Computer Security as a Component of Nuclear Security: Observations and Lessons Learned

Transcription

1 Computer Security as a Component of Nuclear Security: Observations and Lessons Learned Donald D. Dudenhoeffer International Atomic Energy Agency 11 May 2016

2 Computer Security in the Nuclear World Computers play an essential role in all aspects of the management and safe and secure operation of nuclear facilities, including maintaining physical protection. It is vitally important that all such systems are properly secured against malicious intrusions. Staff responsible for nuclear security should know how to repel cyberattacks and to limit the damage if systems are actually penetrated. The is doing what it can to help governments, organizations, and individuals adapt to evolving technology-driven threats from skilled cyber adversaries. I am confident that, by working together and sharing experience, all of us can help to ensure computer security in the nuclear world. Remarks at International Conference on Computer Security in a Nuclear World, Vienna Austria, 1 June by Director General Yukiya Amano 2

3 Observation on CS in Nuclear Security Discuss 4 observations on computer security from developing programme guidance and from working with Member States 3

4 The Threat Adversary Bad Guy Observation 1: Most people have a hard time understanding the threat and thinking like the adversary. Trusted Employee? Lone wolf? Who is the Adversary? Dedicated group? 4

5 Observation 1: Knowing thy Enemy 5

6 Threat Profiles and Classification External and Internal threats Recreational Hackers Motivation Hacktivist Disgruntled Individuals Terrorist Criminal Groups Nation States Social Activist Rogue Warriors Employees Contractors Third Parties Capability Intention Targets (People and Things) Tactics 6

7 Nuclear Facilities (publically known attacks) Multiple computer security incidents have impacted nuclear facilities Monju NPP (Japan) Compromise of control room computer and release of information (2014) Korea Hydro and Nuclear Power (KHNP) Computer compromise and release of NPP documents (2014) Gundremmingen NPP (Germany) Computer virus found on plant IT systems and media. (2016) 7

8 Competent Authorities beware. Facilities are not just the only targets of attack! 2012 Compromise of an old server resulted in the release of addresses and other information USNRC Victim of multiple attacks that compromised s and accounts. OPM Victim of persistent attacks information related to security clearances including the theft of over 4 million fingerprint files. 8

9 Fear Observation 2: Fears are not always aligned with the risk. What do you fear in a cyber attack? versus What should you fear? 9

10 Fear versus Risk Question asked during a Feb 2016 meeting on Cyber Threat: Which of these animals do you fear the most? A.) Sharks B.) Bees C.) Spiders D.) Dogs E.) Snakes 10

11 The animals that are most likely to kill you Average annual animal-caused fatalities in the US Bees, Wasp, and Hornets Other Mammals Dogs Cows Non-Venomous Arthropods Spiders Venomous Snakes and Lizards Bears Alligators Sharks

12 Survey What are your Cyber Fears? Ref: 2015 Cyberthreat Defense Report: North America & Europe CyberEdge Group 12

13 Complexity Observation 3: Challenge of Understandability Fog of Complexity - Digital I&C Architectures - The Threat - Attack Impact 13

14 Physical World Well defined Service history In service Designer 1949 present Mikhail Kalashnikov Designed Manufacturer Number built Specifications Weight Length Barrel length Izhmash approximately 75 million AK million AK-type rifles [ 4.78 kg (10.5 lb) with a loaded magazine AKM weight with unloaded magazine 3.1 Kg. 880 mm (35 in) fixed wooden stock 875 mm (34.4 in) folding stock extended 645 mm (25.4 in) stock folded 415 mm (16.3 in) Cartridge mm M43/M67 [ Action Gas-operated, rotating bolt Rate of fire Cyclic rate of fire is 600 rounds/min [ Muzzle velocity 715 m/s (2,350 ft/s) [ Effective range Feed system Sights Semi-auto rate of fire is 40 rounds/min [ Full-auto burst rate of fire is 100 rounds/min [ 350 metres (380 yd) Standard magazine capacity is 30 rounds. There are also 10, 20, 40, 75, or 100-round detachable box and drum style magazines. Adjustable iron sights with a 378 mm (14.9 in) sight radius: AK-47 has meter adjustments 14 AKM has meter adjustments

15 Impacts well understood mm Specifications Case type Bullet diameter Neck diameter Shoulder diameter Base diameter Rim diameter Rim thickness Case length Overall length Rimless, bottleneck 7.92 mm (0.312 in) 8.60 mm (0.339 in) mm (0.396 in) mm (0.447 in) mm (0.447 in) 1.50 mm (0.059 in) mm (1.524 in) mm (2.205 in) Case capacity 2.31 cm 3 ( gr H 2 O) Rifling twist Primer type Maximum pressure Filling Filling weight Ballistic performance 240 mm (1 in 9.45 in) Boxer Large Rifle MPa (51,488 psi) SSNF 50 powder gr Bullet weight/type Velocity Energy 123 gr (8 g) Full metal jacket m/s (2,400 ft/s) 2,073.6 J (1,529.4 ft lbf) 154 gr (10 g) Spitzer SP m/s (2,104 ft/s) 2,056.3 J (1,516.6 ft lbf) gr (8 g) Full metal jacket m/s (2,640 ft/s) 2,460 J (1,810 ft lbf) 123 gr (8 g) Full metal jacket 738 m/s (2,420 ft/s) 2,179 J (1,607 ft lbf) Test barrel length: 415 mm Source(s): Wolf Ammo [1] Omar [2] Sellier & Bellot [3] 15

