Year
2025
Abstract
Current regulations for the existing U.S. nuclear fleet prescribe a “wrap-around” security approach for cybersecurity. The cybersecurity protections are based on strict access control and configuration management, defended by strong physical protection measures (i.e., guns, guards, and gates). While this wrap-around approach has been sufficient to secure existing nuclear power plants (NPPs) from cyber-attacks, it constrains innovation and the new, novel use cases (e.g., remote, autonomous operations) that are necessary to drive down the capital and operating costs of new Small Modular Reactors (SMRs).
The goal of Cyber-Informed Engineering (CIE) and cybersecurity-by-design frameworks is to fully integrate security into design starting at the earliest stages in the facility and system lifecycle. Cybersecurity-by-design practices, such as consequence prioritization, simplifying designs, establishing defensive architectures, hardening instrumentation and control (I&C) systems, and including security controls and detection capabilities in the design, are techniques that can reduce overall digital risk prior to installation and implementation.
The draft U.S. Nuclear Regulatory Commission Regulatory Guide (RG) 5.96 details the objectives of a cybersecurity-by-design approach. This approach leverages the SMR Design Maturity phases to prioritize specific CIE principles during specific SMR design phases. This prioritization bounds and simplifies complex design analysis, thereby reducing complexity, the potential for errors, and costly re-designs needed to achieve cybersecurity by design. RG 5.96 achieves this by presenting a tiered cyber analysis (TCA) that addresses mission (strategic/national) risk, facility (single site/reactor) risk, and system risk individually, with the design focused on mission and facility risks. This paper discusses the efforts and results of research on CIE and the TCA to provide insights into how to achieve cybersecurity by design.
SNL is managed and operated by NTESS under DOE NNSA contract DE-NA0003525.
