Name: IEC/TR 63486 Ed. 1.0 en:2024 PDF
Published Date: 09/01/2024
Status: Active
Publisher: International Electrotechnical Commission - Technical Report
IEC 62645 [1] provides a cybersecurity framework for digital I&C programmable systems. IEC 62645 [1] aligns strongly with the information security management system (ISMS) elements detailed within ISO/IEC 27001:2013 [2]. The “I&C digital programmable system security programme” (as defined in 5.2.1 of IEC 62645:2019 [1]) aligns with the ISMS programme.
The framework for this programme assigns security degrees (SD) to I&C systems and EPS and defines cybersecurity requirements based upon these SDs. The assignment of an SD corresponds heavily to the safety categorization of IEC 61513 [3] and IEC 61226 [4].
IEC 62645 [1] does not provide detailed guidance on risk management. The only guidance outlined in IEC 62645:2019 [1] is in 5.4.3.2.2.4, and it states that ISO/IEC 27005 [5] “provides a generic framework for information security risk assessment, but the specific implementation methodology is up to the organization, depending on its organizational, industrial, and regulatory context.”
IEC 62645:2019 [1] also references risk in 5.4.3.2.2.5, stating:
“The specific risk assessment methodologies and tools shall be identified and kept up to date. Risk re-assessments shall be performed periodically throughout the whole life cycle of the I&C systems, when modifications to the system occur and when changes to the threat landscape are identified, such as new threats or new vulnerabilities that can affect the installed I&C programmable digital system. The number of potential threats and vulnerabilities usually increases with progress from stand-alone to interconnected systems.”
In recent years, there have been advances in NPP cybersecurity risk management nationally and internationally. For example, the International Atomic Energy Agency (IAEA) publications Nuclear Security Series (NSS) 17-T [6] and NSS 33-T [7] propose a framework for computer security risk management that implements a risk management programme at both the facility and individual system levels. These international approaches (i.e., IAEA), national approaches (e.g., Canada’s HTRA [8]) and technical methods (e.g., HAZCADS [9], Cyber Informed Engineering [10], EBIOS [11] [12]) have advanced risk management within NPP cybersecurity programmes that implement international and national standards.
The scope of this document is to capture the national and international cyber-risk approaches employed to manage cybersecurity risks associated with Instrumentation and Control (I&C) and Electrical Power Systems (EPS) at a Nuclear Power Plant (NPP).
| Field | Value |
| --- | --- |
| Edition | 1.0 |
| File Size | 1 file, 3.4 MB |
| ISBN(s) | 9782832293805 |
| Note | This product is unavailable in Russia, Belarus, Ukraine, Canada |
| Number of Pages | 164 |
| Published | 09/01/2024 |