Nuclear Security Requires Cyber Security




A. DAVID MCKINNON, PH.D., MARY SUE HOXIE
Cyber Physical Security Team, National Security Directorate
Project on Nuclear Issues (PONI) Fall 2015 Conference
PNNL-SA-113027
October 20, 2015

Cyber Security: It's not new
- Passing notes in class
  - Secrets -> Confidentiality
  - From Billy to Suzy -> Integrity
  - During class, not afterwards -> Availability
  - Consequences varied -> Security impact levels

Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C., Sec. 3542]
A loss of confidentiality is the unauthorized disclosure of information.
Nuclear security relevance
- Protecting restricted data from unauthorized access
- Protecting facility design information
- Protecting the PII of nuclear workers

Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity [44 U.S.C., Sec. 3542]
A loss of integrity is the unauthorized modification or destruction of information.
Nuclear security relevance
- Corrupted radiation sensor data will impact worker safety
- Missing/destroyed historical data will impact after-action reviews of incidents
- Modified plant configuration parameters may lead to inefficient operation or even unsafe operation
- Integrity is critical for real-time control applications

Availability
Ensuring timely and reliable access to and use of information [44 U.S.C., Sec. 3542]
A loss of availability is the disruption of access to or use of information or an information system.
Nuclear security relevance
- Continuity of operations, surviving natural disasters, etc.
- Delayed data delivery will impact real-time control operations
- Availability has historically been provided via fault tolerance and redundancy

Real World Nuclear Examples
Davis Besse Nuclear Power Plant*
- Slammer worm infected plant, Aug. 20, 2003
- Shut down the digital portion of Safety Parameter Display System (SPDS) and Plant Process Computer (PPC) for several hours
- Worm started at contractor's site and spread to the corporate plant network
Korea Hydro & Nuclear Power (KHNP)**
- Phishing emails to retirees & 3rd party contractors
- Malware email received, Dec. 09, 2014
- Information released, Dec. 15-23, 2014 & March 2015
- Received threat to shut down nuclear power plant
[Image: Davis Besse Nuclear Power Plant]
Nuclear security is impacted by cyber security

* US DHS, http://csrc.nist.gov/groups/sma/ispab/documents/minutes/2008-12/icssecurity_ispab-dec2008_spmcgurk.pdf, Accessed: 4 Feb 2015
** Gahm-Yong Kim, End to End: In the case of Cyber Security Threats to KHNP, IAEA Computer Security in a Nuclear World Conference, Vienna, June 2015.
** Min Baek, ROK's Regulatory Perspective for Cyber Security of Nuclear Facilities, IAEA Computer Security in a Nuclear World Conference, Vienna, June 2015.

Cyber Security
Target was breached late 2013
- Customer credit card data was stolen
- Attack vector: HVAC vendor's remote access
Heartbleed
- Exploit extracted encryption keys from OpenSSL servers
- Timeline
  - March 2012, OpenSSL 1.0.1 released
  - April 2014, vulnerability publicly disclosed
- Required: massive server patching and password changing
Adversaries may attack indirectly; you may never see an early indicator
Critical software flaws may be discovered years after deployments

Cyber Security in 2015
Anthem
- Discovered January 29, 2015, attack began in Dec. 2014
- Breach of 80 million SS# and other personal information*
- Phishers set up false information sites*
Premera Blue Cross
- Disclosed March 17, 2015
- Discovered January 29, 2015, initial attack occurred on May 5, 2014**
- Breach of financial and medical records of 11 million customers
Office of Personnel Management (OPM)
- Disclosed May 2015
- Data breach impacted 21 million people
The nuclear workforce is at risk from non-nuclear cyber attacks

* Krebs on Security, http://krebsonsecurity.com/2015/02/phishers-pounce-on-anthem-breach/, Acc.: 6 July 2015
** Premera Update, http://premeraupdate.com/, Acc.: 6 July 2015
Krebs on Security, http://krebsonsecurity.com/2015/03/premera-blue-cross-breach-exposes-financial-medical-records/, Acc.: 6 July 2015
Information about OPM Cybersecurity Incidents, https://www.opm.gov/cybersecurity/, Acc. 13 September 2015

Cyber-Physical Security
Enigma (World War II)
- Stolen machines enabled cryptanalysis
- Decrypted messages sank ships
German Steel Mill (2014)
- Email used to steal credentials
- Attackers moved from the business network to control network
- Blast furnace suffered massive damage
IAEA Cyber Security in a Nuclear World Demonstration (2015)
- Art of the possible live demonstration
- Cyber attack on cameras enabled physical (information) theft at 3rd party
- Stolen information enabled design of a custom cyber attack
- Cyber attack disabled a key pump

Source: SEL, Inc., https://www.selinc.com/cybersecurity/posters/

Assess Your Risks
What are your Crown Jewels?
- What are they worth to you? (Ransom / Blackmail)
- What are they worth to someone else?
Are you a pawn in somebody else's chess game?
Are you prepared for natural disasters?
- Fire, flood, storms
Who is your most likely attacker?
- Clueless/Careless insider
- Malicious insider
- Script kiddie
- Organized crime
- Advanced (enough) Persistent (enough) Threat
Could you survive and/or recover from a cyber security incident?