Spreading the Word on Nuclear Cyber Security

Size: px
Start display at page:

Download "Spreading the Word on Nuclear Cyber Security"

Transcription

1 Spreading the Word on Nuclear Cyber Security Clifford Glantz, Guy Landine, Philip Craig, and Robert Bass Pacific Northwest National Laboratory (PNNL) PO Box 999; 902 Battelle Blvd Richland, WA USA 1

2 Pacific Northwest National Laboratory (PNNL) Pacific Northwest National Laboratory is one of the U.S. Department of Energy's (DOE's) ten national laboratories. 4,300 staff members Performs research for DOE, other agencies (national and international), and industry. 2

3 Why cyber security? To have an effective nuclear security program, we need to integrate both physical security and cyber security. We need to be mindful of: Physical security threats Cyber security threats Combined physical and cyber threats In the past, when all systems were analog, you could focus just on physical security. The transition to digital systems is ongoing. Facilities and security organizations have been slow to adapt to the change in security risks associated with this transition. 3

4 PNNL Support for Nuclear Cyber Security Our efforts picked up steam in PNNL Support for the U.S. NRC Conduct pilot cyber security inspections at nuclear power plants ( , 2009, and 2012) Provide technical guidance for the development of the NRC s cyber security Rule and Reg Guide ( ) Review licensees nuclear cyber security plans ( ) Develop and provide cyber security assessment guidance and training for NRC inspectors ( ). 4

5 PNNL Support for Nuclear Cyber Security (cont) 5 PNNL Support for the DOE Office of Nuclear Safeguards & Security and the IAEA Provide technical support for IAEA cyber security guidance documents ( ) Develop and present cyber security assessment guidance and training workshops ( ). Develop elearning training courses ( ) PNNL Support for UNICRI Develop and provide information security guidance documents for chemical, biological, radiological, and nuclear facilities ( ). Develop and present information security regional workshops (2014)

6 6 PNNL Nuclear Cyber Security Team

7 Initial Observations During our pilot assessments a number of program managers at nuclear plants stated that cyber security risk was low or under control because: Many safety systems are analog An adverse consequence cannot occur because plant operators/staff would take timely mitigation actions Many systems are standalone and therefore protected from cyber attacks Even if an attacker gained access, systems are too sophisticated or obscure for any outsider to understand how to manipulate them. 7

8 Initial Actions Our assessment pointed out the fallacy of some of these arguments: Analog systems are being replaced by digital systems. Plant operators/staff can be misled or confused by feeding them spurious data. Systems are standalone systems can be impacted by inadvertent and/or malicious actions (e.g., Stuxnet) The operations of sophisticated or obscure systems can be deciphered by a dedicated attacker. Based on what we learned during NRC pilot assessments, we developed NUREG/CR-6847 a riskbased cyber security self assessment method for nuclear power plants Our recommendations were voluntarily incorporated by all US nuclear plants and codified in NEI

9 Risk Based Approach The industry-adopted risk-based method was qualitative: Risk = likelihood consequence Risk = threat vulnerability consequence Risk = susceptibility consequence The Consequence of compromising a digital asset is based on: Interactions between the targeted device and a critical system Potential confidentiality, integrity, and availability impacts on the plant from a compromise within the critical system 9

10 Consequence Evaluation Consequence based on: 10

11 Susceptibility Evaluation Susceptibility based on: 11

12 12 Calculation of Risk

13 Did this 10-year old Approach Work? At some sites, this approach worked extremely well: Cyber security specialists were able to highlight cyber security strengths and weaknesses to decision makers Increased security awareness Coupled with a risk management tool, this security analysis got decision makers to increase cyber security investments Reduced overall security risks. At other sites, this approach did not achieve objectives: Too little resources were allocated for performing the assessment Consequences were systematically underestimated This led to risks being underestimated Used as a rationale for not doing additional (and appropriate) cyber security. 13

14 Cyber Security Rule 10 CFR Protection of Digital Computer and Communication Systems and Networks shall provide high assurance that protect digital computer and communication systems that provided the following functions are adequately protected against cyber attacks: (i) Safety-related and important-to-safety functions; (ii) Security functions; (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. 14

15 Rule CFR (cont) The cyber security program must: (1) implement security controls to protect the assets from cyber attacks; (2) Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks; (3) Mitigate the adverse affects of cyber attacks; and (4) Ensure that the functions of protected assets are not adversely impacted due to cyber attacks. Shall Evaluate and manage cyber risks. Shall establish, implement, and maintain a cyber security plan that implements [the rule]. 15

