Systematic development of scenarios caused by cyber-attack-induced human errors in nuclear power plants

Abstract

The digitalization of the instrumentation and control (I&C) systems in nuclear power plants has increased the threat from cyber-attack. This paper addresses cyber-attack vulnerability from potential attacks on non-safety I&C systems that result in a hazardous plant status. In safety-critical applications such as nuclear power plants, safety systems are separated and isolated from non-safety systems by design. Cyber-attacks on the non-safety systems can however escalate into plant safety threats by inducing wrong operator actions. We focus here on the operator actions that lead to the unavailability of the safety system and cause the failure of accident mitigation. In this study, the effect of safety system unavailability on plant safety is carefully modeled by using n conventional fault tree (FT) analyses, and human actions are analyzed based on emergency operating procedures. Based on the results of the FT analyses in combination with human action analyses, we suggest a novel method to systematically develop cyber-attack propagation scenarios, where a cyber-attack is linked to its consequences. As a case study, the feed-and-bleed operation is analyzed with the developed FT, producing multiple scenarios that lead to core damage. The results of this study are expected to be useful in establishing preventive measures