### **3.1 Consequence analysis**

A nuclear reactor has a licensing basis that identifies high-consequence DBAs that can potentially lead to radiological release. This licensing basis includes those safety-related SSCs that must remain functional during a DBA to protect the health and safety of the public. While safety-related impacts are the primary concern, consequences from a cyber incident at a nuclear reactor could potentially range from intangible impacts (e.g., reputation damage, industry perception) to financial impacts (e.g., lost generation, equipment damage, repair costs) to adverse public health and safety impacts due to radiological release or theft of special nuclear material (SNM). Examples of low to high consequence impacts from a cyber incident are illustrated in **Figure 4**. **Table 1** expands on several of these consequences to provide causal examples of functional failures from hypothetical cyber incidents.

**Figure 4.**

*Potential consequences from a cyber incident at a reactor.*

**Table 1.**

*Potential consequences from a cyber incident at a reactor along with hypothesized functional failure and initiating cyber incident.*

Cyber-induced consequences at a nuclear reactor can be minimized by maintaining availability, integrity, and confidentiality of DI&C components and systems. Nuclear reactors may be designed to run continuously (e.g., NPP) or intermittently (e.g., research and test reactor). In either case, data and communication flow must remain available to ensure safe and reliable operation of the reactor. Delay, disruption, or prevention of data or communication within an OT system can result in unintended control actions, such as inadvertent component actuation or reactor trip. As listed in **Table 2**, cyber incidents that impact availability can be malicious and intentional, such as a denial-of-service attack [14], or non-malicious and unintentional, such as excessive network traffic from failing equipment [15].

The integrity of DI&C information, data, and system parameters must also be maintained. Control systems require accurate, truthful, and complete information for safe and reliable operation. For instance, unintended modification of data, logic, or commands by man-in-the-middle attacks can cause equipment failure [16], or poorly executed software updates can reset plant data and cause actuation of a safety system [17]. Operators also rely on truthful and accurate data for decision making; inaccurate data on indicators or human-machine interfaces could cause operators to make improper decisions or perform incorrect actions. Operationally, it is often more dangerous to have a reactor in an unknown state than safely shut down. Consider an unexpected cyber incident that is visible to the operator—the operator can detect and respond to the incident, thereby minimizing further impacts. On the other hand, cyber incidents that are invisible to the operator can result in persistent and higher-consequence adverse impacts, because operators are unaware of the true reactor status.

While generally given less weight than availability and integrity in OT systems, confidentiality is also a cybersecurity objective. Loss of confidentiality, such as unauthorized exfiltration of sensitive information [18] or inadvertent posting of sensitive data in the public domain, can enable development of further attacks or cause other business-related concerns. Sensitive nuclear information gives adversaries roadmaps, schedules, vendor relationships, plant layouts, and a host of other details that shorten the attack timeline and open potential pathways toward ransomware, blackmail, or general political unrest.

### **3.2 Threat analysis**

Cyber threat vectors into a nuclear reactor include wired and wireless networks or connections, portable media and maintenance devices (e.g., USB drives, maintenance laptops), insiders, and the supply chain. Furthermore, cyber threats can be classified as non-malicious or malicious. Non-malicious actions are often caused by employees or other facility personnel who perform actions not intending to cause harm. These actions are often human performance errors in which a worker mistakenly performs an adverse action, such as misconfiguring a device, selecting the wrong option, or disclosing sensitive information.

*Cyber-Informed Engineering for Nuclear Reactor Digital Instrumentation and Control DOI: http://dx.doi.org/10.5772/intechopen.101807*


**Table 2.**

*Examples of malicious and non-malicious cyber incidents by security objective.*

Malicious threats against nuclear reactors are initiated by adversaries with the intent to cause harm. Adversaries include recreational hackers, malicious and unwitting insiders, criminals, terrorist organizations, and nation states. Sophisticated attacks against nuclear reactors will likely be launched by organizations that have greater resources (e.g., skilled personnel, funding, time) and sufficient motivation (e.g., economic gain, military advantage, societal instability). Additionally, cyber-attacks may be one-dimensional, or they may be multi-dimensional, hybrid, coordinated attacks that combine multiple threat vectors across the physical and cyber domains. For instance, adversaries may use cyber means to gain access that enables physical destruction or theft of SNM, or use physical means to gain access to computer systems that enables unauthorized theft of sensitive information or sabotage.

In the United States, power reactors licensed by the NRC must provide high assurance that critical digital assets (CDAs) are protected against cyber-attacks, up to and including the design basis threat (DBT) [19]. CDAs are defined as digital assets associated with safety-related, important-to-safety, security, or emergency preparedness functions, as well as support systems and equipment which, if compromised, would adversely impact these functions. A DBT describes the adversarial attributes and characteristics, including level of training, weapons, and tactics, that must be defended against to safeguard the reactor against radiological sabotage and to prevent theft or diversion of SNM. Generally, a beyond-DBT threat, one from an adversary whose capabilities exceed those defined by the DBT, is considered nation-state activity, and prevention, detection, and response to it fall under the responsibility of the state (e.g., federal government).

### **3.3 Vulnerability analysis**

Vulnerabilities are known or unknown weaknesses. Vulnerabilities in hardware, firmware, and/or software can leave digital assets susceptible to accidental failure or unintentional human error. Additionally, vulnerabilities may be exploitable, enabling adversaries to extract information or insert compromises allowing unauthorized access to perform malicious activities. Vulnerabilities can allow adversaries to penetrate and move throughout systems without the user's knowledge to compromise the availability, integrity, and confidentiality of complex control systems.

Most digital devices can be reprogrammed or modified to perform unintended or undesired functions. Any vulnerability that allows unauthorized reprogramming or modification of a critical digital asset can result in adverse function of the DI&C systems. Because most design approaches wait until system implementation to evaluate vulnerabilities, vulnerability response and mitigation often rely on bolted-on security controls. However, if the engineers who design and maintain complex control systems are trained to identify, understand, and mitigate these vulnerabilities throughout the lifecycle, including during design stages, vulnerabilities can be addressed early and often, leading to lower overall cyber risk.

From a maintenance perspective, manufacturers often identify vulnerabilities and send information notices to asset owners along with mitigation measures, where applicable. Numerous vulnerability tracking databases and notification services also exist that improve awareness and facilitate mitigation or protection [20–23]. Engineers and stakeholders should maintain awareness of these external vulnerability notifications and sites for their digital assets throughout the entire lifecycle so that affected assets can be identified and addressed promptly.
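The practice described above, keeping the DI&C asset inventory matched against external vulnerability notices and ranking the resulting work by the consequence class of the affected asset, is shown below as an added example. It is not code from the chapter or from any vendor or tracking database; the vendor names, product names, firmware versions, notice identifiers and mitigation text are constructed placeholders, and the dotted-integer version format is an assumption.

```python
"""Match a DI&C asset inventory against external vulnerability notices.

Added illustration for Section 3.3: vendors and tracking databases publish
notices keyed by product and affected version range; the asset owner finds
which inventoried digital assets fall in that range and orders the work by
the consequence class of the asset. Every vendor, product, version, notice
identifier and mitigation below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.4.10' -> (2, 4, 10). Assumes dotted integers; tuples compare lexicographically."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    product: str
    version: str
    function: str  # e.g. "safety-related", "important-to-safety", "balance-of-plant"


@dataclass(frozen=True)
class Notice:
    notice_id: str
    vendor: str
    product: str
    affected_from: str       # inclusive lower bound of affected versions
    fixed_in: Optional[str]  # exclusive upper bound; None means no fix published yet
    severity: str            # "critical" | "high" | "medium" | "low"
    mitigation: str


# Consequence-driven ordering: CDAs supporting safety functions are worked first,
# then notice severity breaks ties within a function class.
FUNCTION_RANK = {"safety-related": 0, "important-to-safety": 1, "security": 2,
                 "emergency-preparedness": 3, "balance-of-plant": 4}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def is_affected(asset: Asset, notice: Notice) -> bool:
    """True when vendor and product match and the version lies in the affected range."""
    if asset.vendor.lower() != notice.vendor.lower():
        return False
    if asset.product.lower() != notice.product.lower():
        return False
    v = parse_version(asset.version)
    if v < parse_version(notice.affected_from):
        return False
    if notice.fixed_in is not None and v >= parse_version(notice.fixed_in):
        return False  # already running the fixed firmware
    return True


def triage(assets: List[Asset], notices: List[Notice]) -> List[Tuple[Asset, Notice]]:
    """Return (asset, notice) pairs, highest-consequence assets first."""
    hits = [(a, n) for a in assets for n in notices if is_affected(a, n)]
    hits.sort(key=lambda pair: (FUNCTION_RANK.get(pair[0].function, 99),
                                SEVERITY_RANK.get(pair[1].severity, 99),
                                pair[0].asset_id))
    return hits


# Constructed sample inventory and notice feed (placeholders, not real products).
INVENTORY = [
    Asset("PLC-RPS-01", "ExampleVendor", "SafetyPLC", "2.4.10", "safety-related"),
    Asset("PLC-RPS-02", "ExampleVendor", "SafetyPLC", "2.5.0", "safety-related"),
    Asset("HMI-CR-01", "ExampleVendor", "OpsHMI", "7.1", "important-to-safety"),
    Asset("RTU-CW-03", "OtherVendor", "FieldRTU", "1.0.3", "balance-of-plant"),
]

NOTICES = [
    Notice("EXAMPLE-NOTICE-0001", "ExampleVendor", "SafetyPLC", "2.0", "2.5.0", "high",
           "Apply firmware 2.5.0 at next outage; restrict the engineering port."),
    Notice("EXAMPLE-NOTICE-0002", "ExampleVendor", "OpsHMI", "7.0", None, "critical",
           "No fix released; isolate the HMI network segment and monitor."),
    Notice("EXAMPLE-NOTICE-0003", "OtherVendor", "FieldRTU", "1.1", "1.2", "medium",
           "Upgrade to 1.2."),
]


def report(assets: List[Asset] = INVENTORY, notices: List[Notice] = NOTICES) -> List[str]:
    """One work-list line per affected asset, in triage order."""
    return [f"{a.asset_id} ({a.function}) {a.vendor} {a.product} {a.version}: "
            f"{n.notice_id} [{n.severity}] -> {n.mitigation}"
            for a, n in triage(assets, notices)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

With the constructed data, PLC-RPS-01 is flagged against the SafetyPLC notice while PLC-RPS-02, already on the fixed firmware, is not; the HMI is flagged by a notice with no fix yet, and the RTU falls below the affected range. The safety-related PLC sorts ahead of the critical-severity HMI notice, which is the consequence-first ordering the chapter argues for.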
