Peer-Review Record

Simulating Collaboration in Small Modular Nuclear Reactor Cybersecurity with Agent-Based Models

J. Cybersecur. Priv. 2025, 5(4), 83; https://doi.org/10.3390/jcp5040083
by Michael B. Zamperini * and Diana J. Schwerha
Reviewer 1:
Reviewer 2: Anonymous
Reviewer 4:
Submission received: 11 June 2025 / Revised: 22 August 2025 / Accepted: 30 September 2025 / Published: 3 October 2025
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

Round 1

Reviewer 1 Report (New Reviewer)

The article is well written, has many pertinent references and presents agent-based simulation, showing the effectiveness of cooperation between agents as the main result of the research. Since the Cybersecurity of this type of device is extremely critical, this is one path presented, but other considerations/approaches should be included. On the other hand, due to the clarity of the presentation and the way the problem was proposed, this type of approach can be used in many other research works.

 

Regarding the results as seen in Table 6, the number of SMRs has a non-linear influence and the number of hacked SMRs increases less than the absolute number of SMRs;

Define acronyms at their first appearance, even the most well-known ones, for example, DARPA (Defense ...);

References

1) Check that references 11 and 39 were not cited in the text;

2) Reference 2, one of the names can be revised: “D. E. A.” is correct?

3) Line 68: should the reference be wrong? should it be “Hirdaris”?

4) Siebers et al., line 229, does not appear in the list of references;

5) The article “Macal and North (2014)”, line 246, does not appear in the reference list;

6) The article “Kelton et al. (2015)”, line 272, does not appear in the reference list;

Some minor comments/suggestions:

7) Line 116: would it be better to use “showing” instead of “demonstrating”?

8) Line 553: replace “explained below” with “following explained”;

9) Line 620: replace “sub-bullets points below” with “following sub-bullets points”;

10) There are some spaces that seem excessive, for example: line 473, before “Macal (2018) ...”; line 475, before “In the zombie ...”.

Author Response

Please see the attached letter.  

Author Response File: Author Response.pdf

Reviewer 2 Report (New Reviewer)

This paper addresses cybersecurity challenges for small modular reactors (SMRs) by innovatively proposing a defence mechanism based on agent-based modelling (ABM) to simulate stakeholder collaboration. It is the first to combine ABM with the Common Criteria to analyse the benefits of collaboration, providing new insights into SMR cybersecurity. However, this paper still needs further optimisation.

Comment#1:

The author emphasises filling the gap in ABM simulation nuclear safety collaboration, but does not fully discuss the differences between similar studies and this model. It is recommended that comparisons be added to the “related work” section to clarify the unique value of this model in the SMR scenario.

Comment#2:

The mechanism of action of the “common criteria” (CC) has not been analysed in depth. For example, how does the CC quantify the promotion of collaboration between manufacturers and SMRs (page 9)?

Comment#3:

The paper’s assumption that “SMR vulnerabilities randomly decrease after 10 successful collaborations” (page 13) lacks empirical or theoretical basis and does not explain why this threshold was chosen.

Comment#4:

The experimental results only show that collaboration reduces the attack success rate, but do not discuss the actual deployment costs (such as CC certification fees and collaboration time costs).

Comment#5:

Hacker behavior relies solely on random skill growth and does not reflect the differentiated strategies of different attackers, which weakens the practicality of the model.

Author Response

Please see the attached letter.  

Author Response File: Author Response.pdf

Reviewer 3 Report (New Reviewer)

1. For all surnames mentioned in the article, e.g. Duguay (2020); Ayodeji et al. (2023); Engström and Lagerström (2022), etc., please provide their first names (or the first letter of their first names)
– comments on sections, e.g. 173, 193, 245, 287, 299, etc.

2. Table 2.
The data in the tables are rather outdated. When listing, for example, “nation states”, examples of such states should be given, such as China, because the motivations listed cannot harm other states. I suggest expanding the table and precisely defining the cyber threats by naming and describing them, and also providing specific examples.

3. Table 3.
Indicate the source of the table's data and list more features of the ABM and SMR models (these abbreviations should also be included in the table).

4. Table 4.
The table should be made more precise and the two columns described.

Author Response

Please see the attached letter.  

