Cyber Security Assessment Topics for Cyber Security Provisions of Vendor Designs and Regulatory Expectation during Design Phases of Cyber Essential Assets

Abstract of the technical paper for the:
IAEA International Conference on Computer Security in the Nuclear World: Securing the Future
May 11 - 15, 2026, Vienna, Austria

Prepared by:
Chul Hwan Jung, Yubo Lei, Eman Ibrahim, John Sladek and Justin Sigetich
Canadian Nuclear Safety Commission

Abstract

CNSC staff have carried out several vendor design reviews (VDRs) for Nuclear Power Plants (NPPs) and Small Modular Reactors (SMRs) at the vendor’s request. The primary purpose of a VDR is to provide feedback to the vendor about how they are addressing Canadian regulatory requirements and CNSC expectations in their design and design activities. This review provides for the early identification and resolution of potential regulatory or technical issues during the design process, particularly those that could result in significant changes to the reactor’s design.

Cyber security risk management is relevant in all phases of a nuclear facility and of system life cycles in that it informs the development, implementation, and maintenance of cyber security measures. CNSC’s regulatory requirements for cyber security (CNSC regulatory document REGDOC-2.5.2, Design of reactor facilities, and the CSA Group standard N290.7, Cyber security for nuclear facilities) specify that systems and components that perform or impact nuclear safety, nuclear security, emergency preparedness, and safeguards functions are to be protected from cyber attacks.

As part of a VDR, CNSC staff review the proposed provisions for cyber security of a vendor’s design. For the review, CNSC staff developed cyber security review topics from the CNSC’s regulatory requirements. These review topics are listed in a CNSC work instruction for a VDR. Therefore, CNSC staff have used the review topics to determine how each vendor’s design intent meets applicable CNSC regulatory requirements and guidance.

Along with the cyber security assessment topics for a VDR, CNSC staff have cyber security requirements and guidance within our regulatory framework for managing potential security vulnerabilities which should be considered during the design phases of cyber essential assets.

This paper provides an overview of the cyber security assessment topics for cyber security provisions of nuclear reactor vendor designs and the details of cyber security regulatory expectations for the design phases of cyber essential assets.

To obtain a copy of the abstract’s document, please contact us at info@cnsc-ccsn.gc.ca, or call 613-995-5894 or 1-800-668-5284 (in Canada). When contacting us, please provide the title and date of the abstract.