DESC0023776
Project Grant
Overview
Grant Description
Bayesian attack detection and recommendation of actions for operational response.
Awardee
Grant Program (CFDA)
Awarding Agency
Funding Agency
Place of Performance
Cambridge,
Massachusetts
02138-4555
United States
Geographic Scope
Single Zip Code
Related Opportunity
Charles River Analytics was awarded Project Grant DESC0023776 worth $199,963 from the Office of Science in July 2023 with work to be completed primarily in Cambridge, Massachusetts, United States. The grant has a duration of 1 year and was awarded through assistance program 81.049 Office of Science Financial Assistance Program. The Project Grant was awarded through grant opportunity FY 2023 Phase I Release 2.
SBIR Details
Research Type
SBIR Phase I
Title
Bayesian Attack Detection and Recommendation of Actions for Operational Response (BAD REACTOR)
Abstract
C56-40h-273244 Nuclear power plants have historically relied on analog systems for control and operations; however, due to the aging nature of these systems and the fact that many of their components are no longer manufactured, nuclear power plant operators are increasingly replacing these legacy control systems with modern digital operational technology systems. This greater degree of connectivity leads to challenges protecting these systems from cyberattacks. One such challenge is the difficulty in providing specific and actionable information about an attack to analysts or operators. Modern intrusion detection systems may be able to detect that an attack is occurring but can struggle with high false positive rates and often do not provide easily digestible information that an analyst or an operator needs to effectively respond to an active threat. Two factors compound this issue: (1) nuclear power operational technology systems have unique architectures and use diverse and potentially proprietary protocols, making general cybersecurity solutions for information technology infeasible to apply, and (2) any cybersecurity solution must not interfere with the normal operations of the nuclear power plant. Ensuring that nuclear power operational technology systems are secure is critical to maintain correct and safe operating conditions for nuclear power plants. Similarly, responses need to be fast and reliable to avoid potentially disastrous consequences. This proposal will result in a cyberattack detection and inference solution for nuclear power plant operational technology systems that provides actionable feedback to security personnel, allowing for faster attack classification and response times. The solution will run on its own device, interfacing with the control system architecture in a way that avoids interfering with normal activity. 
The solution will also run an anomaly detection framework that provides the evidence of an anomaly to an engine that uses systemic functional grammars, a concept from computational linguistics, to represent the attack space. The engine will use the evidence provided by the anomaly detection component to probabilistically determine what attack is currently ongoing, the most likely alternatives, and recommended mitigations. The engine will then send appropriate information to reactor operators and security personnel, who can take the steps necessary to remediate the attack. Under Phase I, a feasibility analysis of each of the solution’s software components will be performed. By accessing a subcontractor’s subject matter expertise and reactor facility to obtain normal operating data from a research reactor, as well as attack data from a simulated reactor control system and then building upon the data to build a demonstration of the solution, our feasibility analysis will show: (1) data ingestion and transformation, (2) ensemble anomaly detection, (3) a systemic functional grammar–based attack inference engine, (4) attack evidence to attack class mapping, and (5) mitigation recommendations. Phase II will consist of integrating the software component with hardware and integrating the full device with a physical system for testing. The proposed approach offers significant commercial benefit, not only because of its leading-edge anomaly detection component, but because the grammar engine can interface with any anomaly detection capabilities. This means the attack mapping engine can be extended to other anomaly detection solutions. The ability to support ground attack classification using probabilistic evidence allows for higher confidence in detected attack vectors, permitting more concrete mitigation recommendations. These capabilities will lead to better actionable cyber intelligence solutions across the power generation sector.
Topic Code
C56-40h
Solicitation Number
DE-FOA-0002903
Status
(Complete)
Last Modified 7/31/23
Period of Performance
7/10/23
Start Date
7/9/24
End Date
Funding Split
$200.0K
Federal Obligation
$0.0
Non-Federal Obligation
$200.0K
Total Obligated
Additional Detail
Award ID FAIN
DESC0023776
SAI Number
None
Award ID URI
SAI EXEMPT
Awardee Classifications
Small Business
Awarding Office
892430 SC CHICAGO SERVICE CENTER
Funding Office
892401 SCIENCE
Awardee UEI
DD1BYN8SN355
Awardee CAGE
9W641
Performance District
MA-05
Senators
Edward Markey
Elizabeth Warren
Budget Funding
Federal Account | Budget Subfunction | Object Class | Total | Percentage |
---|---|---|---|---|
Science, Energy Programs, Energy (089-0222) | General science and basic research | Grants, subsidies, and contributions (41.0) | $199,963 | 100% |
Modified: 7/31/23