16 Draft Guide 5022 Provided guidance on how to: Implement a cyber security program (e.g., assign cyber security roles and responsibilities) Incorporate cyber security into the overall security program Develop and implement defense-in-depth protection strategies including establishing a defensive architecture Implement management, operational, and technical security controls Develop attack mitigation capabilities (including incident response) Implement role-based cyber security training Implement a program of cyber security risk assessment and risk management Address life-cycle security (covering the design, modification, and addition of assets) 16

17 Regulatory Guide 5.71 RG 5.71 followed DG Implemented most of the programmatic guidance in DG- 5022; however: Instead of providing guidance on how to select management, operational, and technical security controls, it instead specified the required security controls. These were based on NIST : Recommended Security Controls for Federal Information Systems and Organizations. Applies ~180 security controls to each component of each critical digital asset Adopted a Compliance-Only approach (i.e., the risk assessment and risk management component found in the NIST guidance, DG-5022, and NEI were stripped out). 17

18 The RG 5.71 Implementation The NRC s latest round of inspections has shown some pluses for RG 5.71: Provides a way to implement 10 CFR Establishes baseline requirements for cyber security Removes subjectivity And some minuses: Generates a LOT of paperwork (too much to wade through in the limited time provided to NRC inspectors). Resources are being allocated to private consultants to prepare documentation rather than being invested in enhancing internal cyber security capabilities. Applies the same criteria to all critical digital assets, even though some assets pose much greater safety and security risks than others. 18

19 What are Other Organizations Doing? The IAEA is pushing a risk-based approach for cyber security European and Asian nuclear organizations have riskbased components in their cyber security programs Standards organizations are advocating risk-based decision making for the information and digital control systems used in critical infrastructures. Jim Wiggins, the head of the NRC s Office or Nuclear Security and Incident Response (NSIR), advocates the NRC s move toward a risk-based approach to cyber security. 19

20 Lessons Learned: An appropriate blend of compliance requirements and risk-based decision making is the hallmark of an effective and cost-efficient cyber security program. The optimal solution seems to be to set basic cyber security compliance requirements for all digital systems supplement this with a risk-based approach that provides additional (or more rigorous) controls for higher risk systems. Even Langner/Pederson s RIPE framework whitepaper acknowledges: The decision [regarding] which vulnerabilities require mitigation and which don t is the point where the concept of risk management may reasonably be applied. 20

21 Lesson Learned: Use Multidisciplinary Teams Use multidisciplinary teams to: develop cyber security policies and technical guidance conduct cyber security assessments ( you get what you inspect ). Expertise is needed in diverse areas such as: cyber security industrial control systems computer networking nuclear facility operations physical security risk management. There is an advantage in finding people with knowledge in more than one discipline. This increases team efficiency. 21

22 Lesson Learned: Security Coordination Observation: minimal interaction between physical and cyber security programs leads to problems. Physical security programs incorporate digital assets (e.g., security databases, cameras, detectors, alarm systems). All are subject to cyber attack. Industrial control systems and computers are susceptible to physical attacks that can only be prevented by physical security controls. Physical and cyber security programs need to be coordinated both are both key elements of a nuclear security program. 22

23 Security Coordination (continued) In many attack scenarios, modern adversaries are likely to employ blended attacks that involve both physical and cyber components. Example: Use a cyber attack to disable communications, monitoring equipment, and alarms before mounting a physical attack. Security evaluations and testing should include scenarios that involve combined physical and cyber attacks. 23

24 Lesson Learned: Cyber Security Defenses Must be Monitored and Maintained Firewalls, intrusion detection devices, and other barriers and monitoring techniques are often deployed to protect digital assets. These security controls are like castle walls they deter and delay attackers, but oversight and maintenance is required to ensure they do their jobs. 24

25 Lesson Learned: Trust but Verify We begin our cyber security assessments with reviews of documentation and interviews with key staff We have always found key differences between documentation/interviews and the way things are actually set-up in the facility. Walk-down inspections of key digital systems and key communication channels are essential for identifying and correcting major security flaws. 25

