October 7-9, I attended the International Electrotechnical Commission (IEC) TC45A meetings on nuclear plant instrumentation & control (I&C) systems. I thought the following items were important to note:
- The current focus of IEC TC45A Working Group (WG) A9 on I&C cyber security standards are malicious attacks with unintentional incidents excluded. The reason for the exclusion is unintentional incidents have been viewed as operator errors which are addressed in other standards and not cyber vulnerabilities inherent in the design of some I&C equipment. These types of cyber vulnerabilities are NOT being addressed elsewhere. I hope there will be a reconsideration on inclusion of unintentional incidents based on this information as unintentional cyber incidents can, and have, affected nuclear plant safety.
- There was still a tendency of WGA9 to focus on the IEC-27000 series of standards which are IT-focused rather than IEC-62443 which is control system-focused. Given that, there is a liaison relationship being established between IECTC45 WG A9 and IECTC65 WG10 (non-nuclear I&C cyber security).
- I had an opportunity to address IEC TC45A WG11 on electrical equipment (not cyber security) about Aurora. There was a lack of understanding of Aurora other than what was in the infamous CNN tape. After providing an explanation to the group, it didn’t take long for these experts on electrical equipment to understand the real issues Aurora presents. This includes Aurora affecting equipment such as switchgear and emergency diesels. It is not clear the approach being taken by the US nuclear utilities will be adequate to address Aurora.
- TC45A WGA9 is developing requirements for addressing electromagnetic impacts on electrical equipment such as inverters, uninterruptible power supplies (UPS) and intelligent electronic devices. I believe this work can be of value to the non-nuclear electric industry.