Fundamental Issues: Nuclear Generators Lead Cyber Security




power-eng.com, http://www.power-eng.com/articles/npi/print/volume-8/issue-5/nucleus/fundamental-issues-nuclear-generators-lead-cybersecurity.html

10/12/2015

Andrew Ginter, VP Industrial Security, Waterfall Security Solutions

We have all heard the phrase "oh, that's for nuclear; they're different." While nuclear is "different" in many realms, it is not so different in the realm of industrial cyber security. Cyber attacks, attack tools and the attackers themselves only become more sophisticated over time, and the risk of physical sabotage carried out through a cyber attack is common to nuclear and non-nuclear sites. Yes, nuclear generators are more concerned than most about both physical and cyber security, but the "sophisticated cyber attacks" that nuclear generators were talking about five years ago are today encoded into publicly available, powerful and easy-to-use attack tools. These tools make yesterday's "sophisticated attacks" accessible to large numbers of hackers of modest talent, and even to unskilled "script kiddies." The issues nuclear generator security people have been talking about are becoming equally troubling for the entire electric sector and for industrial control systems in all industries.

Photo caption: Waterfall Security's unidirectional gateway is one of many ways businesses can keep computers and other technology safe from outside threats. Courtesy: Waterfall Security

Security Is All About Safety

We can start with priorities. Industrial security standards and guidance rooted in the thinking of the early 2000s, such as NIST SP 800-82r1 and IEC 62443-1-1, all talk about "CIA" versus "AIC." Conventional IT security priorities tend to be, in this specific order, confidentiality, integrity and availability (CIA). If the banking website starts leaking credit card numbers to the Internet, shut it down to protect confidentiality. If the site starts letting people transfer money they don't have, shut it down to protect database integrity. Finally, try hard not to shut the site down at all: protect the site's availability, because every hour the site is running the bank reaps millions of dollars in transaction fees.

Common wisdom among control system security practitioners in the early 2000s was that, in the ICS world, this triad is reversed. The highest priority for control systems was thought to be availability (keep the control system running), the second priority integrity (keep the control system running correctly) and the third priority confidentiality.

In the world of nuclear generators, though, we never hear any of this "CIA vs. AIC" terminology. The first priority at nuclear generators was, is and always will be safety. Standard safety calculations assume that equipment fails independently and at random; a cyber security breach is a systematic failure of safety equipment, in which an attacker who can compromise one digital safety channel can compromise its redundant twins in the same way, and so it cannot be modeled by those calculations. Cyber security is therefore essential to safety: digital safety systems are worthless if they are compromised. The second nuclear security priority is always reliability: prevent damage to the generating unit, and keep the lights on. And yes, the third priority is confidentiality.

This "safety and reliability" wording is being discussed in a number of control system standards forums. Revision 2 of NIST SP 800-82, "Guide to Industrial Control Systems (ICS) Security," is the first major standard to pick up the new wording. Several other draft standards from different organizations are looking at this new wording as well.
It is the safety and reliability of the physical processes that are the cyber security focus at most industrial sites, not abstract CIA/AIC attributes of the industrial control system computers and networks.

Security Starts at the Perimeter

In a real sense, all cyber security starts at the cyber/physical security perimeter. If a control system ever makes the transition from a trustworthy state to a compromised state, the compromise had to originate somewhere, and it always comes from "the outside": from network attacks, from software or malware brought into the control system, from people with malicious intent entering the secure area to mis-operate the control system, and from hardware components with embedded software crossing the perimeter.

Classic network perimeter protection in old-school ICS security standards is all about firewalls. The problem with firewalls is that they are porous by design. At their core, all firewalls are routers, because all firewalls forward messages, and some of the forwarded messages contain attacks, in spite of every firewall vendor's best efforts to separate "good" packets from "bad." Fundamentally, every path through a firewall intended to let data flow out of a control system network also lets attacks back into that "protected" network: an outbound connection the firewall permits carries an inbound stream of replies from the less-trusted side, and every byte of that stream is an opportunity for whoever controls the far end.

In 2010, the Nuclear Regulatory Commission (NRC) effectively forbade American nuclear generators from deploying firewalls to connect generating unit safety and control networks, directly or indirectly, to any less-trusted network. As a result, to balance security and operational needs, all American nuclear generators deployed unidirectional security gateway technology. Unidirectional gateways are deployed widely in other nations as well, either because of a similar regulatory imperative or simply because the technology provides such dramatic threat reduction.

Unidirectional gateways permit information to leave industrial networks and are physically incapable of sending any message or any information back into protected networks to put those networks at risk. Unidirectional gateway hardware makes the gateways secure, and unidirectional server replication software makes the gateways plug-and-play replacements for firewalls. Since 2010, unidirectional gateways have been deployed widely outside the nuclear generation industry and have appeared in many ICS security standards and guidance documents. For example, the 2013 North American Electric Reliability Corporation Critical Infrastructure Protection Version 5 (NERC CIP V5) standards recognize the security of unidirectional gateways in the definition of the NERC term "External Routable Connectivity." The standards relax roughly one third of the CIP V5 requirements for medium impact power plants with unidirectional gateways deployed, in recognition of the superior security provided by the gateways. The proposed 2015 NERC CIP V6 standards keep all of these exemptions and introduce additional ones. NIST SP 800-82r2, ISA/IEC 62443-3-3 and the European Network and Information Security Agency (ENISA) control system standards also recognize the strength of unidirectional gateways.

The 2014 French Agence nationale de la sécurité des systèmes d'information (ANSSI) ICS security standards go even further. ANSSI groups control systems into three classes, based on the importance of the industrial site. The standards permit the use of firewalls only for the least important Class 1 networks. ANSSI states that all connections between the more important Class 2 networks and any less-trusted networks "should be unidirectional" toward the less-trusted networks. For the most important Class 3 networks, ANSSI outright forbids the use of firewalls. The ANSSI standards make the point very clearly: firewalls are permitted for partitioning networks at the same level of trust, but may not be used to connect networks at different trust levels.

Remote Access

Historically, guidance for interactive remote access to industrial sites echoed standard guidance for IT systems: use encryption, firewalls, two-factor authentication and "jump host" machines that terminate remote desktop or other interactive sessions outside of the control system, and permit only connections from the jump hosts into control networks.
The thinking was that if these measures were secure enough for corporate networks, they should be enough for control networks as well. Bluntly, though, the problem with this approach is that corporate networks are not particularly secure.

In 2010, the United States Nuclear Energy Institute (NEI) NEI 08-09 guidance and the NRC Regulatory Guide 5.71 rules effectively banned interactive remote access to nuclear generator safety and control system networks. Today, no American nuclear generator permits such access. And again, similar rules and practices are in effect in many other nuclear generation jurisdictions throughout the world.

The rationale for banning remote access is simple: there is no way to assure the trustworthiness of remote endpoints. Modern attack tools and techniques routinely defeat anti-virus, security updates and other IT-centric protections. If a remote laptop or workstation is compromised, no two-factor authentication, encryption or jump host will save us: those controls authenticate and encrypt the session, and say nothing about who is really driving the machine that opened it. A compromised endpoint computer is no longer running trusted software. Such a machine is going to do whatever its attacker wants it to do, not what the owner or operator wants it to do. If we trust a compromised machine to operate any part of our control system remotely, we have handed our control system over to our attacker.

What is the state of remote access outside of nuclear generation? ISA ICS security training material describes remote access technology as "high risk." The 2014 ANSSI standards "strongly discourage" remote access for Class 2 networks and forbid such access for Class 3 networks. The current NERC CIP V5 standards permit remote access, provided that IT-standard encryption, two-factor authentication and other security controls are deployed, but this may change. The American Federal Energy Regulatory Commission (FERC), in its Notice of Proposed Rulemaking (NOPR) for the proposed CIP V6 standards, has expressed concern about the adequacy of CIP V5/V6 controls for interactive remote access, and has invited comments from all stakeholders as to what might be done to address these concerns. Given the clear direction on the part of the nuclear industry, and the strong indications outside of nuclear, the future of remote access seems clear. Within a handful of years, expect remote access to be permitted or recommended only for unimportant, expendable networks and expendable industrial processes.

Removable Media

Sometimes removable media, such as USB flash sticks and CD-ROMs, are essential to the configuration and operation of industrial control systems. At the same time, any medium that can store information can also store attacks and malware. This is a serious problem. Nuclear generators have discussed this risk at length and, for now, have settled on a handful of security controls to deal with the risks of removable media.

When moving information from control systems to less-trusted networks, use only brand-new media, no exceptions. The thinking is that any medium exposed to a corporate network or other untrusted network is potentially compromised, and so untrustworthy.

When moving information from "outside" networks into trusted networks:
- use brand-new media and expose it to a minimum number of "outside" machines;
- prefer CD-ROMs to USB flash sticks, because of the risk of USB firmware compromise;
- scan the media on at least one dedicated anti-malware scanning machine, with at least four different anti-malware engines;
- once files have been identified as probably "clean," copy those files to a new CD-ROM (write-once media, finalized at the scanning machine, so the disc cannot be altered between the scan and the plant), and carry the CD-ROM into the trusted network; and
- as much as possible, load these CD-ROMs onto an isolated test bed for functionality and security testing before loading them into live equipment.

This entire process is viewed as high risk, and nuclear sites strongly discourage its use at all. That said, sometimes the process is unavoidable, such as when control system software components are being enhanced or upgraded.
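Two steps of the inbound procedure above lend themselves to automation on the dedicated scanning machine and on the test bed: a consensus verdict from several independent engines, and a written record of exactly what was admitted so the disc can be re-verified on the other side. The Python below is an added example, not any site's or vendor's kiosk software. Its three checkers (a hash blocklist, a header-versus-filename check and a blocked-type list) are simple stand-ins for the commercial anti-malware engines the procedure calls for, the sample files are constructed, and it assumes the vendor publishes SHA-256 hashes of its release files through a channel other than the media being screened; where a vendor does not, drop that check rather than trusting a hash read off the same disc.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed staging directory, as copied from the new inbound disc: name -> bytes.
INBOUND = {
    "hmi_patch_2015_10.bin": b"MZ\x90\x00" + b"\x00" * 60 + b"constructed HMI patch image",
    "release_notes.txt": b"HMI patch 2015-10: fixes alarm summary rendering\n",
    "config.txt": b"MZ\x90\x00 claims to be text but starts with a PE header",
    "autorun.inf": b"[autorun]\nopen=setup.exe\n",
    "bad_dropper.exe": b"MZ\x90\x00 constructed sample that appears in the blocklist",
}

# Hashes the vendor published out of band (assumption: obtained from the
# vendor's support channel, never read off the disc being screened).
VENDOR_HASHES = {
    "hmi_patch_2015_10.bin": sha256(INBOUND["hmi_patch_2015_10.bin"]),
    "release_notes.txt": sha256(INBOUND["release_notes.txt"]),
}

# Engine 1: hash blocklist (constructed; a real station loads vendor feeds).
KNOWN_BAD = {sha256(INBOUND["bad_dropper.exe"])}


# Each checker returns None when it considers the file clean, else a reason.
def check_known_bad(name, data):
    return "matches known-bad hash" if sha256(data) in KNOWN_BAD else None


TEXT_SUFFIXES = (".txt", ".cfg", ".ini", ".csv", ".inf", ".log")


def check_header_matches_name(name, data):
    # Engine 2: a Windows PE image ("MZ") hiding behind a text-style name.
    if data.startswith(b"MZ") and name.lower().endswith(TEXT_SUFFIXES):
        return "executable header in a text-named file"
    return None


BLOCKED_NAMES = {"autorun.inf", "desktop.ini"}
BLOCKED_SUFFIXES = (".lnk", ".scr", ".vbs", ".js", ".hta", ".ps1")


def check_blocked_types(name, data):
    # Engine 3: file types that have no business on control-system media.
    low = name.lower()
    if low in BLOCKED_NAMES or low.endswith(BLOCKED_SUFFIXES):
        return "file type not permitted on control-system media"
    return None


CHECKERS = (check_known_bad, check_header_matches_name, check_blocked_types)


def screen(files, vendor_hashes, checkers=CHECKERS):
    """Scanning-station side. Returns (manifest, rejected): manifest maps each
    admitted name to its SHA-256 for the outbound disc; rejected maps each
    refused name to its reasons. A file is admitted only when its hash is
    pinned by the vendor AND every checker returns clean."""
    manifest, rejected = {}, {}
    for name, data in files.items():
        reasons = [r for r in (chk(name, data) for chk in checkers) if r]
        digest = sha256(data)
        if vendor_hashes.get(name) != digest:
            reasons.append("hash not in vendor-published list")
        if reasons:
            rejected[name] = reasons
        else:
            manifest[name] = digest
    return manifest, rejected


def verify_disc(disc_files, manifest):
    """Test-bed side. The disc must hold exactly the manifest's files, byte for
    byte; anything missing, altered or extra is reported."""
    problems = []
    for name, digest in manifest.items():
        if name not in disc_files:
            problems.append("missing: " + name)
        elif sha256(disc_files[name]) != digest:
            problems.append("hash mismatch: " + name)
    problems.extend("unexpected file: " + n for n in disc_files if n not in manifest)
    return problems


if __name__ == "__main__":
    manifest, rejected = screen(INBOUND, VENDOR_HASHES)
    for name, digest in manifest.items():
        print("ADMIT ", name, digest)
    for name, reasons in rejected.items():
        print("REJECT", name, "; ".join(reasons))
    disc = {name: INBOUND[name] for name in manifest}
    print("test-bed verification:", verify_disc(disc, manifest) or "clean")
```

The manifest is what travels with the finalized disc; the test bed runs verify_disc against the disc's actual contents, so a file added or changed after the scan, or a file that was never admitted, fails before it reaches live equipment. Note that the station rejects on any single engine's verdict; it never lets a majority of clean verdicts outvote one detection.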
Many in the nuclear community view these current measures as interim measures and are evaluating alternatives, such as unidirectional FLIP technology. FLIP operates as a unidirectional security gateway, except that it switches its orientation on a schedule, so that information can flow unidirectionally into the protected network from time to time while the path remains one-way at every instant.

In the wider world, concerns over the safety of removable media are only starting to be discussed. ISA/IEC 62443-3-3 and the proposed NERC CIP V6 standards contain only vague, IT-like provisions for managing removable media, roughly amounting to "use removable media only on systems with anti-virus software installed." The 2014 ANSSI standards are more specific: ANSSI encourages Class 1 networks to do what nuclear generators do today, and the less expendable Class 2 and Class 3 networks are required to do so. Individual sites are also deploying unidirectional FLIP technology to automate these anti-virus checks and other security controls, and to reduce the use of removable media on industrial systems even further. Thus, it seems that stronger controls for removable media on non-nuclear control systems are coming, but are somewhat further in the future than remote access and unidirectional gateway controls.
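The gateways described under "Security Starts at the Perimeter," and the scheduled FLIP variant above, share one design consequence that is easy to state and easy to get wrong in software: the receiving side has no way to ask for a resend. The Python model below is an added example, not Waterfall's or any vendor's replication code; the frame format, the sequence-number and heartbeat scheme, the simulated diode channel and the historian sample points are all assumptions constructed for the example. It shows how a sender that can never hear back survives loss and corruption: number every frame, send each one more than once, hash it so the receiver can discard damage silently, and periodically tell the receiver how far numbering has gone so that loss at the tail of a burst shows up as a gap rather than as silence.

```python
import hashlib
import json
import random

# Constructed sample: twenty historian points the plant side publishes
# to the business network (tag names and values are made up).
SAMPLE_POINTS = [
    {"tag": "FT-101", "value": round(42.0 + 0.1 * i, 1), "ts": 1444636800 + 10 * i}
    for i in range(20)
]


def make_frame(seq, payload):
    """Frame = canonical JSON body + '|' + hex SHA-256 of the body. The digest
    lets the receiver discard damage on its own; it can never ask for a resend."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    return body + b"|" + hashlib.sha256(body).hexdigest().encode()


def parse_frame(raw):
    """Return (seq, payload) for an intact frame, or None for a damaged one."""
    body, sep, digest = raw.rpartition(b"|")
    if not sep or hashlib.sha256(body).hexdigest().encode() != digest:
        return None
    try:
        obj = json.loads(body)
        return int(obj["seq"]), obj["payload"]
    except (ValueError, KeyError, TypeError):
        return None


class OneWayChannel:
    """Simulated diode. The TX side may only call send(); the RX side may only
    call drain(). Frames can be lost or corrupted, and nothing travels back."""

    def __init__(self, loss, corrupt, seed):
        self.loss, self.corrupt = loss, corrupt
        self._rng = random.Random(seed)
        self._queue = []

    def send(self, frame):
        r = self._rng.random()
        if r < self.loss:
            return                                   # dropped in transit
        if r < self.loss + self.corrupt:
            damaged = bytearray(frame)               # flip one bit somewhere
            damaged[self._rng.randrange(len(damaged))] ^= 0x01
            frame = bytes(damaged)
        self._queue.append(frame)

    def drain(self):
        frames, self._queue = self._queue, []
        return frames


class Sender:
    """Plant-side replicator. With no acknowledgements, redundancy is the only
    defence against loss, so every frame goes out `copies` times."""

    def __init__(self, channel, copies=3):
        self.channel, self.copies, self.seq = channel, copies, 0

    def _emit(self, seq, payload):
        frame = make_frame(seq, payload)
        for _ in range(self.copies):
            self.channel.send(frame)

    def publish(self, point):
        self.seq += 1
        self._emit(self.seq, point)

    def heartbeat(self):
        # seq 0 is reserved: it tells the receiver how far numbering has gone,
        # so loss at the tail of a burst shows up as a gap instead of silence.
        self._emit(0, {"last_seq": self.seq})


class Receiver:
    """Business-side replica. Keeps the first intact copy of each sequence
    number, counts damaged frames, and reports the gaps it cannot have filled."""

    def __init__(self):
        self.points, self.rejected, self.last_seq = {}, 0, 0

    def ingest(self, raw):
        parsed = parse_frame(raw)
        if parsed is None:
            self.rejected += 1
            return
        seq, payload = parsed
        if seq == 0:
            if isinstance(payload, dict) and isinstance(payload.get("last_seq"), int):
                self.last_seq = max(self.last_seq, payload["last_seq"])
            return
        self.points.setdefault(seq, payload)         # duplicate copies are harmless

    def gaps(self):
        end = max(self.last_seq, max(self.points, default=0))
        return [s for s in range(1, end + 1) if s not in self.points]


def replicate(points, loss=0.0, corrupt=0.0, copies=3, seed=1):
    """Push `points` through a lossy one-way channel; return the receiver."""
    channel = OneWayChannel(loss, corrupt, seed)
    sender, receiver = Sender(channel, copies), Receiver()
    for point in points:
        sender.publish(point)
    sender.heartbeat()
    for raw in channel.drain():
        receiver.ingest(raw)
    return receiver


if __name__ == "__main__":
    rx = replicate(SAMPLE_POINTS, loss=0.2, corrupt=0.1)
    print(f"received {len(rx.points)}/{len(SAMPLE_POINTS)} points, "
          f"rejected {rx.rejected} damaged frames, gaps at {rx.gaps() or 'none'}")
```

Run it to see how many of the twenty constructed points survive a channel that drops 20% and corrupts 10% of frames. Production replication software engineers the redundancy far more carefully than "send it three times," but the shape is the same: there is no acknowledgement, so the sender over-sends and the receiver verifies, and a damaged frame is dropped rather than questioned. Nothing the receiver does, including rejecting a frame, ever produces a byte that travels toward the plant.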

Supply Chain Protection

Historically, industrial supply chain concerns were focused on safety. There have been cases where distributors were found to be selling, deliberately or inadvertently, equipment that claimed a high Safety Integrity Level (SIL) rating when the equipment was in fact counterfeit, and not SIL-rated at all. In nuclear generators, supply chain integrity discussions have expanded in recent years to include control-system computer components of all types. Supply chain security concerns include recent reports that nation-state intelligence agencies had inserted remote-control radio components into brand-new computers intercepted in transit between a distributor and a customer, and concerns about CPUs and vulnerable firmware embedded in USB devices.

The 2010 NEI and NRC rules require "measures to protect against supply chain threats," including trusted distribution paths, vendor validation and tamper-proof seals. These measures are more easily required than delivered, though, especially for cheap, high-volume USB components, including flash sticks, keyboards and mice. How to maximize the effectiveness and minimize the cost of addressing supply chain risks are open issues and topics of frequent discussion in nuclear security meetings and workshops.

Discussions of supply chain security in the non-nuclear world are only just beginning. In the FERC NOPR for NERC CIP V6, FERC gives notice of its intent to order NERC to develop supply chain security provisions for a future revision of the CIP standards. FERC's stated reason for the coming order is "recent malware campaigns targeting supply chain vendors." This is presumably a reference to recent "watering hole" attacks, in which control system vendor websites were hacked to distribute malware alongside legitimate control system software updates. In addition, while NIST SP 800-82r2 provides no specific measures for ICS supply chain protection, the standard does refer readers to the supply chain security controls listed in the IT-focused NIST SP 800-53.

Looking Forward

Once again, because cyber attack tools and cyber sabotage tools only become more powerful and easier to use over time, what was regarded yesterday as a sophisticated attack that only the most important nuclear control systems must address is likely to be regarded tomorrow as a pervasive, universally available attack capability that all industrial sites must consider. Today, in many industries, safety, reliability and equipment protection priorities are driving deployments of unidirectional gateway technologies and prohibitions against remote access. Unidirectional gateways defeat even those modern attacks that firewalls are ineffective against, without impairing the plant-to-business communications that are so valuable to modern enterprises. In addition, removable media controls and supply chain protection are on the horizon for all "important" industrial sites.

In short, control system security standards from many authorities are evolving rapidly to reflect and address modern attack capabilities that nuclear generators have been dealing with for years. Today, the real questions facing all electric sector owners and operators are "which of our sites are important enough to protect with modern security measures?" and "which of our sites are expendable enough to continue protecting against only yesterday's attacks?" Really, are any of our industrial sites expendable?

Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions (http://www.waterfall-security.com/), a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. Ginter has 25 years of experience leading the development of control system software products, control system middleware products and industrial cyber security products.