26 Lesson Learned: Do Not Neglect Onsite Cyber Security Technical Support Offsite cyber security expertise can be an important element in an effective cyber security program. The overreliance on offsite support can be a problem. An emphasis on distant, offsite support: Limits the familiarity of cyber security specialists with facility operations. Reduces the interaction between facility staff and cyber security personnel. Prevents cyber security specialists from regularly inspecting digital assets and communication paths. Requires offsite communication pathways into critical digital assets -- opening up new avenues for cyber attack. 26

27 Lesson Learned: Cyber Security Oversight When cyber security is managed by the Information Technology (IT) Department, there may be conflicts between productivity and security goals. Productively is ease to incentivize and reward; security is not. The tendency is to emphasize productivity rather than security. If physical security oversight is independent of Operations, why is cyber security managed by IT? In the long run, cyber security should be managed by the security organization. IT staffers can still have cyber security assignments, but the resources and incentives for their security work should come from the security organization. 27

28 Lesson Learned: Cyber Security Involves Defense and Resiliency Defense Deter. Make it too difficult, expensive, or dangerous to mount an attack. Detect. Catch attackers trying to break in, or shortly thereafter, so you can mobilize your defenses. Delay. Gain time to implement an effective response. Deny. Keep attackers from reaching critical systems. Respond. Mobilize the incident response team. Resiliency/Mitigation Resist. Limit the adverse consequences. Absorb. Maintain operations or, if need be, fail gracefully. Restore. Recover in a way that minimizes adverse consequences. 28

29 29 Questions?

Protecting Organizations from Cyber Attack

Protecting Organizations from Cyber Attack Protecting Organizations from Cyber Attack Cliff Glantz and Guy Landine Pacific Northwest National Laboratory (PNNL) PO Box 999 Richland, WA 99352 cliff.glantz@pnnl.gov guy.landine@pnnl.gov 1 Key Topics

More information

A Regulatory Approach to Cyber Security

A Regulatory Approach to Cyber Security A Regulatory Approach to Cyber Security Perry Pederson Security Specialist (Cyber) Office of Nuclear Security and Incident Response U.S. Nuclear Regulatory Commission 1 Agenda Overview Regulatory Framework

More information

Options for Cyber Security. Reactors. April 9, 2015

Options for Cyber Security. Reactors. April 9, 2015 Options for Cyber Security Design Requirements for Power Reactors April 9, 2015 Scope Discuss options for including cyber security design requirements for power reactors into NRC regulations Scope does

More information

U.S. NUCLEAR REGULATORY COMMISSION January 2010 REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH. REGULATORY GUIDE 5.71 (New Regulatory Guide)

U.S. NUCLEAR REGULATORY COMMISSION January 2010 REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH. REGULATORY GUIDE 5.71 (New Regulatory Guide) U.S. NUCLEAR REGULATORY COMMISSION January 2010 REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH REGULATORY GUIDE 5.71 (New Regulatory Guide) CYBER SECURITY PROGRAMS FOR NUCLEAR FACILITIES A INTRODUCTION

More information

NRC Cyber Security Policy &

NRC Cyber Security Policy & Ask SME and Learn NRC Cyber Security Policy & Guidance Development Mario R. Fernandez Jr., Security Specialist (Cyber) Cyber Security Directorate Office of Nuclear Security & Incident Response 1 Agenda

More information

NRC Cyber Security Regulatory

NRC Cyber Security Regulatory Ask SME and Learn NRC Cyber Security Regulatory Program Development Mario R. Fernandez Jr., Security Specialist (Cyber) Cyber Security Directorate Office of Nuclear Security & Incident Response 1 Agenda

More information

Cyber Security Evaluation of the Wireless Communication for the Mobile Safeguard Systems in uclear Power Plants

Cyber Security Evaluation of the Wireless Communication for the Mobile Safeguard Systems in uclear Power Plants Cyber Security Evaluation of the Wireless Communication for the Mobile Safeguard Systems in uclear Power Plants Sooill Lee a*, Yong Sik Kim a, Song Hae Ye a a Central Research Institute, Korea Hydro and

More information

Cyber Security Considerations in the Development of I&C Systems for Nuclear Power Plants

Cyber Security Considerations in the Development of I&C Systems for Nuclear Power Plants Cyber Security Considerations in the Development of I&C Systems for Nuclear Power Plants Jung-Woon Lee, Cheol-Kwon Lee, Jae-Gu Song, and Dong-Young Lee I&C and HF Research Division, Korea Atomic Energy

