Computer Security of NPP Instrumentation and Control Systems: Computer Security Justification Documents

The approaches to the development and management of computer security justification documents on computer security policy, program and plan, computer incident response plan, reports related to computer security are considered in the paper. Requirements for computer security policy, program and plan are presented, and the analysis of different approaches adopted and reflected in the documents of the International Atomic Energy Agency, U.S. Nuclear Regulatory Commission and International Electrotechnical Commission is carried out. It is noted that the approaches used by these organizations to the development and management of computer security justification documents are quite similar. The paper provides suggestions for the development of requirements for computer security justification documents on the instrumentation and control systems at Ukrainian NPPs. The analysis of different international approaches to the development, implementation, and management of the computer security policy, program and plan has allowed developing requirements for the above-mentioned documents, which will be reflected in the new regulation taking into account the current situation at Ukrainian NPPs. Besides, it is planned to include separate requirements for computer security documentation of the developers of instrumentation and control systems regarding computer incident response plan and reporting documents on computer security in this regulation. The paper presents recommendations for the content, implementation and management of computer security justification documents.