<strong>atw</strong> Vol. 62 (<strong>2017</strong>) | Issue 6 ı June<br />
OPERATION AND NEW BUILD 398<br />
International and national nuclear laws and regulations<br />
Tab. 1. Examples of international and national nuclear cyber security regulations.<br />
Assurance) Standard is intended for use by IA practitioners, working especially with UK Government ICT systems, as the foundation for their Information Risk Management Policy. This standard provides a methodology by which these practitioners can “identify, assess and determine the level of risk to an ICT system and a framework for the selection of appropriate risk treatments.”<br />
Requirements from these international nuclear cyber security standards apply to the whole nuclear power plant. Figure 2 shows the scope of applicability of these requirements using the example of a typical nuclear I&C architecture.<br />
In Figure 3, the relationships between safety standards (in purple) and security standards (in orange) from different industries are indicated. All the individual fields have their own specific standards for safety and security. For example, IEC 60601 and IEC 62304 are the safety standards referred to in the medical field.<br />
Fig. 2. An example of a nuclear I&C architecture (© AREVA).<br />
Fig. 3. Safety and Security Interface at the Standards Level (© IEC TC65).<br />
2 Gradual consideration of information security in Industry 4.0 and IoT<br />
Industry 4.0 and “Manufactured in China 2025” are governed by a “Reference Architecture Model Industry 4.0” (RAMI) or similar, which are typically represented by cubes subdivided as 6x6x6 or 5x5x5. The 3 axes of the cube are “Layers”, “Hierarchy Levels” and “Value Streams”. None of the 6 Layers (Business, Functional, Information, Communication, Integration and Asset) explicitly contains cyber security. Similarly, along the other two axes, cyber security is not explicitly included. This is because security and interoperability are considered integral components of multiple of the 3D elements that build up the complete cube, see Figure 4.<br />
2.1 Generic information security<br />
One purpose of generic security standards is to be applicable to an organization of any size, e.g. a one-employee service provider or a multinational organization. The ISO/IEC 27000 series claims to meet this criterion. Still, beyond these generic information security standards in the 27000 to 27021 range, additional standards in the 27031 to 27050 and other ranges provide more in-depth guidance.<br />
2.2 IT security for power generating plants<br />
VGB-S-175 addresses generic security requirements, Defense-in-Depth<br />
Cyber Security in Nuclear Power Plants and its Portability to Other Industrial Infrastructures ı Sébastien Champigny, Deeksha Gupta, Venesa Watson and Karl Waedt