More information

Cyber Security for Nuclear Power Plants Matthew Bowman Director of Operations, ATC Nuclear IEEE NPEC Meeting July 2012

Cyber Security for Nuclear Power Plants Matthew Bowman Director of Operations, ATC Nuclear IEEE NPEC Meeting July 2012 Cyber Security for Nuclear Power Plants Matthew Bowman Director of Operations, ATC Nuclear IEEE NPEC Meeting July 2012 ATC Nuclear ATC-N serves the commercial nuclear utilities in the US and many foreign

More information

POLICY ISSUE INFORMATION

POLICY ISSUE INFORMATION POLICY ISSUE INFORMATION November 19, 2010 SECY-10-0153 FOR: FROM: SUBJECT: The Commissioners R. W. Borchardt Executive Director for Operations CYBER SECURITY IMPLEMENTATION OF THE COMMISSION S DETERMINATION

More information

Cynthia Broadwell, Progress Energy. William Gross, Nuclear Energy Institute

Cynthia Broadwell, Progress Energy. William Gross, Nuclear Energy Institute Cyber Security Plan Overview Cynthia Broadwell, Progress Energy Nolan Heinrich, TVA William Gross, Nuclear Energy Institute Introduction Cynthia Broadwell Progress Energy Progress Energy Fleet Cyber Security

More information

A CYBER SECURITY RISK ASSESSMENT FOR THE DESIGN OF I&C SYSTEMS IN NUCLEAR POWER PLANTS

A CYBER SECURITY RISK ASSESSMENT FOR THE DESIGN OF I&C SYSTEMS IN NUCLEAR POWER PLANTS http://dx.doi.org/10.5516/net.04.2011.065 A CYBER SECURITY RISK ASSESSMENT FOR THE DESIGN OF I&C SYSTEMS IN NUCLEAR POWER PLANTS JAE-GU SONG, JUNG-WOON LEE *, CHEOL-KWON LEE, KEE-CHOON KWON, and DONG-YOUNG

More information

Cyber Security R&D (NE-1) and (NEET-4)

Cyber Security R&D (NE-1) and (NEET-4) Cyber Security R&D (NE-1) and (NEET-4) Trevor Cook Office of Science and Technology Innovation Office of Nuclear Energy U.S. Department of Energy Cyber Security for Nuclear Systems (the threat is real)

More information

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001. March 3, 2011

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001. March 3, 2011 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 March 3, 2011 Mr. Timothy S. Rausch Senior Vice President and Chief Nuclear Officer PPL Susquehanna, LLC 769 Salem Boulevard Berwick,

More information

FREQUENTLY ASKED QUESTIONS

FREQUENTLY ASKED QUESTIONS FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication

More information

NUCLEAR REGULATORY COMMISSION. 10 CFR Part 73 [NRC-2014-0036] RIN 3150-AJ37. Cyber Security Event Notifications

NUCLEAR REGULATORY COMMISSION. 10 CFR Part 73 [NRC-2014-0036] RIN 3150-AJ37. Cyber Security Event Notifications This document is scheduled to be published in the Federal Register on 11/02/2015 and available online at http://federalregister.gov/a/2015-27855, and on FDsys.gov [7590-01-P] NUCLEAR REGULATORY COMMISSION

More information

Executive Director for Operations AUDIT OF NRC S CYBER SECURITY INSPECTION PROGRAM FOR NUCLEAR POWER PLANTS (OIG-14-A-15)

Executive Director for Operations AUDIT OF NRC S CYBER SECURITY INSPECTION PROGRAM FOR NUCLEAR POWER PLANTS (OIG-14-A-15) UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 OFFICE OF THE INSPECTOR GENERAL May 7, 2014 MEMORANDUM TO: Mark A. Satorius Executive Director for Operations FROM: Stephen D. Dingbaum

More information

The U.S. Nuclear Regulatory Commission s Cyber Security Regulatory Framework for Nuclear Power Reactors

The U.S. Nuclear Regulatory Commission s Cyber Security Regulatory Framework for Nuclear Power Reactors NUREG/CR-7141 The U.S. Nuclear Regulatory Commission s Cyber Security Regulatory Framework for Nuclear Power Reactors Office of Nuclear Security and Incident Response AVAILABILITY OF REFERENCE MATERIALS

