NST076 - Computer Security of Operational Technologies and Instrumentation and Control Systems for Nuclear Security

Status: STEP 3

Revision von NSS No. 33-T

Beteiligte IAEO-Komitees: NSGC, NUSSC, EPReSC, RASSC, TRANSC, WASSC

NSS Implementing Guides and Technical Guidance

Zurück zur Übersicht "In Entwicklung befindliche Safety Standards"

NSS No. 33-T interfaces with several safety and security guidance publications that have undergone revisions since its publication in 2018. Some additional new concepts, like cyber-by-design, have also been developed and need to be taken into account.

Additionally, IAEA Safety Standards Series No. SSR-2/1 (Rev. 1), Safety of Nuclear Power Plants: Design, is currently under review and Specific Safety Guide SSG-39, Design of Instrumentation and Control Systems for Nuclear Power Plants, is scheduled for review in 2026.

The primary scope of this revision focuses on the application of computer security measures to Operational Technology (OT) systems in nuclear facilities. This is important because OT systems, including Instrumentation and Control (I&C) systems, are the foundation of many nuclear safety and security systems used in operations and nuclear facilities. These systems perform critical functions, including security, safety, and auxiliary operations, at facilities that use, store, and transport nuclear material and other radioactive material.

OT have to be understood as computer-based digital technologies that control real-world processes. In this way, OT includes but are not limited to I&C (Industrial Control) systems. Therefore, OT also includes the human actions as a part of the systems, which should be considered in this revision.

Since OT is distinguished from Information Technologies (IT) for business activities, the boundary between both technologies is merging and OT may include IT-like platforms or in the near future Cloud based systems.

Additionally, the revision should cover OT systems that monitor the retrieval of material outside of regulatory control.

It is proposed that this document should be a cross-cutting publication supporting all nuclear security domains including addressing emerging digital technologies, machine learning, Artificial Intelligence and Small Modular Reactors and Microreactors.

Further, guidance on certain aspects of the safety interfaces with security need to be clarified, improved and updated in order to reflect the best practices developed since the initial development of NSS 33-T.

The original scope of NSS 33-T was focused on nuclear power plants. As the computer security for nuclear may be needed in other areas of the nuclear security regime, the scope of the document should cover all the Nuclear Security domains (e.g. NMAC, PPS, EP, SSS, Rad and MORC).

Examples of topics that may be explored in a NSS 33-T revision:

• Clarification of the relationship between computer security and safety.
• Baseline computer security requirements for SMR.
• Practical development on function defence, data-flows and trust relationships complementing NSS No. 17-T (rev.1).
• Clarification of the lifecycle concepts.
• Practical guidance on supply chain issues.
• Consideration and possible guidance on implementing OT-SOCs (Security Operation Centres) and on their relationship with other security components (Central Alarm Station, Main Control Room, IT SOC, Incident and safety Event Response…).
• Clarification of the concept of SDA (Sensitive Digital Asset) in order to better focus on function protection rather than on assets security.
• Clarification of the concept of DBT (Design Basis Threat) for computer security.

The revision will provide up-to-date guidance on computer security measures across various domains, including interactions with cloud-based systems, facility lifetimes (from design to decommissioning), component lifecycle management, and human component of the OT systems. Additionally, informative annexes including worked examples and references to other relevant publications will offer practical insights and support on computer security for OT systems.

This revision will be aligned with the three-recommendation level publications of the NSS (NSS Nos 13, 14, and 15) that are currently under revision. The revision also addresses the application of computer security measures to the development, simulation, and maintenance environments of OT systems.

The revision will also examine the security implications of introducing emerging digital technologies, such as autonomous, remote operation, wireless, cloud computing, and artificial intelligence, as well as the implementation of a zero-trust model for OT systems. This will help strengthen security in order to mitigate potential weaknesses in OT systems.