44
NuclearPlantJournal.com Nuclear Plant Journal, May-June 2016
interpretation and application of cyber
security controls is essential to provide
high assurance that these critical digital
assets are protected against cyber attack
up to and including design basis events. A
successful cyber security program ensures
that these assets are not compromised
and that they do not challenge plant
safety systems or the utility’s ability to
implement its radiological emergency
program. The cyber security assessment
tool developed by TVA not only ensures
standard application of the assessment
methodology across the fleet, it also
standardizes the application of the
cyber security controls to all digital
assets within the scope of the NRC
and OMB programs. Furthermore, the
assessment tool ensures consistency in
the development of remediation actions
to address identified vulnerabilities
and consistent documentation of the
assessment results. The consistency the
tool provides decreases the likelihood
of human performance errors during
the assessment process. TVA’s cyber
security assessment tool is an industry
leading program that provides the logic,
rules, methodology, documentation,
remediation plans, and assessment
structure necessary to protect the plant’s
critical digital assets.
Cost Savings
Use of the assessment tool enabled
TVA to assess approximately 5,200,000
Critical Digital Asset (CDA) - control
interactions over a period of 42 weeks
(6 weeks per unit). This effort included
development of remediation actions and
documentation of the assessment results.
Based on an 8 person assessment team
working 50 hours/week at an average
labor cost of $60/hour, the cost of
assessing all 7,800 CDAs for the TVA
nuclear fleet was approximately $1
million. Other utilities have reported
vendor quotes in the $25 - $30 million
range for cyber security assessments of
this scope and projected durations more
than double this time.
Successful implementation of a
cyber security program depends on the
consistent interpretation and application
of cyber controls to Critical Digital
Assets. The cyber security assessment
tool developed by TVA provides that
consistency. Ensuring consistent
implementation of the cyber controls
reduces the likelihood of a cyber attack.
The cost avoidance per cyber attack is
expected to range between $200,000 and
$1,000,000 depending upon the extent of
the exploitation. Costs associated with a
cyber attack include the mobilization of
an Incident Response Team, the time to
perform and document the evaluation,
eradication of the malware and/or
implementation of remediation actions
as appropriate, and the recovery of the
Critical Digital Asset and plant system to
its proper configuration.
It also considers the costs of
responding to inquiries by regulating
bodies including NRC, OMB, and the
Department of Homeland Security
(DHS).
In addition to reducing the
probability of incurring cyber events
and the significant costs associated with
responding to them, the cyber security
assessment tool provides plant personnel
with information about the digital assets
installed in plant systems that facilitates
ongoing system maintenance by
providing information on the connectivity
of these devices. The tool also provides
data that supports security alert reviews.
Innovation
TVA is unique in the nuclear power
industry having to meet the cyber security
requirements of two federal agencies, the
NRC and OMB.
The TVA-developed cyber security
assessment tool efficiently integrates
these requirements into one assessment
process. What makes this tool unique
is that it incorporates the logic, rules,
and strategies necessary to streamline
the evaluation of over 5 million asset-
cyber control interactions. It ensures
that the cyber security assessment
process is implemented consistently
across TVA’s nuclear fleet. It helps
ensure that TVA interprets and applies
the cyber security controls consistently
from one operating unit to the next. At
the time the assessment process and the
assessment tool were developed, there
was no commercially available product
that integrated the requirements, the
implementation strategies, data, network
connectivity, and assessment results
(remediation actions) into a single tool.
TVA leads the industry in this area.
Productivity/Efficiency
The time savings meant that plant
personnel assigned to the assessment
Cyber Security Assessment System.
Cyber Security...
