Abstract
The emergence of cyberweapons and the convergence of Information Technology (IT) and Operational Technology (OT), contribute to the exponential growth in the number and sophistication of cyber-attacks, targeting critical infrastructure. The nuclear sector has recognized that it must employ compensating measures in order to ensure its most critical systems can defend, detect, delay, respond, and recover from cyber-attacks. The Nuclear Regulatory Commission (NRC) has included cybersecurity requirements in the Physical Security and Design Basis Threat Orders. Design Basis Threat (DBT) is a profile of the type, composition, and capabilities of an adversary used to design protection systems at nuclear power plants. These prescribed cybersecurity requirements, are an alternate approach to traditional DBT analysis, that even if implemented correctly, may not be sufficient to defend against an Advanced Persistent Threat (APT). The use of a compliance-based approach has left nuclear power plants unable to quantitatively measure their ability to defend against adversaries with cyber capabilities. This research identifies residual cyber risk at nuclear power plants, advocates for the adoption of Software-Defined Networking (SDN) and face recognition technologies at nuclear facilities, and proposes a novel approach to developing cyber DBTs specific to the facility, its material, or adversary activities that can be empirically investigated through a combination of modeling, simulation and live exercises.