Cyber Security and the Canadian Nuclear Industry: A Canadian Regulatory Perspective




Cyber Security and the Canadian Nuclear Industry: A Canadian Regulatory Perspective
Terry Jamieson, Vice-President, Technical Support Branch
Canadian Nuclear Safety Commission
August 11, 2015
www.nuclearsafety.gc.ca

Outline
- CNSC mission and mandate
- Modern cyber security threat
- Cyber security and modern industrial control system
- Regulatory approach to cyber security
- International perspectives
- Current and future challenges
- Closing remarks

Canadian Nuclear Safety Commission
Regulates the use of nuclear energy and materials to protect health, safety, security and the environment, and to implement Canada's international commitments on the peaceful use of nuclear energy; and to disseminate objective scientific, technical and regulatory information to the public

CNSC presence
- Headquarters in Ottawa
- Five offices at nuclear power plants
- One site office at Chalk River Labs
- Four regional offices
- Staff: ~800
- Resources: $140M (75% of costs recovered)
- Number of licensees: 2,500
- Total number of licences: 3,300
[Map labels: Calgary Western Regional Office; Saskatoon Uranium Mills and Mines Division Regional Office; Gentilly-2; Point Lepreau; Chalk River; HQ; Bruce; Laval Eastern Regional Office; Darlington; Mississauga Southern Regional Office; Pickering A and B]

CNSC regulates all nuclear-related facilities and activities
From cradle to grave
[Diagram labels: Imports and exports; Controlled information; Medical diagnostics; Therapeutic; Controlled material; Refining; Teletherapy; Nuclear medicine and radiation therapy; Controlled equipment; Fuel fabrication; Milling; Brachytherapy; Irradiators; Mining; Power reactor; High power accelerators; Accelerators; Waste; Research reactors; Radioisotope reactors; Industrial applications; Nuclear gauges; Nuclear R&D test facilities; Research and radioisotope production facilities]

Nuclear power plants in Canada
- Darlington (4 unit station): Refurbishment of current 4-unit station scheduled to begin in 2016
- Point Lepreau (single unit station): Refurbishment project completed and unit returned to service (late 2012)
- Gentilly-2 (single unit station): HQ permanently shut down facility in December 2012
- Bruce (8 unit station): Refurbishments ongoing (2 of 8 units completed as of 2015)
- Pickering (6 of 8 units operating): Shutdown expected in 2020

In the old days
Operators of process control systems (PCS) believed they were invulnerable to cyber attack for two main reasons:
1. PCS are isolated from the Internet.
2. PCS generally use proprietary protocols and specialized hardware, which are not compatible with common network protocols and the Internet.
Source: The Vulnerability of Nuclear Facilities to Cyber Attack, B. Kesler, 2011

Cyber security and modern digital systems: the reality
- 2003: Slammer worm at Davis-Besse Nuclear Power Plants (2003) in the US
- 2010: Stuxnet malware infiltrated Natanz (Iran) nuclear facility disabling over 1000 centrifuges
- 2014: Monju fast reactor (Japan) infected by malware (data integrity and compromise)
  - Various theories as to its introduction
- And many more cyber incidents
[Image captions: Siemens Programmable Logic Controller; Monju Sodium Fast Reactor; Natanz Enrichment Facility, Iran]

And more recent incidents
South Korean nuclear operator hacked amid cyber attack fears
Operator begins two-day exercise after suspected hacker tweets information on Korea Hydro & Nuclear Power (KHNP) plants and staff
The latest attack resulted in the leak of personal details of 10,000 KHNP workers, designs and manuals for at least two reactors, electricity flow charts and estimates of radiation exposure among local residents. There was no evidence, however, that the nuclear control systems had been hacked.

What do we mean by cyber security and the nuclear industry?
- Protect digital assets that perform the functions of systems important to nuclear safety, security, emergency preparedness and international safeguards from cyber attack
- Digital asset: A subcomponent of a system that consists of or contains a digital device, computer or communication system or network, and information stored in the subcomponent.

Scope of cyber security program: nuclear facilities
- Industrial Control System for nuclear safety
- Physical protection systems
- Annunciation, communication systems for emergency preparedness / response and international safeguards systems

Cyber threats: What are the CNSC and nuclear industry doing?
- Since 2008, the CNSC has engaged major nuclear facilities in Canada in defining requirements of and implementing programs for cyber security
- Regulations updated, licence conditions added, modern standards developed
- CSA N290.7 Cyber Security for Nuclear Power Plants and Small Reactor Facilities (published December 2014)
- Site cyber security inspections by CNSC staff began in January 2015 for Canadian Nuclear Power Plants

CSA N290.7 security controls: cyber security for nuclear facilities
- CSA N290.7 will form the cornerstone of CNSC's regulatory framework requirements
- N290.7 comprises technical, operational and management control requirements:
  - Technical: executed through non-human mechanisms
  - Operational: executed through human mechanisms
  - Management: risk management and general policies including procurement strategies

Cyber defensive architecture at NPPs
- Cyber security focuses on defence in depth (similar to traditional principles of safety)
- Data flow restricted as per diagram (i.e., typically from higher to lower security levels)
- Defensive architecture is implemented by establishing the logical and physical boundaries

State of cyber defensive architecture in Canadian NPPs
- Networks responsible for safety systems, process control systems, physical security systems and business systems are segregated
- Safety system network connected to process system network via one-way communication device (no possibility of bidirectional information flow)
- Administrative and mechanical controls prevent unauthorized access (portable mobile devices, etc.) to safety, process control and physical security computers
- Licensees have robust cyber security measures in place that have been verified by staff
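The zoning rules on the two slides above can be checked against observed traffic. The following is an added example, not CNSC or licensee code: the zone names follow the slides, while the subnets, numeric security levels, the process-to-business conduit and the flow records are constructed assumptions.

```python
import ipaddress

# Zone names follow the slides; subnets and levels are constructed assumptions.
ZONES = {  # name: (subnet, security level; higher = more protected)
    "safety":   (ipaddress.ip_network("10.40.0.0/16"), 4),
    "process":  (ipaddress.ip_network("10.30.0.0/16"), 3),
    "physsec":  (ipaddress.ip_network("10.20.0.0/16"), 3),
    "business": (ipaddress.ip_network("10.10.0.0/16"), 1),
}
# Declared one-way conduits (source zone, destination zone). safety -> process
# is from the slides; process -> business is an assumption for illustration.
CONDUITS = {("safety", "process"), ("process", "business")}

def zone_of(addr):
    """Map an IP address to its zone name, or None if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, (net, _level) in ZONES.items():
        if ip in net:
            return name
    return None

def audit_flow(src, dst):
    """Return a finding for one observed flow, or None if it conforms."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "unzoned endpoint"
    if s == d:
        return None  # traffic inside one zone is out of scope here
    if (s, d) in CONDUITS:
        if ZONES[s][1] < ZONES[d][1]:
            return "conduit runs from lower to higher level"
        return None
    if (d, s) in CONDUITS:
        # A true one-way device cannot carry this; seeing it implies a bypass path.
        return "reverse flow across one-way conduit"
    return "no conduit between segregated zones"

def audit(flows):
    """Return (src, dst, finding) for every non-conforming flow."""
    return [(s, d, f) for s, d in flows if (f := audit_flow(s, d))]

# Constructed flow records (initiator, responder), as a flow collector might export.
SAMPLE_FLOWS = [
    ("10.40.1.5", "10.30.2.9"),     # safety -> process: declared conduit
    ("10.30.2.9", "10.40.1.5"),     # process -> safety: reverse direction
    ("10.20.0.3", "10.10.7.7"),     # physsec -> business: zones are segregated
    ("192.168.1.50", "10.30.2.9"),  # address outside every zone
    ("10.30.2.9", "10.30.2.10"),    # inside the process zone
]
```
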

Cyber security: the importance of national/international collaboration
- Domestically, CNSC works with Public Safety Canada / Canadian Cyber Incident Response Centre, Natural Resources Canada, Communication Security Establishment Canada and others
- Internationally, bilateral work with the US Nuclear Regulatory Commission has greatly advanced knowledge
- CNSC contributes significantly to the work at International Atomic Energy Agency (IAEA) in developing security series documents: Nuclear Security Series (NSS) 17 Computer Security at Nuclear Facilities, Conducting Cyber Security Assessments for Nuclear Facilities and many more

IAEA and cyber security (cont.)
- International Physical Protection Advisory Service (IPPAS) missions
  - Module on computer (cyber) security
  - Canada will host an IPPAS mission in 2015!
- Training
  - Offered by international cyber experts from nuclear industry to host countries (operators, regulators, others)
- Production of Nuclear Security Series publications to assist IAEA member states with program implementation and improvements

Challenges to managing and regulating cyber security in the nuclear industry
- Rapid evolution of cyber threat vectors and instruments; nuclear plants seen as a target of interest
- Challenges of regulating across global supply chain: counterfeit, fraudulent, suspect items cases well publicized
- Increased sophistication of cyber attacks makes detection and prevention increasingly difficult
- Knowledge and resource limitations (cyber expertise): industry and regulator
- State of board/senior executive oversight on cyber security matters is still evolving

Conclusions
- Canadian nuclear power plants have robust comprehensive cyber security programs in place
- CNSC is evolving its regulatory approaches to meet the needs of the proponents now and in the future while ensuring high levels of safety are assured
- Cyber security requirements need to be embedded into every phase of the regulatory review process for I&C systems
- Cyber security (like physical security) is only as strong as the weakest link

Thank You
Any Questions?
nuclearsafety.gc.ca
facebook.com/canadiannuclearsafetycommission
twitter.com/cnsc_ccsn
youtube.com/cnscccsn