A New Approach for the Cyber/Physical Security Evaluation of Operational Systems at a Nuclear Facility

Year
2016
Author(s)
Eric M. Hanson - Pacific Northwest National Laboratory
Doug MacDonald - Pacific Northwest National Laboratory
William Hutton - Pacific Northwest National Laboratory
Harrison F. Kerschner - Pacific Northwest National Laboratory
Clifford S. Glantz - Pacific Northwest National Laboratory
Craig A. Goranson - Pacific Northwest National Laboratory
Abstract
An important aspect of nuclear facility operations is risk management. Until recently, risk management has not been applied in a holistic fashion to evaluate and address potential safety, security, and operational risks to nuclear facilities. The rush to integrate legacy systems and automate building operations can often introduce potential cyber vulnerabilities in operational systems if system-level interactions and interdependencies are not fully understood by cross-domain subject matter experts. To address this problem, the authors have developed and conducted a new type of cyber/physical security evaluation of the operational technology and building automation systems at a domestic nuclear facility. This evaluation involves a three-phased approach. The first phase includes an easy-to-apply cybersecurity programmatic maturity assessment. The next phase involves a “hands-on” cybersecurity assessment of the overall network down to the component level. This technical examination focuses on identification of control system assets and a search for undocumented vulnerabilities, exposures, and configuration issues. The last phase involves active security testing (e.g., penetration testing) to gauge the effectiveness of system defenses. Each phase of the assessment provides complementary results that support effective risk management decision making. In the first phase of the assessment, several areas for improvement were identified at the nuclear facility. These included the need to formalize an array of cyber/physical security practices, improve cybersecurity threat management and situational awareness, and expand cyber/physical security training and awareness programs. The second phase of the study identified potential network configuration issues and problems with the adequacy of some firewall rule sets. The cost to implement the identified enhancements is relatively low, and the risk reductions achieved should be substantial.
With an improved approach to cyber/physical security assessments and risk management, the nuclear facility examined in this study is moving toward an appropriate and cost-effective alignment of cyber, physical, operational, and personnel security.