SBIR-STTR Award

Nuclear plant operators are required by the Nuclear Regulatory Commission NRC) to perform cybersecurity assessment on their internal networks, control systems and critical data assets on a regular basis to ensure regulatory compliance and safety, security and emergency preparedness of the nations most critical infrastructures. However, the current assessment processes are conducted manually. The existing software tools used today are primarily report generators based on operators input to a sequence of static questions. This practice is not only labor intensive and costly, but also error-prone and risky due to potential inconsistency and lack of quantification in detailed assessment measures. A false or inaccurate assessment of a nuclear facility may have unintended consequences with potential security vulnerabilities affecting the plant operations. In this SBIR, we propose an innovative approach to solve the problem of inefficiency and inaccuracy in cybersecurity assessment. We plan to design and develop the Automated Cybersecurity Assessment Manager ACAM) as a software tool to perform cybersecurity assessment in a efficient and cost-effective fashion. The ACAM tool is going to be designed in compliance with NRC policies and regulations, and implemented as a web-based decision- support system, integrating high-level, codified security controls with network-level vulnerability scanning, penetration testing, intrusion detection, and configuration management mechanisms. During Phase I, we will focus on the initial ACAM requirement gathering and analysis, architecture design, and produce a prototype as a proof-of-concept for the follow-on work in Phase II. Our research team will work with DoE customers closely to identify the functional requirements, and reach out to other related stakeholders, including nuclear plant operators and government agencies responsible for coordinating and overseeing the cybersecurity programs, for validating our requirements and technical approach. The Phase II work will be to extend the functionality and operational readiness of ACAM and productize the tool towards commercialization. The ACAM will provide the benefits of quality cybersecurity assessment with improved accuracy, consistency, reduced time and cost. It will fill an important gap in streamlining and automating the cybersecurity program management for the nuclear power industry. The tool can be easily configured and customized to various security control requirements, and adopted by other utility companies as well as other industries e.g. government, healthcare, and banking). As more enterprises are adopting standard assessment practices, we will be uniquely positioned to capture this growing market by continuing advancing the ACAM technology and applying the right intellectual property strategy. Our long-term goal is to make ACAM an integral part of the cybersecurity ecosystem, and help to secure and protect our nations critical infrastructures for years to come.

Nuclear power plant (NPP) operators are required by the Nuclear Regulatory Commission (NRC) to perform cybersecurity assessments on their internal networks, control systems and critical data assets on a regular basis to ensure regulatory compliance and safety, security and emergency preparedness of the nation’s most critical infrastructures. However, the current assessment processes in the nuclear industry are highly manual driven, labor intensive and costly. The existing software tools for assessments used today are primarily report generators based on user input to a sequence of static questions. The results generated from such practices are inconsistent, costly, difficult to verify, and inadequate to capture the security posture of an NPP in a timely fashion. In this SBIR, we will develop an innovative solution for the cybersecurity assessment problem via automation. By using a quantitative risk model, we will create a robust and extensible software tool to help streamline the cybersecurity assessment process in the nuclear industry. The software tool, called Automated Cybersecurity Assessment Manager (ACAM™), is designed to support NRC regulatory policies and industry standards, and provide NPP operators with a set of web based functions to manage cybersecurity risks efficiently and cost effectively. At the end of Phase I, we created an initial version of a quantitative risk model and developed a prototype of the ACAM product that demonstrated the solution feasibility and laid out a solid foundation for continuous research and development (R&D) in Phase II. Our Phase II plan is to continue maturing our quantitative model for industrial control systems (ICS), continue developing the ACAM prototype into an enterprise product, and complete the ACAM testing in a lab test environment with realistic digital and process control assets. The end result will be a full-fledged ACAM software product ready to be deployed for beta testing with customers and integrators towards commercialization. ACAM will be the first software framework for conducting quantitative cybersecurity assessment from a risk perspective, providing accurate and consistent assessment results with significant cost savings. The result of this SBIR will fill an important gap in cybersecurity risk management for the nuclear and power industry, creating a viable solution that can be easily customized and adopted by other utility companies as well as other ICS industries. As more enterprises adopt cybersecurity assessment practices, we will be uniquely positioned to capture this growing market by continuing to advance the ACAM technology and help to secure and protect our nation’s critical infrastructures for years to come. Key Words: Cybersecurity Assessment, Assessment Evaluation, Quantitative Risk Analysis, Security Controls, Regulatory Compliance, Nuclear Power Plant Cybersecurity, Critical Infrastructure Protection