Nuclear Plant Information Security A Management Overview

Similar documents
Overview - Using ADAMS With a Firewall

Overview - Using ADAMS With a Firewall

7. Firewall - Concept

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

CMPT 471 Networking II

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Proxy Server, Network Address Translator, Firewall. Proxy Server

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Lecture 23: Firewalls

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

What would you like to protect?

Security Technology: Firewalls and VPNs

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Firewall Design Principles

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Firewalls CSCI 454/554

12. Firewalls Content

Overview. Firewall Security. Perimeter Security Devices. Routers

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Stateful Inspection Technology

Chapter 11 Cloud Application Development

Basics of Internet Security

CTS2134 Introduction to Networking. Module Network Security

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Internet Security Firewalls

How To Understand A Firewall

ICANWK406A Install, configure and test network security

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Cornerstones of Security

FIREWALL ARCHITECTURES

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

A Model Design of Network Security for Private and Public Data Transmission

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Application Firewalls

Networking Basics and Network Security

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

allow all such packets? While outgoing communications request information from a

Basic Network Configuration

Security threats and network. Software firewall. Hardware firewall. Firewalls

Guideline on Firewall

How To Protect Your Network From Attack

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Internet Security Firewalls

Network Security Administrator

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

8. Firewall Design & Implementation

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

CS5008: Internet Computing

Cyber Security Design Methodology for Nuclear Power Control & Protection Systems. By Majed Al Breiki Senior Instrumentation & Control Manager (ENEC)

Intro to Firewalls. Summary

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Proxies. Chapter 4. Network & Security Gildas Avoine

Lab Configuring Access Policies and DMZ Settings

Chapter 12 Supporting Network Address Translation (NAT)

5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Connecting with Computer Science, 2e. Chapter 5 The Internet

Recommended IP Telephony Architecture

Network Configuration Settings

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

The Advantages of a Firewall Over an Interafer

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Essential Curriculum Computer Networking 1. PC Systems Fundamentals 35 hours teaching time

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Chapter 2 TCP/IP Networking Basics

Firewalls for small business

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Consensus Policy Resource Community. Lab Security Policy

DMZ Network Visibility with Wireshark June 15, 2010

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Ranch Networks for Hosted Data Centers

Protecting and controlling Virtual LANs by Linux router-firewall

Chapter 9 Firewalls and Intrusion Prevention Systems

Firewall Architecture

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

Business Case for a DDoS Consolidated Solution

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

Information Technology Security Guideline. Network Security Zoning

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Achieving PCI Compliance Using F5 Products

Transcription:

Nuclear Plant Information Security A Management Overview The diagram above is a typical (simplified) Infosec Architecture Model for a nuclear power plant. The fully-developed model would, for example, contain more detail about software development, change controls, firewalls and unidirectional networks. Diversity and separation requirements in nuclear power plants generally mean that nuclear plant systems are already robust against cyber attack. 1 of 6

Basic Terminology related to Domain-Based Security Domain-Based Security (DBSy) is a technique developed by Qinetiq Ltd and endorsed by the UK Ministry of Defence for the analysis of information security in plant systems. It requires the IT systems to be analysed by domains as shown in the diagram above so that the different security levels and the key barriers can be identified. Domain Environment Connections between domains Islands of infrastructure Causeways Logical grouping of systems and people within which information can be freely shared. Models of the physical world from where people interact with systems via a Portal. These define the limits of interaction. Single machines or groups of networked machines that operate together to support a business function. Secure connections between Islands. Infosec Architectural Model Risk Threat Actor Groups (TAGs) This incorporates both the business functions and the technical world in which they operate, and thus enables the different views of system users, security advisers and developers to be discussed. This has three elements: Threat, Vulnerability, and Impact. Controls or countermeasures can be applied to each. Internal: Operators, Engineers with high-level access privileges. External: Connected users, Maintenance and Repair, Visitors, Those with wider access, Regulators and security advisers, natural disasters C, I, A Confidentiality, Integrity, Availability 2 of 6

Types of Firewall Network Dual-Firewall DMZ Network Architecture (also called Perimeter Architecture) 3 of 6

Firewall terminology Data diodes and unidirectional networks Network layer or packet filter firewalls Applications layer firewalls Proxy firewalls Bridging versus Routing firewalls These are the methods of ensuring one-way transmission of information from a higher-security ( trusted ) system to a lower-security system, but not viceversa. Do not allow packets to pass through the firewall unless they match the established rule set. Packet filters act by inspecting the "packets" which transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source). Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP)). This is useful as it is able to detect if an unwanted protocol is attempting to bypass the firewall on an allowed port, or detect if a protocol is being abused in any harmful way. A proxy server (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, while blocking other packets. A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user. What is the difference between a bridging ( transparent ) firewall and a conventional firewall? Usually a firewall also acts as a router: systems on the inside are configured to see the firewall as a gateway to the network outside, and routers outside are configured to see the firewall as the gateway to the protected network. A bridge is piece of equipment that connects two (or more) network segments together and passes packets back and forth without the rest of the network being aware of its existence. In other words, a router connects two networks together and translates between them; a bridge is like a patch cable, connecting two portions of one network together. A bridging firewall acts as a bridge but also filters the packets it passes, while remaining unseen by either side. 4 of 6

Fig 6 is a flow chart showing the multiple interconnections between the concepts of threat, vulnerability and risk (from IAEA pub 1527). 5 of 6

Security classification is in accordance with safety classification, which is done in accordance with IEC 61266. IAEA publication 1527 makes recommendations for minimum countermeasures according to security classification, as follows: Cat* IEC 61266 A B C Description Typical functions Possible security level and counter measures (IAEA pub 1527) Principal role in achieving safety Complementary role to Category A Auxiliary or indirect role - (i) Document management, (ii) Work permit and control system, (iii) Access control system 1. Reactor shutdown/holddown 2. Decay heat removal 3. Containment 4. Essential displays 1. Spent fuel pool cooling 2. Main cooling system isolation 3. Post accident monitoring system 4. Automatic control 5. Monitoring and control of fuel handing 1. Monitoring category B functions in post-accident phase 2. Warning of internal or external hazards 3. Functions where operating mistakes could cause very minor radioactive releases Level 1: No network data flow of any kind. Strict outward comms only, which excludes handshake protocols such as TCP/IP. No remote maintenance access. Physical access strictly controlled. All data entry is approved and verified. Level 2: Outward one way network data flow from level 2 to level 3 systems only. Remote maintenance access may be allowed on a case by case basis for limited time only. Physical connections must be strictly controlled. Level 2: Outward one way network data flow from level 2 to level 3 systems only. Remote maintenance access may be allowed on a case by case basis for limited time only. Physical connections must be strictly controlled. Level 4: Only approved users are allowed. Access to the internet from level 4 systems may be given to users if adequate protective measures are employed. Security gateways are implemented. Physical connections are controlled. Remote maintenance is allowed and controlled. System functions available to users are controlled by access control mechanisms. Remote external access is allowed for approved users. - Email Level 5: Only approved users can make modifications to the systems. Internet access is allowed subject to protective measures. Remote external access is allowed subject to protective measures. *EdF Energy subdivides Cat B into Significant Cat B and Less significant Cat B. Systems which fall into Cat C or Less significant Cat B can be assessed using DBSy ADVANTAGE. Systems with a higher classification require the full DBSy approach. 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information