Glantz-Cyber Security by wanghonghx


									An Insider’s Perspective on the
NRC’s New Cyber Security Rule
 and Forthcoming Regulatory
Guidance: Potential Impacts on
 Meteorology and Emergency
   Preparedness Programs
                  Prepared by:
  Cliff Glantz, Phil Craig, and Guy Landine
   Pacific Northwest National Laboratory
                 Richland, WA
Key Presentation Themes

 Cyber security is a real concern
 The cyber threat landscape
 The new Nuclear Regulatory
 Commission (NRC) Cyber
 Security Rule -- 10 CFR 73.54
 The new cyber security
 regulatory guide -- RG-5.71
    The Concern…

     Cyber security is an issue of
     grave national importance.
     The NRC is concerned that a
     cyber attack can impact
     safety, security, and
     emergency response
     NERC is concerned that a
     cyber attack can impact the
     ability of the electric grid “to
     keep the lights on”.

Cyber Threat Landscape

 Potential “Threat Agents”
   Organized crime
   Cyber warfare
What is a Cyber Attack?
 A cyber attack can include a wide variety of
 computer-based events that could impact:
    Confidentiality: violate the security of
    data or software. Unauthorized access
    (internal or external) by those without
    appropriate authorization and “need to
    Integrity: modify, destroy, or
    compromise data or software. This can
    involve the insertion of erroneous or
    misleading data or the unauthorized take-
    over of a system
    Availability: deny access to systems,
    networks, services, or data.
Types of Threats
   Targeted threats are directed at a specific control system or facility
   Untargeted are focused on any computer with a given operating
   systems or commonly used software (e.g., Windows XP, Excel)
   Malicious -- intending to do harm
   Inadvertent -- an accidental outcome
   Insider can be someone employed at the facility or a vendor
   Outsider can have no direct connection to the target, but may still
   have considerable knowledge
   Outsiders can exploit insiders with or without their explicit cooperation
   Direct involves an exploit on the targeted system
   Indirect involves exploiting a support system (e.g., power, cooling)
Examples of Potential Cyber Attacks
 A USB memory stick labeled as plant property is
 “dropped” in a parking lot at a local shopping
 center. It contains malware that would be
 installed on a company computer if someone
 good Samaritan plugs in the “lost” stick on a work
 computer to see who it belongs to.
 An internet connection (wired or wireless) or
 modem used to access meteorological data
 systems is hacked and the intruder gains system
 administrator control.
 A freeware meteorological program is
 downloaded to a business computer for
 legitimate purpose. It contains malware. The
 program is downloaded to a laptop used to adjust
 settings on meteorological and other monitoring
 instruments and impacts system performance.
History of Cyber Security Guidance
    NRC Order EA-02-026, Interim Safeguards and Security
    Compensatory Measures for Nuclear Power Plants in
    NRC Order EA-03-086, Design Basis Threat for Radiological
    Sabotage, was released in April 2003
    NUREG/CR-6847, Cyber Security Self-Assessment Method for
    U.S. Nuclear Power Plants
    NEI 04-04 Rev. 1, Cyber Security Program for Power Reactors
    (November 2005)
    Regulatory Guide (RG) 1.152 Rev. 2, Criteria for Use of
    Computers in Safety Systems of Nuclear Power Plants.
    Branch Technical Position (BTP) 7-14 Rev. 5, Guidance on
    Software Reviews for Digital Computer-Based Instrumentation
    and Control Systems.
                  10 CFR 73.54 - Scope
    Protection of Digital Computer and
    Communication Systems and Networks (2009)
     Each licensee… shall provide high assurance that digital
     computer and communication systems and networks are
     adequately protected against cyber attacks, up to and
     including the design basis threat…
     The licensee shall protect digital computer and
     communication systems/networks associated with:
       Safety-related and important-to safety functions;
       Security functions;
       Emergency preparedness (EP) functions, including offsite
       communications; and
       Support systems and equipment which, if compromised, would
       adversely impact safety, security, or EP (SSEP) functions.

           10 CFR 73.54 – Protect Systems

     The licensee shall protect SSEP systems and networks
     from cyber attacks that would:
        Adversely impact the integrity or confidentiality of
        data and/or software
        Deny access to systems, services, and/or data
        Adversely impact the operation of systems,
        networks, and associated equipment.

               10 CFR 73.54 – First Steps

     The licensee shall:
       Analyze digital computer and communication systems
       and networks and identify those assets that must be
       protected against cyber attacks. These are called
       critical digital assets.
       Establish, implement, and maintain a cyber security
       program for the protection of the critical digital assets
       Incorporate the cyber security program as a
       component of the physical protection program.

           10 CFR 73.54 – Program Design

     The cyber security program must be
     designed to:
        Implement security controls to protect
        the critical digital assets from cyber
        Apply and maintain defense-in depth
        protective strategies to ensure the
        capability to detect, respond to, and
        recover from cyber attacks
        Mitigate the adverse affects of cyber
        Ensure the functions of critical digital
        assets are not adversely impacted due
        to cyber attacks.
     10 CFR 73.54 – More Program Requirements

      The licensee shall:
        Ensure that appropriate facility personnel,
        including contractors, are aware of cyber
        security requirements and receive the
        training necessary to perform their assigned
        duties and responsibilities.
        Evaluate and manage cyber risks.
        Ensure that modifications to critical digital
        assets are evaluated before implementation
        to ensure that the cyber security performance
        objectives are maintained.

