Cyber Security in a Nuclear Context

Transcription

1 Cyber Security in a Nuclear Context Mitchell Hewes & Nick Howarth UNCLASSIFIED

2 Who are we?

3 Our Facilities Synchrotron Accelerators Cyclotron OPAL

4 Lucas Heights Campus

5 Some Considerations

6 We have an interesting regulatory framework UNCLASSIFIED

7 especially the pharmaceuticals

8 Control Systems & Computer Security

9 So what is Security? risk = likelihood x impact Mathematically security controls address risks by minimising the likelihood or impact. How we see a risk is weighted by our perception of the threat and our own historical experiences. Schneier, B.: The Psychology of Security (2008)

10 Computer Security Application of security controls to a set of very complex programmable electronic devices. Digital Assets encompassing the hardware, software, and information. Photo by yellowcloud (flickr) / CC BY

11 Makeup of a Control System Field Devices Field Controllers SCADA, HMI

12 Cyber Attacks Shamoon Stuxnet Siberian pipeline sabotage 1982, way before stuxnet

13 Protect the Process Confidentiality: Unauthorised logic changes must be prevented. Integrity: Field Device Outputs/Inputs must remain immutable throughout their usable lifetime. Availability: Everything should remain in an operable state.

14 How? Personnel Security Physical Security Controls Perimeter is not enough. Network Segregation It Works! (if you do it properly) Ensure Authenticity (users, communications) Change Control Vendor & Supply Chain Security (vendors, and their products)

15 Air Gap Physical isolation of a network from unsecured networks. Provable unidirectional communication data diode. Reduces the attack surface. Is it really possible to isolate a control system? Software patches. Engineering and maintenance updates. Each transfer/modification comes with a risk Policy around transfers. Technical security controls to identify, isolate, and monitor what is allowed.

16 Computer Security at Nuclear Facilities

17 Priorities Plant Equipment fits into one of three categories. 1. Essential for Nuclear Safety. 2. Significant additional contribution to Nuclear Safety. 3. All other plant systems. Nuclear safety and nuclear security have a common purpose the protection of people, society and the environment. INTERNATIONAL NUCLEAR SAFETY GROUP, The Interface Between Safety and Security at Nuclear Power Plants, INSAG-24, IAEA, Vienna (2010).

18 Design Problems Risks to a safety or safety related system could have significant impact on the levels of defense in depth for the facility. Lifecycle of a typical Nuclear Facility is considerable. Reactor design to decommission can be years. A waste storage facility -??? We are the custodians of these facilities and this material for our generation.

19 Technical Guidance Produced by the IAEA in consultation with states, regulators, and facility operators. NSS 17 Computer Security at Nuclear Facilities NST047 Computer Security Techniques for Nuclear Facilities NST036 Computer Security for I&C systems at Nuclear Facilities Openly available and offer advice that is relevant for even nonnuclear facilities.

20 A Graded Approach Many systems in a Nuclear Facility Protection System Physical Access Control System Reactor Control System All separate systems Consider and characterize risks to each individually Segregate and apply security controls to reduce risk

21 Don t bolt it on UNCLASSIFIED

22 UNCLASSIFIED

23 Cyber Security at the OPAL Research Reactor UNCLASSIFIED

24 A brief Introduction to OPAL

25 A brief introduction to OPAL Open Pool Australian Light Water Reactor 20MW Thermal Utilisation: Radiopharmaceutical Production Silicon Doping (NTD) Neutron Beams (Bragg Institute) Other Irradiations UNCLASSIFIED

26 A brief introduction to OPAL 1997 Replacement Research Reactor Project (RRRP) first funded 2000 Contract signed with INVAP 2001 License to construct issued 2006 Operating license issued 12 August 2006 First Criticality April 2007 Official Opening UNCLASSIFIED

27 UNCLASSIFIED

28 UNCLASSIFIED

29 UNCLASSIFIED

30 UNCLASSIFIED

31 UNCLASSIFIED

32 Systems

33 Protection Systems First Reactor Protection System Second Reactor Protection System UNCLASSIFIED

34 Control Systems Reactor Control and Monitoring System Other PLCs UNCLASSIFIED

35 Cyber Security

36 A Disclaimer This is what we do at OPAL This may or may not be suitable for your own facilities and organisations UNCLASSIFIED

37 Organisational Dedicated IT people for the plant Not corporate IT Not I&C Engineers UNCLASSIFIED

38 Physical Protected site Protected building Secure rooms and cabinets Monitoring UNCLASSIFIED

39 Physical No wireless No exceptions UNCLASSIFIED

40 Physical Keep contractor s IT assets away Maintain a dedicated computer for each contractor They ll complain, but they ll comply Keep corporate IT assets away Dedicated engineering workstations and laptops UNCLASSIFIED

41 Physical Don t leave boxes lying around Stand alone systems rot Consolidate and virtualise whatever you can Vendors wont always appreciate it UNCLASSIFIED

42 Physical Keep your plant offline, use data diodes if you really must have real time access to data Physical media controls Physically block USB and other media, remove external media drives UNCLASSIFIED

43 Logical Use data diodes to control what data is coming to/from the plant Physical media control software, for instances where you really must have physical media UNCLASSIFIED

44 Logical Conventional cyber security controls UNCLASSIFIED

45 How did we get there?

46 How did we get there? Australian Government Information Security Manual (ISM), from the Australian Signals Directorate UNCLASSIFIED

47 The ISM in Context UNCLASSIFIED

48 From high level controls UNCLASSIFIED

49 to low level controls UNCLASSIFIED

50 Process Security Policy High level 1 pager Security Risk Management Plan What are the risks, and how bad are they? What controls will mitigate those risks, and how good are they? System Security Plan How are we implementing those controls? SOPs and other lower level Docs e.g. training material, checklists, forms UNCLASSIFIED

51 SRMP You already do HAZOPs and CHAZOPs, now do the same for IT security Generic SCADA Risk Management Framework For Australian Critical Infrastructure Developed by the IT Security Expert Advisory Group (ITSEAG) (Revised March 2012) UNCLASSIFIED

52 But that s too much!

53 The Top 35 Strategies to Mitigate Targeted Cyber Intrusions If you don t want the whole ISM, do the Top 35 UNCLASSIFIED

54 UNCLASSIFIED

55 The Top 4 1. Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including.dll files, scripts and installers. 2. Patch applications e.g. Java, PDF viewer, Flash, web browsers and Microsoft Office. Patch/mitigate systems with "extreme risk" vulnerabilities within two days. Use the latest version of applications. 3. Patch operating system vulnerabilities. Patch/mitigate systems with "extreme risk" vulnerabilities within two days. Use the latest suitable operating system version. Avoid Microsoft Windows XP. 4. Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for and web browsing. UNCLASSIFIED

56 Questions