Quantifying cyber risk: A model for evaluating safety impacts of cyber threats on NPPs

IF 2.6 | Zone 3, Engineering and Technology | Q1 NUCLEAR SCIENCE & TECHNOLOGY
Kwang-Seop Son, Jae-Gu Song, Inhye Hahm, Jung-Woon Lee
Nuclear Engineering and Technology, Volume 57, Issue 10, Article 103675. Journal Article. Publication date: 2025-04-30. DOI: 10.1016/j.net.2025.103675
https://www.sciencedirect.com/science/article/pii/S1738573325002438
Citation count: 0

Abstract

The quantitative cyber risk assessment approach presented in this paper is specifically tailored to meet the operational and safety needs of Nuclear Power Plants (NPPs). Addressing the limitations of conventional qualitative methods, the proposed approach evaluates cyber risks through the integration of two key elements: the Risk Increase Ratio (RIR) derived from Probabilistic Safety Assessment (PSA) and the Score of Security Controls (SSC) for Critical Digital Assets (CDA). By employing these metrics, the study quantifies the safety impacts of cyber threats by considering their impact on the Core Damage Frequency (CDF). The framework incorporates three distinct models—$CR_L$, $CR_M$, and $CR_Z$—each reflecting different data distribution and normalization methods. Although the absolute risk values varied among the models, their consistent relative risk rankings highlight the robustness of the methodology. A case study was conducted on digital safety systems, demonstrating the applicability of the proposed model to real NPP scenarios. To support practical implementation, the study emphasizes the need for collaboration among operators, designers, and cybersecurity experts to adapt SSC and RIR mappings to the risk values considering site-specific operational and design environments. This structured, risk-informed methodology advances the field of cyber risk assessment by ensuring consistency, granularity, and applicability, ultimately enhancing the resilience of critical infrastructure such as NPPs.
Source journal
Nuclear Engineering and Technology (Engineering and Technology: Nuclear Science and Technology)
CiteScore: 4.80
Self-citation rate: 7.40%
Articles published: 431
Review time: 3.5 months
Journal description: Nuclear Engineering and Technology (NET), an international journal of the Korean Nuclear Society (KNS), publishes peer-reviewed papers on original research, ideas and developments in all areas of the field of nuclear science and technology. NET publishes original articles, reviews, and technical notes bimonthly. The journal is listed in the Science Citation Index Expanded (SCIE) of Thomson Reuters. NET covers all fields for peaceful utilization of nuclear energy and radiation as follows: 1) Reactor Physics 2) Thermal Hydraulics 3) Nuclear Safety 4) Nuclear I&C 5) Nuclear Physics, Fusion, and Laser Technology 6) Nuclear Fuel Cycle and Radioactive Waste Management 7) Nuclear Fuel and Reactor Materials 8) Radiation Application 9) Radiation Protection 10) Nuclear Structural Analysis and Plant Management & Maintenance 11) Nuclear Policy, Economics, and Human Resource Development