Addressing Cyber Hazards in Nuclear Power Plants with STPA-Informed Fault Trees

Year
2019
Author(s)
Adam D. Williams - Sandia National Laboratories
Andrew Clark - Sandia National Laboratories
Abstract
Civilian nuclear applications—including nuclear power plants (NPPs)—are trending towards modernizing plant control systems from analog to digital instrumentation and control (DI&C) systems. Though well established and mature, traditional probabilistic risk assessment (PRA) methods for NPP safety analyses struggle to adequately address vulnerabilities introduced by digital equipment and other cyber hazards. More specifically, the potential failures and/or undesired behaviors introduced by plant modernization will manifest from digital and passive systems, whose behaviors are less aligned with the core tenets of reliability theory than those of the analog and active systems on which older NPPs relied. Additionally, traditional risk assessment tools do not account for systems that perform their intended functions but still lead to inadequate behavior. Recent research sponsored by the Electric Power Research Institute (EPRI) has aimed to rectify this struggle. This research has shown that the logical process for prioritizing the importance of component behavior within varying loss scenarios of fault tree analysis (FTA) can be combined with the top-down process for evaluating emergent behaviors of systems-theoretic process analysis (STPA). The results are so-called “STPA-informed fault trees” (SIFTs), which have emerged as a powerful analytical tool for evaluating cyber hazards in NPPs. By incorporating STPA-derived hazardous control actions into fault trees, the resulting SIFT cut sets can be categorized in terms of whether they contain only physical, only digital, or a combination of digital and physical components. This provides unique insights into developing and managing cyber protection strategies. This hybrid analytical approach has been codified into a process called Hazards and Consequences Analysis for Digital Systems (HAZCADS), which seeks to leverage the respective benefits of both FTA and STPA approaches.
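The cut-set categorization described above can be illustrated with a small worked example. The following Python code is an added illustration, not code from the paper or from the EPRI/HAZCADS work: it builds a constructed fault tree whose basic events are tagged as either physical components or digital components (the STPA-derived hazardous control actions, prefixed `hca_`, are treated as digital basic events), computes the minimal cut sets of the top event, and sorts each cut set into the physical-only, digital-only, or mixed digital/physical category. The top event, event names, and tree structure are hypothetical and chosen only to exercise the classification and the superset-removal step.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Set, Union


@dataclass(frozen=True)
class BasicEvent:
    """A leaf of the fault tree, tagged with the class of component it belongs to."""
    name: str
    kind: str  # "physical" or "digital"


@dataclass
class Gate:
    """An AND/OR gate whose inputs are basic events or other gates."""
    op: str  # "AND" or "OR"
    inputs: List[Union["Gate", BasicEvent]] = field(default_factory=list)


Node = Union[Gate, BasicEvent]
CutSet = FrozenSet[BasicEvent]


def cut_sets(node: Node) -> Set[CutSet]:
    """Return every (not necessarily minimal) cut set that causes `node` to occur."""
    if isinstance(node, BasicEvent):
        return {frozenset([node])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.op == "OR":
        # Any one input occurring is enough: union the children's cut sets.
        result: Set[CutSet] = set()
        for cs in child_sets:
            result |= cs
        return result
    if node.op == "AND":
        # Every input must occur: combine one cut set from each child.
        result = {frozenset()}
        for cs in child_sets:
            result = {a | b for a, b in product(result, cs)}
        return result
    raise ValueError(f"unknown gate op {node.op!r}")


def minimal_cut_sets(node: Node) -> Set[CutSet]:
    """Drop any cut set that is a strict superset of another cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def classify(cs: CutSet) -> str:
    """Category of a cut set by the component classes it contains."""
    kinds = {event.kind for event in cs}
    if kinds == {"physical"}:
        return "physical"
    if kinds == {"digital"}:
        return "digital"
    return "mixed"


def categorise(node: Node) -> Dict[str, List[List[str]]]:
    """Minimal cut sets of `node`, grouped by category, as sorted name lists."""
    out: Dict[str, List[List[str]]] = {"physical": [], "digital": [], "mixed": []}
    for cs in minimal_cut_sets(node):
        out[classify(cs)].append(sorted(event.name for event in cs))
    for category in out:
        out[category].sort()
    return out


# Constructed (hypothetical) SIFT for a top event "loss of required coolant flow".
PUMP_FAILS = BasicEvent("primary_pump_mechanical_failure", "physical")
BACKUP_FAILS = BasicEvent("backup_pump_fails_to_start", "physical")
BYPASS_STUCK = BasicEvent("manual_bypass_valve_stuck", "physical")
# STPA-derived hazardous control actions, modelled as digital basic events.
HCA_CLOSE = BasicEvent("hca_controller_commands_valve_closed_when_flow_required", "digital")
HCA_TRIP = BasicEvent("hca_spurious_pump_trip_signal", "digital")

EXAMPLE_TREE = Gate("OR", [
    Gate("AND", [PUMP_FAILS, BACKUP_FAILS]),   # physical-only cut set
    Gate("AND", [HCA_CLOSE, BYPASS_STUCK]),    # mixed digital/physical cut set
    HCA_TRIP,                                  # digital-only cut set
    Gate("AND", [HCA_TRIP, BACKUP_FAILS]),     # superset of {HCA_TRIP}; removed as non-minimal
])

if __name__ == "__main__":
    for category, sets in categorise(EXAMPLE_TREE).items():
        print(f"{category}: {sets}")
```

Running the block prints one physical-only, one digital-only and one mixed minimal cut set; the fourth AND branch disappears because the spurious trip signal alone already causes the top event. In a real SIFT the digital-only and mixed categories are the ones that a cyber protection strategy has to cover, while physical-only cut sets remain in the province of conventional PRA.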
After introducing the challenges of digital controllers and cyber hazards to desired NPP operations, this paper will briefly review the core tenets of both FTA and STPA. Next, both a detailed description and example of how SIFTs are used to evaluate cyber hazards in NPPs will be provided. Finally, this paper will summarize the overall HAZCADS methodology and offer insights for improving cyber security efforts for civilian nuclear applications. (SAND2019-0720A)