Project Details


Blind Spots: Cyber Risk in Critical Digital Assets

Company: Idaho National Laboratory

Major(s):
Primary: CMPEN
Secondary: CMPSC
Optional: IE

Non-Disclosure Agreement: YES

Intellectual Property: YES

The proposed capstone project provides students with a hands-on, risk-informed introduction to nuclear cybersecurity through the assessment of a Physical Protection System (PPS) camera deployed within a nuclear facility environment. Students will work with a commercially available, network-connected camera system along with predefined nuclear facility placement scenarios describing where the device would be installed, the function it supports, and how it integrates with PPS operations. Following the structure of the 10 CFR 73.54 “cyber rule,” students will determine whether the device qualifies as a Critical Digital Asset (CDA), characterize its technical attributes, identify cyber vulnerabilities, and design compensating cybersecurity controls under realistic operational constraints.

Students will assume the role of a nuclear cybersecurity assessment team tasked with protecting an unpatched PPS camera whose compromise could degrade or blind security monitoring during an alarm condition. Patching is explicitly disallowed to reflect real-world constraints associated with safety, operational continuity, and system interdependencies in nuclear facilities. The project emphasizes risk-informed decision-making, adversary analysis, and development of protect and detect strategies that are practical, defensible, and aligned with nuclear regulatory expectations.

Project Tasks

1. CDA Determination (10 CFR 73.54)
Students will evaluate whether the assigned camera constitutes a CDA based on its function, location, and potential impact on safety, security, or emergency preparedness.

2. Asset Characterization
Students will identify and document required information about the camera, including hardware, firmware, software, interfaces, data flows, communication paths, and operational dependencies.

3. Empirical Data Collection
Students will collect relevant technical and operational data directly from the camera systems through observation, configuration review, and non-intrusive inspection.

4. Vulnerability Research & CVE Analysis
Students will identify applicable Common Vulnerabilities and Exposures (CVEs) associated with the camera hardware, firmware, or supporting components.

5. Attack Pathway Modeling
Students will analyze how an adversary could compromise the camera using each of the five attack pathways—wired, wireless, portable media and mobile device (PMMD), supply chain, and direct access (insider). The team will develop adversary scenarios demonstrating how identified vulnerabilities could be exploited to compromise or blind the camera during an alarm.

6. Consequence Analysis
Students perform a risk-informed consequence assessment, evaluating the impact of video loss or manipulation on PPS functions and the operational and regulatory significance of degraded alarm verification.

7. MITRE ATT&CK Mapping
Students will map attack scenarios to the MITRE ATT&CK framework to identify relevant tactics and techniques used in the scenarios created.

8. Control Identification (NIST Control Families)
Using their attack scenario and MITRE mapping, students identify and justify a suite of compensating controls from the NIST control families that could mitigate the modeled attacks in the absence of patching. Students must identify which controls would break each stage of the modeled attack chain, particularly across the five RG 5.71 pathways.

9. Protect and Detect Strategy Development
Students design a set of administrative, physical, and technical controls to protect the unpatched system and define detection mechanisms to identify compromise or configuration changes if protections fail.

Deliverables

Consistent with Learning Factory-style capstone norms, student teams will produce the following deliverables:

1) Demonstration
A live or recorded demonstration illustrating the camera attack and the proposed protective and detection measures to defeat that attack.

2) Poster Presentation
A technical poster summarizing the problem statement, methodology, attack analysis, control strategy, and key findings.

3) Project Repository
A version-controlled repository containing:
• System artifacts and configuration files used
• Assessment documentation and reports used
• ATT&CK Mapping (jpg or json)
• Control suite for protection and detection along with justification
• Any scripts, tools, or supporting materials developed during the project

All deliverables should emphasize clarity, traceability, and documentation appropriate for nuclear cybersecurity environments.


About

The Learning Factory is the maker space for Penn State’s College of Engineering. We support the capstone engineering design course, a variety of other student projects, and provide a university-industry partnership where student design projects benefit real-world clients.

The Learning Factory

The Pennsylvania State University

University Park, PA 16802