This document provides a framework to manage the interactions between safety and cybersecurity for nuclear power plant (NPP) systems, taking into account the current SC 45A standards addressing these issues and the specifics of nuclear I&C programmable digital systems.
NOTE In this document (as in IEC 62645), cybersecurity relates to prevention of, detection of, and reaction to malicious acts perpetrated by digital means (cyberattacks). In this context, it does not cover considerations related to non-malevolent actions and events such as accidental failures, natural events or human errors (except those degrading cybersecurity). Those aspects are of course of prime importance but they are covered by other SC 45A documents and standards, and are not considered as cybersecurity related in this document.
This document establishes requirements and guidance to:
– integrate cybersecurity provisions in nuclear I&C architectures and systems, which are fundamentally tailored for safety;
– avoid potential conflicts between safety and cybersecurity provisions;
– aid the identification and the leveraging of the potential synergies between safety and cybersecurity.
This document is intended to be used for designing new NPPs, or modernizing existing NPPs, throughout the I&C programmable digital systems lifecycle. It is also applicable for assessing the coordination between safety and cybersecurity of existing plants. It may also be applicable to other types of nuclear facilities.
This document addresses I&C programmable digital systems important to safety and I&C programmable digital systems not important to safety. It does not address programmable digital systems dedicated to site physical security, room access control and site security surveillance.
This document is limited to I&C programmable digital systems of NPPs, including their on-site maintenance and configuration tools.
Annex A provides a rationale for and comments about the scope definition and the document application, in particular about the exclusions and limitations previously mentioned.
This document comprises three normative clauses:
• Clause 5 deals with the overall I&C architecture;
• Clause 6 focuses on the system level;
• Clause 7 deals with organizational and operational issues.