Open Access
Computer Security of NPP Instrumentation and Control Systems: Computer Security Assessment
Author(s) - O. Klevtsov, Artem Symonov, S. Trubchaninov
Publication year - 2020
Publication title - âderna ta radìacìjna bezpeka
Language(s) - English
Resource type - Journals
ISSN - 2073-6231
DOI - 10.32918/nrs.2020.4(88).09
Subject(s) - computer security, software security assurance, security information and event management, computer science, security testing, computer security model, instrumentation (computer programming), security controls, asset (computer security), security service, scope (computer science), security through obscurity, covert channel, cloud computing security, control (management), information security, risk analysis (engineering), business, operating system, cloud computing, artificial intelligence, programming language
The paper is devoted to the computer security assessment of instrumentation and control systems (I&C systems) of nuclear power plants (NPPs). The authors specify the main areas of assessing the computer security of NPP I&C systems, especially the assessment of cyber threats, of I&C computer security vulnerabilities, of the sufficiency of the measures applied to ensure I&C computer security, and of I&C computer security risks, as well as periodic reassessment of I&C computer security. The paper considers the assessment of I&C computer security vulnerabilities and of the sufficiency of the measures applied to ensure I&C computer security (the assessment of cyber threats and of I&C computer security risks is discussed in detail in other publications from the series “Computer Security of NPP Instrumentation and Control Systems”).
Approaches to assessing the computer security vulnerabilities of I&C systems and software at each stage of the I&C life cycle are considered. Recommendations are provided for assessing vulnerabilities regarding technical and software protection against unauthorized access or connection to I&C systems, protection of local networks, and implementation of organizational measures and procedures for computer security.
The paper describes the scope and procedures for the initial assessment and periodic reassessment of NPP I&C computer security. Recommendations for the formation of an appropriate evaluation team are provided. Methods of assessing I&C computer security are considered, namely: analysis of documents (computer security policy, program, plan, reports, etc.), survey of staff (administrative, operational, service and computer security experts), direct review of I&C systems, their components and local networks. The evaluation stages (collection of information, detailed analysis, reporting) and the scope of work at each stage are described.
General information about the possibility and necessity of assessing the computer security risks of I&C systems in the case of using risk-informed approaches is provided.
The need to document the results of the assessment is noted separately, and specific proposals for the procedure for developing the relevant reports are made.