Safety Software Assurance Compliance verification and Risk Evaluation (S-SACRE)

Award Information
Agency: Department of Energy
Branch: N/A
Contract: DE-SC0015999
Agency Tracking Number: 224154
Amount: $149,798.00
Phase: Phase I
Program: STTR
Solicitation Topic Code: 30
Solicitation Number: DE-FOA-0001417
Solicitation Year: 2016
Award Year: 2016
Award Start Date (Proposal Award Date): 2016-06-13
Award End Date (Contract End Date): 2017-03-12
Small Business Information
4031 University Boulevard Suite 100
Fairfax, VA 22030-3400
United States
DUNS: 078669612
HUBZone Owned: No
Woman Owned: Yes
Socially and Economically Disadvantaged: Yes
Principal Investigator
 Keesha Crosby
 (703) 435-9545
Business Contact
 Keesha Crosby
Title: Ms.
Phone: (704) 435-9545
Research Institution
 University of Nebraska
6001 Dodge Street
Omaha, NE 68128-0210
United States

 (402) 554-2286
 Nonprofit College or University

Most digital systems, being software intensive, are vulnerable to attacks that exploit software weaknesses. According to the International Atomic Energy Agency, “exploiting weaknesses in digital technology could be the most attractive route for those terrorists seeking to attack nuclear facilities without fear of interdiction.” Recent publicized cyber-attacks on critical infrastructure, and possibly many more that are not reported or known, demonstrate a much deeper problem: the vulnerability introduced into our critical infrastructure by its reliance on digital technologies. Future nuclear energy systems will only increase their dependence upon digital technologies that are complex combinations of software, hardware and firmware components. While system-level accreditation and authorization processes are enforced by the US Nuclear Regulatory Commission, they do not expose latent weaknesses in the composed software components or the impact of those weaknesses on system-level security controls. The project will extend the methods to generate a mapping between security controls and software weaknesses for digital computer and communications systems and networks used in safety-related and important-to-safety functions, security functions, emergency preparedness functions, including offsite communications, and support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. The mappings will utilize control definitions in the National Institute of Standards and Technology Special Publication 800-53, which form the foundation for the US Nuclear Regulatory Commission's regulatory guidance on materials and plant protection as well as on a secure development and operational environment for digital safety systems. In Phase 1, the mappings and related prioritization mechanisms will be made available in a proof-of-concept prototype.
Pilot studies will be conducted in a full-scale nuclear facility testbed to further tailor the proof-of-concept to the specific accreditation and authorization processes required by the Nuclear Regulatory Commission. Requirements to scale the proof-of-concept to technology-readiness-level-8 functionality will be identified for continued development in Phase II. The new technology will be integrated into regulatory assessment and accreditation processes as well as procurement processes in the software supply chain. The approach and resulting toolsets will provide a framework for rigorous assessment of the digital software components of nuclear facilities using existing regulatory guidance.

Key Words: Software Assurance for Safety and Security Functions; Cyber security; Nuclear Regulatory Guidance; Software Weaknesses and Vulnerabilities; Security Controls; Secure development and operational environment for digital safety systems

* Information listed above is at the time of submission. *