Author Response File: Author Response.pdf

Reviewer 4 Report (New Reviewer)

This paper explores the potential of agent-based modeling (ABM) in investigating the impact of stakeholder collaboration on the cybersecurity of Small Modular Nuclear Reactors (SMRs). The authors posit that as SMRs are increasingly adopted for clean energy, their unique cyber-physical characteristics and deployment models present novel security risks. The study reviews the current landscape of nuclear cybersecurity standards, introduces ABM as a promising simulation approach for assessing collaboration effects, and implements an ABM simulation (in NetLogo) to demonstrate the potential benefits of collaboration between SMR operators and control system vendors. The simulation results demonstrate that collaboration, as modeled through the Common Criteria, leads to a reduction in the average proportion of SMRs in a hacked state. This finding supports the assertion that collaborative efforts can enhance the cybersecurity of SMRs.

The title is both accurate and precise in its reflection of the article's central theme. The text communicates two things: first, the subject matter, which is collaboration in SMR cybersecurity; and second, the methodological approach, which is agent-based models. Readers are thus able to understand the scope at a glance.

The introduction provides a comprehensive and concise overview of the cybersecurity challenges in the nuclear energy sector, the emergence of SMRs, and the imperative for robust cybersecurity practices in light of recent industry trends and threats. The research is situated within the broader context of existing gaps, particularly the paucity of simulation-based studies on SMR cybersecurity collaboration. The extant literature on the subject is both current and relevant, providing a compelling motivation for the study.

The research design, which utilizes NetLogo to implement an agent-based simulation of SMR, hacker, and vendor agents, is well justified given the study's emphasis on human and organizational behaviors. The methodology is described in great detail, including model parameters, initialization, agent types, and the logic behind interactions. The fundamental assumptions and the role of stochasticity are explicitly articulated, and the ODD (Overview, Design concepts, Details) protocol is correctly referenced to ensure model transparency and reproducibility. In sum, the methods employed are deemed suitable and adequately detailed to facilitate replication.

The results are presented in tabular and graphical form, with supporting statistical analyses (means, confidence intervals, t-tests) that substantiate the findings. The primary outcome, which showcases the quantifiable advantages of collaboration, is well-supported by empirical evidence and has attained statistical significance across various scenarios. The conclusions of this study are logically derived from the data and are appropriately contextualized within the existing literature, especially the limitations and opportunities for agent-based modeling in this domain. The authors openly discuss the limitations of the study and suggest directions for future research.

The references are meticulously curated to ensure comprehensiveness and currency, encompassing foundational works such as NRC guidelines, ABM methodologies, and security-by-design concepts, as well as recent studies on SMR risks, cyberattack simulation, and collaboration strategies. All sources are pertinent to the research questions and underpin the arguments and methodology used.

The article presents a novel perspective on the value of collaboration, operationalized through the Common Criteria, in the context of cybersecurity for SMRs. The employment of agent-based simulation to model these interactions in a nuclear context represents an original contribution to the field. This work significantly broadens the existing body of literature on SMR cybersecurity and the practical implementation of ABM in complex stakeholder systems. It offers tools and insights that can be readily applied to a broader range of cybersecurity modeling initiatives.

The manuscript is written in clear, professional English. The style aligns with the standards of a scientific journal, with technical terminology utilized in a consistent manner and accurately. On occasion, the length of certain sentences could be reduced to enhance conciseness. However, the overall clarity and fluidity of the text are commendable.

The work is methodologically sound, clearly justified, and offers an original contribution to the field.
Here are some clear improvements to consider.

  • Condense sections to improve readability, especially in the methods.
  • Add a short summary table or visualization near the conclusion. This table or visualization must highlight key simulation findings and practical implications.
  • Expand on how insights from this model can be generalized to other critical infrastructure contexts.

Author Response

Please see the attached letter.  

Author Response File: Author Response.pdf

This manuscript is a resubmission of an earlier submission. The following is a list of the peer review reports and author responses from that submission.


Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The submitted manuscript proposes the utilization of computer simulation methods, specifically agent-based modeling (ABM), to enhance the cybersecurity of Small Modular Nuclear Reactors (SMRs) and its associated entities, such as vendors, producers, and infrastructure.

