Cyber security – the human factor

Digital-based industrial control systems have lower operating and maintenance costs than analogue backups and they are easier to replace. However, the threat from a cyberattack is perceived as higher risk in nuclear power plants using digital systems. The public perception of the risk varies internationally, and generally correlates with the penetration of digital devices in everyday life and high levels of availability in network infrastructure.

To meet international safety and security standards the resilience of nuclear facilities, systems and technologies have high levels of scrutiny. Cyber-based attacks continue to test the defences, with threats even from nation state actors, as now identified by the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) in Technical Alert [TA18-074A] released on 15 March 2018.

It is not clear what part human error plays in weakening cyber defences. For example, ‘holes’ may be left in systems due to human error during firewall configuration, patching or managing security settings in IT group policies. Of course, physical security may also be compromised through human error. An Innovate UK funded project may help to increase knowledge and gain regulatory and public support.

How is human error currently accounted for?

Since the mid-1980s human error has been incorporated into nuclear safety risk management through the use of human reliability analysis (HRA). Methods such as THERP (technique for human error-rate prediction) and then HEART (human error assessment and reduction technique) were adopted widely, primarily in analogue-based control rooms. Recent reviews of HEART confirmed the underlying veracity of this approach.

Given the ‘safety case’ regime adopted in the UK, with robust security and safety measures (Office for Nuclear Regulation security assessment principles and fail-safe modes) in place, the outcome of a cyberattack via these human-error-based ‘holes’ may be an offline plant, rather than an accident. But an offline reactor is very costly for the licensee and increased frequency of these events could undermine the financial viability of a plant. The power outage would of course also be disruptive.

The use of probabilistic safety analysis (PSA) (probabilistic risk assessment in the USA) in support of safety cases is well established in the global nuclear safety and security community.

The PSA systematically assesses the probability of failure of key systems and protection measures. For the majority of analyses, however, no specific account is taken of cybersecurity-related defensive barriers or attack pathways.

To address this, and based on decades of experience in risk modelling, Corporate Risk Associates (CRA) is developing a holistic risk modelling (HRM) approach. This will specifically include the human aspects in cyber defences in the PSA process.

Evolving tools from analogue to digital

The primary HRA tools available are rooted in the analogue age. CRA has therefore launched an R&D project, part- funded by Innovate UK, to support the HRM approach. It focuses on the quantification of human error in cyber for the nuclear sector.

The project started in February 2018 and will continue throughout the rest of the year. Early work includes:

• Mapping existing generic task types and associated human error probabilities to computer based cyber defensive tasks;
• Literature review;
• Identification of new generic task types for cyber defensive tasks, where required;
• Workshop with human factors and cyber security representatives from the nuclear sector;
• Scenario-based pilot trial on a selection of agreed generic cyber tasks to collect raw data; and
• Preliminary data analysis.

As the project continues CRA will collaborate with the University of Kent to refine the cyber-based HRA approach and find other sources of data from the international community. This may include large data collection exercises.

Ultimately the new approach will be incorporated into a software based tool that will be integrated into the HRM process. This process will help to identify human-error- based cybersecurity vulnerabilities in digital systems. These can then be mitigated through interface design improvements or revised operating procedures. CRA believes this approach could lead to regulatory acceptance of digital systems and reduced plant operating costs.  

Author information: James Amende is Human factors development manager at Corporate Risk Associates