More information

Ask SME and Learn. NRC Cyber Security Oversight. Cyber Security Directorate

Ask SME and Learn. NRC Cyber Security Oversight. Cyber Security Directorate Ask SME and Learn NRC Cyber Security Oversight Program Mario R. Fernandez Jr., Security Specialist (Cyber) Cyber Security Directorate Office of Nuclear Security & Incident Response 1 Agenda Cyber Security

More information

2/22/2010. Cyber Security Industry Experiences. Regulatory Documents. Licensing History. NRC RIC Jack Roe NEI

2/22/2010. Cyber Security Industry Experiences. Regulatory Documents. Licensing History. NRC RIC Jack Roe NEI Cyber Security Industry Experiences NRC RIC Jack Roe NEI Regulatory Documents Interim Compensatory Measures (2002) NUREG/CR-6847 (2003) Design Basis Threat Order (2003) NEI 03-12 Section 18 (2004) NEI

More information

Integrating Cyber Security into Nuclear Power Plant Safety Systems Design

Integrating Cyber Security into Nuclear Power Plant Safety Systems Design Integrating Cyber Security into Nuclear Power Plant Safety Systems Design Deanna Zhang U.S. Nuclear Regulatory Commission Document Date: 05/21/2010 Objectives To provide methods for utilizing safety features,

More information

Announcement of a new IAEA Co-ordinated Research Programme (CRP)

Announcement of a new IAEA Co-ordinated Research Programme (CRP) Announcement of a new IAEA Co-ordinated Research Programme (CRP) 1. Title of Co-ordinated Research Programme Design and engineering aspects of the robustness of digital instrumentation and control (I&C)

More information

Panel Session: Lessons Learned in Smart Grid Cybersecurity

Panel Session: Lessons Learned in Smart Grid Cybersecurity PNNL-SA-91587 Panel Session: Lessons Learned in Smart Grid Cybersecurity TCIPG Industry Workshop Jeff Dagle, PE Chief Electrical Engineer Advanced Power and Energy Systems Pacific Northwest National Laboratory

More information

AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS

AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS http://dx.doi.org/10.5516/net.04.2012.091 AN ANALYSIS OF TECHNICAL SECURITY CONTROL REQUIREMENTS FOR DIGITAL I&C SYSTEMS IN NUCLEAR POWER PLANTS JAE-GU SONG *, JUNG-WOON LEE, GEE-YONG PARK, KEE-CHOON KWON,

More information

Science/Safeguards and Security. Funding Profile by Subprogram

Science/Safeguards and Security. Funding Profile by Subprogram Safeguards and Security Safeguards and Security Funding Profile by Subprogram (dollars in thousands) Protective Forces 35,059 37,147 Security Systems 11,896 10,435 Information Security 4,655 4,595 Cyber

More information

ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport

ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport Commercial Nuclear Power Plants Stan Blanton Nuclear Power Subcommittee The Regulatory Landscape NRC

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

NEI 08-09 [Rev. 6] Cyber Security Plan for Nuclear Power Reactors

NEI 08-09 [Rev. 6] Cyber Security Plan for Nuclear Power Reactors NEI 08-09 [Rev. 6] Cyber Security Plan for Nuclear Power Reactors [THIS PAGE IS LEFT BLANK INTENTIONALLY] NEI 08-09 [Rev. 6] Nuclear Energy Institute Cyber Security Plan for Nuclear Power Reactors Nuclear

More information

UNITED STATES NUCLEAR REGULATORY COMMISSION ADVISORY COMMITTEE ON REACTOR SAFEGUARDS WASHINGTON, DC 20555-0001. July 17, 2012

UNITED STATES NUCLEAR REGULATORY COMMISSION ADVISORY COMMITTEE ON REACTOR SAFEGUARDS WASHINGTON, DC 20555-0001. July 17, 2012 UNITED STATES NUCLEAR REGULATORY COMMISSION ADVISORY COMMITTEE ON REACTOR SAFEGUARDS WASHINGTON, DC 20555-0001 July 17, 2012 Mr. R. W. Borchardt Executive Director for Operations U.S. Nuclear Regulatory

More information

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938

More information

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights) Impact of Cybersecurity Innovations in Key Sectors (Technical Insights) Customized cybersecurity measures help overcome Industry specific challenges September 2014 Table of Contents Section Slide Number

