Example of Graded and Lifecycle Phase-Specific Security Controls for Nuclear I&C and EPS Use Cases

Working Group WGA9 of IEC SC45A (Nuclear I&C and ES), has recently completed a further working draft (WD) of the new IEC 63096 (unpublished) standard, aptly entitled Nuclear Power Plants – Instrumentation, Control and Electrical Systems – Security Controls. IEC 63096 specifically focuses on the selection and application of computer security controls for computer-based I&C and ES systems. This standard follows the commonly accepted ISO/IEC 27000 series security objectives of confidentiality, integrity and availability, and borrows and expands the objectives and implementation guidance from ISO/IEC 27002, while considering recommendations on sector-specific standards by ISO/IEC 27009. In addition, this guidance introduces a security grading, as well as lifecycle phase-specific controls. The grading aligns with the stringency of security controls, starting with Baseline Requirements (BR), Security Degree S3 and up to S1 (from lowest to highest degree). The lifecycle phase concerns the I&C development (D), project engineering (E) and operation and maintenance phases (O). This paper applies a sub-clause of IEC 63096 clause 15 (Supplier Relationships), to a programmable logic controller (PLC) that is typically used in power plants, to show the intended use of this standard and how it complements highest safety requirements in power plants. The Supplier Relationship clause concerns topics related to supply chain security, and is used to develop a use case example for the PLC. This example demonstrates how the controls and security degrees fits the implementation guidance from ISO/IEC 27002 and how they can be methodically applied to an I&C system.