Abstract

Probabilistic risk assessment (PRA) based on event- and fault-tree analyses has long been a popular and powerful technique for formulating system- and plant-level risk scenarios in high-hazard facilities [1]. Event- and fault-tree-based PRA is commonly performed in the nuclear industry using tools like Systems Analysis Programs for Hands-on Integrity Reliability Evaluation (SAPHIRE) [2] or the Computer Aided Fault Tree Analysis System (CAFTA) [3]. Often, the goal of a PRA effort is to assess the risk of events having high consequences to the public or the environment. In such a case, the fault-tree and event-tree analyses in a PRA mostly focus on initiating events and system and component failures that would result in such consequences. However, a much broader spectrum of consequences is possible in principle from cyber-attack: a computer system could be exposed to an attack that leads to disruption, financial loss or other damage to the system and its organization. Cyber-attack is not only a major threat to businesses but has recently affected infrastructure utilities. In a nuclear power plant, the potential consequences of cyber-attack may range from an inconvenience to unplanned reactor shutdowns or to plant damage, or (in principle) worse; but the low-consequence end of this accident spectrum is not typically addressed using PRA models. Hence it is important to better understand, and minimize the risk of, cyber-attacks in nuclear power plants (NPPs). The proven fault-tree analysis methodology holds strong promise for a comprehensive, robust, scalable, and efficient assessment of cyber-attack scenarios in NPPs. This paper presents a fault-tree-based formulation for a cyber-attack scenario in a water flow loop composed of flow controllers and pumps, controlled via manual controls, wired signals and wireless signals, that is susceptible to cyber-attack. The fault-tree analysis technique is applied to a variety of cyber-attacks that may result in system failure. The analysis provides a comprehensive picture of the attack scenarios and an exhaustive list of attack pathways that are critical for causing system failure, paving the way for formulating strategies for cyber-attack prevention analysis.
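As an added illustration that is not part of the paper, the following constructed fault tree for a hypothetical flow loop shows how minimal cut sets enumerate the attack pathways the abstract refers to, and flags single-point pathways; the gate structure, event names and probabilities are assumptions, not the paper's model.

```python
from itertools import product
from math import prod

# Constructed fault tree (assumed, not from the paper). Basic events are strings;
# gates are (kind, [children]) tuples with kind "AND" or "OR".
# Top event: loss of flow in the loop.
TREE = ("OR", [
    "PUMP_HW_FAIL",                                   # random pump hardware failure
    ("AND", [                                         # bad command reaches pump AND no manual recovery
        ("OR", ["WIRED_SIGNAL_SPOOFED", "WIRELESS_SIGNAL_SPOOFED"]),
        ("OR", ["OPERATOR_MISSES_ALARM", "MANUAL_CONTROL_TAMPERED"]),
    ]),
])

# Assumed per-demand probabilities for the basic events (constructed values).
PROB = {
    "PUMP_HW_FAIL": 1e-3,
    "WIRED_SIGNAL_SPOOFED": 1e-4,
    "WIRELESS_SIGNAL_SPOOFED": 5e-3,
    "OPERATOR_MISSES_ALARM": 1e-1,
    "MANUAL_CONTROL_TAMPERED": 1e-3,
}

def cut_sets(node):
    """All cut sets (frozensets of basic events) whose joint occurrence fails `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":                                  # any child failing fails the gate
        return set().union(*child_sets)
    if kind == "AND":                                 # one cut set from every child, combined
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate kind {kind!r}")

def minimal_cut_sets(node):
    """Keep only cut sets with no proper subset among the others (minimal pathways)."""
    sets = cut_sets(node)
    return {s for s in sets if not any(o < s for o in sets)}

def rare_event_top_probability(mcs, prob):
    """Rare-event approximation: sum over minimal cut sets of the product of event probabilities."""
    return sum(prod(prob[e] for e in cs) for cs in mcs)

def single_point_pathways(mcs):
    """Size-one cut sets: a single failed or compromised element defeats the system."""
    return sorted(next(iter(cs)) for cs in mcs if len(cs) == 1)

if __name__ == "__main__":
    mcs = minimal_cut_sets(TREE)
    for cs in sorted(mcs, key=lambda s: (len(s), sorted(s))):
        print(" AND ".join(sorted(cs)))
    print("single-point pathways:", single_point_pathways(mcs))
    print(f"top-event probability ~ {rare_event_top_probability(mcs, PROB):.3e}")
```

Adding a redundant branch such as an AND gate that repeats an event already present as a single-event cut set leaves the minimal cut sets unchanged, which is how the minimization step separates critical pathways from superfluous ones.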
