Cyber Security in a Nuclear Context Mitchell Hewes & Nick Howarth UNCLASSIFIED
Who are we?
Our Facilities: Synchrotron, Accelerators, Cyclotron, OPAL
Lucas Heights Campus
Some Considerations
We have an interesting regulatory framework
especially the pharmaceuticals
Control Systems & Computer Security
So what is Security?
risk = likelihood x impact
Mathematically, security controls address risks by minimising the likelihood or the impact. How we see a risk is weighted by our perception of the threat and by our own historical experiences.
Schneier, B.: The Psychology of Security (2008)
Computer Security
Application of security controls to a set of very complex programmable electronic devices.
Digital Assets: encompassing the hardware, software, and information.
Photo by yellowcloud (flickr) / CC BY
Makeup of a Control System: Field Devices, Field Controllers, SCADA, HMI
Cyber Attacks: Shamoon; Stuxnet; Siberian pipeline sabotage (1982, way before Stuxnet)
Protect the Process
Confidentiality: Unauthorised logic changes must be prevented.
Integrity: Field device outputs/inputs must remain immutable throughout their usable lifetime.
Availability: Everything should remain in an operable state.
How?
Personnel Security
Physical Security Controls: the perimeter is not enough.
Network Segregation: it works! (if you do it properly)
Ensure Authenticity (users, communications)
Change Control
Vendor & Supply Chain Security (vendors, and their products)
Air Gap
Physical isolation of a network from unsecured networks.
Provable unidirectional communication: data diode.
Reduces the attack surface.
Is it really possible to isolate a control system? Software patches. Engineering and maintenance updates.
Each transfer/modification comes with a risk: policy around transfers; technical security controls to identify, isolate, and monitor what is allowed.
Computer Security at Nuclear Facilities
Priorities
Plant equipment fits into one of three categories:
1. Essential for nuclear safety.
2. Significant additional contribution to nuclear safety.
3. All other plant systems.
Nuclear safety and nuclear security have a common purpose: the protection of people, society and the environment.
INTERNATIONAL NUCLEAR SAFETY GROUP, The Interface Between Safety and Security at Nuclear Power Plants, INSAG-24, IAEA, Vienna (2010).
Design Problems
Risks to a safety or safety-related system could have significant impact on the levels of defense in depth for the facility.
The lifecycle of a typical nuclear facility is considerable: reactor design to decommissioning can be 50-80 years. A waste storage facility - ???
We are the custodians of these facilities and this material for our generation.
Technical Guidance
Produced by the IAEA in consultation with states, regulators, and facility operators.
NSS 17: Computer Security at Nuclear Facilities
NST047: Computer Security Techniques for Nuclear Facilities
NST036: Computer Security for I&C Systems at Nuclear Facilities
Openly available, and offer advice that is relevant even for non-nuclear facilities.
A Graded Approach
Many systems in a nuclear facility: Protection System, Physical Access Control System, Reactor Control System, Email. All separate systems.
Consider and characterise risks to each individually.
Segregate and apply security controls to reduce risk.
Don't bolt it on
Cyber Security at the OPAL Research Reactor
A brief Introduction to OPAL
A brief introduction to OPAL
Open Pool Australian Light Water Reactor, 20 MW thermal.
Utilisation: Radiopharmaceutical Production; Silicon Doping (NTD); Neutron Beams (Bragg Institute); Other Irradiations.
A brief introduction to OPAL
1997: Replacement Research Reactor Project (RRRP) first funded
2000: Contract signed with INVAP
2001: License to construct issued
2006: Operating license issued
12 August 2006: First Criticality
April 2007: Official Opening
Systems
Protection Systems: First Reactor Protection System; Second Reactor Protection System
Control Systems: Reactor Control and Monitoring System; Other PLCs
Cyber Security
A Disclaimer: This is what we do at OPAL. This may or may not be suitable for your own facilities and organisations.
Organisational: Dedicated IT people for the plant. Not corporate IT. Not I&C Engineers.
Physical: Protected site. Protected building. Secure rooms and cabinets. Monitoring.
Physical: No wireless. No exceptions.
Physical: Keep contractors' IT assets away. Maintain a dedicated computer for each contractor. They'll complain, but they'll comply. Keep corporate IT assets away. Dedicated engineering workstations and laptops.
Physical: Don't leave boxes lying around. Stand-alone systems rot. Consolidate and virtualise whatever you can. Vendors won't always appreciate it.
Physical: Keep your plant offline; use data diodes if you really must have real-time access to data. Physical media controls: physically block USB and other media, remove external media drives.
Logical: Use data diodes to control what data is coming to/from the plant. Physical media control software, for instances where you really must have physical media.
Logical: Conventional cyber security controls.
How did we get there?
How did we get there? Australian Government Information Security Manual (ISM), from the Australian Signals Directorate: http://asd.gov.au
The ISM in Context
From high-level controls
to low-level controls
Process
Security Policy: high-level, one page.
Security Risk Management Plan: What are the risks, and how bad are they? What controls will mitigate those risks, and how good are they?
System Security Plan: How are we implementing those controls?
SOPs and other lower-level docs, e.g. training material, checklists, forms.
SRMP
You already do HAZOPs and CHAZOPs; now do the same for IT security.
Generic SCADA Risk Management Framework for Australian Critical Infrastructure, developed by the IT Security Expert Advisory Group (ITSEAG) (revised March 2012): http://www.tisn.gov.au/documents/scada-generic-risk-management-framework.pdf
But that's too much!
The Top 35 Strategies to Mitigate Targeted Cyber Intrusions: http://www.asd.gov.au/infosec/top35mitigationstrategies.htm
If you don't want the whole ISM, do the Top 35.
The Top 4
1. Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including .dll files, scripts and installers.
2. Patch applications, e.g. Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch/mitigate systems with "extreme risk" vulnerabilities within two days. Use the latest version of applications.
3. Patch operating system vulnerabilities. Patch/mitigate systems with "extreme risk" vulnerabilities within two days. Use the latest suitable operating system version. Avoid Microsoft Windows XP.
4. Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.
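A hash-based allowlist check of the kind strategy 1 describes, added here as a worked example; it is not from the slides and not ANSTO's or OPAL's tooling, and a real deployment would use the platform's own enforcement (e.g. an OS application-control feature) rather than a script. The suffix set and the file names and contents in demo() are constructed for illustration; the point it shows is that verdicts key on content hashes from an approved baseline, so a patched DLL or a renamed installer is caught even when its name looks approved.

```python
import hashlib
import os
import tempfile

# File classes strategy 1 names: executables, .dll files, scripts and installers (assumed set).
CONTROLLED_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".msi"}

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def controlled_files(root):
    """Yield (path relative to root, sha256) for each controlled file type under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in CONTROLLED_SUFFIXES:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), sha256_file(full)

def evaluate(target_dir, allowlist):
    """allowlist is {path: hash} taken from an approved baseline image. Per controlled file:
    'allowed' if its hash is approved, 'modified' if the path is known but the content
    changed, 'unlisted' otherwise. Keying on the hash rather than the name means renaming
    an unapproved installer to an approved name does not let it through."""
    approved = set(allowlist.values())
    verdicts = {}
    for rel, digest in controlled_files(target_dir):
        verdicts[rel] = ("allowed" if digest in approved
                         else "modified" if rel in allowlist else "unlisted")
    return verdicts

def write_tree(root, files):
    """Create {relative path: bytes} under root; used only to build the constructed sample."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

def demo():
    """Constructed sample (hypothetical names): an approved baseline, then a plant
    workstation where one DLL was altered and an unapproved installer appeared."""
    baseline, plant = tempfile.mkdtemp(), tempfile.mkdtemp()
    write_tree(baseline, {"hmi/hmi.exe": b"hmi v1", "hmi/comms.dll": b"comms v1",
                          "tools/backup.ps1": b"Copy-Item"})
    write_tree(plant, {"hmi/hmi.exe": b"hmi v1",              # unchanged
                       "hmi/comms.dll": b"comms v1 PATCHED",  # content changed
                       "tools/backup.ps1": b"Copy-Item",      # unchanged
                       "tmp/vendor_setup.msi": b"installer",  # never approved
                       "docs/readme.txt": b"text"})           # not a controlled type
    return evaluate(plant, dict(controlled_files(baseline)))
```

Running demo() yields four verdicts: the two unchanged files are allowed, comms.dll is reported as modified, vendor_setup.msi as unlisted, and the .txt file is ignored because it is not a controlled type.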
Questions