Performance Testing of Cyber Incident Response at NPP Operators

Year
2022
Author(s)
Michael Rowland - Sandia National Laboratories
Andrew Hahn - Sandia National Laboratories
Dave Trask - Canadian Nuclear Laboratories
Richard Brown - Canadian Nuclear Laboratories
Charles Nickerson - Idaho National Laboratory
Christopher Spirito - Idaho National Laboratory
Abstract
Cyber-attacks targeting nuclear facilities are an increasing concern for nuclear security. However, unlike physical security, performance testing of cyber-security incident response at nuclear facilities has yet to develop the mature, safe and secure methodologies necessary to evaluate facility staff in live or representative conditions. Exercises are one way to test the effectiveness of the cyber program, train staff, increase awareness, and ensure that the appropriate tools and processes are available and effective and that pre-requisites for response and recovery systems are in place before they are needed, in order to assure safety and business continuity in a cyber event. Exercises are also an effective way to strengthen interfaces with the Regulator and other regional or national departments who could support the industry in the event of a significant cyber security attack. In 2021, a collaborative research and development project between Canadian Nuclear Laboratories (CNL), Idaho National Laboratory, and Sandia National Laboratories commenced. This project will develop and conduct cyber security exercises to support nuclear operators and relevant staff within the facility in understanding how to recognize a cyber-attack, how to respond to an attack, how to conduct forensic analysis to determine the consequences of the attack, and elements to consider when developing a cyber incident response program. Exercises involving “live” attacks on Operational Technology systems are planned for March 2022 at CNL’s cyber centre, with a second exercise planned for May 2023 involving a blended attack (physical intrusion supported by a cyber-attack) at Sandia’s Nuclear Security Technology Complex. This paper will discuss the outcomes of the March 2022 exercise and the planned efforts for May 2023. SNL is managed and operated by NTESS under DOE NNSA contract DE-NA0003525. SAND2022-1550 A. LLNL-ABS-818781-DRAFT.