The manuscript is well-crafted, with no apparent issues in English grammar or spelling. However, constructive criticisms are provided below to further elevate the quality of the article.

Minor Issue: Figure 1 is included in the manuscript without prior mention or contextualization in the text.

Major Issues:

1. The introduction of the article lacks a clear delineation of its objectives.

2. The principal contributions of the article to the field are not explicitly articulated.

3. During the literature review, the examination of various computational simulation techniques exclusively focuses on ABM and DES. It is suggested to explore other potential techniques for cybersecurity, such as Monte Carlo simulation, Stochastic Network Modeling, or hybrid systems. Could a combination of continuous and discrete elements effectively capture the complexity of such a system for security assessment?

4. The final results of the article are presented as recommendations that lack clarity.

5. In the abstract, the authors declare their intent to propose ABM methods for evaluating enhanced collaboration among cyber defenders, power plants, and cybersecurity vendors. However, these methods are not distinctly delineated or identified in the ensuing recommendations.

6. It is suggested to append an explanation of the article's organizational structure at the end of the introduction. This affords the reader an overview of what to anticipate. In my perspective, perusing the document left me anticipating the authors' results, and ultimately, the article seems to predominantly resemble a state-of-the-art review.

Reviewer 2 Report

Comments and Suggestions for Authors

The topic addressed in this paper is timely. However, this paper is still a work-in-progress as it is conceptual and there is no concrete application of Agent-based Modeling. Furthermore, there are different weaknesses: 

Research Question(s) that this study intends to address is not explicitly clear.

Motivation for this study is lacking in the Introduction, like: Why is there a need for cyber-defender collaboration?

How is SMR different from traditional NPPs? What are implications of such differences in terms of cyber security?

"With this growing interest in SMRs, their cybersecurity must be at the forefront of strategic planning." Why cybersecurity must be at the forefront?

Application/Demonstration/Evaluation of ABM is lacking.

Limitations of this study and Future Work Directions are lacking.

Some Minor Feedback:

Structure of the paper is missing in the Introduction.

Figure 1 caption can be rephrased. Whether permission has been obtained to use this Figure from Fares (2016)?

Comments on the Quality of English Language

Proof-reading needs to be done.

Reviewer 3 Report

Comments and Suggestions for Authors

Cyber-security of SMRs is of great interest and this research proposes computer simulation methods for assessing and enhancing Small Modular Nuclear Reactors (SMRs) cybersecurity. The public's lack of confidence in the security of SMRs will prevent them from being widely adopted, despite the technology's promise to help create a clean and sustainable energy system. SMRs are new technologies with many cyber-physical systems, remote operations, and cyberlinks to other industrial issues that could make them more susceptible to cyberattacks. Some comments are as follows:

The title of the paper needs to reflect that this research is a review article of the techniques with a focus on SMR cyber-security.

The authors must highlight the main contributions of this work.

In this work, SMRs are mentioned as a potential resource for clean energy that leads to modern power systems offering the integration of renewable energy resources. It would be beneficial if the introduction part can be expanded to include related works such as:

https://link.springer.com/chapter/10.1007/978-3-031-20360-2_2

https://www.mdpi.com/1424-8220/21/18/6225

It would be interesting to see a classification of cyber-attacks targeting SMRs based on the MITRE matrix (https://attack.mitre.org/).

The abstract mentioned the proposed method to optimize the cyber-security of SMR. The draft is missing any case studies and the results obtained from the proposed methods.

Comments on the Quality of English Language

Minor editing of English language required

Reviewer 4 Report

Comments and Suggestions for Authors

This manuscript discusses the concept of computer simulation of potential attacks on a Small Modular Nuclear Reactor. The method used is using Agent-Based Models. Review:

We capture the content conveyed by the author as conceptual ideas. This manuscript does not contain the process of implementing and validating the conceptual idea. This manuscript also lacks illustrations to clarify the position of the problem being discussed, as well as the solutions and concepts proposed as the solutions. The conclusion section does not need to include citations but directly conveys the conclusion of the research results. In general, improvements are needed so that the manuscript can be more accessible to understand and more prosperous in information about the ideas conveyed by the author. The author should discuss the implementation process that can be applied so that this conceptual idea can be followed up by parties relevant to the Small Modular Nuclear Reactor issue.
