Spreading the Word on Nuclear Cyber Security


Spreading the Word on Nuclear Cyber Security
Clifford Glantz, Guy Landine, Philip Craig, and Robert Bass
Pacific Northwest National Laboratory (PNNL)
PO Box 999; 902 Battelle Blvd, Richland, WA 99352 USA
cliff.glantz@pnnl.gov

Pacific Northwest National Laboratory (PNNL)
- Pacific Northwest National Laboratory is one of the U.S. Department of Energy's (DOE's) ten national laboratories.
- 4,300 staff members.
- Performs research for DOE, other agencies (national and international), and industry.

Why cyber security?
- To have an effective nuclear security program, we need to integrate both physical security and cyber security.
- We need to be mindful of physical security threats, cyber security threats, and combined physical and cyber threats.
- In the past, when all systems were analog, you could focus just on physical security.
- The transition to digital systems is ongoing. Facilities and security organizations have been slow to adapt to the change in security risks associated with this transition.

PNNL Support for Nuclear Cyber Security
Our efforts picked up steam in 2002...
PNNL support for the U.S. NRC:
- Conduct pilot cyber security inspections at nuclear power plants (2003-2004, 2009, and 2012)
- Provide technical guidance for the development of the NRC's cyber security Rule and Regulatory Guide (2006-2009)
- Review licensees' nuclear cyber security plans (2010-2011)
- Develop and provide cyber security assessment guidance and training for NRC inspectors (2011-2012)

PNNL Support for Nuclear Cyber Security (cont.)
PNNL support for the DOE Office of Nuclear Safeguards & Security and the IAEA:
- Provide technical support for IAEA cyber security guidance documents (2012-2014)
- Develop and present cyber security assessment guidance and training workshops (2013-2014)
- Develop eLearning training courses (2013-2014)
PNNL support for UNICRI:
- Develop and provide information security guidance documents for chemical, biological, radiological, and nuclear facilities (2013-2014)
- Develop and present information security regional workshops (2014)

PNNL Nuclear Cyber Security Team

Initial Observations
During our 2003-2004 pilot assessments, a number of program managers at nuclear plants stated that cyber security risk was low or under control because:
- Many safety systems are analog.
- An adverse consequence cannot occur because plant operators/staff would take timely mitigation actions.
- Many systems are standalone and therefore protected from cyber attacks.
- Even if an attacker gained access, systems are too sophisticated or obscure for any outsider to understand how to manipulate them.

Initial Actions
Our assessment pointed out the fallacy of some of these arguments:
- Analog systems are being replaced by digital systems.
- Plant operators/staff can be misled or confused by feeding them spurious data.
- Standalone systems can be impacted by inadvertent and/or malicious actions (e.g., Stuxnet).
- The operations of sophisticated or obscure systems can be deciphered by a dedicated attacker.
Based on what we learned during the NRC pilot assessments, we developed NUREG/CR-6847, a risk-based cyber security self-assessment method for nuclear power plants. Our recommendations were voluntarily incorporated by all US nuclear plants and codified in NEI 04-04.

Risk-Based Approach
The industry-adopted risk-based method was qualitative:
- Risk = likelihood × consequence
- Risk = threat × vulnerability × consequence
- Risk = susceptibility × consequence
The consequence of compromising a digital asset is based on:
- Interactions between the targeted device and a critical system
- Potential confidentiality, integrity, and availability impacts on the plant from a compromise within the critical system

Consequence Evaluation
Consequence based on: [slide content not captured in the transcription]

Susceptibility Evaluation
Susceptibility based on: [slide content not captured in the transcription]

Calculation of Risk
[slide content not captured in the transcription]

Did this 10-year-old Approach Work?
At some sites, this approach worked extremely well:
- Cyber security specialists were able to highlight cyber security strengths and weaknesses to decision makers.
- Increased security awareness.
- Coupled with a risk management tool, this security analysis got decision makers to increase cyber security investments.
- Reduced overall security risks.
At other sites, this approach did not achieve its objectives:
- Too few resources were allocated for performing the assessment.
- Consequences were systematically underestimated, which led to risks being underestimated.
- The assessment was used as a rationale for not doing additional (and appropriate) cyber security.
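As an added illustration (not PNNL's or NEI's code, and not the NUREG/CR-6847 tables, which the transcription does not reproduce), the Python below rates a constructed set of digital assets with risk = susceptibility × consequence, using the two consequence inputs named on the Risk-Based Approach slide, and then runs the check the slide above motivates: which risk ratings would change if consequence had been underestimated by one level. The level scales, scoring rules, risk matrix and sample assets are all assumptions of this example.

```python
from dataclasses import dataclass

# Three-level qualitative scale (assumption; the slides do not give the scale).
LEVELS = ["low", "medium", "high"]

# Scoring inputs, all constructed for this example.
INTERACTION = {"none": 0, "indirect": 1, "direct": 2}     # device <-> critical system
IMPACT = {"low": 0, "medium": 1, "high": 2}               # C/I/A impact inside that system
EXPOSURE = {"standalone": 0, "plant_network": 1, "external": 2}
CONTROLS = {"strong": 0, "weak": 1}

# Risk matrix, (susceptibility, consequence) -> risk.  Constructed; the
# NUREG/CR-6847 matrix itself is not reproduced on the page.
RISK_MATRIX = {
    ("low", "low"): "low",      ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",   ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",  ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass(frozen=True)
class DigitalAsset:
    name: str
    interaction: str   # "none" | "indirect" | "direct"
    impact: str        # "low" | "medium" | "high"
    exposure: str      # "standalone" | "plant_network" | "external"
    controls: str      # "strong" | "weak"


def consequence_level(asset):
    """Consequence from the two inputs on the Risk-Based Approach slide:
    interaction with a critical system and the C/I/A impact a compromise
    would have within that system."""
    if INTERACTION[asset.interaction] == 0:
        return "low"   # no path to a critical system: screened to low
    score = INTERACTION[asset.interaction] + IMPACT[asset.impact]   # 1..4
    return "high" if score == 4 else "medium" if score >= 2 else "low"


def susceptibility_level(asset):
    """Susceptibility folds threat exposure and vulnerability into one level.
    A standalone system never scores zero: removable media and maintenance
    laptops still reach it (the Stuxnet point on the Initial Actions slide)."""
    score = EXPOSURE[asset.exposure] + CONTROLS[asset.controls]     # 0..3
    return "high" if score == 3 else "medium" if score == 2 else "low"


def risk_level(susceptibility, consequence):
    return RISK_MATRIX[(susceptibility, consequence)]


def bump(level):
    """One step up the scale, saturating at 'high'."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


def assess(assets):
    """Rate each asset and record what its risk would be if its consequence
    had been underestimated by one level (the failure mode on the slide above)."""
    rows = []
    for a in assets:
        c, s = consequence_level(a), susceptibility_level(a)
        rows.append({
            "asset": a.name, "consequence": c, "susceptibility": s,
            "risk": risk_level(s, c),
            "risk_if_consequence_one_higher": risk_level(s, bump(c)),
        })
    return rows


def consequence_sensitive(assets):
    """Assets whose risk rating changes when consequence moves up one level.
    Those consequence judgements deserve an independent second review."""
    return [r["asset"] for r in assess(assets)
            if r["risk_if_consequence_one_higher"] != r["risk"]]


# Constructed sample inventory (not a real plant's assets).
SAMPLE_ASSETS = [
    DigitalAsset("Reactor protection system gateway", "direct", "high", "plant_network", "weak"),
    DigitalAsset("Engineering workstation", "indirect", "medium", "external", "weak"),
    DigitalAsset("Turbine vibration historian", "indirect", "low", "plant_network", "strong"),
    DigitalAsset("Security camera server", "direct", "medium", "plant_network", "weak"),
    DigitalAsset("Cafeteria point-of-sale terminal", "none", "low", "external", "weak"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS):
        print(row)
    print("re-review consequence for:", consequence_sensitive(SAMPLE_ASSETS))
```

The sensitivity list is the practical takeaway: the point-of-sale terminal is rated low consequence only because it was screened as having no interaction with a critical system, so that screening decision, not its exposure, is what an independent reviewer should re-check.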

Cyber Security Rule: 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks
Licensees shall provide high assurance that digital computer and communication systems that provide the following functions are adequately protected against cyber attacks:
(i) Safety-related and important-to-safety functions;
(ii) Security functions;
(iii) Emergency preparedness functions, including offsite communications; and
(iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

Rule -- 10 CFR 73.54 (cont.)
The cyber security program must:
(1) Implement security controls to protect the assets from cyber attacks;
(2) Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks;
(3) Mitigate the adverse effects of cyber attacks; and
(4) Ensure that the functions of protected assets are not adversely impacted due to cyber attacks.
Licensees shall evaluate and manage cyber risks.
Licensees shall establish, implement, and maintain a cyber security plan that implements [the rule].

Draft Guide 5022
DG-5022 provided guidance on how to:
- Implement a cyber security program (e.g., assign cyber security roles and responsibilities)
- Incorporate cyber security into the overall security program
- Develop and implement defense-in-depth protection strategies, including establishing a defensive architecture
- Implement management, operational, and technical security controls
- Develop attack mitigation capabilities (including incident response)
- Implement role-based cyber security training
- Implement a program of cyber security risk assessment and risk management
- Address life-cycle security (covering the design, modification, and addition of assets)

Regulatory Guide 5.71
RG 5.71 followed DG-5022 and implemented most of its programmatic guidance; however:
- Instead of providing guidance on how to select management, operational, and technical security controls, it specified the required security controls. These were based on NIST 800-53: Recommended Security Controls for Federal Information Systems and Organizations.
- It applies ~180 security controls to each component of each critical digital asset.
- It adopted a compliance-only approach (i.e., the risk assessment and risk management components found in the NIST guidance, DG-5022, and NEI 04-04 were stripped out).

The RG 5.71 Implementation
The NRC's latest round of inspections has shown some pluses for RG 5.71:
- Provides a way to implement 10 CFR 73.54
- Establishes baseline requirements for cyber security
- Removes subjectivity
And some minuses:
- Generates a LOT of paperwork (too much to wade through in the limited time provided to NRC inspectors).
- Resources are being allocated to private consultants to prepare documentation rather than being invested in enhancing internal cyber security capabilities.
- Applies the same criteria to all critical digital assets, even though some assets pose much greater safety and security risks than others.

What are Other Organizations Doing?
- The IAEA is pushing a risk-based approach for cyber security.
- European and Asian nuclear organizations have risk-based components in their cyber security programs.
- Standards organizations are advocating risk-based decision making for the information and digital control systems used in critical infrastructures.
- Jim Wiggins, the head of the NRC's Office of Nuclear Security and Incident Response (NSIR), advocates the NRC's move toward a risk-based approach to cyber security.

Lessons Learned
- An appropriate blend of compliance requirements and risk-based decision making is the hallmark of an effective and cost-efficient cyber security program.
- The optimal solution seems to be to set basic cyber security compliance requirements for all digital systems and to supplement this with a risk-based approach that provides additional (or more rigorous) controls for higher-risk systems.
- Even Langner and Pederson's RIPE framework whitepaper acknowledges: "The decision [regarding] which vulnerabilities require mitigation and which don't is the point where the concept of risk management may reasonably be applied."
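An added example (not NRC, NEI or PNNL material) of the blend recommended above: every digital asset receives a compliance baseline, and higher-risk assets receive cumulative supplements. The control identifiers are NIST SP 800-53 control numbers used as placeholders; which controls sit in which tier, the sample inventory and its risk tiers are assumptions of this example. The workload comparison uses the ~180 controls per asset quoted on the RG 5.71 slide as the compliance-only figure.

```python
# Compliance baseline applied to every digital asset (assumed selection).
BASELINE = frozenset({"AC-2", "AU-2", "CM-2", "IA-2", "SC-7"})

# Risk-driven supplements by tier.  Cumulative: "high" receives the "medium"
# set as well.  Which control lands in which tier is an assumption.
SUPPLEMENT = {
    "low": frozenset(),
    "medium": frozenset({"AU-6", "CM-7", "IR-4", "SI-4"}),
    "high": frozenset({"AU-12", "CA-7", "PE-3", "SA-11", "SC-7(5)"}),
}
TIERS = ["low", "medium", "high"]

# Flat, all-assets catalogue size, as quoted on the RG 5.71 slide (~180).
COMPLIANCE_ONLY_CONTROLS_PER_ASSET = 180


def controls_for(risk):
    """Baseline plus every supplement at or below the asset's risk tier."""
    selected = set(BASELINE)
    for tier in TIERS[: TIERS.index(risk) + 1]:
        selected |= SUPPLEMENT[tier]
    return frozenset(selected)


def is_monotonic():
    """Sanity check on the tables: a higher-risk asset must never end up
    with fewer controls than a lower-risk one."""
    return all(controls_for(lo) <= controls_for(hi)
               for lo, hi in zip(TIERS, TIERS[1:]))


def plan(assets):
    """assets: {name: risk tier}.  Returns {name: sorted control list}."""
    return {name: sorted(controls_for(risk)) for name, risk in assets.items()}


def workload(assets):
    """(asset, control) pairs to implement and document under the blended
    approach versus a flat catalogue applied to every asset."""
    blended = sum(len(controls_for(risk)) for risk in assets.values())
    flat = len(assets) * COMPLIANCE_ONLY_CONTROLS_PER_ASSET
    return {"blended": blended, "compliance_only": flat}


# Constructed inventory with risk tiers already assigned (not a real plant).
SAMPLE = {
    "Reactor protection system gateway": "high",
    "Engineering workstation": "high",
    "Turbine vibration historian": "low",
    "Security camera server": "medium",
    "Cafeteria point-of-sale terminal": "medium",
}

if __name__ == "__main__":
    assert is_monotonic()
    for name, ctrls in plan(SAMPLE).items():
        print(f"{name}: {len(ctrls)} controls -> {ctrls}")
    print(workload(SAMPLE))
```

The monotonicity check is the part worth keeping in a real program: when tier tables are edited over time, it is easy to end up with a control required of medium-risk assets that a high-risk asset no longer inherits.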

Lesson Learned: Use Multidisciplinary Teams
Use multidisciplinary teams to:
- develop cyber security policies and technical guidance
- conduct cyber security assessments ("you get what you inspect").
Expertise is needed in diverse areas such as cyber security, industrial control systems, computer networking, nuclear facility operations, physical security, and risk management.
There is an advantage in finding people with knowledge in more than one discipline; this increases team efficiency.

Lesson Learned: Security Coordination
Observation: minimal interaction between physical and cyber security programs leads to problems.
- Physical security programs incorporate digital assets (e.g., security databases, cameras, detectors, alarm systems). All are subject to cyber attack.
- Industrial control systems and computers are susceptible to physical attacks that can only be prevented by physical security controls.
- Physical and cyber security programs need to be coordinated; both are key elements of a nuclear security program.

Security Coordination (continued)
- In many attack scenarios, modern adversaries are likely to employ blended attacks that involve both physical and cyber components.
- Example: use a cyber attack to disable communications, monitoring equipment, and alarms before mounting a physical attack.
- Security evaluations and testing should include scenarios that involve combined physical and cyber attacks.
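As an added example of the correlation a security evaluation could test for (not from the presentation, and run on a constructed security-system log), the code below groups losses of monitoring capability into clusters and flags a physical event that follows monitoring loss within a lookback window, which is the blended pattern the slide describes. Subsystem names, device names, thresholds and the log lines are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed security-system event log (not real data).  Fields:
# timestamp, subsystem (cctv / alarm / pacs), device, event, optional key=value.
SAMPLE_LOG = """\
2014-05-12T02:10:03 cctv camera-07 offline reason=link_down
2014-05-12T02:10:41 cctv camera-08 offline reason=link_down
2014-05-12T02:11:15 alarm zone-3 supervision_lost
2014-05-12T02:18:27 pacs door-12 forced_open
2014-05-12T09:30:00 cctv camera-02 offline reason=maintenance
2014-05-12T14:05:10 pacs door-04 forced_open
"""

MONITORING_LOSS = {"offline", "supervision_lost"}   # cyber / communications side
PHYSICAL_EVENTS = {"forced_open", "fence_alarm"}    # physical side


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        ts, subsystem, device, event, *extra = line.split()
        attrs = dict(kv.split("=", 1) for kv in extra)
        events.append({"time": datetime.fromisoformat(ts), "subsystem": subsystem,
                       "device": device, "event": event, **attrs})
    return sorted(events, key=lambda e: e["time"])


def monitoring_losses(events):
    """Losses of monitoring capability, excluding announced maintenance."""
    return [e for e in events
            if e["event"] in MONITORING_LOSS and e.get("reason") != "maintenance"]


def degradation_clusters(events, gap=timedelta(minutes=5), min_size=2):
    """Group monitoring losses whose inter-arrival gap is within `gap`.
    Several devices going dark together is an alert in its own right."""
    clusters, current = [], []
    for e in monitoring_losses(events):
        if current and e["time"] - current[-1]["time"] > gap:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) >= min_size]


def blended_attack_alerts(events, lookback=timedelta(minutes=15)):
    """A physical event preceded by monitoring loss within `lookback` matches
    the blended scenario on the slide: blind the sensors, then move."""
    losses = monitoring_losses(events)
    alerts = []
    for p in (e for e in events if e["event"] in PHYSICAL_EVENTS):
        precursors = [x for x in losses if p["time"] - lookback <= x["time"] < p["time"]]
        if precursors:
            alerts.append({"kind": "blended_attack_pattern", "time": p["time"],
                           "physical": p["device"],
                           "precursors": [x["device"] for x in precursors]})
    return alerts


def correlate(text):
    """Run both rules over a log and return alerts in time order."""
    events = parse_log(text)
    alerts = [{"kind": "monitoring_degradation", "time": c[0]["time"],
               "devices": [e["device"] for e in c]}
              for c in degradation_clusters(events)]
    alerts += blended_attack_alerts(events)
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The forced door at 14:05 produces no blended alert because nothing was blinded beforehand; it is a physical-security event only. Whether the two programs actually see each other's alerts is the coordination question the slide raises.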

Lesson Learned: Cyber Security Defenses Must be Monitored and Maintained
- Firewalls, intrusion detection devices, and other barriers and monitoring techniques are often deployed to protect digital assets.
- These security controls are like castle walls: they deter and delay attackers, but oversight and maintenance are required to ensure they do their jobs.

Lesson Learned: Trust but Verify
- We begin our cyber security assessments with reviews of documentation and interviews with key staff.
- We have always found key differences between documentation/interviews and the way things are actually set up in the facility.
- Walk-down inspections of key digital systems and key communication channels are essential for identifying and correcting major security flaws.
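An added example (not PNNL's walk-down procedure) of the documentation-versus-reality comparison this slide calls for: the plan's record of each asset's communication paths and port settings is reconciled against what the walk-down observed, and undocumented paths into high-concern zones, enabled removable media on a documented-as-disabled asset, or an asset missing from the inventory altogether are raised as major findings. Asset names, zone names and both inventories are constructed.

```python
# Zones whose presence on an asset is a major finding when undocumented.
# Constructed names; a real plan would use the facility's own zone model.
HIGH_CONCERN_ZONES = {"business_lan", "vendor_remote", "internet"}


def walkdown_diff(documented, observed):
    """Compare two inventories of the form
        {asset: {"links": set_of_zones, "removable_media": str, "dial_in": str}}
    and return findings as (asset, severity, kind, detail), most severe first."""
    findings = []
    for asset in sorted(set(documented) | set(observed)):
        doc, obs = documented.get(asset), observed.get(asset)
        if doc is None:
            findings.append((asset, "major", "asset not in inventory",
                             f"observed links: {sorted(obs['links'])}"))
            continue
        if obs is None:
            findings.append((asset, "minor", "documented asset not found on walk-down", ""))
            continue
        for zone in sorted(obs["links"] - doc["links"]):
            sev = "major" if zone in HIGH_CONCERN_ZONES else "minor"
            findings.append((asset, sev, "undocumented communication path", zone))
        for zone in sorted(doc["links"] - obs["links"]):
            findings.append((asset, "minor", "documented path not present (stale documentation)", zone))
        for attr in ("removable_media", "dial_in"):
            if doc[attr] != obs[attr]:
                sev = "major" if obs[attr] == "enabled" else "minor"
                findings.append((asset, sev, f"{attr} documented as {doc[attr]}",
                                 f"observed {obs[attr]}"))
    order = {"major": 0, "minor": 1}
    findings.sort(key=lambda f: (order[f[1]], f[0]))
    return findings


# What the cyber security plan says (constructed).
DOCUMENTED = {
    "Feedwater controller PLC": {"links": {"control_vlan"}, "removable_media": "disabled", "dial_in": "none"},
    "Plant data historian": {"links": {"control_vlan", "business_lan"}, "removable_media": "disabled", "dial_in": "none"},
    "Security badge server": {"links": {"security_lan"}, "removable_media": "disabled", "dial_in": "none"},
    "Legacy chart recorder": {"links": set(), "removable_media": "disabled", "dial_in": "none"},
}

# What the walk-down found (constructed).
OBSERVED = {
    "Feedwater controller PLC": {"links": {"control_vlan", "vendor_remote"}, "removable_media": "enabled", "dial_in": "none"},
    "Plant data historian": {"links": {"control_vlan"}, "removable_media": "disabled", "dial_in": "none"},
    "Security badge server": {"links": {"security_lan", "business_lan"}, "removable_media": "disabled", "dial_in": "none"},
    "Radiation monitor display": {"links": {"control_vlan"}, "removable_media": "enabled", "dial_in": "none"},
}

if __name__ == "__main__":
    for asset, severity, kind, detail in walkdown_diff(DOCUMENTED, OBSERVED):
        print(f"[{severity}] {asset}: {kind} {detail}")
```

Stale documentation (a path that no longer exists) is reported too, at minor severity: it is not a security hole, but it is evidence that the plan and the plant have drifted apart, which is the slide's observation.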

Lesson Learned: Do Not Neglect Onsite Cyber Security Technical Support
- Offsite cyber security expertise can be an important element in an effective cyber security program, but overreliance on offsite support can be a problem.
- An emphasis on distant, offsite support:
  - Limits the familiarity of cyber security specialists with facility operations.
  - Reduces the interaction between facility staff and cyber security personnel.
  - Prevents cyber security specialists from regularly inspecting digital assets and communication paths.
  - Requires offsite communication pathways into critical digital assets, opening up new avenues for cyber attack.

Lesson Learned: Cyber Security Oversight
- When cyber security is managed by the Information Technology (IT) Department, there may be conflicts between productivity and security goals. Productivity is easy to incentivize and reward; security is not. The tendency is to emphasize productivity rather than security.
- If physical security oversight is independent of Operations, why is cyber security managed by IT?
- In the long run, cyber security should be managed by the security organization. IT staffers can still have cyber security assignments, but the resources and incentives for their security work should come from the security organization.

Lesson Learned: Cyber Security Involves Defense and Resiliency
Defense:
- Deter. Make it too difficult, expensive, or dangerous to mount an attack.
- Detect. Catch attackers trying to break in, or shortly thereafter, so you can mobilize your defenses.
- Delay. Gain time to implement an effective response.
- Deny. Keep attackers from reaching critical systems.
- Respond. Mobilize the incident response team.
Resiliency/Mitigation:
- Resist. Limit the adverse consequences.
- Absorb. Maintain operations or, if need be, fail gracefully.
- Restore. Recover in a way that minimizes adverse consequences.

Questions?