

    Cyber Security Plans: Potential Impacts for Meteorology Programs

        Cliff Glantz and Guy Landine
    Pacific Northwest National Laboratory


     Guy Landine, Phil Craig, and Will Hutton (PNNL)
     David Rahn and Mario Fernandez (NRC)
     Jeff Hahn and Barry O’Brien (INL)
     Ray Parks and John Michalski (SNL)


     Key cyber security definitions
     Why should you be concerned with cyber security?
     The cyber threat -- where does it come
     Review of the rules, guidance, and commitments for nuclear industry cyber security
     Cyber Security Plans – what are the licensees committing to?
     What does this mean for meteorological programs?

    Key Definitions

      Cyber Security -- measures taken to protect digital
      equipment/systems against unauthorized access or attack
      Cyber Attack is any event in which an adversary attempts
      or commits a malicious exploitation of a digital system.
       The NRC focuses on systems that perform a function.
      A critical system (CS) is a system that has a:
       (1) safety-related function
       (2) important-to-safety function
       (3) security function
       (4) emergency preparedness function (incl. offsite comm.)
    Also includes support systems and equipment which, if
       compromised, would adversely impact safety, security, or
       emergency preparedness functions.

    Cyber Security is a “Hot” Topic

    Headline stories encountered while preparing this talk:
      “Vigilante hackers group ‘Anonymous’ declared an
      online attack against the International Monetary Fund
      over the strict conditions imposed by its bailout for
      Greece”. (AFP)
      “The Pentagon said that it would consider all options if the
      United States were hit by a cyber attack” and the
      Defense Department is developing “the first military
      guidelines for the age of Internet warfare.” (AFP)
      “Hackers launched a ‘significant and tenacious’ cyber
      attack on Lockheed Martin, a major defense contractor
      holding highly sensitive information” (AP)

    Cyber Security Threat

     “Terrorist groups and their sympathizers
     have expressed interest in using cyber
     means to target the United States and its
     “Criminal elements continue to show
     growing sophistication in their technical
     capability and targeting. Today, cyber
     criminals operate a pervasive, mature
     on-line service economy in illicit cyber
     capabilities and services, which are
     available to anyone willing to pay.”

     -- Dennis Blair, Former White House Director of National
     Intelligence (Feb. 2, 2010)

    Threat Agents

          Hackers/Crackers: Break into computers for profit or bragging rights
          Insiders: Disrupt their corporate network, sometimes an accident, often for revenge
          Hostile Countries: Attack enemy countries’ computers and infrastructure
          Terrorists and Criminals: Attack systems for cause or ideology or profit

          Attackers May Utilize Each Other

    In the Past, What Could a Cyber Threat Exploit?

    Not much 20 years ago, when nuclear plant systems
      Limited use of digital systems
      Proprietary operating systems
      Legacy hardware
      Systems dedicated to functions
      Isolated networks
         Stand-alone Systems
         Main Frame with Dumb Terminals

    What Can the Cyber Threat Exploit Today?

    A lot more! Nuclear facilities are increasingly using:
       Networked, PC-based client-server architecture
       Modern operating systems with continuously discovered
       emerging vulnerabilities
       Non-proprietary hardware
       Commercial off-the-shelf (COTS) applications
       Distributed data
       Expanded use of internet and intranet communications

    This is the same trend observed in general industry and
      other critical infrastructures, though the nuclear industry’s
      implementation often trails by a few years…

     Driving Factors for Change & Security Tradeoffs
     Driving Factors:
        Desire for increased functionality
        Obsolescence issues (analog parts/support are lacking)
        Advances in PC technology
        Increased capabilities and lower equipment costs
        Drive to share data and conduct data mining

     Security Tradeoffs:
       Well known architectures and operating systems
       Increased operating system complexity
       Inadequate vendor testing and uncertain vendor security
       Testing limitations on operational systems
       Increased connectivity leads to increased risk
       Widespread availability of hacking tools/capabilities

     Response by the NRC and Industry
       There is growing recognition of the potential threat
       and consequences of a cyber attack
       There is a recognized need for cyber security

       It takes a long time to develop effective cyber
       security rules, regulations, and guidance
       Added expense
       Short-term loss of productivity
       Shortage of trained cyber security experts who are
       knowledgeable of the control system environment.

     NRC and Industry Cyber Security Milestones
      NRC Order EA-02-026, Interim Safeguards and
      Security Compensatory Measures for Nuclear
      Power Plants, (2002). Identify digital systems critical to
      the safe operation of a plant and evaluate the potential
      consequences of a compromise.
      NRC Order EA-03-086, Design Basis Threat for
      Radiological Sabotage (2003). Required each plant
      to develop a cyber security program.
      NUREG/CR-6847 Cyber Security Self-
      Assessment Method for US Nuclear Power Plants
      NUREG/CR-6852 An Examination of Cyber
      Security at Several U.S. Nuclear Power Plants
      NEI-04-04 Cyber Security Program for Power
      Reactors (2004)

     NRC Cyber Security Milestones

      Regulatory Guide 5.69 Guidance for the Application
      of the Radiological DBT in the Design, Development
      and Implementation of a Physical Security Protection
      Program that Meets 10 CFR 73.55 Requirements
      10 CFR 73.1 (2007) Design Basis Threat Rule
      10 CFR 73.54 (2009) Protection of Digital Computer
      and Communication Systems and Networks.
      Regulatory Guide 5.71 (2010) Cyber Security
      Programs for Nuclear Facilities
      NEI 08-09 Rev. 6 (2010) Cyber Security Plan For
      Power Reactors
      Licensee Cyber Security Plans (2011?)

