Info: The site is under development. The complexity of the security graph and/or the methods available for its analysis may be restricted depending on the available resources (current limit: 50 edges).

Requirements to formal security models for NPP I&C

extracted from: Promyslov Vitaly, International Conference on Computer Security in a Nuclear World: Expert Discussion and Exchange, IAEA Headquarters, Vienna, Austria, 1–5 June 2015 (with the author's kind permission)
In order for organizations to enact significant Information Security (IS) measures for Nuclear Power Plant Instrumentation and Control (NPP I&C), those measures must be derived from an effective set of security policies. Security policies are non-formalized descriptions, presented as expectations and requirements, for controlling IS beyond the system itself. They are built on the risk analysis of the organization operating the NPP. Once the risk analysis has been carried out and a protection strategy determined, a program is composed whose implementation is intended to inform the IS measures [1]. This means that security policies are unique to each protected facility, since they take into account the particularities of the installation, including the rules and preferences of its owner, the specific threats to the installation and the requirements of the acting regulators. However, given the unique manufacturing cycle of NPPs, the use of homogeneous components for building NPP I&C (sensors, data networks, computers, Supervisory Control and Data Acquisition (SCADA) systems) and the common tasks covered by NPP I&C (equipment control, archive maintenance, operator interface, etc.) permit organizations to develop and employ a common template for a typical NPP I&C security policy. Such a template allows a typical NPP I&C security policy to be applied to different installations, enabling a uniform approach to analysing the effectiveness of security policies.
The existence of security policies does not, however, guarantee the security of the I&C IS, even when they are implemented as required. Several factors affect the vulnerability of the I&C IS, including: the use of a non-formal definition of the security policy, which permits various interpretations of the IS policy guidelines; the considerable complexity of the systems, involving numerous objects, subjects and relationships relevant to the IS; and the existence of internal contradictions or incompleteness in the security policies. Internal contradictions are manifested, for instance, in mutual subordination (loops). Incompleteness of security policies creates additional challenges for the implementation of required technological procedures; specifically, such policies cannot be implemented so as to ensure that key individuals have access to the components they are meant to protect. In order to implement effective security policies, one should adopt formal descriptions within a formal (analytical) security model, which allows mathematical verification [2]. Because of their more compact description, formal IS models make it possible to reveal the security requirements, as well as the key characteristics of the environment, at the level of detail necessary for the security context. At present there is a variety of models for the formal description of security policies, but they are generalizations and combinations of three classes of security model: discretionary, mandatory and role-based access models. There are as yet no commonly recognized formal security models of I&C for NPP. The models indicated were integrated with other knowledge and technologies from the military and banking sectors and imported into the sphere of I&C IS.
Now, the community has reached an understanding of the distinctions between the goals of IS for I&C and the IS goals of the banking and military sectors, and has taken into account the particularities of the I&C architecture that differentiate it from information and computer systems. Particularities of the NPP I&C architecture include [4]:
  • The existence of both physical and logical bounds;
  • The impact of information ties on facilities;
  • Real-time requirements; and
  • The availability of special requirements on nuclear and technological safety.
The primary requirements for applying formal security models to the NPP I&C IS are:
  • The adoption of a hierarchical system of security levels (LS);
  • The ability to describe the zone partition of the LS along logical and physical bounds;
  • The transparent classification of components within the model with respect to nuclear and technological safety;
  • The support of mixed IS goals (the Bell-LaPadula model and the Biba model [5]);
  • Operation with the time required to access an object;
  • The priority application of the Biba model (which prioritizes integrity over confidentiality).
This research justifies the proposed requirements and identifies a class of formal security models to be considered, which could, after their adaptation, meet the indicated requirements.
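As an added illustration (not code from the paper or from this site), the following Python sketch encodes two of the points above: an access check that combines the Bell-LaPadula and Biba rules over a hierarchical set of security levels, evaluating Biba first so that integrity takes priority, and a detector for the mutual-subordination loops named above as a sign of internal contradiction in a policy. The level names, entities and "reports to" edges are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed illustration, not the paper's model. Higher number = higher level.
LEVELS = {"public": 0, "internal": 1, "restricted": 2, "safety": 3}

@dataclass(frozen=True)
class Entity:
    name: str
    conf: str    # Bell-LaPadula confidentiality level
    integ: str   # Biba integrity level

def check_access(subject, obj, mode):
    """Return (allowed, reason); Biba is evaluated before BLP (integrity first)."""
    sc, oc = LEVELS[subject.conf], LEVELS[obj.conf]
    si, oi = LEVELS[subject.integ], LEVELS[obj.integ]
    if mode == "read":
        if si > oi:   # Biba: no read down (low-integrity data may not flow up)
            return False, "biba: read of lower-integrity object"
        if sc < oc:   # BLP simple security: no read up
            return False, "blp: read of higher-confidentiality object"
    elif mode == "write":
        if si < oi:   # Biba: no write up
            return False, "biba: write to higher-integrity object"
        if sc > oc:   # BLP *-property: no write down
            return False, "blp: write to lower-confidentiality object"
    else:
        raise ValueError(f"unknown access mode {mode!r}")  # fail closed
    return True, "ok"

def find_subordination_loop(edges):
    """Return a cycle in the (subordinate, superior) relation, or None."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, [])
    state, path = {}, []   # state: node -> "open" (on current path) | "closed"
    def dfs(n):
        state[n] = "open"
        path.append(n)
        for m in graph[n]:
            if state.get(m) == "open":          # back edge: mutual subordination
                return path[path.index(m):] + [m]
            if m not in state and (loop := dfs(m)):
                return loop
        path.pop()
        state[n] = "closed"
        return None
    for n in graph:
        if n not in state and (loop := dfs(n)):
            return loop
    return None
```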


  • [1] IEC/TS 62443-1-1:2009, Terminology, concepts and models.
  • [2] United States Department of Defense Standard 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria, 1985.
  • [3] Bell, D. E. and LaPadula, L. J., Secure Computer Systems: Mathematical Foundations, MITRE Technical Report 2547, Volume I, March 1973.
  • [4] IAEA Nuclear Security Series No. 17, Computer Security at Nuclear Facilities, STI/PUB/1527, 2011.
  • [5] Biba, K. J., Integrity Considerations for Secure Computer Systems, MTR-3153, The MITRE Corporation, April 1977.