More information

Cyber Security Risk Management: A New and Holistic Approach

Cyber Security Risk Management: A New and Holistic Approach Cyber Security Risk Management: A New and Holistic Approach Understanding and Applying NIST SP 800-39 WebEx Hosted by: Business of Security and Federal InfoSec Forum April 12, 2011 Dr. Ron Ross Computer

More information

Building Insecurity Lisa Kaiser

Building Insecurity Lisa Kaiser Building Insecurity Lisa Kaiser Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Insecurity How do I Specify it Buy it Test it Deploy it Regret it Apologize for it Specifying Insecurity

More information

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Energy Sector Control Systems Working Group Supporting the Electricity Sector Coordinating Council, Oil & Natural Gas

More information

A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants

A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants The RIPE Framework as an Alternative to Regulatory Guide 5.71 and NEI 08-09 Perry Pederson April 2014 The Langner Group

More information

NEI 06-13A [Revision 0] Template for an Industry Training Program Description

NEI 06-13A [Revision 0] Template for an Industry Training Program Description NEI 06-13A [Revision 0] Template for an Industry Training Program Description NEI 06-13A [Revision 0] Nuclear Energy Institute Template for an Industry Training Program Description ACKNOWLEDGEMENTS This

More information

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve

More information

Backgrounder Office of Public Affairs Telephone: 301/415-8200 E-mail: opa@nrc.gov

Backgrounder Office of Public Affairs Telephone: 301/415-8200 E-mail: opa@nrc.gov Backgrounder Office of Public Affairs Telephone: 301/415-8200 E-mail: opa@nrc.gov Nuclear Security Background While security of the nuclear facilities and materials the NRC regulates has always been a

More information

CHALLENGES OF CYBER SECURITY FOR NUCLEAR POWER PLANTS. Kwangjo Kim

CHALLENGES OF CYBER SECURITY FOR NUCLEAR POWER PLANTS. Kwangjo Kim PBNC 2012 CHALLENGES OF CYBER SECURITY FOR NUCLEAR POWER PLANTS Kwangjo Kim KAIST, Daejeon, Korea Khalifa University of Science, Technology and Research, Abu Dhabi, UAE kkj@kaist.ac.kr, kwangjo.kim@kustar.ac.ae

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

CONCEPTS IN CYBER SECURITY

CONCEPTS IN CYBER SECURITY CONCEPTS IN CYBER SECURITY GARY KNEELAND, CISSP SENIOR CONSULTANT CRITICAL INFRASTRUCTURE & SECURITY PRACTICE 1 OBJECTIVES FRAMEWORK FOR CYBERSECURITY CYBERSECURITY FUNCTIONS CYBERSECURITY CONTROLS COMPARATIVE

More information

Proposal to Consolidate Post-Fukushima Rulemaking Activities

Proposal to Consolidate Post-Fukushima Rulemaking Activities Proposal to Consolidate Post-Fukushima Rulemaking Activities On January 28, 2014, the U.S. Nuclear Regulatory Commission s (NRC s) Fukushima Steering Committee endorsed an NRC staff proposal for integrating

More information

Safeguards and Security

Safeguards and Security Safeguards and Security Overview The Safeguards and Security (S&S) program mission is to support Departmental research at Office of Science (SC) laboratories by ensuring appropriate levels of protection

More information

Office of Inspector General

Office of Inspector General Office of Inspector General DEPARTMENT OF HOMELAND SECURITY U.S. Department of Homeland Security Washington, DC 20528 Office of Inspector General Security Weaknesses Increase Risks to Critical DHS Databases

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department

More information

A DEVELOPMENT FRAMEWORK FOR SOFTWARE SECURITY IN NUCLEAR SAFETY SYSTEMS: INTEGRATING SECURE DEVELOPMENT AND SYSTEM SECURITY ACTIVITIES

A DEVELOPMENT FRAMEWORK FOR SOFTWARE SECURITY IN NUCLEAR SAFETY SYSTEMS: INTEGRATING SECURE DEVELOPMENT AND SYSTEM SECURITY ACTIVITIES A DEVELOPMENT FRAMEWORK FOR SOFTWARE SECURITY IN NUCLEAR SAFETY SYSTEMS: INTEGRATING SECURE DEVELOPMENT AND SYSTEM SECURITY ACTIVITIES JAEKWAN PARK * and YONGSUK SUH Korea Atomic Energy Research Institute

