Automating the Cybersecurity Assessment Process in Nuclear Facilities

Period of Performance: 06/08/2015 - 03/07/2016


Phase 1 SBIR

Recipient Firm

D-Tech, LLC
13800 Coppermine Rd Suite 300
Herndon, VA 20171
Firm POC, Principal Investigator


Nuclear plant operators are required by the Nuclear Regulatory Commission NRC) to perform cybersecurity assessment on their internal networks, control systems and critical data assets on a regular basis to ensure regulatory compliance and safety, security and emergency preparedness of the nations most critical infrastructures. However, the current assessment processes are conducted manually. The existing software tools used today are primarily report generators based on operators input to a sequence of static questions. This practice is not only labor intensive and costly, but also error-prone and risky due to potential inconsistency and lack of quantification in detailed assessment measures. A false or inaccurate assessment of a nuclear facility may have unintended consequences with potential security vulnerabilities affecting the plant operations. In this SBIR, we propose an innovative approach to solve the problem of inefficiency and inaccuracy in cybersecurity assessment. We plan to design and develop the Automated Cybersecurity Assessment Manager ACAM) as a software tool to perform cybersecurity assessment in a efficient and cost-effective fashion. The ACAM tool is going to be designed in compliance with NRC policies and regulations, and implemented as a web-based decision- support system, integrating high-level, codified security controls with network-level vulnerability scanning, penetration testing, intrusion detection, and configuration management mechanisms. During Phase I, we will focus on the initial ACAM requirement gathering and analysis, architecture design, and produce a prototype as a proof-of-concept for the follow-on work in Phase II. Our research team will work with DoE customers closely to identify the functional requirements, and reach out to other related stakeholders, including nuclear plant operators and government agencies responsible for coordinating and overseeing the cybersecurity programs, for validating our requirements and technical approach. The Phase II work will be to extend the functionality and operational readiness of ACAM and productize the tool towards commercialization. The ACAM will provide the benefits of quality cybersecurity assessment with improved accuracy, consistency, reduced time and cost. It will fill an important gap in streamlining and automating the cybersecurity program management for the nuclear power industry. The tool can be easily configured and customized to various security control requirements, and adopted by other utility companies as well as other industries e.g. government, healthcare, and banking). As more enterprises are adopting standard assessment practices, we will be uniquely positioned to capture this growing market by continuing advancing the ACAM technology and applying the right intellectual property strategy. Our long-term goal is to make ACAM an integral part of the cybersecurity ecosystem, and help to secure and protect our nations critical infrastructures for years to come.