**3.4 Cyber risk management**

Of course, cyber risk cannot be calculated by simply multiplying numerically derived values of threats, vulnerabilities, and consequences together. For instance, a low-threat, high-consequence cyber incident will likely have a very different risk significance at a nuclear reactor than a high-threat, low-consequence incident. While many techniques have been proposed for incorporating the results of consequence, threat, and vulnerability analyses into a final cyber risk analysis [13], determining, evaluating, and prioritizing cyber risk is highly dependent on the reactor design, regulatory requirements, and the organization's risk tolerance.

Cyber risk management is the continual process of analyzing cyber risk, evaluating and prioritizing the identified risk against organizational and regulatory requirements, and then applying risk treatments. In the United States, current nuclear power reactors typically follow guidance in NRC Regulatory Guide 5.71 [24] or the NEI cybersecurity series (NEI 10-04 [2], NEI 08-09 [25], and NEI 13-10 [26]) to identify CDAs and risk treatments. Corresponding cyber security guidelines for the international nuclear community are provided in IAEA Nuclear Security Series (NSS) No. 13 [27], NSS 17-T (Rev. 1) [28], NSS 42-G [29], NSS 33-T [30], and IEC 62645 [31]. For risk management activities, IAEA NSS 17-T (Rev. 1) refers readers to ISO/IEC 27005. Additionally, IEC 62443-3-2 provides an international security risk assessment standard for I&C systems [32]. Cybersecurity regulation and guidance for advanced reactors are still in development.

Regardless of the equation or formula used, cyber risk is managed by analyzing the potential worst-case consequences and then using risk treatments (e.g., avoidance or elimination, mitigation, transference, or acceptance) to lower the risk to a level acceptable to the organization. Unlike analog I&C, where failure analysis was the primary focus of PRA, the use of DI&C has resulted in the capability for hardware, firmware, and software to be altered in a manner not intended by the original design. Since both malicious and unintentional actions can adversely impact operational functions, continually evaluating cyber threats, vulnerabilities, and consequences in a cyber risk management program is necessary to maintain awareness of the constantly evolving risk environment. The goal of this consequence-driven analysis is to prioritize risk treatments for those DI&C components needed to ensure critical reactor functions are maintained.

Consequence-driven, Cyber-Informed Engineering (CCE) is a formal cyber risk management approach that focuses on reducing the impact of high-consequence events (HCEs) for an overall business entity [33]. As shown in **Figure 5**, CCE is a four-step process. In phase 1, HCEs are identified and prioritized using a severity score calculated from consequence criteria weights and criteria severity. For the identified HCE(s), a system-of-systems analysis identifies the most critical functions in phase 2, and potential cyber-attack scenarios on those functions are then identified in phase 3. In phase 4, appropriate protection and mitigation strategies are developed.

*Cyber-Informed Engineering for Nuclear Reactor Digital Instrumentation and Control DOI: http://dx.doi.org/10.5772/intechopen.101807*

**Figure 5.** *The four-phase CCE process [34].*
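The phase 1 prioritization described above can be sketched as follows. This is an added example, not code from the chapter or from the CCE methodology: the weighted-sum form of the severity score, the criteria names, weights, severity scale, threshold, and sample events are all constructed assumptions. It also shows the point made at the start of this section: a threat × vulnerability × consequence product ranks the low-consequence event first, while the consequence-driven score does not.

```python
from dataclasses import dataclass

# Assumed consequence criteria and weights; an organization sets its own.
WEIGHTS = {"safety": 3.0, "duration": 2.0, "area_impacted": 2.0, "restoration_cost": 1.0}
LEVELS = {"none": 0, "low": 1, "medium": 3, "high": 5}  # assumed severity scale

@dataclass(frozen=True)
class Event:
    name: str
    severity: dict        # criterion -> level name
    threat: float         # 0..1, used only by the naive product
    vulnerability: float  # 0..1, used only by the naive product

def severity_score(event, weights=WEIGHTS):
    """Assumed form: sum of criterion weight x criterion severity."""
    if set(event.severity) != set(weights):
        raise ValueError(f"{event.name}: criteria must be exactly {sorted(weights)}")
    return sum(w * LEVELS[event.severity[c]] for c, w in weights.items())

def naive_product(event, weights=WEIGHTS):
    """Threat x vulnerability x normalized consequence (the shortcut the text rejects)."""
    worst = sum(w * max(LEVELS.values()) for w in weights.values())
    return event.threat * event.vulnerability * severity_score(event, weights) / worst

def prioritize(events, hce_threshold):
    """Events scoring at or above the threshold, most severe first."""
    scored = sorted(((severity_score(e), e.name) for e in events), reverse=True)
    return [(name, score) for score, name in scored if score >= hce_threshold]

# Constructed sample events, not taken from any plant or assessment.
EVENTS = [
    Event("Loss of reactor protection function",
          {"safety": "high", "duration": "high", "area_impacted": "medium",
           "restoration_cost": "high"}, threat=0.05, vulnerability=0.2),
    Event("Control setpoint manipulation",
          {"safety": "medium", "duration": "medium", "area_impacted": "medium",
           "restoration_cost": "medium"}, threat=0.2, vulnerability=0.5),
    Event("Corporate email outage",
          {"safety": "none", "duration": "low", "area_impacted": "low",
           "restoration_cost": "low"}, threat=0.9, vulnerability=0.8),
]

if __name__ == "__main__":
    print("By severity score:", prioritize(EVENTS, hce_threshold=20))
    print("Top by naive product:", max(EVENTS, key=naive_product).name)
```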

Additionally, cyber risk management must not only be considered for nuclear reactor SSCs, but also any digital technology used in their design, operation, and maintenance. For instance, AI/ML and digital twin applications are susceptible to both adversarial and unintentional cyber risk. These technologies are often considered 'black box' techniques in which the end-user is unaware of how the insights are determined. Even if more 'gray box' techniques are used, trust in AI/ML and digital twin models must be established to gain acceptance and approval by operators and regulators. Similarly, adversaries can gain access to these tools and cause data and/or model corruption to adversely affect model operation.
