Development of an integrated cyber attack response support system based on NPP security state estimation

Abstract

The introduction of digital and automation technologies within nuclear power plants (NPPs) has raised cyber security-related issues in the nuclear industry. Regulatory agencies require all nuclear facilities to have adequate cyber attack prevention and response capabilities, but previous studies on cyber security have focused mainly on prevention rather than response. Although technical guidelines suggest that the scope of cyber attack response strategies should be expanded security-oriented to safety-oriented depending on the progress state of a cyber attack, the guidelines do not describe how to identify the states or how to plan a course of response actions. To solve this problem, a system that can estimate security states is developed. The hidden Markov model (HMM)-based state estimation method is adopted to identify the most probable security state transition path given a sequence of security alarms. To address the shortage of training datasets required for model construction, a knowledge-based method is developed that utilizes available system knowledge. In addition, an online model update method is developed to address the limitations of the knowledge-based method. Although the current security state can be estimated, operators may find it difficult to plan cyber attack response actions. In this study, a system is developed to support operators in planning response actions based on the estimated security state. The Markov decision process (MDP) model-based response planning method is used to establish an optimal response plan. An MDP modeling method is developed in which the cyber attack process is affected by response actions taken, and an agent modeling method is developed to identify the optimal response plan. In addition, a case study is conducted to prove the feasibility of the developed systems. A cyber attack scenario is implemented experimentally using a hardware-in-the-loop (HIL) system. The developed system detected a cyber attack at an early stage and distinguished false alarm scenarios by probabilistically estimating the occurrence of a cyber attack. In addition to detecting cyber attacks, the security state transition path was estimated with a high level of confidence. The developed support system was able to recommend the optimal action based on the estimated security state. Moreover, it was able to quantify the expected effect of the response plan, which could help operators to verify the effectiveness of the response plan in advance. It was proved that the developed integrated cyber attack support system can help operators to understand the progress of cyber attacks and implement the optimal response actions. Therefore, the developed system is expected to improve the cyber attack response capabilities of NPPs in the future.