Computer Security at Nuclear Facilities

Computer Security at Nuclear Facilities Lecture 3 (of 4) Pavol Zavarsky, CISSP, CISM, CISA, PhD Department of Nuclear System Safety Engineering, Nagaoka University of Technology, Nagaoka, Japan, 2017

Lecture 3 Objectives

• International / national standards and guidance available to those responsible for computer security at nuclear facilities
• Baseline computer security controls at nuclear facilities
• Examples of tailoring of initial computer security baseline controls commonly used in IT systems for use at nuclear facilities
• Tailoring by considering nuclear systems’ safety concerns, regulatory requirements and
• Computer security controls unique to nuclear facilities


Computer security at nuclear facilities

Lecture 1

Lessons can be learned from other domains

Protection of computer systems in NPPs is achieved by adapting the best practice methods and tools developed within the wider computer security community (e.g., ISO/IEC 27001, 27002, 27005, …) while taking into account the specificities of the nuclear industry [IAEA NSS 17]

• ISO/IEC 27001:2013 IT – Security techniques – Information security management systems – Requirements
• IEC 62645:2014 Nuclear power plants – I&C systems – Requirements for security programmes for computer-based systems

Cybersecurity specificities of nuclear facilities:
• Insider threats exist within nuclear facilities;
• Advanced persistent threats (APTs) are targeting nuclear facilities and may already exist within the facilities;
• Additional security measures beyond the generic measures (such as those in the ISO/IEC 27k and NIST SP 800-82 and 800-53) are necessary for systems at nuclear facilities


There are two international standards, with mutually complementary scopes, that define requirements for IT and I&C security management systems, namely:
1. ISO/IEC 27001:2013 IT – Security techniques – Information security management systems – Requirements
2. IEC 62645:2014 Nuclear power plants – I&C systems – Requirements for security programmes for computer-based systems

• The ISO/IEC 27001:2013 requirements on the IT security management system apply mostly to offsite project development environments formed by traditional IT
• IEC 62645:2014 was developed specifically for nuclear power plant I&C cybersecurity and the unique environments at nuclear facilities

A combination of the IEC standard’s security requirements for I&C systems in on-site environments (i.e., IEC 62645 requirements) with the requirements for off-site IT-based project development environments (ISO/IEC 27001:2013) facilitates the development of a comprehensive approach to IT security management that applies to all project development sites and lifecycle phases


Example: Importance of SDLC approach to computer security

IEC 62645:2014, titled “Nuclear power plants - Instrumentation and control systems - Requirements for security programmes for computer-based systems”, requires owners and operators of nuclear facilities to “assume overall responsibility for all aspects of computer security to ensure the facility is safe and secure”.
• Owners and operators of nuclear power plants bear responsibility for assessing and managing the potential for adverse effects on safety, security, and emergency preparedness functions posed by attacks on I&C systems
• Owners and operators of nuclear facilities are responsible for providing high assurance that critical functions are adequately protected
• I&C systems are expected to be designed, developed and implemented to meet robust security requirements so that the owners and operators of the nuclear facility can accept the responsibility for all aspects of computer and I&C system security


Computer security assurance
• assessment by accredited independent certification bodies


IAEA NSS 17: Logical process how a nuclear facility can develop, implement, maintain and improve cybersecurity:
a) Follow national legal and regulatory requirements;
b) Examine relevant IAEA and other international and national guidance;
c) Ensure senior management support and adequate resources;
d) Define the cybersecurity perimeter;
e) Identify interactions between cyber security and facility operation, nuclear safety and other aspects of site security;
f) Create a computer security policy;
g) Perform risk assessment;
h) Select, design and implement protective cyber security measures;
i) Integrate cybersecurity within the facility’s management system;
j) Regularly audit, review and improve the system


Cybersecurity at nuclear facilities

There have been many positive developments in the area of cybersecurity for NPPs.

References (incomplete list)
Practical guidance from the International Atomic Energy Agency (168 member states):
• IAEA Nuclear Security Series No. 17 Computer security at nuclear facilities
• IAEA NST036 Computer security of I&C systems at nuclear facilities
• IAEA NST045 Computer security for nuclear security
• IAEA NST047 Computer security techniques for nuclear facilities
• IAEA Specific Safety Guide SSG-39 Design of Instrumentation and Control Systems for nuclear power plants
• IAEA NSS No. 8 Preventive and protective measures against insider threats
• IAEA NSS No. 23-G Security of nuclear information
• IAEA TDL 006 Conducting computer security assessments at nuclear facilities
• IAEA NSS Glossary


Cybersecurity at nuclear facilities
References (incomplete list)
• IEC 62859 Nuclear power plants - Instrumentation and control systems - Requirements for coordinating safety and cybersecurity
• IEC 62645 Nuclear power plants - Instrumentation and control systems - Requirements for security programmes for computer-based systems
• IEC 62138 Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category B or C functions
• IEC 61226 Nuclear power plants - Instrumentation, control and electrical power systems important to safety - Categorization of functions and classification of systems
• IEC 63096 Nuclear power plants - Instrumentation and control systems - Security controls (Draft)
• IEC 61513 Nuclear power plants - Instrumentation and control important to safety - General requirements for systems


Cybersecurity at nuclear facilities
References (incomplete list)
• U.S. Title 10 Code of Federal Regulations (10 CFR) 73.54, Protection of digital computer and communication systems and networks
• U.S. NRC Regulatory Guide (NRC RG) 5.71, Cyber security programs for nuclear facilities
• U.S. NRC Regulatory Guide (NRC RG) 1.152, Rev. 3, Criteria for use of computers in safety systems of nuclear power plants
• U.S. Nuclear Energy Institute NEI 08-09, Cyber security plan for nuclear power plants
• U.S. Nuclear Energy Institute NEI 10-04, Identifying systems and assets subject to the cyber security rule
• U.S. Nuclear Energy Institute NEI 13-10, Cyber security control assessments
• U.S. National Institute of Standards and Technology NIST SP 800-53, Recommended security controls for Federal information systems
• U.S. Dept. of Homeland Security, Nuclear sector cybersecurity framework implementation guidance for U.S. nuclear power reactors


Cybersecurity at nuclear facilities
References (incomplete list)
• IEC 62443-1-1 Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models
• IEC 62443-2-1 Industrial communication networks - Network and system security - Part 2-1: Cyber security management system (CSMS) for industrial automation and control systems (IACS)
• IEC 62443-2-4 Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers
• IEC 62443-3-3 Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels


Cybersecurity at nuclear facilities
References (incomplete list)
• ISO/IEC 27000 Information Security Management Systems (ISMS) – Overview
• ISO/IEC 27001 Information Security Management Systems (ISMS) – Requirements
• ISO/IEC 27002 Code of practice for information security controls
• ISO/IEC 27005 Information security risk management
• ISO/IEC TR 27008 Guidelines for auditors on information security controls
• ISO/IEC 27004 Information security management – Measurement
• ISO/IEC 27014 Governance of information security
• ISO/IEC TR 27016 Information security management – Organizational economics
• ISO/IEC 27035 Information security incident management
• ISO/IEC 27036 Information security for supplier/acquirer relationships


U.S. NIST Risk Management Framework – Security Lifecycle [NIST SP 800-53 Rev.4:2013] Lecture 1

Regulatory frameworks for nuclear facilities have been influenced by the U.S. NIST RMF

U.S. Nuclear Regulatory Commission Regulatory Guide NRC RG 5.71 serves as a “template” for many countries with nuclear facilities.


Families and classes of security controls [NIST SP 800-53, NIST SP-800-82, CNSSI 1253, NRC RG 5.71] Lecture 1

1. The U.S. NRC RG 5.71 adopts NIST SP 800-53 and NIST SP 800-82 security control high impact baselines as foundation for tailoring the controls to the specificities of nuclear facilities

2. Many countries with nuclear facilities have been adopting the U.S. NRC RG 5.71 as foundation for tailoring the U.S. regulatory guide to their respective national legal and regulatory frameworks


Example to illustrate selection of initial security control baselines from the NIST SP 800-53 catalog of controls for tailoring of the controls for their use to protect systems at nuclear facilities


Tailoring of initial baseline security controls
• differences in protections of computer-based systems at nuclear facilities and IT systems at non-nuclear facilities
The U.S. Nuclear Regulatory Commission’s Cyber Security Regulatory Framework for Nuclear Power Reactors [US NUREG/CR-7141]

Initial security baseline controls:
1. fully included by the NRC regulatory framework
2. partially included (tailored / modified)
3. not used in the NRC regulatory framework (because of the unique nature of the NPP environment)
4. security controls unique to critical digital assets (CDAs) at nuclear facilities (controls unique to the NRC regulatory framework)


Tailoring of initial baseline security controls for systems at nuclear facilities (cont.)


Examples of tailoring of initial baseline security controls for nuclear facilities

IA-5: Authenticator Management (part of the Identification and Authentication family of controls)
• issuing and revoking authenticators when no longer needed
• management of authenticators for temporary access (e.g., required for remote maintenance)
Authenticator examples: passwords, tokens, biometrics, PKI certificates, and key cards
• In many cases, developers ship system components with factory default authentication credentials to allow for initial installation and configuration
• Default authentication credentials are often known, discoverable, and present a security risk

The authenticator management security control includes protection of authenticators:
• storing passwords in hashed or encrypted formats accessible with administrator privileges, maintaining possession of individual authenticators, not sharing individual authenticators with others, reporting lost, stolen, or compromised authenticators immediately, …
Organization-defined settings and restrictions for various authenticator characteristics:
• minimum password length, password composition, validation time window for time-synchronous one-time tokens, number of allowed rejections during the verification stage of biometric authentication, …


Tailoring of initial baseline security controls for systems at nuclear facilities (cont.)
IA-5: Authenticator Management (Identification and Authentication)
Control: The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.


Tailoring of initial baseline security controls for systems at nuclear facilities (cont.)
IA-5: Authenticator Management
• protections to prohibit password reuse, IA-5(1)(e), have NOT been selected
• protections to manage PKI authentication, IA-5(2)(a), (b), (c), were also NOT selected due to potential difficulties in authenticating key users in emergency circumstances, which posed an increased risk to safety and security in NPPs
• Security control IA-5(3) was NOT selected because the potential difficulty in arranging and securing the appropriate individuals for conducting the in-person distribution posed an increased risk to safety and security in NPPs during emergency events
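The organization-defined IA-5 settings listed two slides back (minimum password length, composition, lifetime, validation window for time-synchronous one-time tokens, changing factory defaults) and the NPP tailoring on this slide (IA-5(1)(e) reuse protection not selected), as an added Python example that is not part of the lecture material. The default-credential list, every numeric policy value and the profile names IT_BASELINE / NPP_TAILORED are assumptions chosen for illustration.

```python
"""Added example, not from the lecture: an IA-5 authenticator-policy checker
built from the organization-defined settings named on the slides (minimum
length, composition, lifetime, reuse, validation window for time-synchronous
one-time tokens).  The NPP tailoring (IA-5(1)(e) password reuse protection
NOT selected) is expressed as a profile switch.  All values are illustrative."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed sample of vendor factory-default credentials (IA-5 e requires
# changing defaults before installation); a real list would be vendor-specific.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


@dataclass
class AuthenticatorPolicy:
    """Organization-defined authenticator settings (IA-5 f, g and IA-5(1))."""
    min_length: int = 12          # minimum password length
    min_char_classes: int = 3     # password composition: lower/upper/digit/symbol
    min_lifetime_days: int = 1    # IA-5 f: cannot be changed again before this
    max_lifetime_days: int = 90   # IA-5 f / g: must be refreshed after this
    reuse_history: int = 24       # IA-5(1)(e): generations that may not be reused
    totp_window_steps: int = 1    # +/- steps accepted for time-synchronous tokens


# Generic IT baseline versus the NPP tailoring described on the slide:
# IA-5(1)(e) (prohibit password reuse) is NOT selected at the NPP.
IT_BASELINE = AuthenticatorPolicy()
NPP_TAILORED = AuthenticatorPolicy(reuse_history=0)


def char_classes(pw):
    """Count the character classes present in a password."""
    return sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))


def pw_digest(pw):
    """IA-5 h: keep password history as digests, never in clear text."""
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(policy, username, new_pw, history=(), age_days=None):
    """Return the list of policy violations for a proposed password
    (an empty list means the change is accepted).  `history` holds the
    digests of previous passwords, newest last; `age_days` is the age of
    the password being replaced (None for a brand-new account)."""
    problems = []
    if (username, new_pw) in KNOWN_DEFAULTS:
        problems.append("default credential (IA-5 e)")
    if len(new_pw) < policy.min_length:
        problems.append("too short")
    if char_classes(new_pw) < policy.min_char_classes:
        problems.append("composition")
    if age_days is not None and age_days < policy.min_lifetime_days:
        problems.append("changed before minimum lifetime (IA-5 f)")
    # The reuse check is skipped entirely when the NPP profile leaves it unselected.
    if policy.reuse_history and pw_digest(new_pw) in list(history)[-policy.reuse_history:]:
        problems.append("reused (IA-5(1)(e))")
    return problems


def authenticator_expired(policy, age_days):
    """IA-5 g: True once the authenticator exceeds its maximum lifetime."""
    return age_days > policy.max_lifetime_days


def totp_code(secret, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time code (HMAC-SHA1) for a given instant."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(policy, secret, code, now, step=30):
    """Accept a code only within the organization-defined validation window
    (policy.totp_window_steps steps either side of the current step)."""
    for k in range(-policy.totp_window_steps, policy.totp_window_steps + 1):
        if hmac.compare_digest(totp_code(secret, now + k * step, step), code):
            return True
    return False


if __name__ == "__main__":
    old = [pw_digest("Correct-Horse-7")]
    print(check_password(IT_BASELINE, "op1", "Correct-Horse-7", old, age_days=30))
    print(check_password(NPP_TAILORED, "op1", "Correct-Horse-7", old, age_days=30))
    print(check_password(IT_BASELINE, "admin", "admin"))
```

The same candidate password is rejected under IT_BASELINE and accepted under NPP_TAILORED, which is exactly the effect of leaving IA-5(1)(e) unselected; the TOTP window shows where the "validation time window" setting bites.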


Tailoring of baseline security controls (cont.)
Examples of IT security controls of the NIST RMF that are partially implemented or not implemented for systems at nuclear facilities due to safety-security considerations

NIST CP-10: Information (IT) system recovery and reconstitution
Control: The organization provides for recovery and reconstitution of an information system to a known state after a disruption, compromise, or failure.

NRC C.9.7: Nuclear facility system recovery and reconstitution
Control: The nuclear facility operator employs mechanisms with supporting procedures that allow critical digital assets to be recovered and reconstituted to a known secure state following a disruption or failure and only when initiated by authorized personnel. The operator performs regression testing before returning to normal operations to ensure that critical digital assets (CDAs) are performing correctly.


Tailoring of baseline security controls (cont.): Examples of NRC computer security controls at nuclear facilities that partially match NIST security controls for non-nuclear (IT) systems
NIST CP-10: Information System (IT) Recovery and Reconstitution vs. NRC C.9.7 (control texts as on the previous slide)

Explanation:
• CDAs at NPPs are generally not transaction-based assets. Rollback processes used for the recovery of transaction-based systems (transaction rollback) are not relevant for CDA recovery
• Safety requirements that must be met prior to operating or restarting safety-related CDAs preclude immediate or automatic start-up following disruption or unscheduled CDA shutdowns
• NRC regulations stipulate that the operator cannot restart CDAs that were recovered from a disruption without mandated reviews and approvals from senior management and the NRC
• The operator is required to perform regression testing as a standard procedure prior to restarting CDAs that were recovered following a disruption

Example to illustrate selection of initial security control baselines from the NIST SP 800-53 catalog of controls for tailoring of the controls for their use to protect systems at nuclear facilities

Example of NRC computer security controls at nuclear facilities that partially match NIST security controls for non-nuclear information systems



Tailoring of baseline security controls (cont.): Examples of NRC computer security controls at nuclear facilities that partially match NIST security controls for non-nuclear (IT) systems
PE-10: Emergency shutoff
Control: The organization:
a. Provides the capability of shutting off power to a system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
Supplemental Guidance: The control applies primarily to facilities containing concentrations of information system resources including data centers, server rooms, and mainframe computer rooms.


Examples of NRC security controls that partially match NIST security controls
PE-10: Emergency shutoff (cont.)

Explanation:
• the control is partially covered through regulations that address safety-related systems associated with reactor safety
• no condition exists that specifically addresses non-safety-related security systems
• providing safe and easy access may not be possible, as many nuclear facility locations may involve areas where "easy access" is prevented as a means to maintain safety


Example to illustrate selection of initial security control baselines from the NIST SP 800-53 catalog of controls for tailoring of the controls for their use to protect systems at nuclear facilities

SI = System and Information Integrity family of security controls


Tailoring of baseline security controls (cont.): Examples of NRC computer security controls at nuclear facilities that partially match NIST security controls for non-nuclear (IT) systems
SI-3: Malicious code protection
Control: The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
   1. Perform periodic scans of the information system [organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry/exit points] as the files are downloaded, opened, or executed;
   2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator] in response to malicious code detection;
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system


Tailoring of baseline security controls (cont.): Examples of NRC computer security controls at nuclear facilities that partially match NIST security controls for non-nuclear (IT) systems
SI-3: Malicious code protection (cont.)

Explanation: The baseline security control on malicious code protection at nuclear facilities addresses all SI-3 security control items and required security control enhancements, with the exception of automated update of malicious code protection mechanisms
• Nuclear regulatory requirements require plant personnel to update malicious code protection mechanisms only when directed by a privileged user who conducts an assessment of the proposed updates before executing the protection actions


Examples of security controls that are not implemented due to safety-security considerations and/or regulatory constraints or other reasons


Example of a security control unique to the nuclear regulatory framework
Anticipated Failure Response
• related to the NIST security control SI-13, Predictable Failure Prevention
• addresses the threat posed to critical plant functions caused by a failure of CDAs because of unanticipated loss of critical system components
• the Anticipated Failure Response security control stresses compliance with existing requirements on protection of availability of CDAs (e.g., technical specifications, preventive maintenance, security plans, emergency plans, corrective action programs), and includes additional measures to take if these requirements do not apply to a specific CDA.


Examples of security controls that are not implemented due to safety-security considerations, regulatory constraints or other reasons
SI-8 Spam Protection
Control: The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages;
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
Information system entry and exit points include:
• firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook computers
Spam can be transported by different means including email, email attachments, and via web browsers
Spam protection mechanisms include spam signature definitions


Examples of security controls that are not implemented due to safety-security considerations, regulatory constraints or other reasons
SI-8 Spam Protection
The SI-8 Spam Protection security control is not part of the NRC security control baseline
• spam protection requirements are outside the scope of the NRC's regulatory authority for cyber security at NPPs
Explanation:
• ICSs do not generally employ spam protection because CDAs do not use electronic mail or web access services and functions
• the defense-in-depth protective strategy prohibits email and web services and functions from existing on CDAs or from connecting to the protected environment
Q: Spam protection for non-safety systems? Outside of the scope of regulatory requirements.


Security controls from the NIST Risk Management Framework (NIST SP 800-53) fall into four groups with respect to the nuclear regulatory framework:
1. included in full in the nuclear regulatory framework
2. partially addressed
3. not used in the NRC regulatory framework (because of the unique nature of the NPP environment)
4. security controls unique to the NRC regulatory framework

Example: Access Control AC-5 Separation of Duties


Example of NRC security controls that fully match the NIST security controls
AC-5 Separation of Duties
Control: The organization:
a. Separates organization-defined duties of individuals;
b. Documents separation of duties of individuals
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion
Separation of duties includes
(i) dividing a duty (or duties) among different individuals and/or roles
• system management, configuration management, quality assurance and testing, network security, …
(ii) ensuring that there is “no conflict of interests”
• personnel administering access control functions do not also administer audit functions


Examples of security controls that are not implemented due to safety-security considerations and/or regulatory constraints


Examples of security controls that are not implemented due to safety-security considerations and/or regulatory constraints
SC-10 Network Disconnect
Control: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
• the network disconnect security control applies to both internal and external networks
• terminating network connections associated with communications sessions includes:
  • de-allocating associated TCP/IP address / port pairs at the operating system level
  • de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection
• time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses

The NIST security control Network Disconnect is not included in the suite of NRC security controls because of the potential to impact safety
• At NPPs, network communication sessions are generally left open for long periods of time to facilitate monitoring of critical safety control systems
• implementation of the network disconnect security control would have a direct impact on the operational integrity of safety functions at the NPP


Examples of security controls unique to the NRC regulatory framework
Supervision and Review – Access Control
• Supervision and Review – Access Control is related to the NIST security control AC-13, Supervision and Review – Access Control, which was withdrawn by NIST and incorporated into AC-2 Account Management and AU-6 Audit Review, Analysis and Reporting
• The NRC security control Supervision and Review – Access Control addresses the potential threat caused by a failure to detect unauthorized access or misuse of user credentials because of a lack of supervision and review of user activities
• Implementation of the Supervision and Review – Access Control security control provides additional assurance that management reviews of user access and other activity are occurring on an ongoing basis, to address the threat of unauthorized access to CDAs


Examples of security controls unique to the NRC regulatory framework
Automated Marking
Automated Marking is related to the NIST security control AC-15 Automated Marking (incorporated into MP-3 Media Marking)
Automated Marking addresses the potential threat caused by leaking and mishandling of protected data due to improper marking of a CDA output or lack of clear data handling instructions
Implementation of the Automated Marking security control allows:
• identification of various levels or categories of data sensitivity and associated handling instructions
• a standard naming convention for the categories
• ensuring that any hard or soft copy output generated by CDAs is automatically marked using a standard convention


Examples of security controls unique to the NRC regulatory framework
Automated Labeling
Automated Labeling addresses the potential threat caused by leaking and mishandling of protected data
Note: While “marking” in Automated Marking refers to human-readable security attributes, “labeling” denotes digital, computer-readable attributes
• implementation of automated labeling provides assurance that CDA data, as it moves across networks, systems and devices, retains the label of its security classification so that the CDA data can be processed and protected appropriately


Examples of security controls unique to the nuclear regulatory framework

Network Access Control

Network Access Control addresses the potential threat caused by unauthorized access to CDAs, CDA networks, or CDA data through failure to restrict connectivity to authorized and approved devices.

Note: Remote access (NIST security control AC-17) is not applicable because it is prohibited as a path to CDAs

• the Network Access Control security control emphasizes the need to protect critical assets from unauthorized connectivity
• implementation of the Network Access Control security control provides assurance that no devices are able to connect to CDAs or associated networks without prior authorization


Examples of security controls unique to the nuclear regulatory framework

Restrictions on Insecure Protocols
• addresses the potential threat to CDAs caused by failure to restrict or eliminate known insecure protocols
• implementation of the restrictions provides assurance that communication protocols which lack security features are sufficiently restricted to minimize risks to CDAs that use the protocols

Monitoring and Managing Insecure Connections
• addresses the potential threat to CDAs caused by a failure to properly monitor or manage communication connections
• monitoring and managing connections provides assurance that all connections and communication devices on CDA networks and critical systems are known, identified, authorized, properly configured, and operating in accordance with policy, procedure, and the site’s defensive architecture
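As an added example (not code from the lecture or from any regulator's guidance), the Python checker below applies three of the controls above, Network Access Control, Restrictions on Insecure Protocols, and Monitoring and Managing Insecure Connections, to constructed connection records from a CDA network segment: each observed connection is compared against the list of authorized devices, against a list of protocols lacking security features, and against the flows approved in the site's defensive architecture. All MAC and IP addresses, hostnames, ports and approved flows are constructed.

```python
"""Added example, not from the lecture: check constructed CDA-network
connection records against three controls. All values are constructed."""
from dataclasses import dataclass

# Network Access Control: devices authorized to connect, MAC -> (name, IP).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": ("plc-01", "10.10.1.11"),
    "00:11:22:33:44:02": ("hmi-01", "10.10.1.21"),
    "00:11:22:33:44:03": ("hist-01", "10.10.1.31"),
}
# Flows approved in the site's defensive architecture: (src_ip, dst_ip, port).
AUTHORIZED_CONNECTIONS = {
    ("10.10.1.21", "10.10.1.11", 502),  # HMI -> PLC (Modbus/TCP)
    ("10.10.1.31", "10.10.1.11", 502),  # historian -> PLC
}
# Restrictions on Insecure Protocols: protocols that lack security features.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http", 161: "snmp v1/v2c"}


@dataclass(frozen=True)
class Connection:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


def check_connection(c: Connection) -> list:
    """Return the list of control violations for one observed connection."""
    findings = []
    dev = AUTHORIZED_DEVICES.get(c.src_mac)
    if dev is None:
        findings.append("NAC: unauthorized device")
    elif dev[1] != c.src_ip:
        findings.append("NAC: authorized device using unexpected IP")
    if c.dst_port in INSECURE_PORTS:
        findings.append(f"insecure protocol: {INSECURE_PORTS[c.dst_port]}")
    if (c.src_ip, c.dst_ip, c.dst_port) not in AUTHORIZED_CONNECTIONS:
        findings.append("connection not in defensive architecture")
    return findings


def review(connections) -> dict:
    """Monitoring and Managing Connections: map each non-compliant connection to its findings."""
    return {c: f for c in connections if (f := check_connection(c))}


SAMPLE = [  # constructed observations, e.g. from a switch's flow export
    Connection("00:11:22:33:44:02", "10.10.1.21", "10.10.1.11", 502),  # compliant
    Connection("00:11:22:33:44:02", "10.10.1.21", "10.10.1.11", 23),  # telnet
    Connection("aa:bb:cc:dd:ee:ff", "10.10.1.99", "10.10.1.11", 502),  # rogue device
    Connection("00:11:22:33:44:03", "10.10.1.35", "10.10.1.11", 502),  # IP mismatch
]
```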


Examples of security controls unique to the nuclear regulatory framework

Proprietary Protocol Visibility
• addresses the potential threat to CDAs caused by the inability to assess, monitor, or secure a communications channel due to a lack of visibility into the technical aspects of the proprietary protocol
• implementation of the Proprietary Protocol Visibility security control provides assurance that proprietary protocols do not operate in the CDA environment where their presence can compromise security and provide opportunities for cyber-based attacks

Resource Priority
• addresses the threat caused by loss of availability of CDA functionality because of resource exhaustion by lower-priority CDA functions or processes
• the Resource Priority security control ensures that the sharing of digital resources (bandwidth, storage, access control, routing, etc.) does not allow processes associated with lower functional priorities to interfere with or deny resources, or access to resources, required by CDAs with a higher processing priority


Examples of security controls unique to the nuclear regulatory framework

Trusted Path

Trusted Path addresses the threats:
(1) caused by inadvertent or malicious exposure or capture of valid user credentials during an authentication/user login process
(2) to CDA functional integrity and availability because of a failure to protect transmitted data
• Trusted Path ensures that applicable communication paths verify user and CDA credentials and encrypt information flow where feasible

Thin Nodes

Thin Nodes address the potential threat to CDAs caused by the presence of data, application software, and sensitive information on client CDAs
• deployment of system components with minimal functionality (e.g., diskless nodes and thin client technologies) reduces the need to secure every user endpoint and may reduce the exposure of CDAs to a successful attack


Examples of security controls unique to the nuclear regulatory framework

Heterogeneity / Diversity
• related to the NIST security control SC-29 Heterogeneity

• addresses the potential threat of compromise of CDAs because of a large percentage of systems sharing a common flaw or weakness
• deployment of diverse or heterogeneous hardware and software platforms reduces the risk of a successful exploitation compromising significant portions of a network environment because of a common flaw or vulnerability

Security of Non-authenticated Human-Machine Interaction
• the threat exists when CDAs, because of technical or operational limitations, cannot support authentication methods
• in circumstances in which CDAs do not permit individual authentication for accessing critical processes, alternative safeguards must be provided to ensure that access to and use of CDAs is limited to authorized personnel, and that actions performed on CDAs can be attributed to specific individuals


Examples of security controls unique to the nuclear regulatory framework

NRC RG 5.71 security control B.5.5 – Installing Operating Systems, Applications, and Third-Party Software Updates
• addresses the threat to CDAs due to insufficient management of software updates to critical systems and Critical Digital Assets
• the security control requires that security patches received from vendors and other third-party entities are tested, applied and controlled in a standardized manner

NRC RG 5.71 security control C.12.6 – Licensee/Operator Testing
• addresses a possible compromise of the security of Critical Digital Assets due to the introduction of insecure or insufficiently tested application or system software
• the licensee/operator control is an added measure beyond developer security testing, where a licensed utility validates security tests conducted by developers and ensures that software security requirements are adequately addressed


Computer Security at Nuclear Facilities Lecture 3 (of 4)

Recommended reading:

1. U.S. Nuclear Regulatory Commission Regulatory Guide 5.71 (NRC RG 5.71) Cyber Security Programs for Nuclear Facilities http://www-ns.iaea.org/downloads/security/security-series-drafts/implem-guides/nst045.pdf

2. NIST SP 800-53 Rev.5 Security and Privacy Controls for Information Systems and Organizations https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5draft.pdf

3. U.S. Committee on National Security Systems Instruction (CNSSI) No. 1253 http://www.dss.mil/documents/CNSSI_No1253.pdf


Computer Security at Nuclear Facilities Lecture 3 (of 4) Pavol Zavarsky, CISSP, CISM, CISA, PhD Department of Nuclear System Safety Engineering, Nagaoka University of Technology, Nagaoka, Japan, 2017

Conclusion: Lecture 3 Objectives

• International / national standards and guidance available to those responsible for computer security at nuclear facilities
• Baseline computer security controls at nuclear facilities
• Examples of tailoring of initial computer security baseline controls commonly used in IT systems for use at nuclear facilities
• Tailoring by considering nuclear systems’ safety concerns, regulatory requirements and
• Computer security controls unique to nuclear facilities