     10 CFR 73.54 – Brief, General Requirements

     Cyber Security Rule (10 CFR 73.54) Requires

       “Provide high assurance that digital computer and
       communication systems and networks are adequately
       protected against cyber attacks”
       Applies to safety, security, and emergency
       preparedness (SSEP) systems and those digital devices
       that can adversely affect SSEP functions.
       Protect the confidentiality, availability, and integrity of
       systems and data.
       Analyze all digital assets, systems, and networks to
       determine which ones require protection under this Rule.
       Establish, implement, and maintain a cyber security
       program to protect these assets.
       Implement security controls to protect the identified
       assets from cyber attacks.

     Cyber Security Rule 73.54 (Cont.)
       Apply and maintain defense-in-depth protective
       strategies to ensure the capability to detect, respond to,
       and recover from cyber attacks.
       Ensure that the functions performed by the critical assets
       are not impacted due to cyber attacks.
       Ensure that personnel, including contractors, are aware
       of cyber security requirements and receive training
       appropriate to their duties.
       Evaluate and manage cyber risks.
       Ensure that modifications to assets or the facility are
       evaluated prior to implementation to ensure that cyber
       security performance objectives are met.

     Cyber Security Rule 73.54 (Cont.)
      Implement an Incident Response and Recovery Plan:
          Maintain the capability for timely detection and response to
          cyber attacks
          Mitigate consequences of cyber attacks
          Correct exploited vulnerabilities
          Restore affected systems, networks, or equipment
       Develop and maintain written policies and procedures
       for implementing the program and plan requirements.
       Make these available for inspection by NRC.
       Periodically review the effectiveness of the program.
       The cyber security program shall be a component of the
       physical security program.
       Retain cyber security-related records for at least 3 years.

     What have the Licensees Committed
     to do in their Cyber Security Plans?

      Analyze all digital computer, communication
      systems and networks and identify CSs and
      associated digital assets.
      Form a Cyber Security Assessment Team
      (CSAT) to:
         Oversee the cyber security assessment process
         Evaluate potential threats, vulnerabilities,
         Evaluate and document the effectiveness of
         existing cyber security training, security controls,
         defensive strategies, and attack mitigation methods
         Confirm findings of tabletop reviews and conduct
         walk-down inspections and/or electronic verification
         of all CSs

     CSP Requires: Implement a Defensive

     CSP Requires: A Comprehensive Set of
     Security Controls
      Security Controls fall into three classes:
      Each class is made up of families of security controls.

      Management Class of Security Controls
         Analyzing Digital Computer Systems and Applying Cyber
         Security Controls
         Cyber Security Assessment and Authorization
         System and Service Acquisition
         Evaluate and Manage Cyber Risk

     Security Controls (cont)

      Operational Class of Security Controls
         System and Information Integrity
         Cyber Security Training
         Configuration Management
         Media Protection
         Cyber Security Contingency Planning (Continuity of
         Attack Mitigation and Incident Response
         Personnel Security
         Physical and Operational Environmental Protection

     Security Controls (cont)

      Technical Class of Security Controls
         Access Control
         Audit and Accountability
         Identification and Authentication
         CDA, System and Communications Protection
         System Hardening

      The three classes of security controls are divided into
      19 families, which in turn contain close to 140
      individual security controls. Each security control has
      a number of required elements.

     A simple example

      System and Service Acquisition
        System and Service Acquisition Policy and Procedures
        Supply Chain Protection
           Establish trusted distribution paths
           Validation of Vendors
           Tamper proof products or tamper seals are required
        Trustworthiness (QA of software)
        Integration of Security Capabilities (follow security controls)
        Developer Security Testing
           Developers/integrators must create a security test and
           evaluation plan and an implementation plan
           Products must meet security requirements and be free of
           testable vulnerabilities and known malicious code.
        Licensee Security Testing

     CSP Requires: Ongoing Assessment of
     Cyber Security Controls

      Monitoring is required to confirm that security controls are
      implemented correctly, operating as intended, and
      achieving security goals
      Electronic vulnerability scanning of CSs is required.
      “When there is a risk of operational disruption, electronic
      vulnerability scans are conducted during periods of
      scheduled outage. Test beds and vendor maintained
      environments may be used for or in substitution for
      performing vulnerability scans.”

     CSP Requirements for Modifying or
     Dropping a Security Control

      Alternative security controls can be employed if you:
         Document the basis for employing alternative
         Analyze and document the alternative countermeasure
         to show it provides a ≥ level of protection
      One or more required security controls can be dropped by:
        Performing an analysis that demonstrates the attack vector
        that these security control(s) defend against does not exist
        on this CS. This demonstrates that these security control(s)
        are not necessary on this CS.
        Documenting the analysis so that it is available for review
        by NRC inspectors.

     What Questions Should Meteorological
     Systems “Owners” be Asking Themselves?
      Are my met monitoring/processing systems connected to
      systems that perform SSEP functions?
      Do my digital communications conform to the defensive
      architecture requirements?
      What form is my data communication? Does it use
      TCP/IP? Or does it use a more secure method?
      How do I know my met hardware (e.g., data loggers) and
      software are secure? Do I know my vendor’s security
      program? What is their security testing program?
      Do I regularly patch my operating systems?
      Can vendors remotely access my met systems?
      How do I maintain adequate physical security on met
      systems located outside the perimeter fence?

     A New Age of Cyber Security is Dawning

      There are a lot of bad guys out there looking
      to compromise nuclear power plant systems.
      Cyber security enhances overall plant
      It will take time and resources to appropriately
      implement the CSP.
      There may be a need to rethink how you do
      your digital communications.
      Don’t get caught with your pants down! Be
      aware of what is coming and be proactive in
      your planning!

     Discussion, Questions, Comments?

                    Cliff Glantz
                    PO Box 999
                    Richland, WA 99352

