Nuclear Cybersecurity

SAIC is conversant in and has current experience with the operations and systems of nuclear power plants, with conducting Nuclear Energy Institute (NEI) 08-09-based cybersecurity assessments, and with identifying and implementing the corresponding remediation activities.


A Clear Understanding of NRC Requirements

SAIC understands the fundamental challenge set forth by the Nuclear Regulatory Commission (NRC) 10 CFR 73.54 and the Nuclear Energy Institute (NEI) 08-09 approaches to cybersecurity. We recognize the difficulty in moving from a risk-based cybersecurity assessment (NEI 04-04, Cyber Security Program for Power Reactors, November 2005 guidance) to the new, deterministic approach laid out by the National Institute of Standards and Technology (NIST) controls-based cybersecurity program and adopted by NEI 08-09. A clear understanding and interpretation of these new requirements is paramount to success.

SAIC's Nuclear Industry and Engineering Expertise

SAIC's capabilities bring together cybersecurity domain knowledge in the utility industry, nuclear power experience, and plant and information technology (IT) knowledge. We have a history of providing ongoing IT and engineering services to utilities and energy companies for more than 15 years. Our experience includes industry-leading experts in the cybersecurity controls and compliance arena, physical nuclear security, and nuclear engineering work packages and workflow. Our intimate understanding of common nuclear industry asset management applications allows us to leverage existing critical digital asset (CDA) information repositories.

The Cyber Security Assessment Team — "Compliance as a Discipline"

SAIC has significant experience in performing complete security compliance programs across all manner of domains, including North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), NIST Special Publication (SP) 800-53, Federal Information Processing Standard (FIPS), and Federal Information Security Management Act (FISMA). We believe that a sound assessment methodology, the right assessment tools, and cybersecurity experts with deep nuclear industry domain experience are foundational tenets for successful compliance assessment. Our proven methodology for program establishment, team training, and assessment and governance procedures provides efficient, timely and accurate program execution throughout the assessment and compliance life cycle. We will establish and build a cybersecurity assessment team from our pool of expert and nuclear-intelligent engineers and consultants with a diverse skill set from the following areas: cybersecurity, computer and software systems, networked communications, digital instrumentation, nuclear plant engineering and nuclear industry-specific operations knowledge.

The Cyber Security Assessment Team — "Tools and Approach"


NIST Cybersecurity Documentation and the SDLC

This diagram shows the NIST documentation to be referenced in developing all standardized and technical cybersecurity training materials.

SAIC will bring tools, procedures, utilities and checklists, all developed over the years following extensive use in the field. Part of our analysis approach uses advanced quantitative analytic tools and techniques, including a variant of failure mode and effects modeling using cyber-attack trees. This approach is scenario- and use case-driven and leverages our domain expertise in nuclear generating stations, both advanced boiling water reactor and pressurized water reactor plants.

SSEP Threat Vector Analysis

This diagram illustrates the threats targeting the SSEP (Safety, Security and Emergency Preparedness) functionality in an advanced boiling water reactor.

Our cyber-attack-tree-enabled threat vector analysis approach facilitates the identification of tractable opportunities to consolidate or minimize modifications to control implementation in a manner that fully supports the existing cybersecurity procedures, including probabilistic risk assessment procedures, which may already be in place at plants.

Providing Assessment Results and Solid Actionable Recommendations for Remediation

Following assessment, SAIC will provide detailed assessment results and perform vulnerability analyses of any identified control gaps. We will make recommendations for remediation and closing the control gaps for the affected CDAs, and create solid, affirmative recommendations for alteration to infrastructure, applications, and architecture for compliance. Our recommendations will define and help drive the changes that need to be made for overall compliance with 10 CFR 73.54.

Success Starts Today

SAIC is a world leader in critical infrastructure security. SAIC leads efforts to map standard approaches to cybersecurity to challenging non-IT domains, including nuclear power, transmission and distribution, oil and gas pipelines, platforms, and refineries. In each area, clearly applying standard principles to unique environments is the key to success. With a vision for the future and an understanding of the nuclear industry, SAIC understands energy and helps our clients protect it.