Overview and Recommendations for Cyber Risk Assessment in Nuclear Power Plants

Digital instrumentation and control (I&C) systems are being deployed in nuclear power plants (NPPs) for both existing and advanced reactor designs. As I&C systems become more digitized to allow features like near autonomous control and remote operation, they introduce greater cyber risk to NPPs. Cyberattacks targeting industrial control systems (ICSs) are growing in both qualities and capabilities, which indicates that cybersecurity needs to be an integral part of risk assessment in the industry. Although there are some risk assessment methods in traditional information technology (IT) cybersecurity, the differences between IT and ICS cybersecurity make it infeasible to apply these risk assessment methods directly to ICSs. Some research has focused on risk assessment methods for ICSs, but few studies focus on applications to NPPs. Ideal risk frameworks for the nuclear industry are dynamic and account for system dependencies; this survey review focuses on such risk assessment methods both in and outside the nuclear field. The major challenges in cybersecurity risk assessment research are pointed out, and further research suggestions and considerations for cyber risk assessment in I&C systems are identified.