A New Look at Cyber Security for Nuclear Power Plants: The Cyber Hazards Analysis Risk Methodology (CHARM)

Year
2016
Author(s)
Adam D. Williams - Sandia National Laboratories
Timothy A. Wheeler - Sandia National Laboratories
Phillip L. Turner - Sandia National Laboratories
Abstract
The U.S. nuclear power industry currently employs a variety of hazard and failure analysis methods for evaluating and managing potential failures of nuclear power facility structures, systems, and components—including digital instrumentation and control (DI&C) systems. The Electric Power Research Institute (EPRI) and Sandia National Laboratories (SNL) are investigating the feasibility of applying hazard and failure analysis models to assessing cyber security for nuclear power plants. This paper applies three hazard analysis methods—fault tree analysis (FTA), systems theoretic process analysis (STPA) and information design assurance red team (IDART)—in an integrated process that symbiotically leverages respective strengths for evaluating and managing potential failures in nuclear power plant safety systems controlled by DI&C systems. Specifically, this paper investigates this synergistic applicability by identifying cyber domain vulnerabilities resulting from digital assets and translating them into potential failure(s) of the nuclear power plant’s safety systems. The intent is to design and implement optimal cyber security controls as prioritized based on the ultimate risks of cyber domain vulnerabilities on nuclear plant safety. To evaluate the Cyber Hazards Analysis Risk Methodology (CHARM), a DI&C system for a notional auxiliary feedwater system (AFWS) for pressurized water reactor (PWR) nuclear power plants is analyzed. STPA identifies potential hazardous control actions for the DI&C system that would generate hazardous safety system behaviors. These become “cyber-hazard informed” basic events analyzed via the safety system’s existing fault trees. The resulting “cyber-hazard informed cut sets” are then evaluated using IDART, helping to focus the analysis within the context of a cyber attacker’s desire to bring the nuclear power plant safety system to failure. 
This proof-of-principle evaluation of CHARM suggests the risk-informed insights gained from leveraging synergies between STPA, FTA and IDART can be used for developing and implementing cyber security controls. Both engineering and cyber security personnel can use CHARM as an aid in understanding the complexities associated with digital control of safety-critical systems within nuclear power plants.
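As an added illustration of the STPA-to-FTA step described above (this is not code or data from the paper; the fault tree below is a constructed toy, not the notional AFWS model the authors analyzed), the following Python computes the minimal cut sets of a small two-train loss-of-feedwater tree in which some basic events are assumed "cyber-hazard informed" events derived from STPA hazardous control actions of the DI&C. It shows why such events matter: a single DI&C control action shared by both trains yields a one-event cut set that bypasses the train redundancy, whereas every purely mechanical cut set needs two independent failures.

```python
from itertools import product

# Constructed fault tree: gate name -> (gate type, children). Names absent
# from TREE are basic events. Events prefixed "CH_" are assumed
# "cyber-hazard informed" basic events (STPA hazardous control actions of
# the DI&C), the others are conventional hardware failures.
TREE = {
    "TOP_loss_of_AFW_flow": ("AND", ["TRAIN_A_no_flow", "TRAIN_B_no_flow"]),
    "TRAIN_A_no_flow": ("OR", ["PUMP_A_fails", "MOV_A_fails_closed",
                               "CH_DIC_no_open_cmd_A",
                               "CH_DIC_common_isolation_cmd"]),
    "TRAIN_B_no_flow": ("OR", ["PUMP_B_fails", "MOV_B_fails_closed",
                               "CH_DIC_no_open_cmd_B",
                               "CH_DIC_common_isolation_cmd"]),
}


def cut_sets(node):
    """All (not yet minimal) cut sets of `node` as frozensets of basic events."""
    if node not in TREE:                       # basic event: its own cut set
        return [frozenset([node])]
    gate, children = TREE[node]
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                           # any child failing is enough
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":                          # one cut set from every child
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type {gate!r}")


def minimal_cut_sets(node):
    """Drop every cut set that is a strict superset of another (MOCUS-style)."""
    sets = set(cut_sets(node))
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))


def cyber_informed(mcs, prefix="CH_"):
    """The 'cyber-hazard informed cut sets': those containing a CH_ event."""
    return [s for s in mcs if any(e.startswith(prefix) for e in s)]


if __name__ == "__main__":
    mcs = minimal_cut_sets("TOP_loss_of_AFW_flow")
    for s in cyber_informed(mcs):
        print(len(s), sorted(s))
```

The cut sets flagged by `cyber_informed` are the ones the abstract hands to the IDART step; here the one-event set {CH_DIC_common_isolation_cmd} is the obvious candidate for prioritized controls.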