As of February 2, 2012 there
were 439 nuclear power plants in operation world wide. Most of these
existing NPP where constructed between the 1960 and 2000 [Ref1]. These
NPP are controlled primarily by analog systems that for one produce less
energy and second analog systems are resistance to cyber attacks. But
with the turn of the century, the increased demand on energy and the
positive effort of reducing carbon emissions lowering and fighting
global warming, newer and more productive NPP with digital systems where
designed. At the same time, older NPP increasingly relay on computers to run auxiliary and monitoring systems.
That
is why I wrote about the importants of cyber security for nuclear power
plants in my last blog. Now it is time to spend some thought on how to
accomplish the task of cyber security and deciding on a good security
program, that will
cover the NPP needs. The main point is to establish a fitting cyber
security architecture that lines out all the areas and needs of the a
specific NPP or maybe even a group of systems. To put it in very simply,
how you build your security architecture will most likely depend on the
following 4 basic questions:
1. Why
2. What
3.When
4. How
The answers to each of these questions will depend on the current state of the utility and the future plans. As an example;
1. Why
Most likely, a NPP or utility has to implement or extent its cyber security program for the following reasons:
1) The older analog systems will be updated to new digital programmable systems
2) The NPP is a new build or has a new extension
3) The regulatory bodies ask you for it to include cyber or IT-security to complement the safety program
4) Internationally it is becoming the norm and is expected in today's digital operational environment
5) To achieve a state of the art nuclear operation that has an positive reflection on your nuclear program
With these question's answered the next question should answer more details:
2. What
Here you can use a top down approach, to analyse the security programs implementation scope. A good point to start is to evaluate each safety zone and determine if there is a need for security implementation. To divide it in three main areas would be:
1) External Network infrastructure (internet, remote business pears or back up control center)
2) Corporate LAN
3) Control Systems LAN
The controle systems LAN then could be broken down further:
1) I&C Architecture and Network (According to operational areas and safety zones for example)
2) System
3) Subsystems
4) Software components
With the increase of computers and
digital systems and several security concerns mentioned in the previous
article, like the US based slammer worm and the Stuxnet virus in Iran
for example, the demand on cyber security to complete nuclear safety has
increased in the last couple of years massively and the attention of
regulatory bodies like the IAEA and the NRC directed at cyber security
at nuclear power plants.
Now the question of "When" is not easily
answered for the general public. On a very generic basis, it can be
assumed that the Utility wants to update I&C systems, because they
like to be more productive. According to the IAEA "Progress in
electronics and information technology (IT) has created incentives to
replace traditional analog instrumentation and control (I&C) systems
in nuclear power plants with digital I&C systems, i.e. systems
based on computers and microprocessors.
Digital systems offer higher reliability, better plant performance and
additional diagnostic capabilities. Analog systems will gradually become
obsolete in the general IT shift to digital technology. About 40% of
the world’s operating reactors have been modernized to include at least
some digital I&C systems. Most newer plants also include digital
I&C systems." [Ref 2]
The change from analog to digital I&C systems has posed new
challenges for the industry and regulators, who have had to create new
regulations, data, and develop methods to guide, lead and assures safe
operations for utilities. It is essential that the new systems meet all
reliability and performance requirements of course, but also meet the
cyber security requirements, that ensures safe operations. This leads to
the last question of "How".
No hay comentarios:
Publicar un comentario