Name:
IEC/TR 63415 Ed. 1.0 en:2023 PDF
Published Date:
08/01/2023
Status:
Active
Publisher:
International Electrotechnical Commission - Technical Report
This TR provides an overview of the formalized modelling and design of cybersecure architectures for I&C system cybersecurity enforcement at NPPs. A plant-specific risk assessment can use the techniques covered by this TR.
Formal security models are often used in the analysis and design of I&C security architectures. A formal security model is a mathematical notation, such as algebra, set theory or logical expressions, that defines the security properties of a system and the relationships between its components. It provides a rigorous way to reason about the security of a system and to identify potential vulnerabilities and threats.
This document considers the complex problem of NPP I&C architecture synthesis to address particular issues:
• asset classification,
• barrier measures assignment,
• conformity of information transfers and links with security requirements.
This document provides guidance on creating a comprehensive security model applicable to NPP I&C systems that describes NPP I&C cybersecurity architecture and aids in accomplishing the main tasks of I&C system secure design, which are:
• specification of system designs with increased determinism that enhance security,
• mapping of the security requirements into the security architecture of the I&C system,
• definition of the security requirements for information exchange between components within the I&C system, operators and other systems,
• assistance in the determination of the security degree assignment with a model-based technique considering asset properties and formal grouping of the assets,
• design and establishment of security zones boundaries.
These tasks are closely related to the I&C NPP security framework established by IEC 62645 [2] and implement the Secure by Design (SeBD) principle [3].
This document has the following limitations. The presented security modelling methods rely on the following properties of the I&C system:
a) the system is built upon a hierarchical principle; the hierarchy exists both at the level of the functional system architecture (subsystems, software and hardware components, etc.) and at the security architecture level (degrees and zones);
b) the focus is on preserving integrity, which prevails over the principle of maintaining confidentiality;
c) the availability property and any time-related behaviour are out of the scope of this document;
d) the notion of a “secure” communication or a “secure” barrier in this document generally does not define the exact mechanism (controls) by which the secure property is achieved; it just assumes that an appropriate set of security controls is implemented in situ;
e) the approach takes into account the existing nuclear safety classification scheme [7].
In addition to a general consideration of the I&C system security, several assumptions about properties of the I&C system have been made to facilitate the analysis, namely:
• the set of the assets is fixed and stable over a long period of time;
• peer-to-peer relations between assets are fixed and known;
• technological/functional requirements are determined.
Users of the presented methods are expected to be familiar with the basics of graph theory, discretionary access models, and the documents listed in Clause 2.
Specific software tools implementing the presented methods ease the demands on the users’ mathematical background.
| Edition : | 1.0 |
| File Size : | 1 file , 2 MB |
| ISBN(s) : | 9782832273401 |
| Note : | This product is unavailable in Russia, Belarus, Ukraine, Canada |
| Number of Pages : | 60 |