Nuclear power plants – Instrumentation, control and electrical power systems – Security controls
Publication Date: 1 October 2020
ICS Code (Nuclear power plants. Safety): 27.120.20
Since strict requirements on safety and availability of nuclear I&C apply, due consideration of cybersecurity threats is needed.
Since nowadays nuclear I&C programmable digital systems are largely based on digital technology including networks, individual I&C systems are increasingly interconnected, and the I&C equipment is widely distributed within the NPP area, security controls for prevention, detection and correction are needed to protect nuclear I&C programmable digital systems from external and internal cybersecurity threats.
The objective of this document is to extend the SC 45A series of documents addressing cybersecurity with IEC 62645 as its top-level document, by defining nuclear I&C programmable digital system specific security controls for I&C systems of the Safety Classes 1, 2, 3 and for non-classified (NC) I&C systems. The safety classification of I&C systems, and associated safety requirements, are among the biggest differences compared to typical IT systems and standard industrial automation systems. Annex B contains a correspondence between IEC 62645 and IEC 63096.
This document, based on the security controls defined in ISO/IEC 27002, reflects the special security control requirements for nuclear I&C programmable digital systems. The original ISO/IEC 27002 requirements are either modified, detailed or completed wherever deemed necessary from a nuclear I&C programmable digital system perspective. Additional nuclear I&C programmable digital system specific security controls that are not identified in ISO/IEC 27002 but are deemed necessary are also added.
This document refers in detail to ISO/IEC 27002:2013. A later modification of ISO/IEC 27002:2013 will not automatically influence the modifications, detailing and completions given by IEC 63096 without analysing the consequences from the nuclear I&C perspective.
By applying and extending the ISO/IEC 27002:2013 security controls, this document implicitly reflects all lifecycle phases of nuclear I&C programmable digital system platforms and systems.
By selecting the highly recommended security controls based on the processes defined in IEC 62645, and on the additional process details described within this document, the risk level will be reduced to an acceptable level.
The selection of security controls ensures that both safety and security requirements are met according to IEC 62859. If a specific security control negatively influences safety, safety prevails (see IEC 62859) and a compensatory security control should be implemented.
For the development of this document ISO/IEC 27009 has been followed as far as applicable, also considering that ISO/IEC 27009 is not binding for the SC 45A IEC standard series.
ISO/IEC 27019 explicitly excludes the "process control domain of nuclear facilities".
NOTE The term "process control domain of nuclear facilities" is a quote from ISO/IEC 27019.
This document provides a catalogue of highly recommended and optional security controls graded (see Clause 5 to Clause 20) in line with the security degrees defined by IEC 62645. These are intended for nuclear I&C programmable digital systems and architecture including related activities (I&C platform development, project engineering, operation and maintenance).
This document establishes requirements and guidance to:
- select and apply security controls for nuclear I&C programmable digital systems;
- propose and apply compensatory security controls in case a highly recommended security control cannot be implemented (e.g. due to technical reasons);
- credit/inherit existing security controls and safety provisions implemented for I&C systems important to safety as compensatory security controls;
- handle the security of legacy I&C.
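The selection rules stated above (apply the highly recommended controls for the system's security degree and lifecycle activity, compensate where a control cannot be implemented, credit existing safety provisions as compensatory controls, and let safety prevail where a control would impair it, as Clause 4 and IEC 62859 require) can be modelled as a small decision procedure. The following Python is an added illustration, not code or content from IEC 63096; the security-degree labels S1/S2/S3 are assumed to follow IEC 62645, and the control identifiers, titles and gradings in the catalogue are constructed for the example only.

```python
"""Constructed model of the security-control selection process.

Security-degree labels S1/S2/S3 (assumed to follow IEC 62645, S1 the most
demanding), the lifecycle activity names and every catalogue entry below are
constructed for this example; they are not the catalogue of IEC 63096.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    HIGHLY_RECOMMENDED = "highly recommended"
    OPTIONAL = "optional"
    NOT_APPLICABLE = "not applicable"


@dataclass(frozen=True)
class Control:
    ident: str
    title: str
    applicability: dict          # security degree -> Status
    activities: frozenset        # lifecycle activities where the control applies
    objective: frozenset         # preservation objective(s): C, I, A
    focus: frozenset             # prevention / detection / correction


HR, OPT, NA = Status.HIGHLY_RECOMMENDED, Status.OPTIONAL, Status.NOT_APPLICABLE
PLATFORM = "platform_development"
ENGINEERING = "project_engineering"
OPERATION = "operation_maintenance"

# Constructed catalogue (hypothetical identifiers, titles and gradings).
CATALOGUE = (
    Control("CTRL-01", "Secure log-on with inactivity lock",
            {"S1": HR, "S2": HR, "S3": OPT},
            frozenset({ENGINEERING, OPERATION}),
            frozenset({"C", "I"}), frozenset({"prevention"})),
    Control("CTRL-02", "Event logging on I&C network devices",
            {"S1": HR, "S2": HR, "S3": HR},
            frozenset({OPERATION}),
            frozenset({"I", "A"}), frozenset({"detection"})),
    Control("CTRL-03", "Vulnerability management for platform components",
            {"S1": HR, "S2": OPT, "S3": OPT},
            frozenset({PLATFORM, ENGINEERING, OPERATION}),
            frozenset({"I", "A"}), frozenset({"prevention", "correction"})),
    Control("CTRL-04", "Removable media restrictions for maintenance tools",
            {"S1": HR, "S2": HR, "S3": NA},
            frozenset({OPERATION}),
            frozenset({"I"}), frozenset({"prevention"})),
)


def required_controls(catalogue, degree, activity):
    """Controls highly recommended for this security degree and lifecycle activity."""
    return [c for c in catalogue
            if c.applicability.get(degree) is HR and activity in c.activities]


def plan_controls(catalogue, degree, activity, implemented, safety_conflicts, compensations):
    """Classify each required control as applied, compensated or a gap.

    implemented      : idents implemented directly
    safety_conflicts : idents judged to impair safety; safety prevails, so they
                       are never applied directly and need a compensatory control
    compensations    : ident -> description of the compensatory control, which may
                       be an existing safety provision credited as a control
    """
    applied, compensated, gaps = [], [], []
    for c in required_controls(catalogue, degree, activity):
        if c.ident in safety_conflicts:
            if c.ident in compensations:
                compensated.append((c.ident, compensations[c.ident]))
            else:
                gaps.append(c.ident)
        elif c.ident in implemented:
            applied.append(c.ident)
        elif c.ident in compensations:
            compensated.append((c.ident, compensations[c.ident]))
        else:
            gaps.append(c.ident)
    return applied, compensated, gaps


def lost_coverage(catalogue, gaps):
    """(objective, focus) pairs that the unresolved gap controls would have covered."""
    by_id = {c.ident: c for c in catalogue}
    lost = set()
    for ident in gaps:
        c = by_id[ident]
        lost.update((o, f) for o in c.objective for f in c.focus)
    return lost


if __name__ == "__main__":
    # Constructed scenario: an S1 system in operation; the inactivity lock of
    # CTRL-01 was judged to impair safety on the operator HMI, so an existing
    # physical access provision is credited as the compensatory control.
    applied, compensated, gaps = plan_controls(
        CATALOGUE, "S1", OPERATION,
        implemented={"CTRL-02"},
        safety_conflicts={"CTRL-01"},
        compensations={"CTRL-01": "physical access control of the operator room"},
    )
    print("applied:", applied)
    print("compensated:", compensated)
    print("gaps:", gaps, "lost coverage:", sorted(lost_coverage(CATALOGUE, gaps)))
```

`lost_coverage` is the check a reviewer wants for every remaining gap: it reports which preservation objectives and control focus (prevention, detection, correction) are left uncovered, which is the information needed to argue for a compensatory control or to document the residual risk.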
Application of cybersecurity controls on the overall I&C architecture level is not considered in this document.
Safety remains the top priority from a nuclear I&C programmable digital system perspective. IEC 62859 provides requirements and guidance to coordinate cybersecurity measures with safety.
This document is intended to be used for designing I&C systems for new NPPs, and modernizing and modifying I&C systems for existing NPPs throughout the I&C programmable digital systems lifecycle. It may also be applicable to other types of nuclear facilities.
This document addresses the whole scope of nuclear I&C programmable digital systems, both safety and non-safety classified.
The scope of this document also includes sensors, actuators and electrical systems that belong to the I&C control loop.
It is also applicable to those parts of electrical systems covered by IEC 63046 which rely on digital programmable technology. For better readability, the terms "nuclear I&C programmable digital systems", "I&C system" or "I&C platform" used in this document implicitly include electrical systems if the electrical system includes programmable digital systems.
NOTE It is recognized that electrical systems are not necessarily classified according to IEC 61226. Therefore, the security degree classification used in this document might not be usable for electrical systems.
This document also defines security controls on access control and physical protection as needed for protecting nuclear I&C programmable digital systems and electrical systems against cyberattacks. The NPP wide cybersecurity for Facility Management (Building Technology) is beyond the scope of IEC SC 45A. For details on the cybersecurity scope in the context of physical protection for nuclear I&C programmable digital systems, see IEC 62645.
This document is applicable to nuclear I&C programmable digital systems of NPPs, including their maintenance and configuration tools (e.g. engineering or diagnostic tools). This also includes the interfaces to 3rd party I&C programmable digital systems, 3rd party computer systems or other IT networks.
The scope of this document includes:
- Security controls for the I&C platform and the I&C system itself.
- Security controls for the I&C platform development environment.
- Security controls for the I&C system engineering environment including installation and commissioning phases.
- Security controls for the I&C system operation and maintenance environment.
This document is intended to be used by the audience, as defined in 4.1, for the following activities:
- I&C Platform Development.
- Project Engineering for plant specific I&C system.
- Operation and Maintenance of I&C system.
This document comprises the following normative clauses:
- Clause 4 deals with the selection of security controls and its interconnection to IEC 62645 and IEC 62859.
- Clause 5 through Clause 18 comprise the security control clauses and for each control clause the control categories as defined in ISO/IEC 27002:2013.
ISO/IEC 27002:2013 security control clauses are either taken over without modification or modified or completed for the nuclear I&C programmable digital systems domain. Necessary nuclear specific modifications are indicated clearly within each clause.
For each security control clause, additional nuclear I&C programmable digital system specific information is given: Applicability for security degrees, applicability for activities (life cycle), the preservation objective (confidentiality, integrity and availability) and the security control focus (prevention, detection and correction).
- Clause 19 and Clause 20 comprise nuclear security specific control clauses that are additional to the ISO/IEC 27002:2013 clauses.
NOTE Annex A summarizes all security controls including their applicability for security degrees, their applicability for activities, the preservation objective and the control focus.