More information

CS 2 SAT: The Control Systems Cyber Security Self-Assessment Tool

CS 2 SAT: The Control Systems Cyber Security Self-Assessment Tool INL/CON-07-12810 PREPRINT CS 2 SAT: The Control Systems Cyber Security Self-Assessment Tool ISA Expo 2007 Kathleen A. Lee January 2008 This is a preprint of a paper intended for publication in a journal

More information

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Section A: Introduction, Definitions and Principles of Infrastructure Resilience Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose

More information

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies

More information

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS Karen Scarfone, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Many people

More information

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed

More information

NUCLEAR REGULATORY COMMISSION

NUCLEAR REGULATORY COMMISSION GAO United States Government Accountability Office Report to Congressional Requesters October 2012 NUCLEAR REGULATORY COMMISSION Oversight and Status of Implementing a Risk-Informed Approach to Fire Safety

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Follow-up Audit of the Department's Cyber Security Incident Management Program DOE/IG-0878 December 2012

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

SCREENING FACILITIES FOR CYBER SECURITY RISK ANALYSIS. by Paul Baybutt Primatech Inc. paulb@primatech.com 614-841-9800 www.primatech.com.

SCREENING FACILITIES FOR CYBER SECURITY RISK ANALYSIS. by Paul Baybutt Primatech Inc. paulb@primatech.com 614-841-9800 www.primatech.com. SCREENING FACILITIES FOR CYBER SECURITY RISK ANALYSIS by Paul Baybutt Primatech Inc. paulb@primatech.com 614-841-9800 www.primatech.com Abstract Many chemical companies have performed security vulnerability

More information

APPENDIX B SUPPLEMENTAL INSPECTION PROGRAM A. OBJECTIVES AND PHILOSOPHY OF THE SUPPLEMENTAL INSPECTION PROGRAM

APPENDIX B SUPPLEMENTAL INSPECTION PROGRAM A. OBJECTIVES AND PHILOSOPHY OF THE SUPPLEMENTAL INSPECTION PROGRAM APPENDIX B SUPPLEMENTAL INSPECTION PROGRAM A. OBJECTIVES AND PHILOSOPHY OF THE SUPPLEMENTAL INSPECTION PROGRAM The supplemental inspection program is designed to support the NRC s goals of maintaining

More information

Risk Management in Practice A Guide for the Electric Sector

Risk Management in Practice A Guide for the Electric Sector Risk Management in Practice A Guide for the Electric Sector Annabelle Lee Senior Technical Executive ICCS European Engagement Summit April 28, 2015 Before we continue let s get over our fears and myths

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

Cyber Security and Privacy - Program 183

Cyber Security and Privacy - Program 183 Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology

More information

CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE

CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE 1 CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE Gavin McLintock P.Eng. CISSP PCIP 2 METCALFE POWER STATION 16 April 2013 Sophisticated physical attack 27 Days outage $15.4 million

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES

RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES Purpose and Scope The purpose of the Security Code of Management Practices is to help protect people, property, products, processes, information and

More information

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems. 1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood

More information

Addressing Dynamic Threats to the Electric Power Grid Through Resilience

Addressing Dynamic Threats to the Electric Power Grid Through Resilience Addressing Dynamic Threats to the Electric Power Grid Through Resilience NOVEMBER 2014 INTRODUCTION The U.S. electric power grid is an interconnected system made up of power generation, transmission, and

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com Oil and Gas Industry A Comprehensive Security Risk Management Approach www.riskwatch.com Introduction This white paper explores the key security challenges facing the oil and gas industry and suggests

More information

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Behavioral Interview Guidelines by Job Roles

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Behavioral Interview Guidelines by Job Roles PNNL-24140 SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Behavioral Interview Guidelines by Job Roles March 2015 LR O Neil TJ Conway DH Tobey FL Greitzer AC Dalton

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

Protect Your Assets. Cyber Security Engineering. Control Systems. Power Plants. Hurst Technologies

Protect Your Assets. Cyber Security Engineering. Control Systems. Power Plants. Hurst Technologies Protect Your Assets Cyber Security Engineering Control Systems. Power Plants. Hurst Technologies Cyber Security The hackers are out there and the cyber security threats to your power plant are real. That

More information

REGULATORY GUIDE 1.168 (Draft was issued as DG-1267, dated August 2012)

REGULATORY GUIDE 1.168 (Draft was issued as DG-1267, dated August 2012) Purpose U.S. NUCLEAR REGULATORY COMMISSION July 2013 Revision 2 REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH REGULATORY GUIDE 1.168 (Draft was issued as DG-1267, dated August 2012) Technical

