dc.description.abstract |
In the last several decades, a nuclear power plant (NPP) which is one of the safety critical infrastructures has adopted digital technology in both safety and non-safety systems. Thus, the cyber-attack has emerged as one of the concerns on digital instrumentation and control systems in NPPs. “Stuxnet” in 2010, which is a typical example of the cyber-attacks on nuclear facilities, showed that cyber-attack on NPPs is already a realized problem. Also, the possibility of physical destruction of nuclear facilities through the cyber-attack has been turned out. Therefore, the need for specific cyber security strategies for NPPs has been increasing because NPPs must be defended against any situations. To develop effective defense strategies against cyberattacks on NPPs, both qualitative and quantitative analysis are necessary. While there have been studies for qualitative analysis of cyber-attacks on NPPs, the research on quantitative analysis for cyber security is not mature yet. This work aims to propose a quantitative analysis method of the risk caused by cyberattack. Typically, the risk of an NPP is represented as the product of frequency (e.g., core damage frequency) and consequence of event (e.g., fatalities). In the same sense, the risk of a cyber-attack can be represented as the product of the frequencies of cyber-attacks and their consequences. However, since a cyber-attack is an intended attack, it is not possible to estimate or predict its frequency. Therefore, in this work, the complexity of a cyber-attack is used instead of the frequency to estimate the risk. In this study, a complexity evaluation model of cyber-attacks on NPPs was developed based on Bayesian Belief Network (BBN). To develop the model, the cyber-attack related variables such as vulnerabilities of systems by cyberattacks, detection and protection systems, mitigation actions by operators, critical digital assets (CDAs) and the impacts of CDA failures caused by cyber-attacks were considered. This method is for providing the information about the relative complexities of cyber-attacks rather than absolute ones. Based on the evaluation results of this work, it is expected possible to develop effective cyber security strategies. |
- |