Regulatory-based development processes for software security in nuclear safety systems

Abstract

Historically, nuclear computer-based safety systems are operated in isolated environments. They have long been considered immune to cyber (or malicious) attacks for the past decade. Unfortunately, both academic research and practical experience have indicated that this is misplaced confidence. The move to using software and digital products such as pre-developed software, Commercial Off-The-Shelf (COTS) products, and open standards such as Ethernet and TCP/IP allows malicious insiders and unintended virus writers to take advantage of the ignorance in the industry. The result is a growing number of security incidents that affect the safety of nuclear power plants and the progress of nuclear-related industries. Facing the new security crisis, the nuclear regulator issued the new security regulation for the specific features of nuclear computer-based systems in 2006. Therefore, nowadays, it is a great challenge for nuclear developers to comply with regulatory security requirements. In this article, we propose platform-independent development processes, which merge with existing software project management. In addition, UML notations are adopted to describe security processes, which are intended to enhance the communication between regulators and developers.