Nuclear Power plants - Instrumentation and control systems - Use of formal security models for I&C security architecture design and assessment

IEC TR 63415:2023 provides an overview of the formalized modelling and design of cybersecure architectures used to enforce I&C system cybersecurity at NPPs. The plant-specific risk assessment can use the techniques covered by this TR. This document considers the complex problem of NPP I&C architecture synthesis and addresses the following issues:
- asset classification,
- assignment of barrier measures,
- conformity of information transfers and links with the security requirements.
This document provides guidance on creating a comprehensive security model applicable to NPP I&C systems. The model describes the NPP I&C cybersecurity architecture and aids in accomplishing the main tasks of secure I&C system design, which are:
- specification of system designs with increased determinism that enhance security,
- mapping of the security requirements onto the security architecture of the I&C system,
- definition of the security requirements for information exchange between components within the I&C system, operators and other systems,
- assistance in determining the security degree assignment with a model-based technique that considers asset properties and formal grouping of the assets,
- design and establishment of security zone boundaries.

General Information

Status: Published
Publication Date: 29-Aug-2023
Current Stage: PPUB - Publication issued
Start Date: 20-Jul-2023
Completion Date: 30-Aug-2023
Ref Project:
Buy Standard

Technical report
IEC TR 63415:2023 - Nuclear Power plants - Instrumentation and control systems - Use of formal security models for I&C security architecture design and assessment. Released: 8/30/2023
English language
56 pages

Standards Content (Sample)


IEC TR 63415
Edition 1.0 2023-08
TECHNICAL REPORT
Nuclear Power plants – Instrumentation and control systems – Use of formal security models for I&C security architecture design and assessment

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Secretariat
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
info@iec.ch
www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform
The advanced search enables to find IEC publications by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and withdrawn publications.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and once a month by email.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: sales@iec.ch.

IEC Products & Services Portal - products.iec.ch
Discover our powerful search engine and read freely all the publications previews. With a subscription you will always have access to up to date content tailored to your needs.

Electropedia - www.electropedia.org
The world's leading online dictionary on electrotechnology, containing more than 22 300 terminological entries in English and French, with equivalent terms in 19 additional languages. Also known as the International Electrotechnical Vocabulary (IEV) online.
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 27.120.20 / ISBN 978-2-8322-7340-1

– 2 – IEC TR 63415:2023 © IEC 2023
CONTENTS
FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 I&C system security life cycle and security modelling activities
6 Description of a typical NPP I&C system
7 Security requirements and security architecture
7.1 General framework
7.2 Integrated security model
7.3 Basics of the information exchange model (DM)
7.4 Basics of the security model (SLM)
7.5 Basic principles of the secure design
7.6 Asset ranking and ordering
7.7 Information property of the asset
7.8 Security degrees concept and security architecture
7.9 Establishing a relation between the data model and the security model
8 Procedure of I&C security modelling
8.1 General
8.2 General approach to asset classification
8.3 Security degree assignment and the analysis of model conformance
8.4 Classification in hierarchical systems
9 Case study of I&C security architecture synthesis
9.1 General
9.2 Definition of the security model
9.3 Selecting the detail level in system analysis
9.4 Asset classification
9.5 Identification and initial classification of assets
9.6 Data model
9.7 Analysis of the model and synthesis of architecture
9.8 Assessment of the modified security architecture
10 NPP cybersecurity simulation for security assessment of I&C systems
11 Conclusion
Annex A (informative) Data model
Annex B (informative) Security model definition (SLM)
Annex C (informative) Justification of the secure by design principle
Annex D (informative) Mapping of security and data model
Annex E (informative) Formal approach to asset clustering and classification
E.1 Input data types and the choice of data representation for the analysis
E.2 Order relation on a security graph
E.3 Data renormalization
E.4 Criteria and clustering method
Annex F (informative) Some algorithmic aspects for security architecture synthesis
Annex G (informative) Asset classification using clustering method: an example
Annex H (informative) Mathematical notations in the integrated security model
H.1 Integrated cybersecurity model, ICM
H.2 Model of information exchange, DM
H.3 Allowed transformation of a security graph
H.4 Relationship of secure information transfer between two assets
H.5 Relationship of simple information transfer between two assets
H.6 Asymmetric operations between two assets
H.7 Access rules model
H.8 Relationship of simple information transfer between security degrees
H.9 Relationship of secure information transfer between security degrees
H.10 Operator R of mapping between two models
Bibliography

Figure 1 – Structure of a typical I&C system
Figure 2 – Procedure of security architecture synthesis
Figure 3 – I&C information model with subsystem hierarchy (left) and without it (right)
Figure 4 – Simplified information model of security (secure relations between degrees are shown by dashed lines)
Figure 5 – General security graph for I&C subsystem without taking into account security controls. The borders show boundaries for the workstation, server and gate subsystems.
Figure 6 – Changes in the security graph for I&C subsystem when the OS_WS asset is targeting allocation to a separate zone. The edges belonging to the minimal cut are shown with bold lines.
Figure 7 – General view of the security graph for I&C subsystem, taking into account security controls for OS assets. The security degree structure is shown in a) and the zone structure is shown in b). Degrees and zones are shown in a solid rectangle. The degree is numbered.
Figure 8 – Changes in the security graph for I&C subsystem when server assets are targeting allocation to a separate zone from the workstation. The edges belonging to the minimal cut are highlighted with bold lines.
Figure 9 – General representation of the security graph for a practical I&C subsystem, taking into account all assigned security controls for the assets. The security degree structure is shown in a) and the zone structure is shown in b). The degrees and zones are shown in solid rectangles. The degrees are numbered.
Figure 10 – General scenario of use of the digital twin for stress tests
Figure D.1 – Sketch of link transformation. Red and orange arrows mean secure information transfer, black arrows mean “common” information transfer.
Figure D.2 – Example of domains of connectivity in a graph – Here the graph splits into three domains
Figure G.1 – Security graph of the system in the information exchange model
Figure G.2 – Transitive closure of the security graph by the relation w
Figure G.3 – Asset partitioning by security degrees

Table 1 – I&C life cycle stages and corresponding scenarios for the use of security modelling
Table 2 – List of assets of a typical control system channel and IS target characteristics
Table 3 – Information security characteristics for assets in the architecture of an I&C subsystem
Table A.1 – Correspondence of the physical properties of I&C systems with the properties of the security graph
Table E.1 – NPP I&C asset properties
Table F.1 – Computational methods for analyzing the security graph
Table G.1 – Table of attributes
Table G.2 – Partition of the assets into security degrees

INTERNATIONAL ELECTROTECHNICAL COMMISSION

NUCLEAR POWER PLANTS – INSTR
...