More information

AUDIT REPORT. The Department of Energy's Implementation of Voice over Internet Protocol Telecommunications Networks

AUDIT REPORT. The Department of Energy's Implementation of Voice over Internet Protocol Telecommunications Networks U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Department of Energy's Implementation of Voice over Internet Protocol Telecommunications Networks

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

Guideline on Vulnerability and Patch Management

Guideline on Vulnerability and Patch Management CMSGu2014-03 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Vulnerability and Patch Management National Computer Board

More information

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment The Advantages of an Integrated Factory Acceptance Test in an ICS Environment By Jerome Farquharson, Critical Infrastructure and Compliance Practice Manager, and Alexandra Wiesehan, Cyber Security Analyst,

More information

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)

More information

DeltaV System Cyber-Security

DeltaV System Cyber-Security January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...

More information

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced Threat Protection with Dell SecureWorks Security Services Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

More information

Get Confidence in Mission Security with IV&V Information Assurance

Get Confidence in Mission Security with IV&V Information Assurance Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving

More information

Cyber Security and the Canadian Nuclear Industry a Canadian Regulatory Perspective

Cyber Security and the Canadian Nuclear Industry a Canadian Regulatory Perspective Cyber Security and the Canadian Nuclear Industry a Canadian Regulatory Perspective Terry Jamieson Vice-President Technical Support Branch Canadian Nuclear Safety Commission August 11, 2015 www.nuclearsafety.gc.ca

More information

Microsoft s cybersecurity commitment

Microsoft s cybersecurity commitment Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade

More information

Cybersecurity for Medical Devices

Cybersecurity for Medical Devices Cybersecurity for Medical Devices Suzanne O Shea Kathleen Rice January 29, 2015 Why Is This Important? Security Risks in the Sensors of Implantable Medical Devices Over the last year, we ve seen an uptick

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

Written Testimony. Dr. Andy Ozment. Assistant Secretary for Cybersecurity and Communications. U.S. Department of Homeland Security.

Written Testimony. Dr. Andy Ozment. Assistant Secretary for Cybersecurity and Communications. U.S. Department of Homeland Security. Written Testimony of Dr. Andy Ozment Assistant Secretary for Cybersecurity and Communications U.S. Department of Homeland Security Before the U.S. House of Representatives Committee on Oversight and Government

More information

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer

More information

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies IT Professional Standards Information Security Discipline Sub-discipline 605 Information Security Testing and Information Assurance Methodologies December 2012 Draft Version 0.6 DOCUMENT REVIEW Document

More information

Risk-Informed Security: Summary of Three Workshops

Risk-Informed Security: Summary of Three Workshops Risk-Informed Security: Summary of Three Workshops N. Siu Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Presented at INMM/ANS Workshop on Safety-Security Risk-Informed Decision-Making

More information

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks ADVANCED KILL CHAIN DISRUPTION Enabling deception networks Enabling Deception Networks Agenda Introduction Overview of Active Defense Process Orchestration in Active Defense Introducing Deception Networks

More information

Securing Industrial Control Systems in the Chemical Sector. Roadmap Awareness Initiative Making the Business Case

Securing Industrial Control Systems in the Chemical Sector. Roadmap Awareness Initiative Making the Business Case Securing Industrial Control Systems in the Chemical Sector Roadmap Awareness Initiative Making the Business Case Developed by the Chemical Sector Coordinating Council in partnership with The U.S. Department

More information

STANDARDIZATION OF DOE DISPOSAL FACILITIES WASTE ACCEPTANCE PROCESSES

STANDARDIZATION OF DOE DISPOSAL FACILITIES WASTE ACCEPTANCE PROCESSES STANDARDIZATION OF DOE DISPOSAL FACILITIES WASTE ACCEPTANCE PROCESSES ABSTRACT Todd A. Shrader U.S. Department of Energy Richland Operations Office 825 Jadwin Ave., P.O. Box 550, MS A6-38, Richland, WA

More information

Security Awareness Training Solutions

Security Awareness Training Solutions DATA SHEET Security Awareness Training Solutions A guide to available Dell SecureWorks services At Dell SecureWorks, we strive to be a trusted security advisor to our clients. Part of building this trust

More information

Software Application Control and SDLC

Software Application Control and SDLC Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to

More information