#### *4.4.1 Engineering risk treatment*

Risk management is the process of identifying, evaluating, and responding to risk. Traditional risk treatments for responding to risk include risk avoidance or elimination, risk transference, risk mitigation, and risk acceptance. As shown in **Figure 8**, engineering risk treatments for cyber risk are similar, where risk can be designed out, shifted to another organization, mitigated with security controls or countermeasures, or accepted by making a conscious decision to tolerate the risk without implementing changes.

Security controls, as identified by National Institute of Standards and Technology (NIST) SP 800-82 [37], NRC Regulatory Guide (RG) 5.71 [24], or NEI 08-09 [25], are typically categorized as administrative, physical, or technical. As indicated in **Figure 8**, these controls mitigate cyber risk that cannot be eliminated. Unfortunately, engineering risk treatments, including security controls, are typically not considered until after installation, when it is often too late to provide adequate protection. On the other hand, implementing engineering risk treatments during the design stages can eliminate specifically identified risks by designing them out altogether, or reduce risk more efficiently and effectively by incorporating security controls into the design.

#### **Figure 8.**

*Engineering cyber risk treatments [35].*

#### *4.4.2 Secure architecture*

The goal of the secure architecture CIE principle is to establish network and system architectures that segregate and limit data flows to trusted devices and connections within and between subsystems, systems, and systems of systems. Properly designed architectures reduce cyber risk by isolating critical functions, minimizing the cyber-attack surface, and lowering the probability of unauthorized access or compromise of critical SSCs.

To ensure defense in depth, the design should consider the use of isolated (e.g., air-gapped) or segregated network levels and zones, boundary devices, data flow rules, and unidirectional, deterministic communication, such as data diodes. In the United States, NRC Regulatory Guide 5.71 recommends that power reactors implement a defensive architecture with only one-way data flow from the safety and security network levels outward to the plant network [24]. Internationally, as illustrated in **Figure 9**, the IAEA recommends implementing security levels with common requirements, and zones separated by decoupling devices such as data diodes and by other boundary devices such as gateways, routers, or firewalls, to minimize communications with untrusted devices [38]. Engineers should consider these secure architecture approaches during the design stages to limit the overall risk from compromised pathways or devices.
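The data flow rules described above can be checked before installation rather than after. The following is an added example, not code from the chapter or from any regulator: it turns the section's rules (outward-only flow from the safety/security level, level crossings only through a boundary device, a one-way deterministic device at the safety boundary) into a check that runs over a proposed connection list during design review. The level numbers, zone names, device categories and sample flows are all constructed for the example, and the convention that a lower level number is more critical is an assumption of the model.

```python
"""Design-stage data-flow rule check for a levelled zone architecture.

Added example, not code from the chapter or any regulator. Level numbers,
zone names, device categories and the sample flows are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed convention: a lower level number is more critical/trusted.
LEVELS = {
    "safety": 1,
    "security": 1,
    "plant_control": 2,
    "plant_network": 3,
    "corporate": 4,
}
# Device classes as this example models them (an assumption, not a standard's list).
BOUNDARY_DEVICES = {"data_diode", "firewall", "gateway", "router"}
UNIDIRECTIONAL_DEVICES = {"data_diode"}


@dataclass(frozen=True)
class Flow:
    src: str               # originating zone
    dst: str               # receiving zone
    protocol: str          # label only; the rules do not inspect it
    device: Optional[str]  # boundary device on the path, None if connected directly
    bidirectional: bool    # True if the session carries data both ways


def check_flow(flow: Flow) -> List[str]:
    """Return the rule violations for one proposed flow; an empty list means allowed."""
    problems = []
    src_lvl, dst_lvl = LEVELS[flow.src], LEVELS[flow.dst]
    if src_lvl == dst_lvl:
        return problems  # traffic inside one level is out of scope for this check
    # Rule 1: data crosses levels only outward, never into a more critical level.
    if src_lvl > dst_lvl:
        problems.append(f"{flow.src}->{flow.dst}: inbound to a more critical level (outward-only rule)")
    # Rule 2: every level crossing passes through a boundary device.
    if flow.device not in BOUNDARY_DEVICES:
        problems.append(f"{flow.src}->{flow.dst}: level crossing without a boundary device")
    # Rule 3: data leaving the safety/security level goes through a one-way device.
    if src_lvl == 1 and flow.device not in UNIDIRECTIONAL_DEVICES:
        problems.append(f"{flow.src}->{flow.dst}: leaving level 1 requires a one-way device")
    # Rule 4: a two-way session across levels is an inward path in disguise.
    if flow.bidirectional:
        problems.append(f"{flow.src}->{flow.dst}: bidirectional session lets data flow inward")
    return problems


def audit(flows) -> List[Tuple[Flow, List[str]]]:
    """Check every proposed flow and return those with at least one violation."""
    findings = []
    for flow in flows:
        problems = check_flow(flow)
        if problems:
            findings.append((flow, problems))
    return findings


# Constructed sample: a proposed connection list submitted for design review.
PROPOSED = [
    Flow("safety", "plant_network", "historian-export", "data_diode", False),  # allowed
    Flow("plant_network", "safety", "ssh", "firewall", True),                  # inbound and two-way
    Flow("plant_control", "plant_network", "opc-ua", None, True),              # no boundary device
    Flow("safety", "plant_control", "modbus", "firewall", False),              # needs a diode
    Flow("plant_network", "corporate", "https", "firewall", False),            # allowed
]

if __name__ == "__main__":
    for flow, problems in audit(PROPOSED):
        print(f"{flow.src} -> {flow.dst} ({flow.protocol})")
        for p in problems:
            print("   -", p)
```

Same-level flows are deliberately skipped here; a fuller review would also model segregation between zones inside one level, which the section lists alongside levels.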

#### *4.4.3 Design simplification*

A cyber incident can only adversely impact DI&C functions if a vulnerability is exploited by a threat (intentional or unintentional). Vulnerabilities decrease as the complexity of DI&C decreases. Thus, the goal of the design simplification principle is to reduce the complexity of the system, component, and architecture while maintaining the intended function. Design simplification minimizes vulnerabilities and reduces overall cyber risk.

Design simplification is considered in conjunction with the secure architecture, resilient design, and engineering risk treatment principles. Complex or overbuilt designs result in a digital footprint larger than necessary. As the number of digital assets increases in a system, the number of digital failure possibilities and exploit locations also increases. Additionally, it is possible for adversaries to repurpose unused or latent functions and features on SSCs to behave in unanticipated ways.

*Cyber-Informed Engineering for Nuclear Reactor Digital Instrumentation and Control DOI: http://dx.doi.org/10.5772/intechopen.101807*

#### **Figure 9.**

*Example implementation of a secure architecture [38].*

On the other hand, simplifying the design, such as by using simpler digital devices or hardening the system by eliminating, limiting, or disabling unnecessary functions or capabilities, minimizes the overall cyber-attack surface and reduces vulnerabilities. The intent of design simplification is to simplify the engineering design itself, not sacrifice security requirements for the sake of simplicity. Nevertheless, in cases where extreme safeguards are required, analog I&C may be implemented instead of DI&C to protect against cyber incidents.

#### *4.4.4 Resilient design*

Resilience is a system's capability to withstand internal and external disruptions, including equipment failure, grid disturbances, or cyber incidents. A control system is resilient if it continues to carry out its mission by providing its required functionality despite disturbances that may cause disruptions or degradation. In nuclear reactors, general design criteria of separation, redundancy, diversity, and defense in depth are used for designing safety-related systems. Separation and independence are achieved by physical separation and electrical isolation. Redundancy is achieved by using more than one component to perform the same function. Diversity is achieved by using different technology within the system and with the redundant components.

Current DI&C systems operate in an untrusted environment, which presumes that users, devices, and systems cannot be trusted (e.g., users can be unauthorized, devices can be infected with malware). Additionally, it is impossible to design DI&C systems to withstand every malicious or unintentional cyber incident. Thus, resilient design is required to ensure continued safe and secure operation of the reactor and facility not only during an incident, but afterward as well.

While safety-related DI&C systems in nuclear reactors should be designed using the general design criteria, consideration should be given to designing similar features into non-safety DI&C systems to address this zero-trust paradigm, depending on the cyber risk prioritization. The objective of resilient DI&C design is to ensure continued operation of critical functions when possible, or graceful degradation when not possible, in the event of an SSC failure or cyber incident. Failure of one function, device, or system should not result in failure of another function. System design and control logic should attempt to eliminate the possibility of such cascading failures.

Additionally, resilient design may also include contingency planning and situational awareness. Contingency planning provides alternative methods for continued operation of critical functions. Using techniques such as network and system monitoring to provide situational awareness enables the rapid decision making that may be needed for continued operation during a cyber incident. Moreover, operators have been trained to trust their instruments and indicators. This training model may need to be revisited in light of the new zero-trust environment.

Finally, it should be noted that while resilient design may seem contrary to design simplification, the intent is to ensure that critical functions remain operational during a cyber incident. If additional devices are required to adequately assure resilience, there may be a tradeoff between resiliency and simplicity.

#### *4.4.5 Active defense*

Security countermeasures and protections can be applied passively or actively. Passive defenses include the defensive architecture techniques described in Section 4.4.2. These passive defenses establish barriers using defense-in-depth techniques to deter and protect against a malicious adversary. This approach, however, is static and reactive, and it is at a disadvantage when defending against dynamic and adaptive adversary capabilities.

Instead of relying on passive capabilities, engineers need to build in active defenses to preemptively prevent, detect, and respond to cyber incidents. This paradigm shift is needed to proactively identify malicious and inadvertent cyber incidents so that the incident can be stopped and the threat removed before degradation or unrecoverable damage occurs. Active defenses include security information and event monitoring and other real-time anomaly detection and response tools, some of which may not yet be developed or deployed. The objective is to enhance resilience capabilities by improving operational situational awareness via dynamic and testable strategies. Ideally, active defense tools can identify cyber anomalies in all five threat vectors (i.e., wired networks, wireless networks, portable media and maintenance devices, insiders, and supply chain).
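As an added illustration of the real-time anomaly detection the section groups under active defense (not a tool from the chapter), the block below learns a baseline from a known-good period of control-network traffic and then flags two kinds of anomaly: a conversation that never appeared in the baseline, and a byte-rate spike in a known conversation. It relies on the assumption, stated in the code, that control-network traffic is largely fixed (the same devices on the same ports at a steady rate), which is what makes an allowlist baseline meaningful. The hostnames, ports and flow records are constructed for the example.

```python
"""Allowlist-plus-rate anomaly detector for a deterministic control network.

Added example, not a tool from the chapter. Assumes the network's normal
traffic is steady enough that a known-good period defines the allowed
conversations and their rates. Hosts, ports and records are constructed.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Set, Tuple

Conv = Tuple[str, str, int]              # (src host, dst host, dst port)
Record = Tuple[int, str, str, int, int]  # (second, src, dst, dst port, bytes)


def learn_baseline(records: Iterable[Record]):
    """Learn the allowed conversations and per-second byte-rate statistics for each."""
    per_sec: Dict[Conv, Counter] = defaultdict(Counter)
    for t, src, dst, port, nbytes in records:
        per_sec[(src, dst, port)][t] += nbytes
    stats = {}
    for conv, by_second in per_sec.items():
        vals = list(by_second.values())
        stats[conv] = (mean(vals), pstdev(vals))
    return set(per_sec), stats


def detect(records: Iterable[Record], allowed: Set[Conv], stats, k: float = 3.0) -> List[tuple]:
    """Return alerts: the first sighting of each unknown conversation, and any second
    whose byte volume exceeds mean + k*stdev for a known one. The stdev is floored
    at 10% of the mean so a perfectly steady baseline still yields a usable threshold."""
    alerts = []
    reported: Set[Conv] = set()
    per_sec: Dict[Conv, Counter] = defaultdict(Counter)
    for t, src, dst, port, nbytes in records:
        conv = (src, dst, port)
        if conv not in allowed:
            if conv not in reported:
                reported.add(conv)
                alerts.append(("unknown_conversation", conv, t))
            continue
        per_sec[conv][t] += nbytes
    for conv, by_second in per_sec.items():
        mu, sigma = stats[conv]
        threshold = mu + k * max(sigma, 0.1 * mu)
        for t in sorted(by_second):
            if by_second[t] > threshold:
                alerts.append(("rate_spike", conv, t))
    return alerts


# Constructed known-good period: steady PLC-to-historian export and HMI polling.
BASELINE: List[Record] = (
    [(t, "plc-1", "historian", 4000, 200) for t in range(10)]
    + [(t, "hmi-1", "plc-1", 502, 120) for t in range(10)]
)
# Constructed live period: a burst from the PLC at second 5, and a host that was
# never in the baseline talking to the PLC on the control-protocol port.
LIVE: List[Record] = (
    [(t, "plc-1", "historian", 4000, 900 if t == 5 else 200) for t in range(10)]
    + [(t, "hmi-1", "plc-1", 502, 120) for t in range(10)]
    + [(7, "eng-laptop", "plc-1", 502, 64), (8, "eng-laptop", "plc-1", 502, 64)]
)


def run_example() -> List[tuple]:
    """Learn from BASELINE, then detect over LIVE; returns the alert list."""
    allowed, stats = learn_baseline(BASELINE)
    return detect(LIVE, allowed, stats)


if __name__ == "__main__":
    for kind, conv, second in run_example():
        print(f"t={second:>3}s {kind:<22} {conv[0]} -> {conv[1]}:{conv[2]}")
```

The unknown-conversation alert fires once per new conversation rather than per packet, which keeps an operator's console readable during an incident; the rate check reports every offending second so the duration of a burst is visible.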

### **4.5 CIE Organizational principles**

#### *4.5.1 Interdependencies*

The CIE organizational principles listed in **Figure 7** are those fundamental cybersecurity practices that enable holistic integration of cybersecurity into other programs within the facility or organization. Technical and administrative interdependencies are necessary for safe and secure reactor operation. From a technical perspective, this principle ensures that cybersecurity is considered within all the interconnections between systems and systems of systems, including extended data pathways. Additionally, 10 CFR 73.54 not only requires adequate protection of safety-related and important-to-safety SSCs but also those support systems relied upon to ensure safe operation of those functions. Support systems may include power, communications, water, or HVAC. Even though there is the potential for adverse safety or security consequences if a cyber incident impacts a support system, these interdependencies are often overlooked.

From an administrative perspective, the interdependency principle promotes a multidisciplinary approach to ensure all project personnel are involved. For instance, when designing or modifying a reactor safety system to perform specific functions, a design engineer relies on safety engineers to provide expertise on safety-related functions, quality engineers to verify correct design implementations, maintenance personnel to provide perspectives on accessibility and maintainability, operators to provide operational feedback under various conditions, and competent authorities to provide safety and security requirements.

With the shift towards DI&C, cyber engineers or specialists should also be included throughout the systems engineering lifecycle to provide valuable insight into cyber risk and risk (and cost) minimization strategies, such as cyber risk treatments, policies, and procedures. Additionally, it is paramount to ensure other disciplines, such as engineering, safety, risk, design, maintenance, operations, human factors, and ICT, are knowledgeable about these system interdependencies and the potential consequences of a cyber incident on a facility function, digital asset, system, or system of systems. While the nature of the multidisciplinary engagements may differ with each stage, similar to safety, the intent is to ensure cyber engineering remains a core domain throughout the entire lifecycle.
