Cyberattacks against the digital instrumentation and control (DI&C) systems in nuclear power plants (NPPs) are of grave security concern. The US Nuclear Regulatory Commission (NRC) requires all NPPs to protect critical digital assets that support safety, security, and emergency preparedness functions against cyberattacks.1 Other standards bodies, such as the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC), have also developed standards that address cybersecurity for industrial control systems (ICS), including DI&C.2 Because of security concerns, relevant stakeholders such as regulators, plant operators, information technology (IT) and operational technology (OT) staff, and equipment suppliers are sometimes reluctant to reveal technical details about the vulnerabilities of DI&C systems. Yet, because some types of cyberattacks against an NPP may cause core damage or a significant release of radioactivity, harming the plant, the public, and the industry, the safety implications of potential cyberattacks should be evaluated. This divide between security and safety is a challenge for stakeholders focused on cybersecurity for NPPs.
To bridge this divide between security and safety, this study proposes and demonstrates a methodology for assessing and addressing the safety consequences of cyber events that disrupt one or more parts of the DI&C systems at NPPs. The methodology builds on the “effect-centric” cyber risk assessment framework developed by the Center for International and Security Studies at Maryland (CISSM). It is used to analyze two historical cyberattacks and one hypothetical attack scenario. Because the focus is on plant safety, this assessment, evaluation, and analysis can be discussed candidly and openly, with the goal of finding the best defense to thwart the specific cyberattack.