Systematic development of scenarios caused by cyber-attack-induced human errors in nuclear power plants

https://doi.org/10.1016/j.ress.2017.05.046

Highlights

  • To identify the consequences of wrong operator actions induced by a cyber-attack, a method for developing a cyber-attack fault tree (FT) is proposed.

  • The wrong actions were obtained by analyzing an emergency operating procedure and were added as basic events to the existing probabilistic safety assessment model.

  • The minimal cut sets (MCSs) consisting of the basic events related to cyber-attacks are obtained by post-processing. These MCSs represent the cyber-attack scenarios that lead to core damage without any other random event.

  • As a case study, the feed-and-bleed operation was analyzed with the developed FT, and several scenarios leading to core damage were derived. The results can be used in penetration test plan generation.

Abstract

The digitalization of the instrumentation and control (I&C) systems in nuclear power plants has increased the threat from cyber-attack. This paper addresses the vulnerability of a plant to potential attacks on non-safety I&C systems that result in a hazardous plant status. In safety-critical applications such as nuclear power plants, safety systems are separated and isolated from non-safety systems by design. Cyber-attacks on the non-safety systems can, however, escalate into plant safety threats by inducing wrong operator actions. We focus here on the operator actions that lead to the unavailability of a safety system and cause the failure of accident mitigation. In this study, the effect of safety system unavailability on plant safety is carefully modeled using a conventional fault tree (FT) analysis, and human actions are analyzed based on emergency operating procedures. Based on the results of the FT analysis in combination with the human action analysis, we suggest a novel method to systematically develop cyber-attack propagation scenarios, in which a cyber-attack is linked to its consequences. As a case study, the feed-and-bleed operation is analyzed with the developed FT, producing multiple scenarios that lead to core damage. The results of this study are expected to be useful in establishing preventive measures.

Introduction

Cyber-attacks on infrastructure, including nuclear power plants (NPPs), are a significant issue. Recently, the instrumentation and control (I&C) systems of NPPs have been digitalized to gain several important advantages over the obsolete analog systems they replace [1]; the digitalization of these systems has, however, increased their vulnerability to cyber-attacks. Intrusion by an external or internal malicious attacker could violate the confidentiality, integrity, or availability of data [2]. A cyber-attack on an NPP I&C system should therefore be considered systematically, because its effects, from initiating-event generation to accident mitigation, may lead to the release of radioactive material to the environment. Kang et al. pointed out that digital-system-induced initiating events, including human errors, should be considered in risk assessment [3]. The risk effects of accident initiation by cyber-attack and of the deterioration of mitigation functions, including human failure, have also been studied [4].

Since the control network of an NPP is isolated from external networks, cyber-attacks were initially considered impossible. However, the Stuxnet attack of 2010 revealed that an isolated network might not be an effective defense against persistent cyber terror [5]. For the protection of NPP digital systems in terms of cybersecurity, the U.S. Nuclear Regulatory Commission (NRC) provides 10 CFR 73.54 and Regulatory Guides 5.71 and 1.152 [6], [7], [8]. The Nuclear Energy Institute (NEI) also provides guidance for identifying the systems and assets subject to the cybersecurity rule in support of 10 CFR 73.54 [9]. Additionally, numerous cybersecurity studies have been conducted in various fields; for example, cybersecurity models that can be used for system risk assessment have been suggested [10], [11], [12]. Yulia presented a comprehensive literature review of cybersecurity risk assessment for supervisory control and data acquisition systems and the related research challenges [13]. Shin developed a cybersecurity risk model of an NPP I&C system using Bayesian networks [14], in which an architecture analysis model including vulnerabilities and mitigation measures is integrated with an activity-quality model based on regulatory guides. Piètre [15] and Siwar [16] provided overviews of the different approaches to the convergence of safety and security in industrial control systems. It should be noted that cybersecurity is closely coupled to system safety because, unlike random failures, the threats are malicious.

The cybersecurity of non-safety systems, particularly the displays that inform the operator, also needs to be considered. In the NEI report, the non-safety system that provides plant status information to the operators is classified in the important-to-safety category under 10 CFR 73.54 [9]. In an NPP, plant information is provided through the I&C system, which consists of a safety system, control system, human-machine interface (HMI), and other actuation and supporting systems. Operators usually acquire plant status information through the operator console and the large HMI display panel. As the Three Mile Island accident revealed, inadequate information led to misunderstanding, wrong operator actions, and ultimately core damage [17]. Despite the crucial importance of proper information, the information and display systems of NPPs may have several vulnerabilities, as the following incident shows. In 2003, the Davis–Besse NPP was infected by the SQL Slammer worm, which propagated through the corporate network into the plant's process control network. While it did not permanently destroy or change any system, it temporarily disrupted normal operation by generating spurious traffic; as a result, the safety parameter display system was unavailable for nearly five hours. This case shows the potential for cyber-attacks on the non-safety display systems of NPPs and therefore highlights the need to identify the attack vectors and the anticipated consequences. The implication is that if a cyber-attack can affect the NPP I&C system, it can also affect the behavior of the operator through the HMI.

The human element is considered one of the most important elements in NPP safety [18] and cybersecurity [7], [19], [20]. A report issued by the U.S. Government Accountability Office (GAO) illustrated that a successful attack on control systems can be carried out by denying operators the availability of the networks and by sending them false information [21]. Several studies [22], [23], [24] have implied that incorrect operator judgment of the plant state can be caused by a violation of data integrity, with potentially disastrous effects for the plant and the environment. These studies have, however, not yet been extended in detail; a cyber-attack on a non-safety display therefore needs to be treated together with operator action in a systematic way. Various other studies have focused on the physical protection of NPPs, which can give insight into the risk from cyber-attack. Sandia National Laboratories suggested adopting a fault tree (FT) model for vital area identification and determined the minimal cut sets (MCSs) representing all possible events resulting from sabotage [25], [26]; building on this work, a conceptual framework for assessing the risk from sabotage has been suggested [27].

As previous research has not provided detailed connections between safety and operator action under cyber-attack, this study examines the relation between a cyber-attack and the failure of mitigation caused by wrong actions of the operator. A probabilistic approach is adopted in preference to a deterministic one, as the former develops scenarios and models the mitigation of an initiating event in detail: multiple failures are treated as important events, and human reliability is assessed in detail. The FT model employed here is one of the consistent and well-proven probabilistic safety assessment (PSA) models used for NPP safety assessment. By identifying the MCSs related to cyber-attacks, the resulting scenarios leading to core damage can be known. The objective of this work is to provide a complete set of safety-related attack scenarios by analyzing existing FT analysis results; the authors regard this as a top-down approach rather than the conventional bottom-up approach. Cyber-attacks on non-safety NPP I&C systems cannot directly cause the failure of safety systems, because only one-way data flow from the safety to the non-safety side is permitted [7]; failures of the HMI and the resulting failure of safety-related operator actions nevertheless need to be considered together. To investigate the consequences of wrong operator actions induced by a cyber-attack, the basic events related to operator actions are identified from the emergency operating procedure (EOP). The results of this study are expected to be useful in developing preventive measures that improve the security level, or in establishing regulatory criteria for cyber-attacks on non-safety systems, for example in selecting penetration test target components and target information.

Section snippets

Considerations of wrong operator actions

Unlike other systems, there are manual backups for the safety functions in NPPs. Since the safety features are automated and implemented in the safety platform, the operator only needs to confirm whether the system is working properly, and generate the manual actuation signal based on the EOP. The operator might also undo the safety actions depending on the status of the plant; in this case, however, the safety functions cannot be turned back on automatically. Therefore, if the operator's

Methodology development

In this section, the developed scenario identification process is presented. The types of operator error used in the process are identified, and the corresponding basic events are described. The post-processing used to obtain the scenarios needed for developing preventive measures is also described.
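The post-processing described in the highlights and in this section (generate the MCSs of a fault tree that contains cyber-induced operator-error basic events, then keep the cut sets made up of those events alone) can be shown on a small fault tree. The following is an added worked example and is not code from the paper: the gate structure and event names are a constructed, simplified stand-in for a feed-and-bleed failure model, not the authors' OPR1000 PSA model, and the `max_random` argument goes beyond the paper's criterion by also listing scenarios that need a given number of coincident random failures.

```python
"""Minimal-cut-set (MCS) post-processing for cyber-attack-induced operator errors.

Added illustration, not code from the paper. The fault tree below is a
constructed, simplified stand-in for a feed-and-bleed (F&B) failure model:
gate and event names are hypothetical, not the authors' OPR1000 PSA model.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

CutSet = FrozenSet[str]

# Gate table: name -> (gate type, children). Children not in the table are basic events.
GATES: Dict[str, Tuple[str, List[str]]] = {
    "CORE_DAMAGE_AFTER_LOAF": ("OR", ["G_BLEED_FAIL", "G_FEED_FAIL", "G_EARLY_TERMINATION"]),
    # Bleed path: operator fails to open the PORVs, or both PORVs fail to open.
    "G_BLEED_FAIL": ("OR", ["HE_NO_PORV_OPEN", "CY_FALSE_RCS_PRESSURE", "G_PORV_HW"]),
    "G_PORV_HW": ("AND", ["PORV_A_FTO", "PORV_B_FTO"]),
    # Feed path: pumps unavailable, or neither automatic nor manual start succeeds.
    "G_FEED_FAIL": ("OR", ["HPSI_PUMPS_CCF", "G_HPSI_NOT_STARTED"]),
    "G_HPSI_NOT_STARTED": ("AND", ["HPSI_AUTO_START_FAIL", "G_HPSI_MANUAL_FAIL"]),
    "G_HPSI_MANUAL_FAIL": ("OR", ["HE_NO_HPSI_START", "CY_FALSE_HPSI_RUNNING"]),
    # Operator terminates F&B too early because the plant looks recovered.
    "G_EARLY_TERMINATION": ("OR", ["HE_EARLY_TERMINATION", "CY_FALSE_SG_LEVEL"]),
}

# Basic events added for wrong operator actions induced by manipulated HMI data (hypothetical).
CYBER_EVENTS: Set[str] = {
    "CY_FALSE_RCS_PRESSURE",   # display hides the F&B entry condition -> PORVs never opened
    "CY_FALSE_HPSI_RUNNING",   # display shows HPSI running -> no manual start
    "CY_FALSE_SG_LEVEL",       # display shows feedwater recovered -> F&B terminated
}

# HMI indication an attacker would have to manipulate to cause each event (hypothetical).
TARGET_INFORMATION: Dict[str, str] = {
    "CY_FALSE_RCS_PRESSURE": "RCS pressure indication",
    "CY_FALSE_HPSI_RUNNING": "HPSI pump status indication",
    "CY_FALSE_SG_LEVEL": "steam generator level indication",
}


def minimize(cut_sets: List[CutSet]) -> List[CutSet]:
    """Drop duplicates and any cut set that is a superset of another (absorption)."""
    minimal: List[CutSet] = []
    # Shortest sets first, so every strict superset is seen after its subset.
    for cs in sorted(set(cut_sets), key=lambda s: (len(s), sorted(s))):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def minimal_cut_sets(node: str) -> List[CutSet]:
    """Top-down expansion: OR unions the child cut sets, AND forms their products."""
    if node not in GATES:
        return [frozenset([node])]          # basic event: one single-element cut set
    gate_type, children = GATES[node]
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate_type == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    elif gate_type == "AND":
        combined = [frozenset()]
        for sets in child_sets:
            combined = [a | b for a in combined for b in sets]
    else:
        raise ValueError(f"unknown gate type {gate_type!r} at {node}")
    return minimize(combined)


def cyber_scenarios(mcs: List[CutSet], cyber_events: Set[str], max_random: int = 0) -> List[CutSet]:
    """Post-processing step: keep the cut sets driven by cyber-induced events.

    max_random=0 is the paper's criterion (core damage from the attack alone);
    larger values also return scenarios that need that many coincident random failures.
    """
    return [cs for cs in mcs
            if cs & cyber_events and len(cs - cyber_events) <= max_random]


def pentest_targets(scenarios: List[CutSet]) -> Set[str]:
    """HMI indications that appear in the selected scenarios (candidate test targets)."""
    return {TARGET_INFORMATION[e] for cs in scenarios for e in cs if e in TARGET_INFORMATION}


if __name__ == "__main__":
    mcs = minimal_cut_sets("CORE_DAMAGE_AFTER_LOAF")
    print(f"{len(mcs)} minimal cut sets in total")
    for cs in cyber_scenarios(mcs, CYBER_EVENTS, max_random=1):
        random_part = sorted(cs - CYBER_EVENTS)
        print(sorted(cs & CYBER_EVENTS), "+ random:", random_part or "none")
    print("indications to target:", sorted(pentest_targets(cyber_scenarios(mcs, CYBER_EVENTS))))
```

On this constructed tree the full analysis yields eight MCSs; only two of them consist of a cyber-induced basic event alone (the false RCS pressure and the false steam generator level), which is exactly the set the paper's post-processing would report. The false HPSI status only becomes a core-damage scenario together with a random automatic-start failure, which is why listing `max_random=1` scenarios separately is useful when prioritizing which indications to include in a penetration test.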

Target operation

To apply the methodology for scenario development concerning a cyber-attack on the information display system of an NPP, a case study is considered here. The target operation is the feed-and-bleed (F&B) operation in a loss of all feedwater (LOAF) accident in a pressurized water reactor (PWR). The F&B operation cools down the reactor coolant system (RCS) directly when adequate residual heat removal by the secondary cooling system is not available. To initiate F&B, the operator has to

Conclusion

This study demonstrated that a cyber-attack on non-safety systems could threaten the safety of NPPs. While the HMI display is not a safety system, it affects the safety actions of operators. The risk induced by a cyber-attack can be identified from PSA results, which describe the failures that lead to core damage; on this basis, the MCSs related to a cyber-attack and the related consequences were identified. Since wrong actions by the operator caused by a cyber-attack have the same effect as

Acknowledgment

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2016R1A5A1013919).

References (39)

  • BG Kim et al. Dynamic sequence analysis for feed-and-bleed operation in an OPR1000. Ann Nucl Energy (2014).
  • Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety (1997).
  • IN Fovino et al. Cyber security assessment of a power plant. Electr Power Syst Res (2011).
  • HG Kang. Risk Effect of Possible Cyber Terror to Nuclear Plants.
  • TM Chen et al. Lessons from Stuxnet. Computer (2011).
  • USNRC, 2009. 10 CFR Part 73.54, Protection of digital computer and communication systems and...
  • USNRC, 2010. Regulatory Guide 5.71, Cyber security programs for nuclear facilities....
  • USNRC, 2006. Regulatory Guide 1.152 revision 2, criteria for use of computers in safety systems of nuclear power...
  • Nuclear Energy Institute. Identifying systems and assets subject to the cyber security rule....
Cited by (17)

  • Modelling cyber resilience in a water treatment and distribution system

    2022, Reliability Engineering and System Safety
    Citation excerpt:

    For example, feeding the model with (near-) real-time data might substantiate live anomaly detection. Currently, the actions of human operators have not been modeled, even though they represent an additional source of variability, both positive (increasing system resilience to cyber attacks) and negative (facilitating a cyber vulnerability [72,73]). Additional variability in system functioning can also be considered by modeling the WDN with a more dynamic approach, e.g., considering leaks [74], or by modeling cyber attacks against the WDN's smart devices, too [33].

  • Development of a method for securing the operator's situation awareness from manipulation attacks on NPP process data

    2022, Nuclear Engineering and Technology
    Citation excerpt:

    In addition, these safety systems are developed considering the stringent cybersecurity regulatory requirements for NPPs. For these reasons, non-safety-grade systems might be more vulnerable to cyberattacks than the safety systems [27]. If an attacker infiltrates a non-safety system and compromises the MMIS, the operator can be deceived by misinformation and may take inappropriate actions.

  • Evaluating attractiveness of cyberattack path using resistance concept and page-rank algorithm

    2022, Annals of Nuclear Energy
    Citation excerpt:

    According to ORNL (ORNL, 2007), Byzantine failure may occur in communication between non-safety systems even if the safety system operates normally. And also, Kim et al. (2017) showed that the NPP can be brought to a severe state by attacking several non-safety components. Theoretically, complete fault tolerance against Byzantine failure can be guaranteed by using 3n + 1 components.