Nuclear facilities - Instrumentation, control and electrical power systems - Cybersecurity risk management approaches

IEC TR 63486:2024 provides a cybersecurity framework for digital I&C programmable systems [2]. IEC 62645 [1] aligns strongly with the information security management system (ISMS) elements detailed within ISO/IEC 27001:2013 [2]. The ISO/IEC ISMS structure corresponds to the “I&C digital programmable system cybersecurity program” in the context (as defined in 5.2.1 of IEC 62645:2019 [1]).
The scope of this document is to capture the national and international cyber-risk approaches employed to manage cybersecurity risks associated with Instrumentation and Control (I&C) and Electrical Power Systems (EPS) at a Nuclear Power Plant (NPP).
This document summarizes an evaluation of cyber-risk approaches that are in use by nuclear facility operators to manage cybersecurity risks.
The scope of this document generally follows the exclusions of IEC 62645, which are:
- Non-malevolent actions and events such as accidental failures, human errors (except those stated above, such as impacting the performance of cybersecurity controls), and natural events. In particular, good practices for managing applications and data, including backup and restoration related to accidental failure, are out of scope.
This document summarizes key insights of the international and cyber-risk approaches used at NPPs regarding the application of ISO/IEC 27005:2018 [5]. The evaluation is based on 11 challenges to cybersecurity risk management and their applicability to NPP risk management. The challenges are detailed in Clause 7. This document also relates the risk management elements of IEC 62645 and IEC 63096.

General Information

Status: Published
Publication Date: 12-Sep-2024
Current Stage: PPUB - Publication issued
Start Date: 19-Jul-2024
Completion Date: 13-Sep-2024

Technical report
IEC TR 63486:2024 - Nuclear facilities - Instrumentation, control and electrical power systems - Cybersecurity risk management approaches (ISBN: 9782832293805)
English language
160 pages

Standards Content (Sample)


IEC TR 63486 ®
Edition 1.0 2024-09
TECHNICAL
REPORT
Nuclear facilities – Instrumentation, control and electrical power systems –
Cybersecurity risk management approaches
ICS 27.120.20; 27.100 ISBN 978-2-8322-9380-5
CONTENTS
FOREWORD
INTRODUCTION
1 Scope
1.1 General
1.2 Framework
1.3 Limitations
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 IEC 62645 risk management elements
5.1 General
5.2 Assignment of security degrees in the management of risk
5.3 Safety correlation
6 NPP cyber risk management challenges and analyses
6.1 General
6.2 Challenge 1: Aggregate risk of multiple units / locations
6.3 Challenge 2: Complexity of interdependencies and interactions
6.4 Challenge 3: Incident likelihood determination
6.5 Challenge 4: Unknown or lacking sufficient detail for pre-developed components
6.6 Challenge 5: Differences in cyber-risk management
6.7 Challenge 6: Lack of abstract analysis methods
6.8 Challenge 7: Uncertainty in vulnerability / Susceptibility analysis
6.9 Challenge 8: Adversary characterization uncertainty
6.10 Challenge 9: Excessive information volume
6.11 Challenge 10: Lack of a common and comprehensive risk management process
6.12 Challenge 11: Advanced security capabilities incompatibility
7 Cyber-risk approaches versus challenges by ISO/IEC 27005
7.1 General
7.2 ISO/IEC 27005:2018, 7.1 General considerations
7.2.1 Summary
7.2.2 Applicable challenges
7.2.3 Summary of key approaches
7.2.4 Cross-reference table (Table 4)
7.3 ISO/IEC 27005:2018, 7.2 Basic criteria
7.3.1 Summary
7.3.2 Applicable challenges
7.3.3 Key approaches
7.3.4 Cross-reference table (Table 6)
7.4 ISO/IEC 27005:2018, 7.3 Scope and boundaries
7.4.1 Summary
7.4.2 Applicable challenges
7.4.3 Key approaches
7.4.4 Cross-reference table (Table 8)
7.5 ISO/IEC 27005:2018, 7.4 Organization for information security risk management
7.5.1 Summary
7.5.2 Applicable challenges
7.5.3 Key approaches
7.5.4 Cross-reference table (Table 10)
7.6 ISO/IEC 27005:2018, 8.1 General description of information security risk assessment
7.6.1 Summary
7.6.2 Applicable challenges
7.6.3 Key approaches
7.6.4 Cross-reference table (Table 12)
7.7 ISO/IEC 27005:2018, 8.2 Risk identification
7.7.1 Summary
7.7.2 Applicable challenges
7.7.3 Key approaches
7.7.4 Cross-reference table (Table 14)
7.8 ISO/IEC 27005:2018, 8.3 Risk analysis
7.8.1 Summary
7.8.2 Applicable challenges
7.8.3 Key approaches
7.8.4 Cross-reference table (Table 16)
7.9 ISO/IEC 27005:2018, 8.4 Risk evaluation
7.9.1 Summary
7.9.2 Applicable challenges
7.9.3 Key approaches
7.9.4 Cross-reference table (Table 18)
7.10 ISO/IEC 27005:2018, 9.1 General description of risk treatment
7.10.1 Summary
7.10.2 Applicable challenges
7.10.3 Key approaches
7.10.4 Cross-reference table (Table 20)
7.11 ISO/IEC 27005:2018, 9.2 Risk modification
7.11.1 Summary
7.11.2 Applicable challenges
7.11.3 Key approaches
7.11.4 Cross-reference table (Table 22)
7.12 ISO/IEC 27005:2018, 9.3 Risk retention
7.12.1 Summary
7.12.2 Applicable challenges
7.12.3 Key approaches
7.12.4 Cross-reference table (Table 23)
7.13 ISO/IEC 27005:2018, 9.4 Risk avoidance
7.13.1 Summary
7.13.2 Applicable challenges
7.13.3 Key approaches
7.13.4 Cross-reference table (Table 25)
7.14 ISO/IEC 27005:2018, 9.5 Risk sharing
7.14.1 Summary
7.14.2 Applicable challenges
7.14.3 Key approaches
7.14.4 Cross-reference table (Table 27)
7.15 ISO/IEC 27005:2018, Clause 10 Information security risk acceptance
7.15.1 Summary
7.15.2 Applicable challenges
7.15.3 Key approaches
...
