Development, Distribution and Maintenance of Application Security Controls for Nuclear

The generic concept of Security Controls, as initially deployed in the information security domain, is gradually used in other business domains, including industrial security for critical infrastructure and cybersecurity of nuclear safety I&C. A Security Control, or less formally, a security countermeasure can be any organizational, technical or administrative measure that helps in reducing the risk imposed by a cybersecurity threat. The new IAEA NST036 lists more than 200 such countermeasures. NIST SP800-53 Rev. 4 contains about 450 pages of security countermeasure descriptions, which are graded according to three levels of stringency. In order to facilitate and formalize the process of developing, precisely describing, distributing and maintaining more complex security controls, the Application Security Controls (ASC) concept is introduced by the new ISO/IEC 27034 multipart standard. An ASC is an extensible semi-formal representation of a security control (e.g. XML or JSON-based), which contains a set of mandatory and optional parts as well as possible links to other ASCs. A set of Application Security Controls may be developed by one company and shipped together with a product of another company. ISO/IEC 27034-6 assumes that ASCs are developed by an organization or team specialized in security and that the ASCs are forwarded to customers for direct use or for integration into their own products or services. The distribution of ASCs is supported and formalized by the Organization Normative Frameworks (ONF) and Application Normative Frameworks (ANF) deployed in the respective organizational units. The maintenance and continuous improvement of ASCs is facilitated by the ONF Process and ANF Process. This paper will explore the applicability of these industry standards based ASC lifecycle concepts for the nuclear domain in line with IEC 62645, IEC 62859 and the up-coming IEC 63096. It will include results from an ongoing bachelor thesis and master thesis, mentored by two of the authors, as well as nuclear specific deployment scenarios currently being evaluated by a team of cybersecurity PhD candidates.