DocumentCode :
1797190
Title :
High assurance cybersecurity plan templates for nuclear facilities: Two-dimensional layering of mutually orthogonal security controls for a high-assurance cybersecurity protection of critical computer-based systems in the post-Stuxnet era
Author :
Zavarsky, Pavol
Author_Institution :
Inf. Syst. Security Manage., Concordia Univ., Edmonton, AB, Canada
fYear :
2014
fDate :
10-12 Nov. 2014
Firstpage :
40
Lastpage :
44
Abstract :
The paper provides insight into two high-assurance cybersecurity plan templates for nuclear facilities, namely the templates of NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010. The two cybersecurity plan templates were developed to assist the nuclear industry in complying with the legal requirements of Title 10 of the U.S. Code of Federal Regulations, Section 73.54. The regulation requires adequate protection of digital computer and communication systems and networks in nuclear facilities. Regarding compliance with the regulatory requirement, the paper discusses the concept of orthogonality in a two-dimensional layering of security controls as a way to deal more effectively with the sophisticated, targeted and persistent threats of the post-Stuxnet era. Selected components of the Stuxnet attack scenario are used to illustrate that two-dimensional layering of security controls makes each layer of the defense-in-depth protection more robust against both intentional and unintentional compromise. The paper also illustrates that, due to recent changes in the cyber threat environment and advances in security protection, the cybersecurity plan templates of NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010 can be viewed as templates developed for incomplete initial threat conditions.
Keywords :
nuclear engineering; security of data; NEI 08-09 Rev.6:2010; NRC RG 5.71:2010; critical computer-based systems; high assurance cybersecurity plan templates; nuclear facilities; nuclear industry; orthogonal security; post-Stuxnet era; security protection; Authorization; Malware; NIST; Power generation; Robustness; NEI 08-09 Rev.6:2010; NIST SP 800-53 Rev.3:2010; NIST SP 800-53 Rev.4:2013; NIST SP 800-82 Rev.2:2014; NRC RG 5.71:2010; Title 10 CFR 73.54; cybersecurity controls; cybersecurity plan; defense-in-depth; orthogonality of controls; security assurance;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Society (i-Society), 2014 International Conference on
Conference_Location :
London
Type :
conf
DOI :
10.1109/i-Society.2014.7009007
Filename :
7009007