Risk-Informing Critical Digital Assets (CDAs) for Nuclear Power Systems

M. D. Muhlheim, F. G. Hudson, R. W. Youngblood

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > peer-review

Abstract

Regulatory requirements have been established by the US Nuclear Regulatory Commission (NRC) to ensure that nuclear power plants provide reasonable assurance of adequate protection of public health and safety. The current body of NRC regulations (including cybersecurity) is largely based upon deterministic or prescriptive methods. A risk-informed approach modifies this traditional deterministic approach by considering a broader set of potential challenges to plant safety, providing a logical means for prioritizing challenges based on risk significance, and considering a broader set of capabilities to respond to these challenges. In contrast to the traditional deterministic approach, a risk-informed approach addresses the impact of credible initiating events by assessing event frequency and mitigating system reliability and event consequences, enabling treatment of structures, systems, and components (SSCs) in accordance with their relative risk significance over the lifetime of the plant. The overall result of a risk-informed approach is increased emphasis on risk-significant SSCs such that public health and safety is adequately protected while improving the efficiency of plant operation. Underlying risk assessment techniques used by a risk-informed approach can range from very simple and qualitative to very complex and quantitative. ANS Working Group 3.15, “Risk-Informing Critical Digital Assets (CDAs) for Nuclear Power Plant Systems,” is developing a standard whose implementation would utilize a risk-informed approach to protect certain digital systems and components the compromise of which by cyberattack could result in failure of nuclear plant digital assets (DAs), causing unwanted actions and/or preventing wanted actions. The application of a risk-informed approach is envisioned as a two-step process with the first step being to identify DAs warranting protection from cyberattacks. These assets would be designated as critical DAs (CDAs). 
Having identified and categorized DAs warranting protection, the second step would be development of a portfolio of cybersecurity countermeasures appropriate for each DA risk category. Collectively, such a programmatic risk-informed approach should improve the efficiency and effectiveness of nuclear power plant cybersecurity programs. The current focus of the ANS Working Group is on the first step, applying risk-informed methods to the identification and categorization of DAs. To achieve this, 14 candidate methods are under review. Test cases on effectiveness and user-friendliness of these methods are currently being explored. The result of this effort may be the recommendation of a single method or a combination of methods. This paper describes the status and envisioned path forward of this risk-informed methodology review effort.

Original language: English
Title of host publication: Proceedings of 18th International Probabilistic Safety Assessment and Analysis, PSA 2023
Publisher: American Nuclear Society
Pages: 219-228
Number of pages: 10
ISBN (Electronic): 9780894487927
State: Published - 2023
Externally published: Yes
Event: 18th International Probabilistic Safety Assessment and Analysis, PSA 2023 - Knoxville, United States
Duration: Jul 15 2023 to Jul 20 2023

Publication series

Name: Proceedings of 18th International Probabilistic Safety Assessment and Analysis, PSA 2023

Conference

Conference: 18th International Probabilistic Safety Assessment and Analysis, PSA 2023
Country/Territory: United States
City: Knoxville
Period: 07/15/23 to 07/20/23
