Systematic development of scenarios caused by cyber-attack-induced human errors in nuclear power plants
Introduction
Cyber-attacks on infrastructure including nuclear power plants (NPPs) are a significant issue. Recently, the instrumentation and control (I&C) systems of NPPs have been digitalized to gain several important advantages over the existing obsolete analog systems [1]; the digitalization of these systems has, however, increased their vulnerability to cyber-attacks. Intrusion by an external or internal malicious attacker could violate the confidentiality, integrity, or availability of data [2]. A cyber-attack on an NPP I&C system should therefore be systematically considered as its effects from initiating event generation to accident mitigation may lead to the release of radioactive material to the environment. Kang et al. pointed out that digital system-induced initiating events, including human errors, should be considered in risk assessment [3]. Risk effects of accident initiation by cyber-attack and the deterioration of mitigation functions including human failure have also been studied [4].
Since the control network of an NPP is isolated from external networks, cyber-attacks were initially considered impossible. However, the Stuxnet attack disclosed in 2010 showed that an isolated network might not be an effective defense against a persistent attacker [5]. For the protection of NPP digital systems in terms of cybersecurity, the U.S. Nuclear Regulatory Commission (NRC) provides 10 CFR 73.54 and Regulatory Guides 5.71 and 1.152 [6], [7], [8]. The Nuclear Energy Institute (NEI) also provides guidance for identifying the systems and assets subject to the cybersecurity rule in support of 10 CFR 73.54 [9]. Numerous cybersecurity studies have been conducted in various fields; for example, cybersecurity models have been suggested that can be utilized for system risk assessment [10], [11], [12]. Yulia presented a comprehensive literature review of cybersecurity risk assessment for supervisory control and data acquisition (SCADA) systems and the related research challenges [13]. Shin developed a cybersecurity risk model of an NPP I&C system using Bayesian networks [14], in which an architecture analysis model covering vulnerabilities and mitigation measures is integrated with an activity-quality model based on regulatory guides. Piètre [15] and Siwar [16] provided overviews of the different approaches to the convergence of safety and security in industrial control systems. It should be noted that, because the threats are deliberate rather than random, the effectiveness of cybersecurity measures is closely tied to the safety of the system.
The cybersecurity of non-safety systems, particularly the displays that can affect the operator, also needs to be considered. In the NEI report, the non-safety system that provides plant status information to the operators is classified as important-to-safety under 10 CFR 73.54 [9]. In an NPP, plant information is provided through the I&C system, which consists of a safety system, control system, human-machine interface (HMI), and other actuation and supporting systems. Operators usually acquire plant status information through the operator console and the large HMI display panel. As revealed in the Three Mile Island accident, inadequate information led to misunderstanding, wrong operator action, and ultimately core damage [17]. Despite the crucial importance of proper information, the information and display system of an NPP might have several vulnerabilities, as evidenced by the following incident. In 2003, the Davis–Besse NPP was infected by the Slammer worm, which entered over a contractor's network connection that bypassed the plant's corporate firewall and then propagated through the corporate network into the process control network. While it did not permanently destroy or change any system, it temporarily disrupted normal operation by generating spurious traffic, and the safety parameter display system was unavailable for nearly five hours; the plant happened to be shut down at the time. This case shows that the non-safety display system of an NPP is a reachable target of cyber-attack, and therefore highlights the need to identify the attack vectors and their anticipated consequences. The implication is that, if a cyber-attack can affect the NPP I&C system, it might also affect the behavior of the operator via the HMI systems.
The human element is considered one of the most important elements in NPP safety [18] and cybersecurity [7], [19], [20]. A report issued by the U.S. Government Accountability Office illustrated that a successful attack on control systems can be carried out by denying operators the availability of the networks and by sending false information to operators [21]. Several studies [22], [23], [24] implied that an incorrect operator judgment of the plant state can be caused by a violation of data integrity, which might have disastrous effects on the plant and the environment. These studies have not, however, developed this possibility in detail; a cyber-attack on a non-safety display should therefore be treated systematically together with the operator actions it influences. Various other studies have focused on the physical protection of NPPs, which can give insight into the risk from cyber-attack. Sandia National Laboratories suggested adopting a fault tree (FT) model for vital area identification and determined the minimal cut sets (MCSs) representing all possible combinations of sabotage events [25], [26]; based on this research, a conceptual framework for assessing the risk from sabotage has been suggested [27].
As previous research has not provided a detailed connection between safety and operator action under cyber-attack, this study discusses the relation between a cyber-attack and the failure of accident mitigation caused by wrong operator actions. A probabilistic approach is adopted in preference to a deterministic one, because it develops the scenarios and models the mitigation of an initiating event in detail: multiple failures are treated as important events, and human reliability assessment is considered in detail. The FT model employed here is one of the consistent and well-proven probabilistic safety assessment (PSA) models for NPP safety assessment. By identifying the MCSs related to cyber-attacks, the resulting scenarios leading to core damage can be known. The objective of this work is to provide a complete set of safety-related attack scenarios by analyzing existing FT analysis results; the authors regard this as a top-down approach, in contrast to the conventional bottom-up approach. Cyber-attacks on the non-safety NPP I&C systems cannot directly cause the failure of the safety systems, because only one-way data flow from the safety to the non-safety system is allowed [7]; failures of the HMI and the resulting failure of safety-related operator actions nevertheless need to be considered together. To investigate the consequences of wrong operator actions induced by a cyber-attack, the basic events related to the actions of the operator are identified from the emergency operating procedure (EOP). The result of this study is expected to be useful in developing preventive measures that improve the security level, or in establishing regulatory criteria for a cyber-attack on a non-safety system, for example in selecting the target components and target information for penetration testing.
Section snippets
Considerations of wrong operator actions
Unlike other systems, there are manual backups for the safety functions in NPPs. Since the safety features are automated and implemented in the safety platform, the operator only needs to confirm whether the system is working properly, and generate the manual actuation signal based on the EOP. The operator might also undo the safety actions depending on the status of the plant; in this case, however, the safety functions cannot be turned back on automatically. Therefore, if the operator's
Methodology development
In this section, the developed scenario identification process is presented. The types of operator error used in this process are identified with corresponding basic events described. Post-processing to obtain the scenarios needed to develop preventive measures is also described.
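The screening described in the Introduction and in this section (tag the basic events that are operator actions, find the minimal cut sets of the existing fault tree that contain them, and post-process the result to point at the displayed information an attacker would have to corrupt) can be illustrated with a small script. The following is an added example, not code from the paper: the fault tree, basic-event names, display parameters and gate structure are constructed for illustration and are far simpler than a plant PSA model.

```python
"""Added example (not the paper's own code): screen a fault tree for
core-damage cut sets that can be completed by a wrong operator action,
then rank the HMI parameters those actions depend on.

All names below are constructed for illustration."""
from itertools import product

# Constructed gate table: name -> (gate type, children). Any name that is
# not a gate is a basic event. Top event CD = core damage after loss of
# all feedwater: secondary cooling is lost AND feed-and-bleed (F&B) fails.
FAULT_TREE = {
    "CD":            ("AND", ["SEC_COOL_FAIL", "FB_FAIL"]),
    "SEC_COOL_FAIL": ("AND", ["AFW_PUMP_A", "AFW_PUMP_B"]),
    "FB_FAIL":       ("OR",  ["OPR_FB_FAIL", "FB_HW_FAIL"]),
    "OPR_FB_FAIL":   ("OR",  ["OPR_DIAG_LOAF", "OPR_OPEN_PORV"]),
    "FB_HW_FAIL":    ("OR",  ["PORV_FAIL", "HPSI_FAIL"]),
    "HPSI_FAIL":     ("AND", ["HPSI_PUMP_A", "HPSI_PUMP_B"]),
}

# Constructed basic-event metadata. Operator actions (taken from an EOP in
# the real method) carry the HMI parameters the operator reads before
# acting; those parameters are the attack surface of a display compromise.
BASIC_EVENTS = {
    "AFW_PUMP_A":    {"human": False, "displays": []},
    "AFW_PUMP_B":    {"human": False, "displays": []},
    "PORV_FAIL":     {"human": False, "displays": []},
    "HPSI_PUMP_A":   {"human": False, "displays": []},
    "HPSI_PUMP_B":   {"human": False, "displays": []},
    "OPR_DIAG_LOAF": {"human": True,  "displays": ["SG_LEVEL", "AFW_FLOW"]},
    "OPR_OPEN_PORV": {"human": True,  "displays": ["SG_LEVEL", "PZR_PRESSURE"]},
}


def _cut_sets(tree, node):
    """Recursively expand a node into a list of (not yet minimal) cut sets."""
    if node not in tree:                      # basic event
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [_cut_sets(tree, c) for c in children]
    if gate == "OR":                          # any child's cut set suffices
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":                         # one cut set from every child
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type {gate!r} at {node}")


def minimal_cut_sets(tree, top):
    """Minimal cut sets of `top`: drop duplicates and any cut set that is a
    strict superset of another (absorption)."""
    sets = set(_cut_sets(tree, top))
    return sorted(
        (cs for cs in sets if not any(other < cs for other in sets)),
        key=lambda cs: (len(cs), sorted(cs)),
    )


def cyber_relevant_cut_sets(mcs, basic_events):
    """Keep only cut sets containing at least one operator action. These are
    the core-damage paths a display manipulation could complete: an attacker
    on the non-safety side cannot fail the hardware terms directly."""
    return [cs for cs in mcs if any(basic_events[e]["human"] for e in cs)]


def display_targets(mcs, basic_events):
    """Map each displayed parameter to the number of relevant cut sets whose
    operator action depends on it. Higher counts are the better candidates
    for preventive measures or penetration-test targets."""
    counts = {}
    for cs in mcs:
        params = set()
        for e in cs:
            if basic_events[e]["human"]:
                params.update(basic_events[e]["displays"])
        for p in params:
            counts[p] = counts.get(p, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    mcs = minimal_cut_sets(FAULT_TREE, "CD")
    relevant = cyber_relevant_cut_sets(mcs, BASIC_EVENTS)
    print(f"{len(mcs)} minimal cut sets, {len(relevant)} involve an operator action")
    for cs in relevant:
        print("  ", " * ".join(sorted(cs)))
    print("display parameters ranked by the cut sets they could defeat:")
    for param, n in display_targets(relevant, BASIC_EVENTS).items():
        print(f"  {param}: {n}")
```

The filter in `cyber_relevant_cut_sets` encodes the one-way data-flow argument from the Introduction: hardware basic events are out of an attacker's reach from the non-safety side, so only cut sets whose remaining term is an operator action are completable by corrupting a display. The gate expansion used here is exponential in the tree size; for a plant-scale PSA the cut sets would be taken from the PSA tool's output, and only the post-processing (tagging operator actions and ranking display parameters) would be applied.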
Target operation
To apply the methodology for scenario development concerning a cyber-attack on the information display system of an NPP, a case study is considered here. The target operation is the feed and bleed (F&B) operation in case of a loss of all feed water (LOAF) accident in a pressurized water reactor (PWR). The F&B operation directly cools down the reactor coolant system (RCS) when adequate residual heat removal by the secondary cooling system is not available. To initiate F&B, the operator has to
Conclusion
This study demonstrated that a cyber-attack on non-safety systems could threaten the safety of NPPs. While the HMI display is not a safety system, it affects the safety actions of operators. The risk induced by a cyber-attack can be identified by using PSA results, which describe the failures that lead to core damage. Therefore, the MCSs related to a cyber-attack and the related consequences were identified. Since wrong actions by the operator caused by a cyber-attack have the same effect as
Acknowledgment
This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2016R1A5A1013919).
References (39)
- et al. An analysis of safety-critical digital systems for risk-informed design. Reliab Eng Syst Safe (2002).
- Analysis of information security reliability: a tutorial. Reliab Eng Syst Safe (2015).
- et al. Risk assessment of security systems based on entropy theory and the Neyman–Pearson criterion. Reliab Eng Syst Safe (2015).
- et al. Multiple cyber attacks against a target with observation errors and dependent outcomes: characterization and optimization. Reliab Eng Syst Safe (2017).
- et al. A review of cyber security risk assessment methods for SCADA systems. Comput Secur (2016).
- et al. Development of a cyber security risk model using Bayesian networks. Reliab Eng Syst Safe (2015).
- et al. Cross-fertilization between safety and security engineering. Reliab Eng Syst Safe (2013).
- et al. A survey of approaches combining safety and security for industrial control systems. Reliab Eng Syst Safe (2015).
- et al. An analysis of technical security control requirements for digital I&C systems in nuclear power plants. Nucl Eng Technol (2013).
- et al. A PSA-based vital area identification methodology development. Reliab Eng Syst Safe (2003).
- Dynamic sequence analysis for feed-and-bleed operation in an OPR1000. Ann Nucl Energy.
- Committee on application of digital instrumentation and control systems to nuclear power plant operations and safety.
- Cyber security assessment of a power plant. Electr Power Syst Res.
- Risk Effect of Possible Cyber Terror to Nuclear Plants.
- Lessons from Stuxnet. Computer.
Cited by (17)
- Cyber security in the nuclear industry: A closer look at digital control systems, networks and human factors. Progress in Nuclear Energy, 2023.
- The effects of cyber threats on maintenance outsourcing and age replacement policy. Computers in Industry, 2023.
- Modelling cyber resilience in a water treatment and distribution system. Reliability Engineering and System Safety, 2022. Citation excerpt: "For example, feeding the model with (near-) real-time data might substantiate live anomaly detection. Currently, the actions of human operators have not been modeled, even though they represent an additional source of variability, both positive (increasing system resilience to cyber attacks) and negative (facilitating a cyber vulnerability [72,73]). Additional variability on system functioning can also be considered by modeling the WDN with a more dynamic approach, e.g., considering leaks [74], or by modeling cyber attacks against the WDN's smart devices, too [33]."
- Development of a method for securing the operator's situation awareness from manipulation attacks on NPP process data. Nuclear Engineering and Technology, 2022. Citation excerpt: "In addition, these safety systems are developed considering the stringent cybersecurity regulatory requirements for NPPs. For these reasons, non-safety-grade systems might be more vulnerable to cyberattacks than the safety systems [27]. If an attacker infiltrates a non-safety system and compromises the MMIS, the operator can be deceived by misinformation and may take inappropriate actions."
- Evaluating attractiveness of cyberattack path using resistance concept and page-rank algorithm. Annals of Nuclear Energy, 2022. Citation excerpt: "According to ORNL (ORNL, 2007), Byzantine failure may occur in communication between non-safety systems even if the safety system operates normally. And also, Kim et al. (2017) showed that the NPP can be in a severe state by attacking several non-safety components. Theoretically, complete fault tolerance against Byzantine failure can be guaranteed by using 3n + 1 components."
2022, Annals of Nuclear EnergyCitation Excerpt :According to ORNL (ORNL, 2007), Byzantine failure may occur in communication between non-safety systems even if the safety system operates normally. And also, Kim et al. (2017) showed that the NPP can be severe state by attacking several non-safety components. Theoretically, complete fault tolerance against Byzantine failure can be guaranteed by using 3n + 1 components.