#### *4.5.3 Supply chain and system information controls*

The use of third-party digital hardware, firmware, and software has increased tremendously in the past several decades. Purchasing general-purpose, multifunctional digital devices has become a cost-effective mainstay for many custom in-house and engineered solutions. However, since vendors, integrators, and service providers are profit driven, they will likely not invest in additional cybersecurity designs and controls for their products and services unless required by procurement specifications.

Since the supply chain is one of five threat vectors into a nuclear facility, it is imperative to develop supply chain controls that incorporate techniques into the procurement and acquisition process to prevent malicious or inadvertent compromise of hardware, firmware, software, and system information, where system information is defined as the "complete record of information regarding a digital system or component, including system level and component level information and/or data such as requirements specifications, design documentation, fabrication, assembly or manufacturing details; validation and verification documentation; operation and maintenance manuals; credential, authentication, or cryptographic information; and product lifecycle plans" [39].

The primary objectives of cyber supply chain risk management include the ability to maintain authenticity, integrity, confidentiality, and exclusivity throughout the system engineering lifecycle [39]. Authenticity assures the components are genuine; integrity assures the components are trustworthy and uncompromised; confidentiality assures there is no unauthorized loss of data or secrets; and exclusivity assures there are limited touchpoints to reduce the number of attack points [40].

A simplified, notional DI&C supply chain cyber-attack surface is illustrated in **Figure 10**. It is important to understand this attack surface so appropriate risk treatments can be implemented to reduce cybersecurity risk throughout the lifecycle. Logically, the parallel use of the design simplification CIE principle reduces this supply chain cyber-attack surface by reducing the number of stakeholders and touchpoints. Ensuring cyber supply chain provenance and trustworthiness is easier with a smaller supply chain cyber-attack surface.

Procurement contracts should include cybersecurity requirements, such as those provided by the Department of Homeland Security [41], the Energy Sector Control Systems Working Group [42], or the Electric Power Research Institute [43]. This procurement language should cover all aspects of a product or service, including the right to review the supply chain stakeholder's cybersecurity program and any assessments or cybersecurity testing. Without inclusion of cybersecurity requirements in procurement contracts, the likelihood of insecure or compromised products and services increases.

It is important to recognize that supply chain cybersecurity is necessary during early lifecycle stages, even when only system information is available. Reconnaissance is a primary method used by an adversary to acquire preliminary information about an organization, its operations, and its system designs. Theft of confidential or proprietary system information may result in loss of intellectual property and counterfeiting, and may enable the development of future sophisticated cyber-attacks. In addition, compromise or falsification of system information could lead to developers inadvertently including malicious code, falsified data, latent vulnerabilities, or backdoors in the system or component during supply chain activities.

*Cyber-Informed Engineering for Nuclear Reactor Digital Instrumentation and Control DOI: http://dx.doi.org/10.5772/intechopen.101807*

#### **Figure 10.**

*A notional DI&C supply chain cyber-attack surface illustrating the complexity of the supply chain lifecycle overlaid with potential supply chain attacks at key stakeholder locations and touchpoints [39].*

Unfortunately, protection of sensitive information has historically been inadequate: sensitive information can often be found on social media, corporate websites, conferences, business and employment-oriented online services, vendor advertising, and other third-party entities that store nuclear-related information, such as nuclear regulators. Of course, poor cybersecurity hygiene can occur at every stakeholder in the supply chain, including hardware manufacturers, programmers, and integrators, as well as the reactor designer and operator. Since engineering records, asset inventories, master drawings, procedures, specifications, analyses, and other sensitive system information are much more accessible today, responsibility for protecting system information lies not only with the entire nuclear organization but also with all supply chain stakeholders.

#### *4.5.4 Incident response planning*

Incident response planning, in conjunction with contingency planning in resilient design and an accurate and complete digital asset inventory, ensures that procedures, current backups, and accurate configurations are available to respond to and recover from deliberate or inadvertent cyber incidents. Cyber incidents can occur at any stage in the lifecycle. For example, theft of system information or IP can occur during design, introduction of malware by a subcontractor can occur during testing, and downloading of corrupted firmware can occur as part of maintenance. Incident response planning should occur in each stage of the systems engineering lifecycle to safeguard the stakeholder, system information, and DBOM against a cyber incident. IAEA TDL006 [44] and NIST 800-61 [45] provide incident response guidelines.

#### *4.5.5 Cybersecurity culture and training*

An organization's culture is demonstrated every day through the actions of its employees. Nuclear facilities are guided by a nuclear safety and security culture which emphasizes protection of public health and safety over other competing goals, such as electricity generation. Personnel are instilled with the understanding that they can and should speak up when there are safety or security concerns. Since cybersecurity is part of the overarching nuclear security policy to guard against theft and sabotage, developing and maintaining a cybersecurity culture and training program is just as important.

The human-in-the-loop is essential for maintaining a robust security posture. As digital technology is prevalent in both OT and ICT systems, every person is responsible for cybersecurity, not just ICT or engineering staff. Similar to the nuclear safety culture, an organization-wide cybersecurity culture and training program will equip all personnel with the knowledge, skills, and abilities to recognize, prevent, and respond to cyber incidents. The goal of CIE is to develop cyber-informed engineers and personnel as opposed to cybersecurity specialists. Development of cyber-awareness and cross-functional cyber capabilities will provide personnel with information on the importance of their role in an organization's overall security plan. Simply recognizing and reporting phishing emails or suspicious activity can prevent an adversary's entry into an organization. Without this knowledge of how cyber incidents can occur and what unauthorized interactions can look like, compromises can remain persistent and undetected, thereby leading to greater consequences for the organization or nuclear reactor.
