The nuclear power industry, including the 61 commercially operating nuclear power plants with 99 nuclear reactors, and research and test reactors, is undergoing a transition from analog to digital control systems (A2D). While the A2D transition will enhance efficient operation of nuclear reactors, it also introduces cybersecurity concerns related to their safe and cost-effective operation. Insider threats, supply chain management, susceptibility to direct network breach are emerging as recognized concerns in the reactor community as security budgets are an average $10 mm per plant per year.At the same time, there is little unified methodology for assessing the full range risks of vulnerabilities in a digitized reactor domain. Facility safety and security currently often hinge on a catalog of approved parts, with a rudimentary binning and ranking process carrying little fidelity around the impact on A2D transition risks to mission-critical assets. The loss impact could be significant if an operator cannot distinguish the risk impact of changing a low criticality part from accrediting a critical part.Neo Prime proposes to develop a risk-informed approach to the digital transition of the nuclear plants. Neo Prime will extend its patented risk simulation and modeling approach, which is already providing guidance to non-nuclear generation, and extend it to commercial application in the nuclear sector. This will promote design and implementation of secure architectures to reduce risk to mission critical reactor assets, prioritize cost-effective security control deployment and advanced reporting. This framework allows enterprise risk evaluation of resiliency of nuclear facility security planning and implementation, and informs requirements that should be placed on manufacturers of critical digital equipment. Phase I design of a dynamic threat model against nuclear utility components and damage pathways will extend Design Basis Threat analysis to include the latest ICS threats, e.g., US CERT TA17-163A Crash Override. NRC Regulations will be fully incorporated into a stochastic risk-based model of reactor operations, with multiple Neo Prime components focusing on threat groups and attack tactics, the security control measures for insider threat, supply chain security, and A2D transition scenarios, while developing a risk model for safety, security and maintenance. The Phase I risk model will inform decision-making, training and exercising, including cooperative tests with Neo Primes current client base. Phase II will focus on extending the Neo Prime RiskFirst platform for automated data entry, risk reporting, alert notifications and security control tracking to allow reactor leadership and security teams to track progress on their cost-effective mitigation strategies, and allow managers to plan and track implementation for safe A2D reactor transitions. Phase II will include the design of a comprehensive simulation and security training regime to protect nuclear facilities via the modified RiskFirst platform.
