Regulatory Perspective on Nuclear Cyber Security: The Fundamental Issues

We are living in a digital and information-driven age and need to store information related to virtually every aspect of our lives, nuclear information included. For computer systems to be reliable and secure in nuclear facilities, unauthorized event changes must be prevented (which means maintaining confidentiality), field device inputs and outputs must remain immutable throughout their usable lifetime (which means maintaining integrity), and all component parts should remain in an operable state (which means maintaining availability). The dynamic and complex nature of cyber threats has made it a serious challenge to secure computer systems in nuclear facilities. A number of varied cyber security services, policies, mechanisms, strategies and regulatory frameworks have been adopted, including: confidentiality, integrity, availability, non-repudiation, encipherment, defense-in-depth (DID), design basis threat (DBT); IAEA technical guidance documents such as GS-R-1, GS-R-2, GS-R-3, GS-G-3.13.5, NSS20, NSS23-G, NSS13, NSS17, NST036, NST045, and NST047; IEEE standard 7-4.3.2-2010, NIST SP 800-53, NIST SP 800-82, NEI 04-04, NEI 08-09; and country-specific requirements such as 10 CFR 73.54, RG 5.71 (U.S. NRC), KINS/RG-N08.22 (South Korea). However, threats remain persistent. This paper is aimed at providing a regulatory perspective on nuclear cyber security, its relationship to nuclear safety and security, regulatory requirements and global best practice recommendations for nuclear cyber security, and strategies to prevent and counteract threats.
This study is imperative as Nigeria prepares to join the league of countries with operational nuclear power plants and research reactors following approval and adoption of the nuclear power programme roadmap in 2007 and contract signing with Rosatom of Russia for NPP and research reactor construction.

Arinze et al.: Regulatory Perspective on Nuclear Cyber Security: The Fundamental Issues. Published by Trace: Tennessee Research and Creative Exchange, 2020. International Journal of Nuclear Security, Vol.6 No.1, 2020.

The importance of this paper is underscored by the fact that nuclear security is tremendously impacted by cyber security. Nuclear facilities, made up of field devices, field controllers, supervisory control and data acquisition (SCADA) and instrumentation and control (I&C) systems as shown in Figure 1, are mission-critical infrastructure susceptible to attacks from nation states and non-state actors such as hacktivists, third parties, organized crime, professional criminals, spies, voyeurs, corporate raiders, disgruntled insiders, vandals, script kiddies and cyber terrorists, as shown in Table 1.1. The various threat actors have different motivations, intentions for their activities, and capabilities, which adds to the complexity of the problem and increases the need for comprehensive understanding of the risks at regional, industry, institutional and process levels.

These critical facilities use both analog and digital systems to monitor and operate plant processes and equipment, and to store and retrieve information. In addition to physical and system operational security, cyber security of critical digital assets (CDAs), computer instrumentation and control systems (ICS) and networks has become a growing concern to both nuclear operators and nuclear facility regulators around the world. I&C components such as process control systems (PCS), supervisory control and data acquisition (SCADA) and digital control systems (DCS) that interconnect plant systems performing safety, security, and emergency preparedness (SSEP) functions are not isolated from the Internet. This presents an attack vector for cyber threats as shown in Figure

Currently, the focus is not on new types of threats, but on existing types that are enhanced. As regards social engineering attacks, for example, a professionalization of the analysis followed by targeting can be observed. Perimeter security and cloud security measures are no longer sufficient. Increasingly, endpoint security is in demand again.
It is also advisable to keep an eye on the hardware, as it may serve as a target platform for firmware attacks. The impairment of products and standards continues to be a key issue. If these impairments affect widely used products and standards and remain undetected for a long time, they may be disastrous in terms of information security. A good example of this is Heartbleed. Therefore, it is advisable to reduce products' functionality as far as possible and, as a result, avoid the integration of potential vulnerabilities in unnecessary modules. It is also recommended not to activate sensitive or rarely used modules by default (secure defaults). System providers using security-relevant products and standards should have several complementary security layers, including controls, in place. This allows them to reduce potential effects of such impairments (defense in depth). As a general rule, attacks are becoming more complex and more difficult to identify. For this reason, identifying misuse by means of user behavior analytics and adaptive security measures are gaining in importance.
In addition, there have been game-changing events such as the increase in the number of advanced persistent threats (APTs) like the Taj Mahal framework and Stuxnet, as well as malware, Trojan attacks and ransomware attacks at the personal, corporate and even state levels. A careful examination of cyber-attacks targeted at NPPs from 1980 to present reveals a pattern of increasing incidence of attack and sophistication.

As a sub-set of nuclear security, the cyber threat landscape is highly dynamic and complex [1]; it is a broad and wide-ranging discipline that interacts with all other areas of security in a nuclear facility. All disciplines of security complement each other to establish a facility's security posture, which is defined in the site security plan (SSP) as shown in Figures 1.9 and 1.10. A failure in any of the disciplines of security could severely impact the other domains and could place additional burdens on the remaining aspects of security.

In order to counter this growing threat, this paper examines the current nuclear cyber security landscape vis-a-vis national and international regulatory frameworks and standards and also studies incidents and lessons learned with a view toward identifying critical gaps and making appropriate recommendations. This task was accomplished by adopting an open-source data gathering and analysis approach via International Atomic Energy Agency (IAEA) nuclear security and safety guidance documents and by examining country-specific cyber security standards and practices from five selected nuclear-powered nations, namely China, Germany, the Russian Federation, South Africa and the United States. The scope of this study is restricted to legal, regulatory, and institutional frameworks for cyber security in civilian nuclear fuel cycle facilities, e.g., enrichment or fuel fabrication plants, power plants, reprocessing facilities, research reactors [2], etc.
The justification for the focus on cyber security is that it is one of the most significant new key elements that have entered the nuclear security lexicon in the last decade, quickly gaining momentum, prominence and significance due to the growing reliance on digital equipment [2].
The objective of cyber security is to protect information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and useful to authorized users. There are many different approaches to implementing and managing cyber security measures. One of the approaches is Open Security Architecture (OSA). The OSA Metamodel depicts the entities and relationships that are relevant for OSA as shown in Figure 11. OSA can provide benefits to IT service consumers, IT service suppliers and IT vendors, giving the entire IT community an interest in using and improving it. An open approach means that the patterns and catalogues will benefit the whole community and can be more quickly improved and refined by the common experience of participants.

The rest of the paper is organized as follows: Section 2 provides an overview of related works in computer/information security and nuclear cyber security. Section 3 deals with nuclear cyber security model frameworks and standards. Section 4 highlights the current status and examples of digital I&C systems in nuclear power plants. Section 5 deals with cyber security regulatory requirements for nuclear facilities. Section 6 outlines global best practice recommendations on nuclear cyber security for Regulators. Section 7 highlights the implications of cyber security incidents for research and practices. Section 8 points out the various lessons learned and Section 9 is the summary and conclusion.

II. Related Works
According to Tanenbaum and van Steen (2002), before one can evaluate attacks against a system and decide on appropriate mechanisms to fend off these threats, it is necessary to specify a security policy. A security policy defines the desired properties for each part of a secure computer system. It is a decision that has to take into account the value of the assets that should be protected, the expected threats and the cost of proper protection mechanisms. A security policy that is sufficient for the data of a normal home user may not be sufficient for a bank, as a bank is obviously a more likely target and has to protect more valuable resources. In general, there is a flow of data from a source (e.g., a host, a file, memory) to a destination (e.g., a remote host, another file, or a user) over a communication channel (e.g., a wire, a data bus). The task of the security system is to restrict access to this information to only those parties (persons or processes) that are authorized to have access, according to the security policy in use. Although the literature uses different approaches to categorizing network attacks, in this paper, I will classify them into three (3) groups related to confidentiality, integrity and availability, known as the C.I.A. triad of network security goals, as shown in Figure 2.1. Confidentiality in the nuclear context implies that unauthorized logic changes must be prevented; integrity implies that field device inputs and outputs must remain immutable throughout their usable lifetime; and availability means that all components should remain in an operable state. The U.S. NRC RG 5.71 developed best practices over the years that include the basic tenet that information security is a life-cycle process.

Early taxonomies, such as Bishop (1995) [12], focused on categorizing security vulnerabilities in software to assist security practitioners in maintaining more robust and secure systems through an understanding of these vulnerabilities.
One approach to gaining insight into an attacker's target is to consider the attack paths, or combination of exploits [13]. John Howard extended this idea in his 1997 doctoral work, in which he analyzed and classified 4,299 security-related incidents on the internet. Howard's work was notable because he included attackers, results and objectives as classification categories, expanding threat taxonomies beyond the technical details of an attack to include more intangible factors such as an attacker's motivation for conducting an attack [14]. The vast majority of threat taxonomies are designed as attacker-centric frameworks which categorize attacks from the perspective of an attacker's tools, motivations and objectives. Killourhy, Maxion and Tan created a taxonomy in 2004 designed to be defense-centric, based on how an attack manifested itself in the target systems. Based on a test set of 25 attacks, this taxonomy was able to predict whether or not the defender's detection systems would be able to detect a given type of attack [15].
In a similar effort, Mirkovic and Reiher created a taxonomy of Distributed Denial of Service (DDoS) defenses, which categorized DDoS defense mechanisms based on activity level, degree of co-operation and deployment location [16]. These two taxonomies are among the few that classify threats or security incidents from a defensive viewpoint and show the importance of addressing such issues from different perspectives to gain a more holistic view of security issues. Researchers at the University of Memphis led by Simmons created a cyber-attack taxonomy called AVOIDIT in 2009, which described attacks using five (5) extensible classifications: Attack Vector, Operational Impact, Defense, Informational Impact, and Target.

These efforts present a certain challenge: although they provide background information related to cyber threats that could be utilized to address future developments, the taxonomies in question do not properly capture the protection of nuclear facilities in the light of existing cyber threats and legal and regulatory frameworks. This is because nuclear digital systems are by nature different from general information and telecommunication systems. Because cyber-attacks against nuclear power plants can result in grievous consequences in the form of human, environmental and infrastructural damage, nuclear digital systems are long-term, real-time systems that demand simultaneous responses to intrusions 24 hours a day, seven days a week for the entirety of their 30- to 40-year lifespan. highlighted the vulnerabilities of IT and ICS systems in nuclear facilities around the world, comparing country-specific nuclear cyber regulatory frameworks and best practices. Nuclear systems demand a comprehensive security measure that considers system life cycle, work processes and procedures as well as infrastructural protection spanning measures for system developers, system maintenance staff, third-party contractors, consultants and workers within the plant.
In Gluschke, Mesut & Macori (2018) [30], three levels of cyber threat protection are established as requirements: the internet network, the intra-network, and the independently blocked network. Staff within the plant can work only within the intra-network. The internet and intra-network must be separated (air gap) to ensure full independence of the workspace and access. Internet access within the workspace must be authorized and separated from the intranet network. Although this separation can result in some inefficiencies and inconveniences, it provides an additional layer of security for the system to protect against cyber threats. The intra-network must be connected with the independently blocked network, which controls specific nuclear infrastructure and critical information systems such as the nuclear reactors, computer systems, the centralized database management systems, the operating systems, turbine control systems, etc. This independently blocked network transfers only simple operation information to the intra-network in order to ensure that new threats such as nuclear cyber terrorism and espionage are mitigated. In addition, a holistic approach that establishes legal and institutional frameworks for efficient radiation disaster management systems must be in place to provide standards and procedures for regulating and controlling illegal transfer of radioactive and nuclear materials and for handling sabotage by cyber attackers.
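The three-level separation described above can be written down as a zone-to-zone flow policy and checked against observed connections, which is the kind of verifiable data-flow documentation a regulator can ask a licensee to produce. The following Python code is an added example, not part of the original paper; the subnets, the flow records, the message-kind labels and the reading that no traffic may enter the independently blocked network are assumptions made for illustration.

```python
"""Check observed flows against the three-level separation model.

Zones: internet, intra-network, independently blocked network.
All addresses and flow records below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

INTERNET = "internet"
INTRANET = "intra-network"
BLOCKED = "independently-blocked"

# Assumed (hypothetical) address plan; anything unlisted counts as internet.
ZONE_SUBNETS = {
    INTRANET: [ipaddress.ip_network("10.10.0.0/16")],
    BLOCKED: [ipaddress.ip_network("10.200.0.0/24")],
}

# Message kinds treated as "simple operation information" (assumed labels).
OPERATION_INFO = {"status", "measurement"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    kind: str  # what the connection carries, e.g. "status", "file", "command"


def zone_of(address):
    """Map an IP address to its zone; unknown addresses are internet."""
    ip = ipaddress.ip_address(address)
    for zone, subnets in ZONE_SUBNETS.items():
        if any(ip in net for net in subnets):
            return zone
    return INTERNET


def evaluate(flow):
    """Return (allowed, reason) for one flow under the separation model."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == dst:
        return True, f"stays inside {src}"
    pair = {src, dst}
    if pair == {INTERNET, INTRANET}:
        return False, "internet and intra-network must be air-gapped"
    if pair == {INTERNET, BLOCKED}:
        return False, "blocked network must never touch the internet"
    # Remaining case: intra-network <-> independently blocked network.
    if src == BLOCKED:
        if flow.kind in OPERATION_INFO:
            return True, "operation information leaving blocked network"
        return False, f"'{flow.kind}' is not simple operation information"
    # Assumption: the link is one-way, so nothing enters the blocked network.
    return False, "no traffic may enter the blocked network"


def audit(flows):
    """Return the violating flows with the reason each one was rejected."""
    findings = []
    for flow in flows:
        allowed, reason = evaluate(flow)
        if not allowed:
            findings.append((flow, reason))
    return findings


# Constructed sample flows (not real plant data).
SAMPLE_FLOWS = [
    Flow("10.200.0.5", "10.10.3.20", "status"),     # plant status to intranet
    Flow("10.200.0.5", "10.10.3.20", "file"),       # bulk data leaving
    Flow("10.10.3.20", "10.200.0.5", "command"),    # write into control net
    Flow("10.10.3.20", "203.0.113.7", "file"),      # intranet to internet
    Flow("10.10.3.20", "10.10.8.1", "file"),        # intranet internal
    Flow("198.51.100.9", "10.200.0.5", "command"),  # internet to control net
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst} [{flow.kind}]: {reason}")
```

Run against exported firewall or flow-collector records, a check of this shape turns the separation requirement into evidence that can be reviewed at inspection time.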
In Cyber security at Nuclear Facilities: National Approaches, a study conducted by the Institute for Strategic Studies (ISS) at the Brandenburg University of Applied Sciences, Germany and the United States Nuclear Threat Initiative (NTI), the authors focused on the legal, regulatory, and institutional frameworks for cyber security by examining in detail a range of measures that affect the higher levels of the hierarchy of responsibilities [2]. The study's comparative analysis focuses on national legislation, regulatory frameworks, regulations and guidance, licensing and other associated regulatory activities. However, the limitation of their study is their decision not to discuss the more operational and technical aspects of cyber security and their implementation at the facility level. The following figure shows the various tiers of cyber security needed to address the cyber threat at nuclear facilities and indicates the tiers at the nation state level, which is the focus of this study. The NSS20 approach is broader than is needed for cyber security, but most essential elements can play a role when assessing a nation state in terms of nuclear cyber readiness, such as 'Identification and Definition of Nuclear Security Responsibilities', 'Legislative, Regulatory Framework' or 'Identification and Assessment of Nuclear Security Threats' [2]. Figure 2.4 illustrates the defense-in-depth (DID) model for nuclear cyber security.

A. National legislation
At the highest level, legislation should ideally reflect a contemporary approach to nuclear security, incorporating concepts expressed in the 2005 amendment to the Convention on the Physical Protection of Nuclear Material (CPPNM) [2, 21], as well as including or referring to the security of information (or more explicitly cyber security) as one of the key elements of nuclear security. In this context it is probably more feasible to do so in those national legislations where nuclear security is separate from generic nuclear laws dealing with the promotion and regulation at large of any activity involving radioactive materials or nuclear energy generation [2]. Countries with or without specific nuclear security legislation are shown in the following table.

Characteristics | Countries
No nuclear law | China
A generic "nuclear law" dealing broadly with issues relating to the implementation of nuclear power with few or no explicit references to nuclear security | South Africa [22]
A generic "nuclear law" with explicit references or detailed sections dedicated to nuclear security |
A law specifically dedicated to nuclear security (the latter often in conjunction with more generic "nuclear laws" within the same legal system) |

B. Regulatory framework
Similarly, legislation should operate at the proper level and avoid rapid obsolescence by steering clear of legislating specific details which are bound to evolve rapidly (like technology) and should instead focus on establishing the framework for the correct operation of a regulatory authority, with regard to its ability to write and enforce regulation and to criminalize and prosecute relevant crimes [2]. Table 2.3 shows countries with or without competent authorities for cybersecurity at their respective nuclear facilities.

C. Regulations and guidance
Regulations, instead, are standards adopted as rules by the relevant authority to implement, interpret, or make specific the laws enforced or administered by the authority itself. They are needed so that the industry may have clear and detailed instructions. At the same time, regulation can evolve and adapt more rapidly than legislation given a lighter approval/modification procedure that involves fewer stakeholders. A number of countries (for example, China and South Africa) have regulations pertaining to aspects of nuclear safety and cyber security that protect national infrastructure in general. There are no specific regulations in these countries related to the cyber security of nuclear facilities. Also, the status of the implementation of these regulations is elusive and can therefore not be said to be fully developed.

D. Licensing
Ideally, cyber security should be embedded into the design of nuclear facilities themselves and their associated security plans from the beginning. The crucial instruments to ensure that this occurs and is maintained through the lifecycle of an NPP, as a design goal and as an element of safety and security culture, are the licensing process and its enforcement [2]. In Germany and the United States, considerations for cyber security are explicitly detailed in the licensing process and in the certification process of individual systems.

E. Associated regulatory activities
From supply chain control, to personnel security, to law enforcement training, many different issues may have a strong impact on the cyber security of nuclear facilities. Regulatory activities for nuclear facilities should encompass and characterize how threat assessment is done, how cyber security training is integrated in the programme, whether the nuclear supply chain is regulated, and whether cyber security is a component of those regulations. It is noteworthy that the United States and South Africa are nations that involve national intelligence agencies in the preparation of threat information and that this information is made available directly to nuclear facilities using the Design Basis Threat (DBT) model to communicate threats to facilities.

F. Cyber Security Education
Countries with a very strong structure for nuclear facilities, such as China and Russia, offer national-level education and degree programmes in nuclear security. The majority of the countries delving into nuclear

III. Analysis of Model Frameworks and Standards
This section provides a detailed overview of cyber security standards, frameworks and requirement specifications for addressing security vulnerabilities in IT/ICS systems used in NPPs. Cyber security standards are a set of specifications for the cyber security of I&C systems used in NPPs. A Framework is a risk-based approach to reducing cyber security risk. It comprises three (3) parts: the Framework Core, the Framework Implementation Tier and the Framework Profile. The Framework Core is a set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. It comprises four (4) types of elements: Functions, Categories, Sub-categories, and Informative References. The Framework Implementation Tier is a lens through which to view the characteristics of an organization's approach to risk: how an organization views cyber security risk and the processes in place to manage that risk. The Framework Profile is a representation of the outcomes that a particular system or organization has selected from the Framework Categories and Sub-Categories [32].
In order to address the security vulnerabilities arising from cybersecurity threats, several frameworks have been developed by industry standardization organizations, International and national nuclear regulatory

According to the U.S. Department of Homeland Security (DHS), the Nuclear Sector has a long history of addressing cyber security issues. In 1997, through the Nuclear Energy Institute (NEI), the industry began looking at potential issues associated with the increasing use of digital technologies at power reactors. At this time there was a concern regarding the potential impacts associated with the change in millennia, referred to at that time as the "Y2K" issue. Following the terrorist attacks of September 11, 2001, the industry turned its focus to potential cyber security-related issues. Power plants are required by the NRC to design, implement, and evaluate their physical and cyber security programs to defend against a Design Basis Threat (DBT). In response to the increasing threat of cyber-related attacks, the NRC amended its design basis threat requirements in 2007 to include a cyber-attack as an attribute of the adversary. The NRC describes a cyber-attack as:

"The capability to exploit site computer and communications system vulnerabilities to modify or destroy data and programming code, deny access to systems, and prevent the operation of the computer system and the equipment it controls."
In March 2009, the NRC issued revised security requirements that included comprehensive programmatic cyber security requirements, principally codified in Title 10 of the Code of Federal Regulations (CFR), Section 10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks" (Rule). The Rule requires power plants to submit a cyber security plan and implementation schedule for NRC review and approval. To support uniform implementation, the industry developed a template for the cyber security plan and the implementation schedule. In May 2010 the NRC endorsed NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6. NEI 08-09 provides a template for cyber security plans and a catalog of technical, operational, and management cyber security controls tailored from the NIST Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems," Revision 2. The template for the implementation schedule provides eight milestones: seven interim milestones and an eighth milestone for full implementation. The first seven milestones are designed to address the most prominent threats to the plant's most important systems [32].
These milestones include the establishment of a cyber security assessment team, hardware-based isolation of key networks and assets, tightening controls over portable media and equipment, enhancing existing insider threat mitigation, instituting protective measures for digital equipment that could impact key safety systems, and establishing ongoing monitoring and assessment activities for implemented cyber security measures. By December 31, 2012, each plant completed the initial seven milestones. Post-2012 activities (the eighth milestone) include the completion of policy and procedural revisions that enhance existing capabilities, the completion of any remaining design-related modifications necessary to implement the cyber security plan, and institution of protective measures for lower consequence assets. In January 2013, the NRC began inspecting power plant cyber security program implementation of the initial seven milestones, and completed inspections at each power plant at the end of 2015 [32].
The frameworks for providing cyber security controls at NPPs can be categorized into two (2) broad classes: international and country-specific. These international publications are consistent with, and complement, international nuclear security instruments, such as the amended Convention on the Physical Protection of Nuclear Material (CPPNM), the Code of Conduct (CoC) on the Safety and Security of Radioactive Sources, United Nations Security Council Resolutions (UNSCR) 1373 and 1540, and the International Convention for the Suppression of Acts of Nuclear Terrorism (ICSANT).
The structure of the legal framework shown in Figure 3.2, which forms the basis for regulation, has Law, Act, Decree and Statute as the principal legislation established by the national legislative body. It establishes the fundamental structures and concepts, sets the infrastructure for regulatory control and defines the scope of the legislation. Regulations are more specific in relation to nuclear cyber security; they are developed by the Regulatory Body and issued by the legislative body, Ministry or Regulatory Body (this varies depending on the national legal system). Licenses are authorizations issued by Regulatory Bodies as clearance to operate, showing compliance with regulatory requirements as regards cyber security. Regulatory documents include Codes of Practice (CoPs), guidance documents, et cetera. They are usually developed and issued by the Regulatory Body and give practice-specific advice on how to achieve the protection and safety requirements defined in legislation or regulations; they may or may not be legally binding, as other procedures might be followed to achieve the same protection and safety goals. The international frameworks and standards like IAEA publications in the IAEA Nuclear Security Series (NSS) and Basic Safety Standards (BSS) are issued in the following categories as shown in Figure 3.3:
• Nuclear Security Fundamentals contain objectives, concepts and principles of nuclear security and provide the basis for security recommendations.
• Recommendations present best practices that should be adopted by Member States in the application of the Nuclear Security Fundamentals.
• Implementing Guides provide further elaboration of the Recommendations in broad areas and suggest measures for their implementation.
• Technical Guidance publications include: Reference Manuals, with detailed measures and/or guidance on how to apply the Implementing Guides in specific fields or activities; Training Guides, covering the syllabus and/or manuals for IAEA training courses in the area of nuclear security; and Service Guides, which provide guidance on the conduct and scope of IAEA nuclear security advisory missions.

The selection of a framework should be informed by baseline assessment, risk appetite and governance model. The primary consideration to be made by those with accountability for cyber security of nuclear facilities is ensuring that when implementing a framework, linkages and integration are created with the governance model, risk appetite, strategic plan and the broader enterprise risk management functions. It is also important to consider the broader regulatory framework and environment to inform framework selection. These nuclear cyber security frameworks are categorized into IAEA and country-specific frameworks. The lists of nuclear cyber security frameworks, requirements and guidance are provided in Tables 3.1-3.3, while Table 3.4 highlights the comparative analysis of the main requirements of IAEA Draft, U.S. NRC RG 5.71 and IEC 62645 CDI.

In Japan, the first fully digital I&C system was integrated into the Kashiwazaki-Kariwa-6 advanced boiling water reactor (ABWR) in 1996, followed shortly by Kashiwazaki-Kariwa-7 (KK-7). Similar digital I&C systems are used in Hamaoka-5. Tomari-3, which will feature the first all-digital reactor control room, is scheduled to begin operation in 2009.
In China, Qinshan Phase III, with two 700 MW(e) CANDU reactors, and Tianwan-1 and -2, with two 1000 MW(e) VVERs, have fully digital I&C systems, including both the safety and control systems, and partly computerized, i.e. hybrid, human-system interfaces (HSIs). China's high-temperature gas cooled experimental reactor, the HTGR-10, also has fully digital safety and control I&C systems, plus a hybrid human-system interface in its main control room.
In the UK at Sizewell B, a 1250 MW(e) PWR, all automatic functions of the safety I&C systems are digital, and in the main control room, all the qualified displays used in the human-system interface are computerized.
In Russia, Kalinin-3, which was commissioned in 2004, is the first VVER-1000 equipped with digital I&C safety systems and digital process control systems. In addition, both its main and emergency control rooms have hybrid human-system interfaces. A dynamic simulator was also installed for the purpose of testing control functions.
In the Republic of Korea, three 1000 MW(e) PWRs are under construction (Shin-Kori-1 and -2 and Shin-Wolsong-1), all with fully digital I&C safety and control systems and hybrid human-system interfaces in the control rooms.
In the USA, 1978 was the last year in which construction started on a reactor that eventually came online. The US Nuclear Regulatory Commission (NRC) has therefore not had the same experience with digital I&C systems as have regulators in China, India, Japan and the Republic of Korea, where the expansion of nuclear power is centred. Partly as a result, digital systems have not yet been approved for use as safety systems in operating US NPPs.

V. Cyber Security Regulatory Requirements for Nuclear Facilities
All nuclear power plant licensees are required by regulation to establish, implement, and maintain a cyber security program that provides a high assurance of adequate protection against cyber-attacks. There are three (3) distinct groups or types of requirements that the cyber security program must satisfy:

VI. Global Best Practice Recommendations on Nuclear Cyber Security for Regulators
Crafting a cyber security regulatory framework is a difficult and complex task for any nuclear regulator.
The following global best practice recommendations, if strictly followed, will help in simplifying the process of implementing a robust nuclear cyber security defense system:
a) Adopt a risk-based cyber security framework for isolating critical digital assets (CDAs) by thoroughly analyzing systems and processes to classify their criticality and attack paths.
b) Institutionalize cyber security. The most challenging issue for nuclear cyber security is configuration integrity. The licensee must be compelled by the regulator to establish and demonstrate how configuration integrity is maintained in their facility.
c) Set the scope by limiting consequences of radiological hazards.
d) Demand verifiability and accurate system documentation on the digital characteristics of the plant systems, including details on system and network configuration, data flows, authorized software applications, engineering systems, etc.
e) Implement an active cyber defense system rather than being reactive to cyber threats.
f) Reduce digital complexity of CDAs as it complicates the task of securing CDAs.
g) Avoid blind adoption of information security concepts. Refer to concepts from safety and control systems engineering.
h) Get the cyber design basis threat right. Defining a DBT based on hackers and malware attacks is too simplistic. Consider the design of modified products.
i) Implement a cyber incident response strategy. A sophisticated cyber-attack against a nuclear facility implies the risk of radiological release, thereby creating a hazard to public safety and compromising national security. Responding to such an event is not the sole responsibility of the licensees. Just like in the case of physical attacks, have a solid response plan ready and tell the licensees what you expect from them in terms of first response.
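The sketch below is an added illustration of recommendations (b) and (d), not part of the original paper: it shows what machine-verifiable documentation can look like by auditing the observed state of one CDA against its documented baseline. The asset names, software versions, port and configuration contents are all constructed for the example.

```python
import hashlib

# Constructed documentation baseline for one hypothetical critical digital asset (CDA).
BASELINE = {
    "cda": "rps-channel-a",  # hypothetical asset name
    "config_sha256": hashlib.sha256(b"setpoint=310\nvoting=2oo4\n").hexdigest(),
    "authorized_software": {"rtos-kernel": "4.2.1", "trip-logic": "1.8.0"},
    "data_flows": [["rps-channel-a", "plant-historian", 502]],
}

def audit_cda(baseline, config_bytes, installed, observed_flows):
    """Return a sorted list of deviations between documented and observed state."""
    findings = []
    # Configuration integrity: any byte-level change alters the digest.
    if hashlib.sha256(config_bytes).hexdigest() != baseline["config_sha256"]:
        findings.append("config: hash differs from documented baseline")
    # Authorized software: flag unlisted packages, version drift and missing items.
    authorized = baseline["authorized_software"]
    for name, version in installed.items():
        if name not in authorized:
            findings.append(f"software: {name} {version} is not authorized")
        elif authorized[name] != version:
            findings.append(f"software: {name} is {version}, documented {authorized[name]}")
    for name in authorized.keys() - installed.keys():
        findings.append(f"software: documented {name} not found on asset")
    # Data flows: compare (source, destination, port) tuples in both directions.
    documented = {tuple(f) for f in baseline["data_flows"]}
    observed = {tuple(f) for f in observed_flows}
    for src, dst, port in observed - documented:
        findings.append(f"flow: undocumented {src} -> {dst}:{port}")
    for src, dst, port in documented - observed:
        findings.append(f"flow: documented {src} -> {dst}:{port} not observed")
    return sorted(findings)

# Constructed observation: a changed setpoint, an unlisted tool, one undocumented flow.
OBSERVED_CONFIG = b"setpoint=325\nvoting=2oo4\n"
OBSERVED_SOFTWARE = {"rtos-kernel": "4.2.1", "trip-logic": "1.8.0",
                     "vendor-remote-tool": "2.0"}
OBSERVED_FLOWS = [["rps-channel-a", "plant-historian", 502],
                  ["eng-laptop-7", "rps-channel-a", 22]]

if __name__ == "__main__":
    for finding in audit_cda(BASELINE, OBSERVED_CONFIG, OBSERVED_SOFTWARE, OBSERVED_FLOWS):
        print(finding)
```

An empty result is the evidence a licensee would present that the documented and actual states agree; each finding is a deviation that needs either a documentation update or an investigation.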

VII. Implications for Research and Practices
Based on the foregoing, the questions that result from the discourse are:
• What effect will an increase in the cost of cyber security/system protection have on the nuclear renaissance?
• What is the overall lesson for nuclear-emerging countries like Nigeria when it comes to embracing cyber security as an important piece of nuclear power program implementation?
• At what point will a break in the link in the Cyber Attack Sophistication model become a threat to safety or security in terms of operation or plant availability?
It is necessary to answer these pertinent questions in order to properly situate the findings from our discourse in line with the evolution of nuclear facilities in developing countries such as Nigeria.
With regard to the first and second questions, the cost-benefit analysis of the nuclear renaissance, with all of its ramifications, skews positively, as the deliverables from nuclear energy provide many resources that result in earned revenue that can be used to address security issues. Although cyber security of nuclear facilities will increase the cost of operations, planning cybersecurity for nuclear facilities should be an integral part of the overall security processes and strategy. With regard to the third question, looking at the Cyber Attack Sophistication model, it is pertinent to mention that any form of vulnerability poses a major threat to the safety or security of nuclear facilities in terms of operation or plant availability.

VIII. Lessons Learned
The various cyber security incidents reported in this paper and vulnerabilities of I&Cs deployed in NPPs around the world hold important lessons for the cyber security of nuclear facilities and critical digital infrastructure in general.
a. The notion of airgap separating control and protection sections of NPPs has been proved wrong. The case of Davis-Besse NPP shows that this is a misconception. Operators who try to monitor and protect every connection cannot be sure they know about all of them. Stuxnet was transmitted via thumb drives to infect computers that were not connected to the internet.
b. Security vulnerabilities as a result of digital I&C deployment across CDAs are more complicated than earlier thought by alarmists and sceptics.
c. The various cyber security incidents reveal that Process Control Systems (PCSs) are not immune from attacks merely because they are different from ordinary computers, as is widely believed.
d. There is a need for an understanding of current cyber security challenges and threats. NPPs responsible for power generation, enrichment and storage are complex computing environments consisting of hundreds to thousands of individual devices. These devices and the computer systems that manage them are built from a combination of common, off-the-shelf (OTS) computing technologies and custom, one-of-a-kind hardware, software and networking protocols. The only commonality between these facilities is that a large number of their critical systems tend to be built on legacy technologies. The current ad hoc approach to computer security, which attempts to detect and block cyber-attacks using intrusion detection systems (IDS), is attack-centric and needs to change to a proactive, risk-based approach.
e. Due to the dynamic and complex threat landscape confronting computer systems deployed at NPPs, a new approach to computer security is needed, centered on sound principles and technologies that can be used to construct effective defenses. The vulnerability-centric security approach seeks to address the root cause of system insecurity (system vulnerabilities) and creates the opportunity for security to be more constructive.

IX. Summary and Conclusion
From this study, only three out of the five countries possess written cyber regulations (U.S.A., Germany and Russia); China and South Africa do not have these regulations. The diversity in the ways in which cyber capabilities can be used poses one of the greatest challenges in information technology. Computer security must be an essential component in an effective and robust nuclear security regime, so as to guard against increasingly sophisticated cyber threats in a digitally dependent environment. In particular, the computers used in safety and safety-related systems must be very well protected from possible intrusions. But other computers must be protected as well. The computers used to control the plant are essential to assure the continuity of power production. The computers used to control access to sensitive areas are needed both to prevent unauthorized access that might be part of an attack, and to assure authorized access both for safety and security reasons. Computers that store important and sensitive data have to be protected to assure that those data are not erased or stolen. Possible cyber-attacks could be associated with business espionage, technology theft, a disgruntled employee, a recreational hacker, a cyber activist, organized crime, a nation state, or a terrorist organization.