IEC 62645: Nuclear I&C Security Programmes for Computer-Based Systems

Standard: IEC 62645:2014 (Edition 1.0) | ICS: 27.120.20 | Published: August 2014

As nuclear power plants increasingly rely on digital instrumentation and control (I&C) systems, the threat landscape for cybersecurity has expanded dramatically. IEC 62645 establishes the requirements for security programmes specifically designed for computer-based and hardwired digital (CB&HPD) systems in nuclear facilities. This standard provides a structured framework that integrates information security management principles with the unique safety demands of nuclear operations, ensuring that digital systems remain resilient against both intentional and unintentional cyber threats.

💡 Key Insight: IEC 62645 is aligned with ISO/IEC 27001 and ISO/IEC 27002, but adapts these general IT security frameworks to address the specific safety-critical requirements of nuclear power plant I&C systems. The 2015 corrigendum clarifies alignment with the 2009/2005 editions of these ISO standards.

Scope and Framework of IEC 62645

IEC 62645 applies to all computer-based and hardwired digital systems that perform safety-related, safety-important, and security-related functions in nuclear power plants. The standard establishes a comprehensive security programme that encompasses the entire lifecycle of I&C systems, from design and procurement through operation, maintenance, and eventual decommissioning.

The framework follows a graded approach, meaning that the depth and rigor of security measures are proportional to the safety significance of the system. Systems classified as Safety Class 1 (highest safety significance) require the most stringent security measures, while lower-class systems receive proportionally less rigorous treatment.

Core Security Programme Elements

The standard defines several essential components that form the backbone of a nuclear I&C security programme:

  • Security Policy: High-level organizational commitment to protecting I&C systems from cyber threats
  • Risk Assessment: Systematic identification and evaluation of threats, vulnerabilities, and potential consequences
  • Defence-in-Depth: Multiple layers of security controls to prevent single points of failure
  • Security Architecture: Network segmentation, access controls, and communication security
  • Incident Response: Procedures for detecting, reporting, and mitigating security incidents
  • Configuration Management: Controlled changes to hardware, software, and network configurations

Security Programme Element | Scope              | Key Requirements
---------------------------|--------------------|-----------------------------------------------------------------
Security Policy            | Organization-wide  | Management commitment, roles, responsibilities
Risk Assessment            | All CB&HPD systems | Threat analysis, vulnerability assessment, consequence evaluation
Defence-in-Depth           | Architecture level | Multiple barriers, network zoning, access layers
Security Controls          | Technical measures | Authentication, encryption, monitoring, logging
Incident Management        | Operational phase  | Detection, response, recovery, lessons learned
Configuration Management   | Lifecycle          | Change control, baseline management, audit trails
Personnel Security         | Human resources    | Training, awareness, vetting, access privileges

⚠️ Important: IEC 62645 requires that security measures do not compromise nuclear safety. In cases where security and safety requirements conflict, safety requirements take precedence. This principle is fundamental to the standard’s approach.

Graded Approach and Risk Assessment

The graded approach is one of the most important concepts in IEC 62645. Rather than applying uniform security measures across all systems, the standard requires that security efforts be proportional to the potential consequences of a security breach. This approach ensures that resources are allocated efficiently while maintaining adequate protection for the most critical systems.

Risk assessment under IEC 62645 follows a structured methodology that considers three key dimensions:

  • Threat Assessment: Identification of potential adversaries, their capabilities, motivations, and attack vectors
  • Vulnerability Analysis: Examination of system weaknesses that could be exploited by threats
  • Consequence Evaluation: Assessment of potential impacts on nuclear safety, plant operation, and public health

Security Classification of I&C Systems

IEC 62645 defines security classification levels that correspond to the safety classification of I&C systems:

Classification Level | Safety Significance                      | Security Requirements
---------------------|------------------------------------------|---------------------------------------------
Safety Class 1       | Highest – directly affects reactor safety | Most stringent; full programme implementation
Safety Class 2       | Important – supports safety functions     | Significant measures; partial programme
Safety Class 3       | Indirect safety contribution              | Basic security measures
Non-Safety           | No direct safety impact                   | General IT security practices

✅ Best Practice: When implementing IEC 62645, start with a comprehensive asset inventory and safety classification of all digital I&C systems. This forms the foundation for applying the graded approach effectively and ensures no critical system is overlooked.

Defence-in-Depth Security Architecture

Defence-in-depth is a cornerstone principle of IEC 62645, borrowed from nuclear safety philosophy and adapted for cybersecurity. This approach creates multiple independent layers of security controls, so that if one layer is compromised, subsequent layers continue to provide protection. The concept mirrors the physical defence-in-depth used in nuclear plant design.

Key architectural requirements include:

  • Network Zoning: Segregation of I&C networks into security zones with controlled interfaces
  • Boundary Protection: Firewalls, data diodes, and unidirectional gateways at zone boundaries
  • Access Control: Role-based access with multi-factor authentication for critical systems
  • Monitoring and Detection: Continuous surveillance of network traffic and system behaviour
  • Physical Security: Protection of I&C hardware from unauthorized physical access
🚨 Critical Warning: Air-gapping alone is not considered sufficient security under IEC 62645. The standard recognizes that even isolated systems can be compromised through removable media, maintenance laptops, supply chain attacks, and insider threats. Comprehensive security measures must address all potential attack vectors.
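As an added illustration (not from the standard or the page's author) of how zoning, graded classification and unidirectional gateways fit together: the script below grades each zone by the most safety-significant system it contains, then audits proposed inter-zone links against an assumed flow policy (egress from a higher-graded zone only through a data diode, no ingress into a higher-graded zone). The zone names, device labels and the policy itself are assumptions for illustration, not text from IEC 62645.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Safety classes from the classification table above; a lower rank is more
# safety-significant. The graded flow policy below is an assumed model.
CLASS_RANK = {"Safety Class 1": 1, "Safety Class 2": 2,
              "Safety Class 3": 3, "Non-Safety": 4}

@dataclass
class Zone:
    systems: Dict[str, str]  # system name -> safety class

    def grade(self) -> int:
        """A zone inherits the grade of its most safety-significant system."""
        return min(CLASS_RANK[c] for c in self.systems.values())

@dataclass
class Link:
    src: str
    dst: str
    device: str  # hypothetical labels: "diode", "firewall" or "none"

def check_link(zones: Dict[str, Zone], link: Link) -> Optional[str]:
    """Return None if the zone interface is acceptable, else a finding."""
    src_grade, dst_grade = zones[link.src].grade(), zones[link.dst].grade()
    if src_grade == dst_grade:
        return None  # peers of the same grade: ordinary controlled interface
    if src_grade < dst_grade:
        # Data leaving a more critical zone: only via a unidirectional gateway
        if link.device != "diode":
            return (f"{link.src}->{link.dst}: egress from a higher-graded zone "
                    f"requires a data diode, found '{link.device}'")
        return None
    # Traffic originating in a less critical zone must not enter a higher one
    return f"{link.src}->{link.dst}: ingress into a higher-graded zone is not permitted"

def audit(zones: Dict[str, Zone], links: List[Link]) -> List[str]:
    """Evaluate every proposed boundary crossing; return the list of findings."""
    return [f for f in (check_link(zones, l) for l in links) if f]

SAMPLE_ZONES = {  # constructed sample architecture, not from the standard or any plant
    "safety": Zone({"reactor-protection": "Safety Class 1"}),
    "control": Zone({"feedwater-ctrl": "Safety Class 2", "historian": "Non-Safety"}),
    "business": Zone({"erp": "Non-Safety"}),
}
SAMPLE_LINKS = [
    Link("safety", "control", "diode"),       # OK: one-way out through a diode
    Link("control", "business", "firewall"),  # finding: firewall is bidirectional
    Link("business", "control", "firewall"),  # finding: ingress into higher grade
]
```

Running `audit(SAMPLE_ZONES, SAMPLE_LINKS)` reports the two offending links; a review of a real plant's zone model would also need to treat removable media and maintenance connections as boundary crossings, as the warning above notes.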

Engineering Design Insights

Implementing IEC 62645 effectively requires careful integration with existing nuclear I&C design practices. Engineers should consider the following practical recommendations:

  • Integrate security requirements early in the I&C system design phase, not as an afterthought
  • Use security-by-design principles to minimize the attack surface of digital systems
  • Establish clear interfaces between safety and security functions to prevent unintended interactions
  • Implement robust patch management procedures that account for nuclear operational constraints
  • Conduct regular security assessments and penetration testing within operational limitations
  • Maintain detailed security documentation as part of the plant’s quality assurance programme

Frequently Asked Questions

Q1: How does IEC 62645 differ from general IT security standards like ISO 27001?

While IEC 62645 is aligned with ISO/IEC 27001 and 27002, it adds nuclear-specific requirements: the graded approach based on safety classification, the principle that safety takes precedence over security, defence-in-depth adapted for nuclear architectures, and provisions for the operational constraints peculiar to nuclear facilities, such as long system lifetimes and regulatory oversight.

Q2: What is the relationship between IEC 62645 and IEC 61513 (nuclear I&C safety)?

IEC 62645 and IEC 61513 are complementary standards. IEC 61513 addresses the safety requirements for nuclear I&C systems, while IEC 62645 addresses the cybersecurity requirements. Both standards must be applied together to ensure that nuclear I&C systems are both safe and secure. The security programme must not compromise safety functions.

Q3: How often should a nuclear I&C security programme be reviewed?

IEC 62645 requires periodic review of the security programme, with the frequency determined by the graded approach. Safety Class 1 systems typically require more frequent reviews. Additionally, reviews should be triggered by significant events such as security incidents, major system changes, or the emergence of new threat intelligence.

Q4: Can IEC 62645 be applied to existing nuclear power plants?

Yes, IEC 62645 is designed to be applicable to both new and existing nuclear power plants. For existing plants, the standard recommends a phased implementation approach, starting with risk assessment to identify the most critical systems and vulnerabilities, followed by prioritized implementation of security controls based on the graded approach.

© 2026 TNLab. All rights reserved.