          10 CFR 73.54 – Cyber Security Plan

     Establish, implement, and maintain an effective cyber
     security plan that:
       describes how the cyber security program will implement the Rule
       Describes how the licensee will account for site-specific conditions
       that affect implementation
       includes measures for incident response and recovery during
       and after a cyber attack. The plan must describe how the licensee
            maintain the capability for timely detection and response to
            cyber attacks
            mitigate the consequences of cyber attacks
            correct exploited vulnerabilities
            restore affected systems, networks, and/or equipment affected
            by cyber attacks.

       10 CFR 73.54 – Policies, Records, Etc.
     The licensee shall:
        develop and maintain written policies
        and implementing procedures to
        implement the cyber security plan.
        make policies, implementing
        procedures, site-specific analysis, and
        other supporting technical information
        available upon request for NRC
        review the cyber security program as a
        component of the physical security
        retain all records and supporting
        technical documentation required to
        satisfy the requirements

       Cyber Security Programs for Nuclear Facilities

                      Evolution of the Reg Guide
     • 2007 - work on DG-5022 begins in the fall
     • 2008 - DG-5022 provided to industry in May
             1st stakeholder meeting conducted in July
             Revised DG-5022 provided to industry in November
             2nd stakeholder meeting in December
     • 2009 - RG-5.71 presented to the ACRS in February
             Revised RG-5.71 provided to industry in June
             3rd stakeholder meeting conducted in July

                             Coming Soon
     • Revised RG-5.71 to be presented to the ACRS in Nov. 2009
     • Final RG-5.71 to be released sometime after the ACRS
       gives its approval.
                     RG-5.71 Contents

     Current size – about 120 pages
       A. Introduction
       B. Discussion
       C. Regulatory Position
       D. Implementation
       Appendix A Generic Cyber Security Plan Template
       Appendix B Technical Security Controls
       Appendix C Operational and Management Security Controls
       Appendix D Reporting of Attacks and Incidents
                         RG-5.71 Focus

     Provide cyber security throughout
     the system lifecycle:
     • Concept phase
     • Requirements phase
     • Design Phase
     • Implementation Phase
     • Test Phase
     • Installation, Checkout and
       Acceptance Testing Phase
     • Operations Phase
     • Maintenance Phase
     • Retirement Phase

            RG-5.71 – Cyber Security Team
     Form a Cyber Security Team
        Senior Plant Manager will be
        designated as the “Cyber Security
        Program Sponsor”
        Cyber Security Program
        Manager will oversee the Cyber
        Security Program
        Cyber Security Specialists
        Cyber Security Incident
        Response Team that will include
        representatives from physical
        security, operations, engineering,
        IT and other organizations
        Other plant staff will also have
        cyber security roles
     Provide staff training

      RG-5.71 – Identify Critical Digital Assets
     Identify critical digital systems and networks (critical
     systems) that provide a safety, security, or emergency
     preparedness function
     Identify the critical digital assets that are part of, or are
     connected to critical systems

       RG-5.71 – Cyber Security Assessment

     Perform a cyber security assessment. This is a follow-up
     to the NEI 04-04 assessment
     Assessment consists of:
         Tabletop review
         Physical Inspection
         Electronic verification
     Conduct assessment on all critical digital assets and it
     extends out through all connection pathways (i.e., a “pull
     the wire” assessment).

      RG-5.71 – Defensive Architecture
     Part of Defense in Depth Protective Strategy

         Level 4: Vital Area
         Level 3: Protected Area
         Level 2: Owner-Controlled Area
         Level 1: Corporate Accessible Area
         Level 0: Public Accessible Area

               RG-5.71 – Security Controls
     Implement a comprehensive set of security controls based on the
     guidance provided in NIST SP 800-53 “Recommended Security
     Controls for Federal Information Systems”

         RG-5.71 – Security Controls (cont)

     A commitment by the licensee to
     implement a cyber security program with
     rigorous security controls will be
     specified in the Cyber Security Plan
     required by 10 CFR 73.54.
     Details on the security controls are
     provided in the Appendices A, B, and C
     of RG-5.71
     A twist -- licensees are preparing their
     cyber security plans by following NEI 08-
     09 and not Appendix A of RG-5.71
     A counter twist – the NRC must approve
     the licensees cyber security plans.
           RG-5.71 – Additional Guidance

     The RG-5.71 also provides guidance on:
       Continuous Monitoring and Assessment
       Configuration Management
       Security Impact Analysis of Changes
       and Environment
       Effectiveness Analysis
       Ongoing Assessment of Security
       Vulnerability Scans/Assessments
       Change Control
       Security Program Review

 Summary Guidance for Meteorology and
     other EP Program Managers
Be aware of the cyber security threat
Assess the cyber security of your
systems and networks
Assess the cyber security of your
communication pathways
Look for and eliminate cyber
Be pro-active in defending your systems
Don’t be afraid to ask for help from your
plant or corporate cyber security
Discuss cyber security needs with your
On the Horizon…

  Cyber Security NUREG/CRs
  Industry Cyber Security
  Revised Guidance
  NRC cyber security
  From NERC/FERC revised
  Critical Infrastructure
  Protection Standards (CIPS)
  NERC audits

               Cliff Glantz
Pacific Northwest National Laboratory
               PO Box 999
         Richland, WA 99352

To top