Development of a quantitative method for identifying fault-prone cyber security controls in NPP digital I&C systems

The nuclear regulatory organizations have developed the regulatory guidance for assessment and selection of cyber security controls. One of the important considerations is that the performance and reliability of safety-grade software system must not be degraded by the cyber security controls. However, the nuclear industry has difficulty in applying and verifying the cyber security controls because of the complicated structure of digital I&C systems and the vast amount of cyber security controls. In this study, in order to solve the problem, a cyber security control V&V process model is developed based on the concept of adaptive focusing testing. In addition, a quantitative method for identifying and prioritizing fault-prone cyber security controls is developed. It was confirmed that the developed model can provide an additional and more objective context for the subjective judgement of experts. (C) 2020 Elsevier Ltd. All rights reserved.