IEC 62645[1] provides a cybersecurity framework for digital I&C programmable systems. IEC 62645[1] aligns strongly with the information security management system (ISMS) elements detailed within ISO/IEC 27001:2013[2]. The “I&C digital programmable system security programme” (as defined in 5.2.1 of IEC 62645:2019[1]) aligns with the ISMS programme.
The framework for this programme assigns security degrees (SD) to I&C systems and EPS and defines cybersecurity requirements based upon these SDs. The assignment of an SD corresponds closely to the safety categorization of IEC 61513[3] and IEC 61226[4].
IEC 62645[1] does not provide detailed guidance on risk management. The only guidance outlined in IEC 62645:2019[1] is in 5.4.3.2.2.4, and it states that ISO/IEC 27005[5] “provides a generic framework for information security risk assessment, but the specific implementation methodology is up to the organization, depending on its organizational, industrial, and regulatory context.”
IEC 62645:2019[1] also references risk in 5.4.3.2.2.5, stating:
“The specific risk assessment methodologies and tools shall be identified and kept up to date. Risk re-assessments shall be performed periodically throughout the whole life cycle of the I&C systems, when modifications to the system occur and when changes to the threat landscape are identified, such as new threats or new vulnerabilities that can affect the installed I&C programmable digital system. The number of potential threats and vulnerabilities usually increases with progress from stand-alone to interconnected systems.”
In recent years, there have been advances in NPP cybersecurity risk management nationally and internationally. For example, International Atomic Energy Agency (IAEA) publications Nuclear Security Series (NSS) 17-T [6] and NSS 33-T [7] propose a framework for computer security risk management that implements a risk management programme at both the facility and individual system levels. These international approaches (i.e., IAEA), national approaches (e.g., Canada’s HTRA[8]) and technical methods (e.g., HAZCADS[9], Cyber Informed Engineering [10], EBIOS[11][12]) have advanced risk management within NPP cybersecurity programmes that implement international and national standards.
The scope of this document is to capture the national and international cyber-risk approaches employed to manage cybersecurity risks associated with Instrumentation and Control (I&C) and Electrical Power Systems (EPS) at a Nuclear Power Plant (NPP).
This report inherits the scope from IEC 62645[1], which defines adequate measures for the prevention of, detection of, and reaction to malicious acts by digital means (cyberattacks) on I&C systems and EPS. This scope includes any malicious act that creates an unsafe situation, equipment damage, or plant performance degradation, such as:
Malicious modifications affecting system integrity;
Malicious interference with information, data, or resources that could compromise the delivery of or performance of the required I&C system’s programmable digital functions;
Malicious interference with information, data, or resources that could compromise operator displays or lead to loss of management of I&C systems or EPS; and
Malicious hardware, firmware, or software changes at the programmable logic controller level.
Human errors leading to violation of the security policy, and human errors impacting the performance of cybersecurity controls, are key risks that the risk management processes evaluated in this document are expected to assess.
This document summarizes an evaluation of cyber-risk approaches that are in use by nuclear facility operators to manage cybersecurity risks.
The scope of this document generally follows the exclusions of IEC 62645[1] which are:
Non-malevolent actions and events such as accidental failures, human errors (except those stated above, such as impacting the performance of cybersecurity controls), and natural events. In particular, good practices for managing applications and data, including backup and restoration related to accidental failure, are out of scope.
Site physical security, access control (site and specific locations within the site), and site security surveillance systems. While not explicitly addressed in IEC 62645[1], these systems are generally covered by plant operating procedures and programmes.
NOTE 2 This exclusion does not deny that cybersecurity has clear dependencies on the security of the physical environment (e.g., physical protection, or heating/ventilation/air-conditioning systems). However, this exclusion is based on the scope of IEC subcommittee and the working group that developed this document.
Confidentiality of information regarding I&C systems and EPS is not within the scope of IEC 62645[1] (see IEC 62645:2019[1], 5.4.3.2.3). However, unauthorized disclosure of sensitive information regarding I&C systems or EPS can lead to changes in risks associated with those systems. Loss of confidentiality and its impact on risks were considered within this evaluation.
Standards such as ISO/IEC 27001:2013[2] and ISO/IEC 27005:2018[5] are not directly applicable to the cyber protection of NPP I&C systems and EPS. The regulatory and safety requirements needed for the safe operation of systems within an NPP render much of the ISO/IEC 27001:2013[2] and ISO/IEC 27005:2018[5] content immaterial or inadequate. However, IEC 62645[1] builds upon the valid high-level principles and main concepts of ISO/IEC 27001:2013[2], adapts them, and completes them to fit the nuclear context. In a similar manner, this document aims to evaluate and summarize key insights within the ISO/IEC 27005:2018[5] risk management elements for possible adaptation in a potential standard under IEC 62645[1] for NPP cybersecurity programmes.
An overview of the hierarchy of IEC SC 45A standards related to cybersecurity is shown in Figure 1.
This document summarizes key insights of the international and national cyber-risk approaches used at NPPs regarding the application of ISO/IEC 27005:2018[5]. The evaluation is based on 11 challenges to cybersecurity risk management and their applicability to NPP risk management. The challenges are detailed in Clause 7.
The risk management elements within ISO/IEC 27005:2018[5] considered within the evaluation are listed below:
Context Establishment (external and internal)
Risk Identification
Risk Analysis
Risk Evaluation
Risk Decision Point 1 (Assessment satisfactory)
Risk Treatment
Risk Decision Point 2 (Treatment satisfactory)
Risk Acceptance
Risk Communication and Consultation
Monitoring and Review
This document also relates the risk management elements of IEC 62645[1] and IEC 63096[15].
This document is limited to the scope defined in IEC 62645[1]. Therefore, this document assumes that I&C systems and EPS do not directly contribute to the potential theft of nuclear material. The risk of theft of nuclear material, and its consequences, is covered through the design, implementation, and operation of Physical Protection Systems, whose design and operation are unique to each NPP.
IEC/TR 63486:2024
NOTE 1 Although security programs in other normative contexts often cover such aspects (e.g., in the ISO/IEC 27000 series[13] or IEC 62443 series[14]), this document is only focused on evaluating risk management processes that manage risks associated with malicious acts by digital means (cyberattacks) on digital I&C systems (I&C) and Electrical Power Systems (EPS). The main reason for the limitation in scope is that in the nuclear generation domain, other standards and practices already cover accidental failures, unintentional human errors, natural events, etc. The focus of this document is to provide the maximum consistency and the minimum overlap with these other nuclear standards and practices, especially IEC 62645[1].