Cyber
Security
By Erik Dorman, AREVA, Inc.
Erik Dorman
Mr. Erik Dorman is the product line
manager for cybersecurity solutions
at AREVA Inc.
Mr. Dorman was
previously the
cybersecurity
engineering
program lead for
AREVA. He is a
representative on the
INPO Cybersecurity
Strategic Advisory
Board, and his
work has included
meeting with U.S.
Nuclear Regulatory
Commission to
resolve cybersecurity
issues for the
industry. He is also
a certified Project
Management Professional (PMP) and
has led various projects in the energy
industry within AREVA’s Installed Base
organization.
Dorman received his Bachelor of
Science, Computer Science, from
University of Mary Washington in
Fredericksburg, Virginia.
Responses to questions by Newal
Agnihotri, Editor of Nuclear Plant
Journal.
1.
What is the impact of digital
upgrades on the cyber security concern?
Why did you switch from your land-
line telephone to a mobile phone, or from
a manual typewriter to your personal
computer? Both scenarios increased your
risks for cyber security threats and expo-
sure, so why did you change? You reach
a point where the benefit of making a
change outweighs the risk of keeping old
technology. With advances in technology,
old systems become obsolete, costly to
maintain and creates greater risks on the
safety, quality and performance of your
services. Ultimately, a change is required.
While we can’t completely eliminate the
cyber security concern, we have been
able to provide solu-
tions that have met the
evolving
challenge
while improving the
operational
perfor-
mance of the nuclear
industry. For the en-
ergy industry, digi-
tal is necessary, and
safety and security
are non-negotiable, so
best-in-class cyberse-
curity is critical to the
continued operational
excellence of the U.S.
nuclear energy fleet.
2.
Is AREVA do-
ing any cybersecurity-
related research?
AREVA is actively engaged with
research and development activities
in response to the ever-evolving threat
landscape. We currently have active
projects related to threat monitoring and
intelligence, device hardening, product
integration, and a host of other projects
in partnership with utilities, national labs
and academia.
3.
How does AREVA ensure that
upgraded equipment that goes off-site
does not come back with any embedded
or undesired devices?
AREVA requires that our suppliers
meet industry requirements that align
with the expectations of our customers
with respect to cybersecurity threats. This
includes having policies and procedures in
place to address all facets of development,
testing and installation that help mitigate
46
NuclearPlantJournal.com Nuclear Plant Journal, July-August 2015
any potential vulnerability. Our focus is
on delivering products and services to our
customers with the technical rigor and
quality they require, without impacting
the reliability, performance or safety
attributes that have become pillars within
our industry.
4.
How does AREVA ensure the security
of upgraded software?
The security of the software
development activities are validated via
testing and qualification per AREVA and
the licensee’s procedures. In addition
to performing audits of our suppliers,
AREVA audits our own internal
development practices. This helps to
drive continuous improvement and
performance enhancements, and validates
that all work products produced have the
technical rigor that our industry expects.
5.
With the prevalence of portable
devices, such as iPads, and their
connections on valves, pumps, how does
AREVA ensure that malicious information
is not uploaded?
The industry has worked diligently
to apply additional protections and
controls when it comes to portable media,
e.g. virus and malicious code scanning
technology. There are strict requirements
imposed by licensees to make sure that
their internal and external teams follow
the appropriate procedures that provide
assurance that portable devices do not
have any malicious attributes that could
negatively impact plant performance.
6.
Does AREVA do any remote
monitoring?
AREVA protects all information
acquired in the support of our engagement
per industry procedures, standards and
accepted best practices. The security of
all information is a vital component to
AREVA being an approved supply within
the nuclear industry.
7.
With cybersecurity being such a
new field, how does AREVA recruit
experienced personnel? What training
resources does AREVA have?
AREVA continues to team with
academia to create a steady pipeline
of talented young professionals that
