Cyber security of nuclear power plant instrumentation,
control and information systems
Björn Wahlström
VTT Industrial management and innovation systems
Background
• A concern raised by the growing number of computer security
incidents
• A joint effort of the IAEA departments of Nuclear Power and
Nuclear Safety and Security
• A draft of a TECDOC has been produced
• A technical meeting will be held in Idaho Falls 17-20.10.2006
• Further decisions on how to continue will be made
What to do about cyber security?
It is a threat like all the others!?
That is not really true!
• Ensuring safety of computer systems is a game
against nature!
• Ensuring cyber security is a game against one or
several intelligent opponents!
Table of Contents
1 Foreword
2 Introduction
2.1 Scope
2.2 Physical protection of nuclear facilities
2.3 Computer security at nuclear facilities
3 Security Needs and Appropriate Security Measures
3.1 Objectives for the Physical Protection of Nuclear Material and Facilities
3.2 Computer systems
3.3 Threats to computer systems
3.4 Graded approach to computer security
4 Implementing computer systems security
4.1 Computer systems security plan
4.2 Computerised systems structure analysis (configuration)
4.3 Risk analysis, assessment and management of computer systems
5 Organisational issues
5.1 Authorities and responsibilities
5.2 Organisational aspects of daily operations
5.3 Security Awareness Training
6 Third party and vendor interfaces
7 Quality Assurance
8 Regulatory Activities
The design basis threat (DBT)
The attributes and characteristics of potential insider
and/or external adversaries, who might attempt
unauthorized removal of nuclear material or sabotage,
against which a physical protection system is
designed and evaluated.
IAEA INFCIRC/225/Rev.4
G3 Gates - Guards - Guns
Threats to computer systems (1/2)
• Unauthorized access to information (Loss of confidentiality),
• Interception and change of information, software, hardware, etc. (Loss of integrity),
• Blocking of data transmission lines and/or shutdown of systems (Loss of availability),
• Unauthorized intrusion into data communication systems or into computers (Loss of reliability)
Threats to computer systems (2/2)
• Attacks by outsiders
• hackers gaining access through external data transmission lines
• denial of service attacks through a flooding of important communication channels
• Attacks by insiders
• switching off an important computer system
• intentional release of computer viruses into the intranet
• modification of important parameters
• installation of malevolent code into the systems
• Attacks with a combination of actions from both insiders and outsiders
• the largest hazard potential.
• threats include all the threats above
• a possibility that an attack is planned and implemented over a period of time
Measures on a generic level
• Security Operating Procedures are written and used
• Users are given access only to those functions on a system that they require
• There is an access control with authentication and identification of users
• The staff permitted access to the system is suitably qualified and experienced
• An intrusion detection system (IDS) is installed and maintained
• Virus detection and handling is based on the most recent technology
• Removable media are controlled in accordance with security operating
procedures
• Audit trails are implemented for actions on the firewalls, IDS and network servers
• Appropriate trustworthiness checks are carried out on all persons with access to the computer systems
• Appropriate business continuity procedures are in place (back-up of data, fall-back procedures)
• Physical protection commensurate with the functionality of the computer system,
upgrade routes, cables, terminals, etc. is applied
• Physical protection needs are considered and the principle of defence in depth is
applied in the design of the systems
Measures on different levels (1/2)
Level 4, Protective measures used for systems that are not directly important for technical control or
operational purposes, e.g. office automation systems, for which unauthorised access has a low severity
level, may include the following:
• INTERNET access is given with normal industrial standard protective measures
• Firewalls are based on the best-available-technology and they are maintained;
• Remote access is allowed for authorised users provided that encryption and strong
authentication procedures are used;
• Penetration tests are undertaken periodically.
Level 3, Protective measures used for systems, e.g. technical support systems,
which have a medium severity level for unauthorised access may include the
following:
• Well maintained firewalls are implemented between levels of the security zones to
protect against commands from a lower level entering a higher level;
• Connections to data transmission networks are allowed, but they are protected with
industrial state-of-the-art measures to ensure high integrity;
• No data flow is allowed from the lower levels to the higher level computer systems;
• All interfaces and connection to the computers are strictly controlled;
• Remote maintenance access is allowed on a case by case basis provided that it is
robustly controlled;
• System functions available to users are controlled by password in a hierarchical
manner, so that not all users are given the same access and modification rights;
• Only approved and qualified users are allowed to make modifications in the systems;
• Important computers are mirrored in a way to allow a quick start-up of redundant
computers;
• Penetration tests are undertaken periodically.
Measures on different levels (2/2)
Level 2, Protective measures used for systems, e.g. operational control systems,
which require a high level of security may include the following:
• Only a one-way outward flow of data is allowed. No control commands are accepted
from the outside
• Remote maintenance access may be allowed on a case-by-case basis for a defined
working period; when used, it must be protected by encryption and strong authentication
and identification
• Redundancy or shadowing, but possibly without the requirement of a hot standby
computer
• The number of staff given access to the systems is kept to a minimum
• High level control of access to systems and a high level of authentication and
identification of users
• All reasonable measures to ensure the integrity and availability have been taken
Level 1, Protective measures used for systems, e.g. protection systems, which
require the highest level of security may include the following:
• No external data transmission connections outside this zone are used, except that an outward
data flow without any data transfer protocol may be permitted
• Redundancy or shadowing meeting the single failure criterion, which means that the
computers have a full hot standby unit able to take over at any time
• No remote maintenance access is allowed
• The number of staff given access to the systems is limited to an absolute minimum
• Strict control of access to systems and a strong authentication and identification of users
• A two-person rule is applied, which means that there must always be two persons giving
their joint approval to any modifications done in the computer systems
• All measures to ensure the confidentiality, integrity and availability have been taken
A computer security plan
• An overall security framework and design
• Security operating procedures
• Compliance of the security plan with the security policy
• Application of the design basis threat (DBT)
• Risk and vulnerability assessment
• Identification of contingency actions
• Organisation and responsibilities
• Security awareness and training requirements
• A frame for the development of security operating and
administrative procedures
Structure analysis of computerised systems
Content of the analysis
• Functions/tasks and operational modes of all existing computerised systems,
• Identification of all interconnections including power supplies,
• Dataflow analysis, to determine what communicates with what, and how and
why
• Procedures that initiate communication, frequency of communication,
protocols
• Identifying where computer systems and equipment are located
• Analysis of user groups
Sources of information
• Requirement specifications, design specifications, implementation
specifications, test specifications
• Identification, traceability, communication and change management of the
requirements
• Functional system aspects (goals, functions, behaviours, communications,
structures) modelled in the specifications
• Non-functional system aspects (availability, reliability, safety, security,
flexibility, maintainability, reusability, mobility) modelled in the specifications
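The graded zone rules from "Measures on different levels" and the dataflow analysis ("what communicates with what") listed above, combined in one added example that is not code from the presentation or the TECDOC draft: a constructed inventory of systems and data flows is checked against the level rules on the slides. The system names, the "REMOTE" pseudo-source and the protocol value "none" are assumptions made for the example.

```python
# Added example, not code from the presentation: constructed inventory checked against the
# graded zone rules on the slides (level 1 = protection systems, 4 = office automation).
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str
    level: int
@dataclass(frozen=True)
class Flow:
    src: str                 # sending system; "REMOTE" = access from outside all zones
    dst: str
    protocol: str = "tcp"    # "none" models an outward link without a data transfer protocol
    commands: bool = False   # does the flow carry control commands?
    encrypted: bool = False
    strong_auth: bool = False
    approved: bool = False   # case-by-case approval for a defined working period

def check_flow(systems: dict, f: Flow) -> list:
    """Return the rule violations for one flow; an empty list means it is allowed."""
    d = systems[f.dst]
    if f.src == "REMOTE":    # remote access / remote maintenance, graded per level
        if d.level == 1:
            return ["level 1: no remote maintenance access is allowed"]
        if d.level == 2 and not (f.approved and f.encrypted and f.strong_auth):
            return ["level 2: remote access needs approval, encryption and strong authentication"]
        if d.level == 3 and not f.approved:
            return ["level 3: remote maintenance only case by case, robustly controlled"]
        if d.level == 4 and not (f.encrypted and f.strong_auth):
            return ["level 4: remote access needs encryption and strong authentication"]
        return []
    s = systems[f.src]
    v = []
    if s.level > d.level:    # a lower security level must never feed a higher one
        v.append(f"no data flow from level {s.level} up into level {d.level}")
    if s.level == 1 and d.level != 1 and f.protocol != "none":
        v.append("level 1: outward flow must not use a data transfer protocol")
    if f.commands and d.level <= 2 and s.level != d.level:
        v.append(f"level {d.level}: no control commands accepted from outside the zone")
    return v
# Constructed inventory; the system names are invented for the example.
SYSTEMS = {s.name: s for s in (System("RPS", 1), System("DCS", 2), System("HIST", 3), System("OFFICE", 4))}
FLOWS = [Flow("RPS", "DCS", protocol="none"),   # allowed: outward, no protocol
         Flow("RPS", "HIST", protocol="opc"),   # violation: data transfer protocol used
         Flow("OFFICE", "DCS", commands=True),  # violations: upward flow and commands
         Flow("REMOTE", "RPS"),                 # violation: never allowed
         Flow("REMOTE", "HIST", approved=True)] # allowed: case by case
def audit(systems=SYSTEMS, flows=FLOWS) -> dict:  # (src, dst) -> list of violations
    return {(f.src, f.dst): check_flow(systems, f) for f in flows}
```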
Authorities and responsibilities
Requirements on the management:
• Control of information distribution by applying the need-to-know principle
• Overall responsibility for all aspects of computer security
• Installation, authorisation and control of the computer security process
• Providing adequate resources
• Nomination of a computer system security officer (CSSO) and a deputy
Job profile for a CSSO
• Adviser to the company’s management
• Co-ordination and control of the production of computer security documents
• Support to all departments
• Conducting risk assessment
• Implementing computer security measures
• Documentation of the computer security status and providing periodic reports to
management
• Planning and coordination of computer security training
• Investigation of computer security emergencies and breaches of security
• Incident manager of relevant IT emergencies
• Head of the computer security team
Organisational aspects and daily operations
• Maintenance and modification management (change control)
• Checking compliance with security policies and plans
• Monitoring operations and audit trails
• Abnormal event handling
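The change control and audit trail items above, together with the two-person rule for modifications required at Level 1, as an added example (not code from the presentation): a modification is recorded only after two distinct persons approve it, and every request, approval, rejection and application is written to an audit trail. The change identifiers and person names are constructed.

```python
# Added example, not code from the presentation: the two-person rule for modifications
# of a computer system, with every step written to an audit trail.
from datetime import datetime, timezone

class ChangeControl:
    def __init__(self):
        self.changes = {}       # change_id -> record of the requested modification
        self.audit_trail = []   # (utc timestamp, event, change_id, person)

    def _log(self, event, change_id, who):
        self.audit_trail.append((datetime.now(timezone.utc).isoformat(), event, change_id, who))

    def request(self, change_id, system, description, requester):
        self.changes[change_id] = {"system": system, "description": description,
                                   "approvals": [], "applied": False}
        self._log("requested", change_id, requester)

    def approve(self, change_id, approver):
        """Record one person's approval; the same person cannot approve twice."""
        c = self.changes[change_id]
        if c["applied"] or approver in c["approvals"]:
            self._log("approval-rejected", change_id, approver)
            return False
        c["approvals"].append(approver)
        self._log("approved", change_id, approver)
        return True

    def apply(self, change_id, operator):
        """Apply the modification only after two distinct persons have approved it."""
        c = self.changes[change_id]
        if c["applied"] or len(c["approvals"]) < 2:
            self._log("apply-rejected", change_id, operator)
            return False
        c["applied"] = True
        self._log("applied", change_id, operator)
        return True
```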
The zone model of security as used in NPPs
(Figure: the NPP IT-systems arranged in Zone 1 (Subzones 1A and 1B), Zone 2 (IT-system), Zone 3 (Subzones 3A, 3B and 3C) and Zone 4 (Subzones 4A and 4B), with Remote-Access shown outside the zones.)
Characteristics of the nuclear industry
• A controversial industry
• a somewhat larger likelihood of becoming a target for attacks
• generating stations may experience extended shut downs based on a
suspicion that safety is challenged
• anti-nuclear groups may engage in unlawful activities for their own ends
• Needs very similar to those of other process industries, i.e. different from the
typical needs within business and administration,
• but also some additional needs
• regulatory oversight implies a demonstration that the applied security
measures can be considered reasonable and sufficient
• a heavy modification management process
• a smaller number of vendors for I&C equipment
Safety and security
• Safety has the highest priority
• Cyber security is not an end in itself, but should be seen as a
component in overall safety and availability
• Security breaches are not likely to compromise safety, but breaches may
• compromise the integrity of computer based systems
• cause unplanned outages for event analysis and elimination of
vulnerabilities
• decrease the availability and reliability of important systems
• pave the way for later attacks of a more serious nature
Further development of the document (1/2)
Guidance on a managerial level
• creation of an awareness of the issue
• guidance for planning and implementing security measures
• stressing the importance of a continued effort
Guidance on a technical level
• making an inventory of computer based systems
• assessing vulnerabilities and risks
• the design basis threat
• assessing needs for external connectivity
• measures for increased security
• administrative measures
• technical measures
• licensing requirements
Further development of the document (2/2)
Administrative measures for increased security
• authorisation
• laptops, hand-held devices, memory sticks
• protection against insiders
• etc.
Technical measures for increased security
• system architectures
• division into zones
• ensuring unidirectional communication
• authentication
• encryption
• embedded computers
• wireless technologies
• intrusion testing
• modification management
• etc.
Questions to be addressed in the future
• Technical questions
• is it better to use open or proprietary software for high integrity
applications?
• how to design for long life cycles in a period of rapid technological
development?
• Administrative questions
• how can the right balance be found between a too lax and a too rigid
security system?
• what is a reasonable division between security precautions
implemented by operators of important systems and by the society
• Policy questions
• is it possible to use market mechanisms to achieve the actions
necessary?
• is it possible to reach significantly better safety and security in the
future than today?
Proprietary or Open Source SW
Proprietary SW
• development is driven by profit maximisation
• adapted to the needs of large markets (office, home, media)
• race to become an owner of a de facto standard
• a need to interface to all existing protocols and HW
• new SW versions depend on vendor marketing policy
• need to upgrade to rapidly changing versions
• no possibilities to inspect SW development process and code
Open Source SW
• development is driven by application needs
• can be adapted to the needs in specialised fields
• builds on existing and open standards
• unused SW modules can be removed for simplicity
• move to new versions can be handled in a planned process
• smaller need to upgrade to new versions
• application development and source code can be inspected
The theory of risk homeostasis
Conclusions
• Risk assessment and safety engineering can and should be used
in designing for cyber security
• the design basis threat
• a graded approach
• defense in depth
• Safety and security are complementary ends and have to be
approached with both technical and administrative means
• Computer developers and users have to have an understanding
of threats and basic security measures
• There is a continuing race between security provisions and an
unknown population of hostile attackers
• Interactions between different areas of application are needed
• A systems oriented thinking can help in finding cost effective
solutions
Thank you. Questions?