication discusses the benefits and challenges of the various computer security methods and controls and their implementation in nuclear power plant I&C systems. It provides an overview of current knowledge, up-to-date good practices, experience, and the benefits and challenges of applying computer security measures. It defines the key concepts of computer security for I&C systems at nuclear facilities, explains the risk-informed approach to computer security, and describes how computer security measures are applied throughout the I&C system life cycle. Situations in which I&C systems are interconnected with enterprise management systems are also addressed. The three appendices present case studies with practical application examples.
Table of contents
  • 1. INTRODUCTION
    • 1.1. Background
    • 1.2. Objective
    • 1.3. Scope
    • 1.4. Structure
  • 2. KEY CONCEPTS FOR COMPUTER SECURITY FOR NPP I&C SYSTEMS
    • 2.1. Safety concepts in overall I&C architecture
    • 2.2. Safety concepts and DiD
    • 2.3. Computer security concepts
    • 2.4. Computer security levels
    • 2.5. Defensive computer security architecture specification
      • 2.5.1. Trust models
      • 2.5.2. DCSA requirements for computer security DiD
    • 2.6. DCSA implementation
      • 2.6.1. Computer security DiD
      • 2.6.2. Computer security zones
    • 2.7. Information technology and I&C computer systems
    • 2.8. Types of computer security measures
    • 2.9. Security of design artefacts
    • 2.10. Interface between safety and security
    • 2.11. Opportunities to enhance computer security
    • 2.12. Supply chain considerations
  • 3. RISK INFORMED APPROACH TO COMPUTER SECURITY
    • 3.1. Modelling
      • 3.1.1. Attack surface modelling
      • 3.1.2. Threat modelling
      • 3.1.3. Facility and system security modelling
    • 3.2. Example scenario analysis
    • 3.3. Common mechanism issues
    • 3.4. Common cause access
    • 3.5. Scenario analysis for common mechanism risk
  • 4. COMPUTER SECURITY IN THE I&C SYSTEM LIFE CYCLE
    • 4.1. General guidance for computer security
    • 4.2. Secure development environment
    • 4.3. Contingency plans
    • 4.4. I&C vendors, contractors and suppliers
    • 4.5. Computer security training
    • 4.6. Common elements of all life cycle phases
      • 4.6.1. Management systems
      • 4.6.2. Computer security reviews and audits
      • 4.6.3. Configuration management for computer security
      • 4.6.4. Verification and validation, testing
      • 4.6.5. Computer security assessments
      • 4.6.6. Documentation
      • 4.6.7. Design basis
      • 4.6.8. Access control
      • 4.6.9. Protection of the confidentiality of information
      • 4.6.10. Security monitoring
      • 4.6.11. Considerations for the overall DCSA
      • 4.6.12. DiD against compromise
    • 4.7. Specific life cycle activities
      • 4.7.1. Computer security requirements specification
      • 4.7.2. Selection of predeveloped items
      • 4.7.3. I&C system design and implementation
      • 4.7.4. I&C system integration
      • 4.7.5. System validation
      • 4.7.6. Installation, overall I&C system integration and commissioning
      • 4.7.7. Operations and maintenance
      • 4.7.8. Modification of I&C systems
      • 4.7.9. Decommissioning
  • 5. SUMMARY AND CONCLUSIONS
  • Appendix I SOFTWARE MODIFICATION VIA REMOVABLE MEDIA
  • Appendix II SEPARATION OF SERVICE SYSTEMS AND EXTERNAL COMMUNICATION FROM CLOSED LOOP OPERATION
  • Appendix III NUCLEAR FUEL DEGRADATION DETECTION SYSTEM
  • REFERENCES
  • Annex I DATA COMMUNICATIONS SECURITY
  • Annex II RECOMMENDATIONS FOR ESSENTIAL DATA COLLECTION
  • ABBREVIATIONS
  • CONTRIBUTORS TO DRAFTING AND REVIEW