Development of a cyber security risk model using Bayesian networks

Cyber security is an emerging safety issue in the nuclear industry, especially in the instrumentation and control (I&C) field. To address the cyber security issue systematically, a model that can be used for cyber security evaluation is required. In this work, a cyber security risk model based on a Bayesian network is suggested for evaluating cyber security for nuclear facilities in an integrated manner. The suggested model enables the evaluation of both the procedural and technical aspects of cyber security, which are related to compliance with regulatory guides and system architectures, respectively. The activity-quality analysis model was developed to evaluate how well people and/or organizations comply with the regulatory guidance associated with cyber security. The architecture analysis model was created to evaluate vulnerabilities and mitigation measures with respect to their effect on cyber security. The two models are integrated into a single model, which is called the cyber security risk model, so that cyber security can be evaluated from procedural and technical viewpoints at the same time. The model was applied to evaluate the cyber security risk of the reactor protection system (RPS) of a research reactor and to demonstrate its usefulness and feasibility. •We developed the cyber security risk model can be find the weak point of cyber security integrated two cyber analysis models by using Bayesian Network.•One is the activity-quality model signifies how people and/or organization comply with the cyber security regulatory guide.•Other is the architecture model represents the probability of cyber-attack on RPS architecture.•The cyber security risk model can provide evidence that is able to determine the key element for cyber security for RPS of a research reactor.