Quantifying cyber risk: A model for evaluating safety impacts of cyber threats on NPPs

The quantitative cyber risk assessment approach presented in this paper is specifically tailored to meet the operational and safety needs of Nuclear Power Plants (NPPs). Addressing the limitations of conventional qualitative methods, the proposed approach evaluates cyber risks through the integration of two key elements: the Risk Increase Ratio (RIR) derived from Probabilistic Safety Assessment (PSA) and the Score of Security Controls (SSC) for Critical Digital Assets (CDA). By employing these metrics, the study quantifies the safety impacts of cyber threats by considering their impact on the Core Damage Frequency (CDF). The framework incorporates three distinct models—${CR}_L$, ${CR}_M$, and ${CR}_Z$—each reflecting different data distribution and normalization methods. Although the absolute risk values varied among the models, their consistent relative risk rankings highlight the robustness of the methodology. A case study was conducted on digital safety systems, demonstrating the applicability of the proposed model to real NPP scenarios. To support practical implementation, the study emphasizes the need for collaboration among operators, designers, and cybersecurity experts to adapt SSC and RIR mappings to the risk values considering site-specific operational and design environments. This structured, risk-informed methodology advances the field of cyber risk assessment by ensuring consistency, granularity, and applicability, ultimately enhancing the resilience of critical infrastructure such as NPPs.