Cyber Security of FPGA-Based NPP I&C Systems: Challenges and Solutions


Authors: Vyacheslav Kharchenko, Andriy Kovalenko, Anton Andrashov, Alexander Siora

This paper presents an overview of the state of the art of the cyber security assurance problem for Field Programmable Gate Array (FPGA)-based Nuclear Power Plant (NPP) Instrumentation and Control (I&C) systems. It starts from an analysis of regulatory documents that cover various aspects of NPP I&C systems development and operation, FPGA technology implementation, and cyber security assessment and assurance in the context of safety as a whole, in order to reveal the most significant problems. Then the paper briefly describes a process- and product-oriented approach to the analysis of FPGA-based NPP I&C system cyber security. In addition, the paper proposes a technique for cyber security assessment that covers FPGA-based NPP I&C systems life cycle processes, products, and appropriate requirements. The proposed technique is based on Gap Analysis (GA) and Intrusion Modes and Effects Criticality Analysis (IMECA) procedures, and is applicable to complex I&C systems, including safety-critical FPGA-based I&C systems. Elements of the GA-and-IMECA assessment procedure are described. As an example, the proposed approach and technique are illustrated with some results of cyber security assessment for NPP I&C systems developed on the basis of the FPGA-based platform RadICS (Research and Production Corporation Radiy).

1.0 Introduction

FPGA technology is now widely used by industry worldwide, from simple and portable personal devices to complex safety-related I&C systems for NPPs. Various functions, including NPP I&C system control functions important for safety, are conveniently implemented on the basis of FPGA technology [1, 2]. Existing regulatory documents for NPP I&C systems are tailored to the requirements and limitations of pre-FPGA technologies.
Additionally, a number of existing regulatory documents address safety issues related to software applications running on standard platforms, such as personal computers or embedded hardware platforms. Given the FPGA's dual nature, being both hardware and software, and its inherent complexity, there is a need for FPGA-specific regulatory documents that would address issues such as system safety assessment, design life cycle, verification and validation, configuration management, documentation requirements, etc. [3]

There are several challenging problems in the area of cyber security assurance for complex FPGA-based I&C systems. Such problems include the following:

- consideration of all the possible vulnerabilities that can appear in the product (I&C system or its components) due to process discrepancies during previous stages of the product life cycle;
- prioritization of such vulnerabilities according to their criticality and severity;
- determination of both sufficient and cost-effective countermeasures either to eliminate identified (or even possible) vulnerabilities or to make the vulnerabilities difficult for an adversary to exploit.

In our opinion, inaccurate evaluation of the actual level of a vulnerability's criticality and severity (and of the security of the system as a whole) is one of the main challenges and can cause additional efforts, costs and an undesirable level of risk. One possible way to consider all the possible security vulnerabilities of a complex I&C system is to use a process-product approach. Such an approach requires assessments not only of products (components of the I&C system received at different life cycle stages), but also of all the processes within the product life cycle. The goal of the paper is to analyze regulatory and assessment issues regarding FPGA-based NPP I&C systems and to propose an approach and a technique for assessment.

The rest of the paper is organized as follows. Section 2 contains the results of an analysis of modern regulatory documents and derives short conclusions. Section 3 briefly discusses approaches to analysis and assurance of FPGA-based NPP I&C system cyber security, taking into account possible vulnerabilities of FPGA technology and the points of their insertion within the life cycle. Section 4 presents an IMECA-based approach to assessment of FPGA-based NPP I&C systems cyber security, including a description of the corresponding activities and parameters. Section 5 focuses on the concept of cyber security assurance for FPGA-based NPP I&C systems. Finally, Section 6 contains conclusions and briefly outlines future work.

2.0 Analysis of Regulatory Documents

Assurance of cyber security for I&C systems used in NPPs is a very important and complex problem. Modern reality requires hardening of security, both in terms of requirements and in the implementation of such requirements. To date, basic regulatory documents have been developed that cover various aspects in the areas of FPGA, NPP I&C systems, and security. Regulatory documents in these areas try to form a basis for developing secure (and reliable) I&C systems that are capable of assuring their intended functions (safety, security, etc.) throughout their life cycle.
Regulatory documents pose general requirements and state the position and role of the appropriate regulatory bodies. Existing regulatory documents can be divided into the following categories (see Fig. 1):

- regulatory documents related to NPP I&C systems;
- regulatory documents related to FPGA technology;
- regulatory documents related to security.

Fig. 1 shows some of the existing standards and regulatory documents that correspond to the categories mentioned above.

[Figure 1. A classification of existing regulatory documents. Areas: NPP I&C Systems, Security, FPGA Technology. Legend: Direct Relation, Partial Relation, Coverage of Trend Area.]

2.1 Regulatory Documents Related to NPP I&C Systems

In this category, one of the most important documents is a Committee Draft of IEC [4]. This document presents an approach to establishing requirements and providing guidance for the development and management of effective security programs for NPP I&C systems and for the implementation of a life cycle for I&C system security, and briefly describes the main security controls. Modern standards such as the ISO/IEC [5], [6] and [7] are not directly applicable to the cyber protection of NPP I&C systems due to their specificities, including the regulatory and safety requirements inherent to NPPs. The focus of IEC is on requirements for computer security programs and system development processes in order to prevent and/or minimize the impact of attacks against computer-based systems. This standard is based on the ISO/IEC standards series and implies that any International Atomic Energy Agency and country-specific guidance can expand the area of the standard. IEC is limited to the security of NPP I&C systems and is intended to be used when modernizing existing NPPs and when designing new nuclear power plants, throughout the life cycle.

2.2 Regulatory Documents Related to FPGA Technology

There are no existing regulatory documents that are specific about FPGA design practices. The first referenced document in this category is NUREG/CR 7006 [1], which was prepared by the US Nuclear Regulatory Commission (NRC) and represents an attempt to cover the existing gap. This document is comprehensive guidance for the NRC staff to confirm that FPGA-based safety systems are in conformance with the actual NRC regulations (moreover, some FPGA-specific review procedures and acceptance criteria during an NRC-friendly licensing process can be based on this document). The document follows on from the investigation of existing regulatory documents and standards related to design and review of safety-related FPGA systems. NUREG/CR 7006 describes various specific features of FPGA technology, including design practices, which are classified into three major groups: FPGA hardware design practices, FPGA design entry methods, and FPGA design methodologies. The document focuses on listing and describing FPGA design practices that are potentially unsafe, as well as on suggesting which ones are acceptable for safety-critical designs. Additionally, the document outlines a design life cycle that could be used by the designers and the reviewers of FPGA-based safety systems.
Also, NUREG/CR 7006 presents the results of a survey of FPGA design guides and experience relevant to NPP application, as well as search results for technical standards related to FPGA design. The next two regulatory documents in this category (EPRI TR [8] and EPRI TR [9]) were prepared by the Electric Power Research Institute (EPRI) in order to assist utilities in understanding, evaluating, and applying FPGA technology in NPP I&C systems and to address the use of FPGA technology in retrofits to operating NPPs and in new NPP designs. These documents discuss advantages and limitations of FPGA technology on the basis of experience and lessons learned from previous applications, and provide guidance on planning and conceptual design of modifications employing FPGA technology and on specifying and selecting FPGA-based systems; guidance on designing an FPGA application is also included, addressing the full life cycle of requirements, design, verification, and validation.

2.3 Regulatory Documents Related to Security

This category is represented by IEC [10]. This document focuses on activities applied to Hardware Description Language (HDL)-based integrated circuits (i.e. developed with HDL and related software tools) within an I&C system development project. In particular, it covers the following aspects:

- an approach to specify the requirements of, to design, to implement and to verify HDL-based integrated circuits, and to handle the corresponding aspects of system integration and validation;
- an approach to analyze and select the blank integrated circuits, microelectronic technologies and Pre-Developed Blocks used to develop HDL-based integrated circuits;
- procedures for the modification and configuration control of HDL-based integrated circuits;
- requirements for selection and use of software tools used to develop HDL-based integrated circuits.
Therefore, it is possible to conclude that existing regulatory documents represent an evolving area of regulatory requirements, try to cover their intended areas without sufficient consideration of related ones, and should be more detailed in terms of appropriate approaches and their relationship with the technologies. At present, the problem of cyber security assessment and assurance for FPGA technology as a whole, and for application of the technology in NPP I&C systems in particular, is not comprehensively solved due to several objective reasons. One such reason is insufficiently structured regulatory documents, both local and international: there is no special branch standard that covers cyber security aspects of FPGA-based NPP I&C systems. Moreover, there are no strict interdependencies between the above regulatory documents, their coverage is insufficient, and the problem of their branch customization is still challenging.

3.0 Process- and Product-Oriented Analysis of FPGA-Based NPP I&C System Cyber Security

3.1 Approach to Analysis of FPGA-Based NPP I&C Systems Cyber Security

An analysis of FPGA-based NPP I&C systems cyber security should be performed prior to its assurance. In general, such analysis should include:

- defining the boundaries of a system (or security perimeter);
- identification of security-critical assets within the system;
- identification of vulnerabilities and appropriate security weaknesses.

Moreover, comprehensive analysis of cyber security should be both process- and product-oriented, i.e. performed for both the I&C system and the corresponding development processes. In terms of product, i.e. the NPP I&C system in our case, cyber security weaknesses are represented by a set of vulnerabilities introduced during implementation of design activities and specific to both the technologies used in the product and the way they are implemented in the product. Vulnerabilities of an NPP I&C system can be exploited by an adversary to carry out a cyber attack against the system in order to compromise or degrade its intended functions. In terms of processes, e.g. implementation of processes during development, operation and maintenance of an I&C system and its components, there can be discrepancies (or gaps) in appropriate procedures that can result in intended or unintended introduction of vulnerabilities into the product (or its components).

3.2 Analysis of Factors that Cause Vulnerabilities for FPGA Technology

FPGA technology is the alternative to microprocessor technologies and, particularly, to programmable logic devices and application-specific integrated circuits.
The physical representation of an FPGA is a semiconductor device (or chip) that can be (re)programmed in accordance with customers' requirements. FPGA technology assumes two necessary components: the FPGA chip, which is a part of the hardware and should be qualified against hardware qualification testing requirements, and the FPGA electronic design, which is a set of statements in HDL and should be verified against functional requirements. Application of FPGA technology in NPP I&C systems provides several benefits related to the absence of executable software, high performance of the system, parallel operation of control algorithms, etc. As of today, it is possible to identify a number of factors that can cause vulnerabilities in FPGA technology, which can then be used in cyber attacks against FPGA-based systems, including NPP I&C systems. Such attacks, if successfully carried out against FPGA technology, can result in:

- modification of the system's hardware that can potentially result in reading and/or distortion of confidential and/or critical information due to the system's malfunction;
- addition of unintended functionality (for example, using development tools) to a system;
- stealing of intellectual property.

In modern FPGA-based NPP I&C systems, FPGA chips are assembled into (or even form the basis for) various hardware components (modules) of a system. Vulnerabilities of FPGA technology can arise unintentionally, or can be introduced by an adversary using various means during different stages of the FPGA-based I&C system life cycle (see Fig. 2), including:

1. stages implemented by the FPGA chip vendor:
   - a stage of FPGA chip design (Stage 1);
   - a stage of FPGA chip manufacturing (Stage 2);
   - a stage of FPGA chip packaging and testing (Stage 3);
2. stages implemented by the I&C system developer:
   - a stage of development of the FPGA electronic design (which describes the I&C system's logic) for integration into the FPGA chip (Stage 4);
   - a stage of FPGA electronic design implementation and testing (Stage 5);
3. a stage implemented by the user of the I&C system:
   - a stage of operation and maintenance of the FPGA-based I&C system at its intended site (Stage 6).

For all the stages, the following factors can lead to intended or unintended introduction of vulnerabilities into an FPGA-based I&C system:

- use of malicious tools (EDA tools or CAD tools) either during FPGA chip design by a vendor or during FPGA electronic design development by an I&C system developer;
- use of compromised devices during integration of the developed FPGA electronic design into the FPGA chip by an I&C system developer;
- use of IP-cores from third-party vendors during development of the FPGA electronic design by an I&C system developer;
- the presence of adversaries (insiders) in development teams.

Assurance of cyber security for FPGA technology is a complex and open-ended problem that should involve all the parties implementing appropriate activities within the whole life cycles of both the FPGA chip and the FPGA-based I&C system: the FPGA chip vendor, the I&C system developer, and the user of the FPGA-based I&C system. Moreover, the objective of cyber security assurance for FPGA-based I&C systems should be addressed at various levels of hierarchy within each of those I&C systems, from FPGA chips assembled into printed circuit boards to the system's components inside specific locations, since each of the levels can contain specific hardware or software vulnerabilities, which can potentially affect the whole I&C system. FPGA chip vendors can contribute to FPGA-based NPP I&C systems cyber security assurance by decreasing the number of possible vulnerabilities of FPGA technology through the following tasks:

- providing protection of their own design and technology against reverse engineering, copying or modification;
- providing the customers with FPGA electronic design security means, which can be applied during development, operation and maintenance of FPGA-based I&C systems.
One additional problem can arise due to the fact that some FPGA chip vendors do not have their own manufacturing capacity: after the design of an FPGA chip (which includes application of tools for design automation) is developed, they place orders for chip manufacturing with appropriate foundries. Such foundries can introduce additional vulnerabilities into FPGA chips, for example, by stealing or modifying the FPGA design during the chip manufacturing process. Hence, manufacturing foundries play an important role in assurance of cyber security and in protecting FPGA chips from probable vulnerabilities. Moreover, the supply chain of manufactured FPGA chips from vendor to customer is usually traceable and can be audited; this, however, does not reduce its importance from the point of view of the cyber security assurance problem for FPGA technology.

Most of the life cycle stages of the FPGA chip and the FPGA-based I&C system are implemented using software tools. Such tools are usually used during design of printed circuit boards for FPGA chips, in development of FPGA electronic designs, and during simulations. Hence, developers of tools for design automation play a key role in assurance of cyber security for FPGA technology and, in turn, can introduce new vulnerabilities into the FPGA-based I&C systems being developed.

Some vulnerabilities can be introduced into FPGA-based I&C systems by their designers through the use of IP-cores in the FPGA electronic design. An IP-core is a completed functional description intended for integration into the FPGA electronic design being developed. IP-cores can be either in the form of modules for HDLs or in the form of compiled netlists. IP-cores are used by designers to save resources and time. IP-cores can be produced by the FPGA chip vendor or by third-party vendors, and, in order to assure cyber security of the FPGA-based I&C system, it is necessary to facilitate safe distribution and integration of such IP-cores by designers of I&C systems.

[Figure 2. Life cycle stages of FPGA chip and FPGA-based I&C systems with potential vulnerabilities. Parties: FPGA Chip Vendor, FPGA Chip Foundry, FPGA Chip Packaging Facility, I&C System Development, I&C System User. Stage 1: Design Files, Software Flow, EDA Tools, Mask Files. Stage 2: Mask Files, Fabrication Process, FPGA Wafer. Stage 3: Packaging Process, FPGA Chip, Acceptance Testing, Tested FPGA Chip. Stage 4: Specification & Design, System Synthesis (RTL), IP Cores, Logic Synthesis, Physical Synthesis, CAD Tools, FPGA Electronic Design. Stage 5: Integration, Testing, FPGA Chip with Implemented Electronic Design. Stage 6: Operation & Maintenance. Legend: Process, Component, Tool, Coverage, Vulnerability.]

4.0 IMECA-Based Technique for Assessment of FPGA-Based NPP I&C Systems Cyber Security

In order to improve the level of cyber security of FPGA-based NPP I&C systems and ensure their intrusion tolerance, it is necessary to assess the majority of possible intrusion modes, their causes and the resulting influence on the system. For this purpose we propose an approach that uses a modification of the standardized FMEA (Failure Modes and Effects Analysis) technique [11] called IMECA (Intrusion Modes, Effect and Criticality Analysis) [12].

4.1 An Overview of IMECA

Failure Mode, Effects and Criticality Analysis (FMECA) is an extension of the standard formalized technique called Failure Mode and Effects Analysis (FMEA), which is used for systems reliability analysis and is devoted to the specification of failure modes, their sources, causes, criticality, and influence on system operability [11]. Failure modes are the ways, or modes, in which something might fail. Failures are any errors or defects in the form of deviations from normal operation that can affect the customer; they can be potential (can happen in the future) or actual (have already happened). Effects analysis refers to studying the consequences of those failures. In addition, FMECA extends FMEA by including a criticality analysis, which is used to chart the probability of failure modes against the severity of their consequences. In the FMEA technique, all possible failures are prioritized according to the severity of their consequences, their frequency and their detectability. The technique is used during design stages in order to avoid failures in a system being developed. During subsequent stages it can also be used for the purposes of process control. The general purpose of the FMEA technique is to take actions to eliminate or reduce possible failures. IMECA (Intrusion Modes and Effects Criticality Analysis) is a modification of the FMECA technique that takes into account possible intrusions into the system [12].
During assessment of FPGA-based NPP I&C systems, IMECA can be used instead of or in addition to standardized FMECA for safety-related domains, because each vulnerability can become a failure in the case of intrusion into such systems [13, 14]. Nevertheless, FMECA and IMECA are not the only methods for complex systems failures and risks analysis, and we have chosen IMECA on the basis of our expert assessment only.

4.2 Threats for FPGA Technology

First, we briefly discuss threats for FPGA technology. At the present time, there is a limited number of potentially probable modes of cyber attacks for FPGA technology, a list of which, along with their short description, is given below.

1. Black Box: An adversary inputs all possible combinations to the FPGA chip and registers the output states. Such an approach provides a potential possibility of reverse engineering the FPGA electronic design integrated into the chip. In practice this approach is extremely hard to implement for systems with complex logic.

2. Read-Back: The attack is based on a potential possibility of reading the FPGA chip configuration, usually via the JTAG interface used in most FPGAs for debugging. Recently, FPGA vendors have improved the measures protecting access to the chip configuration to resist such attacks.

3. Cloning: In SRAM FPGA chips, the configuration file is stored in a nonvolatile memory outside the FPGA chip, which makes it quite easy to retrieve the bitstream while the configuration is being loaded into the FPGA and to clone the FPGA electronic design of the chip afterwards. The only variant of protection against this threat is encrypting the bitstream during its transmission from the nonvolatile memory to the FPGA, which has already been implemented in most modern FPGAs. Therefore, the strength of the applied cipher is an open-ended question.

4. Physical attack against SRAM-based FPGAs: The objective of such an attack is to obtain information concerning the physical structure of the FPGA chip by studying specific areas in the chip. Such attacks usually target FPGA parts that are inaccessible through input-output channels. Instruments based on a focused ion beam, which allow the FPGA structure to be inspected, are used for the attack. It is rather difficult to implement such an attack due to the complexity of the required equipment; besides that, some technologies (for example, Antifuse and Flash), which have their own restrictions, significantly complicate this mode of attack.

5. Side-Channel: Such an attack uses specifics of the system's physical implementation in order to obtain information concerning power consumption, execution time and electromagnetic fields, allowing an adversary to obtain power, time and/or electromagnetic signatures, which, in turn, can expose information about the underlying implementation. Hence, in order to implement a side-channel attack, it is required to solve the task of obtaining such signatures and the task of processing them to obtain the required results. The tasks of collecting and processing such information are rather nontrivial; however, there are known complex techniques requiring only several measurements to attack a system.

Data Analysis is a logical continuation of a read-back attack or a side-channel attack, as data obtained from these attacks are considered as noise. The fact that an adversary has obtained such data does not guarantee the possibility of recovering the original FPGA electronic design, but makes it probable.

The stage that logically follows the read-back attack (or cloning attack) is Reverse Engineering. It allows, for example, discovering the data structure used by the manufacturer, in order to decrypt the FPGA configuration. Application of the reverse engineering technique is characterized by a quite high percentage of successful completion.

4.3 Proposed Technique

Now we can discuss a technique for assessment of FPGA-based NPP I&C systems cyber security, as well as the activities necessary to implement it on the basis of the IMECA technique. The idea behind this approach can be expressed by the following sequence of activities:

Step 1: Identification of security gap lists in the form of a formal description for all the I&C system's components (or system modules) during each life cycle stage of those systems. Such lists should include both process and product cyber security gaps.
Step 2: Determination of the appropriate vulnerability(ies) for each identified security gap and of possible scenarios to exploit the identified vulnerabilities. (In other words, for each identified vulnerability it is required to create a particular IMECA table that reflects attack mode, attack nature, attack cause, occurrence probability, effect severity, type of effects and appropriate countermeasures.)

Step 3: Performance of security GA, based on the IMECA technique: each security gap (identified during Step 1) is represented by one or several rows in a particular IMECA table, where the number of such rows corresponds to the number of appropriate vulnerability(ies) identified during Step 2. GA should be performed in order to reveal the appropriate cyber security risks.

Step 4: Assessment of the appropriate columns (occurrence probability and effect severity) in each particular IMECA table on the basis of expert evaluation. Each row of such a particular IMECA table thus represents security weakness(es), which should be analyzed further (during Step 6) in the context of the whole I&C system.

Step 5: Integration of all the particular IMECA tables into a single final IMECA table in order to analyze the cyber security risks of the whole I&C system.

Step 6: Assessment of the cyber security risks of the I&C system: each row of the final IMECA table forms the basis for creating a global security criticality matrix, which reveals the weaknesses of the whole I&C system in a visual form. The highest cyber security risk corresponds to the highest row in the global security criticality matrix.

In order to illustrate the proposed technique we present the results of its application to the attack modes possible in FPGA technology (see Table 1). Such attacks are applicable to FPGA-based NPP I&C systems during Stage 6 (see Fig. 2).

Table 1. Results of IMECA for FPGA attacks

Row 1
  Mode: Black Box
  Nature: Active
  Cause: Simple logic of electronic design
  Occurrence probability: Very Low
  Effect severity: Very Low
  Type of effect: Reverse engineering of logic by adversary
  Countermeasures: Complication of electronic design logic

Row 2
  Mode: Readback
  Nature: Active
  Cause: Absence of chip security and/or availability of physical access to chip interface (for example, JTAG)
  Occurrence probability: Moderate
  Effect severity: High
  Type of effect: Obtaining of secret information by adversary
  Countermeasures: The use of security bit; application of physical security controls

Row 3
  Mode: Cloning
  Nature: Active
  Cause: Storing of decoded configuration
  Occurrence probability: Moderate
  Effect severity: High
  Type of effect: Obtaining of configuration data by adversary
  Countermeasures: Checking of chip's internal ID before powering up an electronic design; encoding of configuration file; storing of configuration file within FPGA chip (requires internal power source)

Row 4
  Mode: Physical
  Nature: Active
  Cause: Absence of monitoring of physical parameters (voltage, temperature, clock frequency) of environment and chip
  Occurrence probability: Low
  Effect severity: Moderate
  Type of effect: Obtaining of information concerning patented algorithms by adversary
  Countermeasures: Decreasing memory retention effect; monitoring of physical parameters (voltage, temperature, clock frequency) of environment and chip

Row 5
  Mode: Side-Channel
  Nature: Active
  Cause: Correlation of physical measurable chip parameters with its function
  Occurrence probability: High
  Effect severity: High
  Type of effect: Leak of undesirable information
  Countermeasures: Addition of random noise in physically measurable chip parameters (or masking of information by random values); decrease of difference in power consumption; changing of electronic design logic (or duplication of architecture)

5.0 Assurance of Cyber Security for FPGA-Based NPP I&C Systems

To decrease the risks of successful cyber attack implementation, we propose a three-step procedure. The first step is the creation of a criticality matrix based on the results of the proposed IMECA-based approach. The second step consists in the selection of a set of applicable countermeasures, and the third step is the choice of a subset of specific countermeasures in order to decrease the risks of intrusion into the FPGA-based NPP I&C system to an acceptable value and to minimize the costs of their purchase, implementation and maintenance.

The criticality matrix corresponding to Table 1 is depicted in Fig. 3a. Each of the numbers inside the matrix represents the corresponding row number of the IMECA table. From the cyber security assurance point of view, the possible way of risk reduction is to decrease the occurrence probability of attacks, since the related damage is constant. Fig. 3b represents a worst-case criticality diagonal for the matrix; acceptable values of risk are below the diagonal. The cases of decreasing probability for rows 2, 3, and 5 are denoted by dotted lines with arrows: the problem is to decrease the probability by a degree sufficient to move a row of the IMECA table below the criticality diagonal.
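The matrix construction of Step 6 and the probability-reduction reasoning above can be worked through on the five rows of Table 1. The following is an added example, not code from the paper or from any RadICS tooling. It assumes a five-level ordinal scale on both axes, takes the criticality diagonal to be the anti-diagonal of the 5x5 matrix, and ranks risks by damage first; all function and class names are hypothetical.

```python
"""Added example: criticality matrix built from the IMECA rows of Table 1."""
from dataclasses import dataclass

# Ordinal scale used on both axes of the matrix, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
RANK = {name: i + 1 for i, name in enumerate(LEVELS)}

# ASSUMPTION: the "worst-case criticality diagonal" is the anti-diagonal of
# the 5x5 matrix, i.e. cells where rank(probability) + rank(severity) == 6.
# A risk is treated as acceptable only strictly below it.
DIAGONAL = len(LEVELS) + 1


@dataclass(frozen=True)
class ImecaRow:
    row: int
    mode: str
    probability: str  # occurrence probability (expert estimate, Step 4)
    severity: str     # effect severity (expert estimate, Step 4)


# Probability and severity of rows 1-5 as given in Table 1.
TABLE_1 = [
    ImecaRow(1, "Black Box", "Very Low", "Very Low"),
    ImecaRow(2, "Readback", "Moderate", "High"),
    ImecaRow(3, "Cloning", "Moderate", "High"),
    ImecaRow(4, "Physical", "Low", "Moderate"),
    ImecaRow(5, "Side-Channel", "High", "High"),
]


def build_matrix(rows):
    """Map (severity, probability) cells to the IMECA row numbers in them."""
    matrix = {}
    for r in rows:
        if r.probability not in RANK or r.severity not in RANK:
            raise ValueError(f"row {r.row}: unknown level")
        matrix.setdefault((r.severity, r.probability), []).append(r.row)
    return matrix


def is_unacceptable(r):
    """True when the row sits on or above the criticality diagonal."""
    return RANK[r.probability] + RANK[r.severity] >= DIAGONAL


def required_probability(r):
    """Highest probability level that places the row below the diagonal.

    Severity (damage) is held constant, as in the text. Returns None when no
    probability level is low enough, which happens for Very High damage.
    """
    max_rank = DIAGONAL - 1 - RANK[r.severity]
    if max_rank < 1:
        return None
    return LEVELS[min(max_rank, RANK[r.probability]) - 1]


def risk_order(rows):
    """Row numbers from highest to lowest risk.

    ASSUMPTION: damage is compared first, then probability, matching a
    matrix whose top row is the highest damage level.
    """
    def key(r):
        return (-RANK[r.severity], -RANK[r.probability], r.row)
    return [r.row for r in sorted(rows, key=key)]


def render(rows):
    """Text matrix: damage rows (top = highest), probability columns."""
    matrix = build_matrix(rows)
    width = max(len(name) for name in LEVELS) + 2
    header = "DAMAGE \\ PROBABILITY".ljust(22)
    lines = [header + "".join(p.ljust(width) for p in LEVELS)]
    for sev in reversed(LEVELS):
        cells = [",".join(map(str, matrix.get((sev, p), []))) or "."
                 for p in LEVELS]
        lines.append(sev.ljust(22) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(TABLE_1))
    for r in TABLE_1:
        if is_unacceptable(r):
            print(f"row {r.row} ({r.mode}): reduce probability from "
                  f"{r.probability} to {required_probability(r)}")
    print("risk order:", risk_order(TABLE_1))
```

Under these assumptions the rows flagged as unacceptable are 2, 3 and 5, the same rows the text singles out for probability reduction.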

10 10 In terms of FPGA-based NPP I&C systems, such decreasing of the probability can be achieved, for example, by implementation of certain process countermeasures during implementation of development processes for FPGAbased NPP I&C systems; during operation and maintenance stage (see Fig. 2), assurance of cyber security can be achieved through choice and implementation of specific countermeasures (for example, a list of countermeasures can be derived from NEI [15] ) on the basis of results of proposed approach application. Figure 3 Criticality matrices PROBABILITY PROBABILITY Very High High Moderate Low Very Low Very High High Moderate Low Very High Very High 5 5 High 2,3 High 2,3 DAMAGE Moderate 4 DAMAGE Moderate 4 Low Low Very Low 1 Very Low A B 6.0 Conclusion A problem of NPP I&C systems cyber security assessment is still challenging due to the complexity of such systems and different nature of their components. The assessment of FPGA-based I&C systems is impossible without consideration of all the specific features for all the technologies used. In this paper we discussed some problems related to assessment of security aspects of FPGA-based NPP I&C systems. To assure cyber security of modern complex NPP I&C systems, as well as to decrease a probability of vulnerabilities exploitation and appearance of security weaknesses, a cyber security assessment approach is proposed. This approach implies conducting of GA, based on identification of all possible vulnerabilities, on the basis of product and life cycle processes, and their assessment via application of IMECA technique. Moreover, the proposed approach is applicable in assessment of various aspects of I&C systems, since it implies considering process-product model to reveal all the vulnerabilities that can potentially result in product security weaknesses. 
The proposed approach and technique were applied to the cyber security assessment of the RadICS FPGA-based I&C platform developed by Research and Production Corporation Radiy. Furthermore, the gap-and-IMECA-based technique was applied in the development of a company standard at Research and Production Corporation Radiy that is harmonized with international standards. This standard is used during development and verification activities for safety-critical I&C systems for nuclear power plants [2]. The next steps of research and development may be devoted to creating and implementing tool-based support for the proposed approach, taking into account the results of qualitative and quantitative assessment.

1. NUREG/CR-7006, Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems, U.S. Nuclear Regulatory Commission (2010)
2. V. Kharchenko, V. Sklyar (Eds.), FPGA-based NPP Instrumentation and Control Systems: Development and Safety Assessment, Research and Production Corporation Radiy, National Aerospace University named after N.E. Zhukovsky KhAI, State Scientific Technical Center on Nuclear and Radiation Safety (2008)
3. V. Kharchenko (Ed.), Critical Infrastructures Safety: Mathematical and Engineering Methods of Analysis and Assurance, Department of Education and Science of Ukraine, National Aerospace University named after N. Zhukovsky KhAI (2011)
4. IEC (Ed.1), Nuclear power plants Instrumentation and control systems Requirements for security programmes for computer-based systems, International Electrotechnical Commission (2011)
5. ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabulary, International Organization for Standardization and International Electrotechnical Commission (2009)
6. ISO/IEC 27001, Information technology Security techniques Information security management systems Requirements, International Organization for Standardization and International Electrotechnical Commission (2005)
7. ISO/IEC 27002, Information technology Security techniques Code of practice for information security management, International Organization for Standardization and International Electrotechnical Commission (2005)
8. EPRI TR , Guidelines on the Use of Field Programmable Gate Arrays (FPGAs) in Nuclear Power Plant I&C Systems, Electric Power Research Institute (2009)
9. EPRI TR , Recommended Approaches and Design Criteria for Application of Field Programmable Gate Arrays in Nuclear Power Plant I&C Systems, Electric Power Research Institute (2011)
10. IEC (Ed.1), Nuclear Power Plants Instrumentation and control important to safety Hardware language aspects for systems performing category A functions, International Electrotechnical Commission (2010)
11. IEC 812, Analysis Techniques for System Reliability Procedure for Failure Modes and Effects Analysis (FMEA), International Electrotechnical Commission (1985)
12. A. Gorbenko, V. Kharchenko, O. Tarasyuk, A. Furmanov, F(I)MEA-technique of Web Services Analysis and Dependability Ensuring, Lecture Notes in Computer Science, Vol. 4157/2006, pp (2006)
13. A. Avizienis, J.-C. Laprie, B. Randell, C. Landwehr, Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE Transactions on Dependable and Secure Computing, Vol. 1(1), pp (2004)
14. E. Babeshko, V. Kharchenko, A. Gorbenko, Applying F(I)MEA-technique for SCADA-based Industrial Control Systems Dependability Assessment and Ensuring, DepCoS-RELCOMEX 2008, pp (2008)
15. NEI (Rev. 6), Cyber Security Plan for Nuclear Power Reactors, Nuclear Energy Institute (2010)


More information

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks. Presenter Jakob Drescher Industry Cyber Security 1 Cyber Security? Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks. Malware or network traffic

More information

NEN The Education Network

NEN The Education Network NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected

More information

Information Technology Branch Organization of Cyber Security Technical Standard

Information Technology Branch Organization of Cyber Security Technical Standard Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:

More information

RiskSense Attack Surface Validation for IoT Systems

RiskSense Attack Surface Validation for IoT Systems RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing

More information

Tiger Scheme QST/CTM Standard

Tiger Scheme QST/CTM Standard Tiger Scheme QST/CTM Standard Title Tiger Scheme Qualified Security Tester Team Member Standard Version 1.2 Status Public Release Date 21 st June 2011 Author Professor Andrew Blyth (Tiger Technical Panel)

More information

The Vectra App for Splunk. Table of Contents. Overview... 2 Getting started Setup... 4 Using the Vectra App for Splunk... 4

The Vectra App for Splunk. Table of Contents. Overview... 2 Getting started Setup... 4 Using the Vectra App for Splunk... 4 Table of Contents Overview... 2 Getting started... 3 Installation... 3 Setup... 4 Using the Vectra App for Splunk... 4 The Vectra Dashboard... 5 Hosts... 7 Detections... 8 Correlations... 9 Technical support...

More information

IEC 62859: TOWARDS AN INTERNATIONAL STANDARD ON THE COORDINATION BETWEEN SAFETY AND CYBERSECURITY FOR NUCLEAR I&C SYSTEMS

IEC 62859: TOWARDS AN INTERNATIONAL STANDARD ON THE COORDINATION BETWEEN SAFETY AND CYBERSECURITY FOR NUCLEAR I&C SYSTEMS IEC 62859: TOWARDS AN INTERNATIONAL STANDARD ON THE COORDINATION BETWEEN SAFETY AND CYBERSECURITY FOR NUCLEAR I&C SYSTEMS Ludovic Pietre-Cambacedes Senior Engineer EDF Nuclear Engineering Division Basic

More information

nuclearsafety.gc.ca Implications of the Fukushima Daiichi Accidents for the New Builds Design Requirements in Canada

nuclearsafety.gc.ca Implications of the Fukushima Daiichi Accidents for the New Builds Design Requirements in Canada Implications of the Fukushima Daiichi Accidents for the New Builds Design Requirements in Canada R.P. Rulko () IAEA Technical Meeting on Evaluation of Nuclear Power Plant Design Safety in the Aftermath

More information

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016 For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission

More information

Simulation of the effectiveness evaluation process of security systems

Simulation of the effectiveness evaluation process of security systems IOP Conference Series: Materials Science and Engineering PAPER OPEN ACCESS Simulation of the effectiveness evaluation process of security systems To cite this article: A V Godovykh et al 2016 IOP Conf.

More information

Defense-in-Depth & Diversity (D3) Charles Kim Electrical and Computer Engineering Howard University

Defense-in-Depth & Diversity (D3) Charles Kim Electrical and Computer Engineering Howard University EECE499-01: Computers and Nuclear Energy Defense-in-Depth & Diversity (D3) Charles Kim Electrical and Computer Engineering Howard University www.mwftr.com 1 Defense in Depth Military Strategy Front Line

More information

Addressing Verification Bottlenecks of Fully Synthesized Processor Cores using Equivalence Checkers

Addressing Verification Bottlenecks of Fully Synthesized Processor Cores using Equivalence Checkers Addressing Verification Bottlenecks of Fully Synthesized Processor Cores using Equivalence Checkers Subash Chandar G (g-chandar1@ti.com), Vaideeswaran S (vaidee@ti.com) DSP Design, Texas Instruments India

More information

Evaluating Tokenization Systems

Evaluating Tokenization Systems White Paper Security Evaluating Tokenization Systems Table of Contents page Abstract: Evaluating Tokenization Systems... 1 The Tokenization Model... 1 Risks and Attacks... 2 Attack 1: Guess Secret Data...

More information

Level 5 Diploma in Computing

Level 5 Diploma in Computing Level 5 Diploma in Computing 1 www.lsib.co.uk Objective of the qualification: It should available to everyone who is capable of reaching the required standards It should be free from any barriers that

More information