Assessment of Cyber Security Challenges in Nuclear Power Plants Security Incidents, Threats, and Initiatives

Nuclear power plants play an important role in electricity production for many countries. They supply power to industries, centers, government facilities, and residential areas. Yet, upon review, several cases reveal that even a small-scale attack on a nuclear power plant could lead to catastrophic consequences for a country’s citizens, economy, infrastructure, and security. In recent years, there has been increased attention to the area of nuclear cybersecurity due to attacks or incidents designed to disrupt NPP operations. In spite of this rise of nuclear-related cyber attacks, the security for NPPs has not been holistically addressed. Literature review reveals the lack of a comprehensive information security framework to secure nuclear power plants from internal and external threats. This research highlights the significance of performing security assessments within NPPs as it relates to cyber defense. The contribution of this paper is twofold. First, it presents a detailed review of cyber challenges and security incidents that have occurred within NPPs, followed by a discussion on the initiatives taken by governments and regulatory bodies in mitigating such security challenges. Contextual background information on Critical Infrastructure Protection, nuclear power plants and information security risk management has been supplied to aid reader understanding. Additionally, this research posits that any kind of cyber incident on nuclear infrastructure may lead to catastrophic results, from which recovery may be impossible. Therefore, there is a significant need to perform detailed threat and vulnerability assessments that address either stand-alone attacks or coordinated attacks against the use of computer systems on NPPs. Following this discussion, a threat modelling is presented using an established methodology, which identifies possible threats to, vulnerabilities in, and adversaries of a generic Instrumentation and Control (I&C) system of a NPP by considering its characteristics and architecture. The analysis reveals that NPPs are not fully armed against cyber attacks and identifies a significant need to conduct security assessments such as the Information Security Risk Assessment, which would provide comprehensive and reliable risk analysis functionality to NPPs.