The risk of cybersecurity threats to computer-based equipment and programmable logic devices used in industrial installations is always topical. In particular, IT equipment has also been widely implemented in nuclear power plants (both existing and newly built ones) to perform operational and safety functions. Therefore, the protection of nuclear power plants against cybersecurity threats is of particular importance to ensure plant safety and operation.
The IEC Subcommittee 45A (IEC – TC 45/SC 45A) on ‘Instrumentation, control and electrical power systems of nuclear facilities’, which is mirrored at European level by CLC/TC 45AX ‘Instrumentation, control and electrical power systems of nuclear facilities’, whose Secretariat is currently held by AFNOR, has been developing a cybersecurity standards framework. This framework is based on the ISO/IEC 27000 series and the security series of the International Atomic Energy Agency (IAEA).
Within this framework, the second edition of IEC 62645 ‘Nuclear power plants – Instrumentation and control systems – Cybersecurity requirements’ was published in 2019, and it was recently adopted without modification by CENELEC as EN IEC 62645:2020. This standard is accompanied by IEC 62859 ‘Nuclear power plants – Instrumentation and control systems – Requirements for coordinating safety and cybersecurity’ to acknowledge the mutual relationship between safety and cybersecurity in the nuclear energy sector.
EN IEC 62645:2020 focuses on the issue of preventing and/or minimising the impact of attacks against computer-based systems and programmable logic devices on nuclear safety and plant performance. It provides and clarifies cybersecurity requirements and guidance on processes to design, develop and operate IT systems in nuclear plants. The document distinguishes three layers of development and management:
- The life-cycle programme level (based e.g. on regulatory guidance, documented and approved policies and plant-specific guidance through a Plan-Do-Control-Act (PDCA) process according to ISO/IEC 27001);
- The life-cycle system level (covering the plant-specific computer-based system architecture and the system development and design); and
- Generic considerations on security controls (i.e. the variety of measures and equipment that have to be applied to reach the cybersecurity objectives).
In addition, this standard aims at consistency with the domain’s independent regulatory framework ISO/IEC 27001, ISO/IEC 27002 and IAEA NSS17 in deeper detail, as well as enhanced coordination with safety-related standards (particularly IEC 61513, IEC 62138 and IEC 60880). Furthermore, technical guidance was modified or added, for example with regard to the concept of security degrees (whereby the criteria of four degrees are now prescribed) and the consideration of smart electric systems and of legacy systems.
As EN IEC 62645:2020 is based on well-established international cybersecurity principles and policies, it provides the relevant actors of the nuclear sector with a dependable basis to develop their plant-specific cybersecurity programs.
The document states that the requirements and guidance of power plants’ security programs should comply with the country-specific security requirements. This standard addresses an evolving area of regulatory requirements, due to the changing and evolving nature of cybersecurity threats. Therefore, it defines a framework within which the evolving country-specific requirements may be developed and applied.
EN IEC 62645:2020 facilitates the development of bundles of cybersecurity measures that meet the expectations of planning, design, operation, and maintenance staff, as well as assessors and licensors of nuclear facilities throughout Europe. In this way, it contributes to the construction of new nuclear facilities, the modernisation of existing ones and to efficiently targeting licensing processes.
For more information, please contact Mercedes MIRA COSTA.