16 The Cyber Threat How does one characterize the threat? We can talk about Operational Characteristics of computers Processor Intel Core i7-2640m Dual Core (2.80GHz,4M cache,) Operating System Windows 7 Professional, No Media, 64-bit Display 17.3" UltraSharp FHD(1920x1080) Wide View Anti-Glare LED-backlit Memory 4GB3 DDR3 SDRAM at 1333MHz Hard Drive 750GB 7200rpm Hard Drive Video Card AMD FirePro M8900 Mobility Pro Graphics with 2GB GDDR5 Optical Drive 8X DVD+/-RW System Weight 7.77 lbs 16

17 The Cyber Threat How does one characterize the threat? But how does one characterize the range of attack vectors targets and methods, impacts? 17

18 Culture Observation 4: Culture is key. Security is a people issue, not just a technical issue Without good training, technology cannot be effective Attacks against organizational staff including directed attacks are a common tactic by adversaries Over half of all computer security compromise results from or are complicated by human error People can be the strongest asset or your weakest link in security 18

19 Infection Vectors ICS-CERT responded to 295 reported incidents involving critical infrastructure (CI) in the US. (Oct Sept 2015). Unknown insufficient forensic data available to identify the initial intrusion vector. Ref: ICS-CERT Monitor, Nov/Dec

20 Placing a Man on the Moon President John F. Kennedy was visiting NASA headquarters for the first time, in While touring the facility, he introduced himself to a janitor who was mopping the floor and asked him what he did at NASA. The janitor replied, I m helping put a man on the moon! Obviously, the janitor understood the importance of his contribution. He truly felt he was a valuable part of something bigger than himself, and his attitude created a feeling of self-confidence in his mission. He wasn t merely a janitor; he was a member of the 1962 NASA Space Team! How to we empower and motivate each employee to be part of the Security Team. Ref: 20

21 Trends for 2015 and Beyond Increase in the number of adversaries (state and cyber criminals) with cyber capability. Cybercrime-as-a-service is likely to increase reducing the barriers for entry for cybercriminals. Sophistication of the current cyber adversaries will increase, making detection and response more difficult. Spear phishing will continue to be popular with adversaries, and the use of watering-hole techniques will increase. Ransomware will continue to be prominent. Increase in the number of cyber adversaries with a destructive capability and, possibly, the number of incidents with a destructive element. Increase in electronic graffiti, such as web defacements and social media hijacking, which is designed to grab a headline. Ref: Australian Cyber Security Centre 2015 Threat Report 21

22 Survey Inhibitors to Effective CS Ref: 2015 Cyberthreat Defense Report: North America & Europe CyberEdge Group 22

23 NSNS Computer Security Programme Plan Directs Informs Implements Member States NSGC INSSPS Expert Meetings 23

24 NSNS Computer Security Programme Plan 2016 Priority Action Items NSS guidance development Coordinated research in computer security incident response Development of hands-on training curriculums to support specialized computer security training for the protection ICS Investigation of an information sharing for computer security incident information, security notices on system vulnerabilities and threats relevant for nuclear security. Expert meetings to support global information exchange and training. 24

25 2016 Priority Action Items 1. Revision and development of NSS guidance. 2. Coordinated Research Project to technologies and processes that support computer security incident response at nuclear facilities. 3. Investigation of information sharing for sharing computer security incident and notices relevant for nuclear security. 4. Expert meetings to support global information exchange. 5. Development of hands-on training to support specialized computer security training for the protection of systems used for nuclear safety, nuclear security, NMAC. 25

26 2016 Security Conference Planned Technical Sessions: National legislative and regulatory framework for nuclear security; Regulatory oversight for nuclear security; Threat and risk assessment; Information security and computer security; Physical protection of nuclear material and nuclear facilities. Submission of Synopsis by 13 May 2016 Grant Applications by 13 May 2016 Notification of authors July 2016 Submission of full papers October 2016 Full Programme available November 2016 Ministerial Segment 5 December 2016 Conference 5-9 December 2016 Conference website: Nuclear-Security-Commitments-and-Actions 26

27 Conclusions Greater awareness and understanding of computer security is needed at all levels Cyber adversaries continue to advance at a rapid pace Attack methods may be sophisticated, but also they often take advantage of human failure Competent Authorities, Facilities, and Third Parties are all targets of attack Security, including computer security, is a processes that must continue to evolve and improve 27

28 Questions Donald D. Dudenhoeffer Nuclear Security Information Officer International Atomic Energy Agency Vienna International Centre A-1400 Wien Austria Tel: +43 (1) Fax: +43 (1)

29 Computer Security in the Nuclear Security Series Fundamentals: NSS No Objective and Essential Elements of a State s Nuclear Security Regime Recommendations: NSS No Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5) NSS No Radioactive Material and Associated Facilities NSS No Nuclear and Other Radioactive Material out of Regulatory Control Implementing Guides: NSS No. 10 Development, Use and Maintenance of the Design Basis Threat (Update pending) NSS No. 23-G Security of Nuclear Information NST045 Computer Security for Nuclear Security Non-serial publications: NST037 Conducting Computer Security Assessments NST038Computer Security Incident Response Planning Technical Guidance: NSS No. 17 Computer Security for Nuclear Facilities NST036 Computer Security of Nuclear I&C Systems NST047 Computer Security Methods for Nuclear Facilities 29