Computer Security at Nuclear Facilities

Computer Security at Nuclear Facilities Lecture 2 (of 4) Pavol Zavarsky, CISSP, CISM, CISA, PhD Department of Nuclear System Safety Engineering, Nagaoka University of Technology, Nagaoka, Japan, 2017

Lecture 2 Objectives

• Introduction to computer security at nuclear facilities (cont.)
• Generic computer security risk model
• Examples of computer security measures
• Baseline computer security measures
• Nuclear safety – cybersecurity considerations for security controls
• Examples of computer security controls commonly used in IT systems that are not used at nuclear facilities due to nuclear systems’ safety concerns
• Design Basis Threat
• Glossary of important computer security terms (Appendix 1 and Appendix 2)

Computer security risk model – relationship between threats, vulnerabilities, countermeasures and risks (recap from Lecture 1)

Security concepts and relationships [IAEA NST045 Computer Security for Nuclear Security (2017), adapted from ISO 13335-1] (recap from Lecture 1)

Computer security controls (measures) are implemented at nuclear facilities by the facility operator. “System hardening” = implementation of computer security measures.

Risk-informed approach to computer security measures

Example of computer security controls (countermeasures) at nuclear facilities: Asset management (recap from Lecture 1)
• comprehensive inventory of assets critical to nuclear security and safety functions
• location of the assets
• relevance to (1) safety functions and systems, (2) safety-related systems, and (3) security systems
• security level assigned to the assets (graded approach)
• ownership (protection responsibility)
• users / user groups
• interconnections and dependencies
• what communicates with what, and how and why
• procedures / protocols for communication

Note: Security countermeasures themselves are likely to contain vulnerabilities (such as misconfigurations, etc.) that can be exploited
• see V-Model methodology in computer security engineering for nuclear facilities introduced later in Lecture 4

Examples of computer security controls (countermeasures) at nuclear facilities: Whitelisting / Blacklisting (recap from Lecture 1)

Whitelisting
• process to identify assets / entities (system interconnections, APIs, DLLs, protocols, software, firmware, scripts, actions, system services, registries, drivers, digital signatures, employees, etc.) that are considered trustworthy and are therefore authorized for use or granted access or privileges

Blacklisting
• list of entities / assets that are prohibited from use or are denied privileges or access

Related security control: Least functionality – measures to restrict the functionality of a system or component to only what is required

Example: misplaced trust / trust management vulnerabilities
• limitations of whitelisting
• whitelisting assumption: what meets the pre-defined criteria is indeed trusted
• whitelisting may result in approving and authorizing untrustworthy system components
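The misplaced-trust limitation above comes down to which criterion the whitelist actually checks. The following example is added here and is not code from the lecture or from any facility; it assumes a constructed allowlist of engineering-station programs recorded by install path and SHA-256 digest, and constructed byte strings standing in for binaries. It compares a path-only criterion with a content-digest criterion on the same files.

```python
"""Added example (not from the lecture slides): the same whitelist decision made
with two different trust criteria, to show the "misplaced trust" limitation.

Assumptions (mine, not the lecture's): the operator keeps an allowlist of
approved engineering-station programs, each recorded as an install path plus
the SHA-256 digest of the approved file content. The byte strings below are
constructed stand-ins for real binaries.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowlistEntry:
    path: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict[str, bytes]) -> list[AllowlistEntry]:
    """Record each approved program by path and content digest at approval time."""
    return [AllowlistEntry(path, sha256_hex(content)) for path, content in approved.items()]


def allowed_by_path(allowlist: list[AllowlistEntry], path: str) -> bool:
    """Weak criterion: trust whatever is installed at an approved location."""
    return any(entry.path == path for entry in allowlist)


def allowed_by_digest(allowlist: list[AllowlistEntry], path: str, content: bytes) -> bool:
    """Stronger criterion: trust only the exact content that was approved."""
    digest = sha256_hex(content)
    return any(entry.path == path and entry.sha256 == digest for entry in allowlist)


def evaluate(allowlist: list[AllowlistEntry], filesystem: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """For every file on disk, return (decision by path, decision by digest)."""
    return {
        path: (allowed_by_path(allowlist, path), allowed_by_digest(allowlist, path, content))
        for path, content in filesystem.items()
    }


def misplaced_trust(allowlist: list[AllowlistEntry], filesystem: dict[str, bytes]) -> list[str]:
    """Files the path-only criterion would run although their content is not the approved one."""
    return sorted(
        path for path, (by_path, by_digest) in evaluate(allowlist, filesystem).items()
        if by_path and not by_digest
    )


# Constructed sample: what was approved, and what is on disk some time later.
APPROVED = {
    "/opt/eng/plc_config": b"plc_config 1.2 approved build",
    "/opt/eng/trend_viewer": b"trend_viewer 3.0 approved build",
}
ON_DISK = {
    "/opt/eng/plc_config": b"plc_config 1.2 approved build",              # unchanged
    "/opt/eng/trend_viewer": b"trend_viewer 3.0 approved build, modified",  # replaced in place
    "/tmp/helper": b"never approved",                                       # not on the list
}
ALLOWLIST = build_allowlist(APPROVED)

if __name__ == "__main__":
    for path, (by_path, by_digest) in evaluate(ALLOWLIST, ON_DISK).items():
        print(f"{path}: by path={by_path}  by digest={by_digest}")
    print("approved by path but not by content:", misplaced_trust(ALLOWLIST, ON_DISK))
```

The path-only list approves the modified trend viewer because the file still sits where an approved program was installed; the digest list rejects it. Neither criterion approves the unlisted file, which is the least-functionality default-deny behaviour the slides describe.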

Example of computer security controls (countermeasures) at nuclear facilities: Least functionality (recap from Lecture 1)
• security control for a system / system component to provide only required capabilities
• implementation of the security control restricts / disables functions and services that are not necessary
• Example: Unnecessary physical and logical ports and protocols are disabled to prevent unauthorized connection of devices, transfer of information, or tunneling
• where feasible, functionality should be limited to a single function per component
• scanning tools, intrusion detection and prevention systems, and end-point protection technologies (such as deep packet inspection firewalls, “read-only” firewalls, etc.) are used to identify and prevent the use of prohibited commands, functions, protocols, ports, services, etc.

Example of computer security controls (countermeasures) at nuclear facilities: Least privilege (recap from Lecture 1)
• computer security control for users (or processes acting on behalf of users)
• only the accesses and user actions necessary to accomplish assigned tasks are authorized
• the least privilege security control is also applied to system processes, ensuring that processes operate at privilege levels no higher than necessary to accomplish required functions
• creation of additional processes, roles, and system accounts might be necessary to achieve least privilege
• the least privilege control is employed at all SDLC lifecycle phases – development, implementation, and operation of systems and system components

Example of computer security controls (countermeasures) at nuclear facilities: Separation of duties
• implementation of the control, if properly designed, reduces the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activities
• Example: Security personnel administering access control functions do not also administer audit functions.

“System hardening” = implementation of computer security controls (countermeasures) to make it more difficult to compromise a system’s security
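Least privilege and separation of duties are both decisions about who holds which permissions. The example below is added here and is not code from the lecture or from any regulatory framework; the roles, permission names and user assignments are constructed, and the single conflict rule encodes the slide's example that the people administering access control must not also administer audit.

```python
"""Added example (not from the lecture slides): a default-deny role model that
enforces least privilege and flags separation-of-duties (SoD) conflicts.

Assumptions (mine, not the lecture's): roles, permission names and the user
assignments below are constructed; the one conflict rule encodes the slide's
example that access-control administrators must not also administer audit.
"""
from __future__ import annotations

# Each role lists only the permissions its holders need (least privilege).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "operator": frozenset({"process.view"}),
    "access_admin": frozenset({"account.create", "account.modify", "account.disable"}),
    "audit_admin": frozenset({"audit.read", "audit.configure", "audit.archive"}),
}

# Role combinations one person must never hold at the same time.
SOD_CONFLICTS: frozenset[frozenset[str]] = frozenset({
    frozenset({"access_admin", "audit_admin"}),
})


def permissions_for(roles: frozenset[str]) -> frozenset[str]:
    """Union of the permissions of the given roles; an unknown role is an error, not a grant."""
    unknown = roles - frozenset(ROLE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    return frozenset().union(*(ROLE_PERMISSIONS[role] for role in roles))


def authorize(assignments: dict[str, frozenset[str]], user: str, permission: str) -> bool:
    """Default deny: granted only if one of the user's roles lists the permission."""
    return permission in permissions_for(assignments.get(user, frozenset()))


def sod_violations(assignments: dict[str, frozenset[str]]) -> dict[str, list[frozenset[str]]]:
    """Users whose current role set contains a prohibited combination (periodic review)."""
    violations: dict[str, list[frozenset[str]]] = {}
    for user, roles in assignments.items():
        hits = [conflict for conflict in SOD_CONFLICTS if conflict <= roles]
        if hits:
            violations[user] = hits
    return violations


def would_conflict(assignments: dict[str, frozenset[str]], user: str, role: str) -> bool:
    """True if adding `role` to the user's roles would create an SoD conflict."""
    proposed = assignments.get(user, frozenset()) | {role}
    return any(conflict <= proposed for conflict in SOD_CONFLICTS)


def assign_role(assignments: dict[str, frozenset[str]], user: str, role: str) -> dict[str, frozenset[str]]:
    """Return a new assignment table with the role added, refusing SoD conflicts up front."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if would_conflict(assignments, user, role):
        raise PermissionError(f"{user}: {role} conflicts with existing roles")
    return {**assignments, user: assignments.get(user, frozenset()) | {role}}


# Constructed sample assignments; carol's is the kind of mistake a periodic review must catch.
ASSIGNMENTS: dict[str, frozenset[str]] = {
    "alice": frozenset({"access_admin"}),
    "bob": frozenset({"audit_admin"}),
    "carol": frozenset({"access_admin", "audit_admin"}),
    "dave": frozenset({"operator"}),
}

if __name__ == "__main__":
    print("dave may view process data:", authorize(ASSIGNMENTS, "dave", "process.view"))
    print("dave may create accounts:", authorize(ASSIGNMENTS, "dave", "account.create"))
    print("SoD violations:", {u: [sorted(c) for c in hits] for u, hits in sod_violations(ASSIGNMENTS).items()})
```

Two points are worth noticing: an unknown user or role never yields a grant (the default is deny, which is the least-privilege posture), and the conflict check runs both at assignment time and as a review over the existing table, since assignments made before the rule existed are the usual source of violations.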

Generic risk model [U.S. NIST SP 800-30 Guide for conducting risk assessments] (recap from Lecture 1)

Generic risk model [U.K. HMG IA Standard No.1 Technical Risk Assessment] (recap from Lecture 1)

Generic risk model [U.S. NIST SP 800-30 Risk assessment guide] (recap from Lecture 1)
• Computer security measures correspond to the possible adverse impact

Generic risk model [U.S. NIST SP 800-30 Guide for conducting risk assessments] (recap from Lecture 1)
Vulnerability
• flaw / weakness in system (i) design, (ii) implementation, (iii) security procedures, or (iv) security controls that could be unintentionally or intentionally exploited

If the computer security risk model used to identify appropriate security measures is itself flawed or vulnerable, then, through a cascading effect, the effectiveness of the resulting computer security controls can be inadequate.

Generic computer security risk model when applied to critical systems: Limitations

Scenario: Risk model component unknown or incorrectly identified
Example 1: Vulnerability in the control system of the Spanair plane unknown (0-day vulnerability)
• limitations of vulnerability identification tools, penetration testing tools, vulnerabilities in the configuration management process, …
• cascading effect on the effectiveness of security controls

Generic computer security risk model when applied to critical systems: Limitations (cont.)

Scenario: Risk model component is unknown or incorrectly identified
Example 2: Stuxnet 0-day vulnerabilities (recap from Lecture 1)
https://www.symantec.com/connect/blogs/stuxnetusing-three-additional-zero-day-vulnerabilities
• insufficient security controls for the 0-day vulnerabilities at Iran's Natanz nuclear facility

Generic computer security risk model when applied to critical systems: Limitations (cont.)

Scenario: Risk model component is unknown or incorrectly identified
Example 3: Heartbleed OpenSSL vulnerability
http://www.codenomicon.com/files/pdf/Heartbleed-Story.pdf
• insufficient security controls (in 2014) for the Heartbleed 0-day vulnerability on servers all around the globe, including critical infrastructure systems

What is wrong with the generic computer security risk model?
Example 4: Vulnerability unknown (not reported) to the Japan Nuclear Regulation Authority (recap from Lecture 1)

If the vulnerability (a flaw in the system of the Nuclear Material Control Center in Tokai) was unknown to (not reported to) the Japan Nuclear Regulation Authority for a year, how was the Regulation Authority supposed to estimate and address the possible risks by appropriate controls/measures?

What is wrong with the generic computer security risk model?
Example 5: Vulnerability in a plant inspection system component unknown to 20 nuclear facilities and to a Mitsubishi Electric subsidiary (recap from Lecture 1)

Existing security controls were ineffective in the threat event scenario.

A vulnerability can be considered as the absence of an appropriate security measure (control)

Relationship between risk, threat, vulnerability and security controls

Concept of security control baselines for systems based on impact levels [NIST SP 800-82 Rev.2, NIST SP 800-53 Rev.4, CNSSI 1253:2014]
• A security control baseline is used as the starting point of the computer security process; the baseline has to be validated for completeness, effectiveness and residual risks, and appropriately tailored to meet the actual computer security requirements

Example: Security baseline for a Linux-based Engineering Station
• “security hardening” of a system in the “system of systems”

Example: Vulnerability in a system of the “system of systems”
• How are interconnected systems protected?
• Security zones
• Graded approach to security [IAEA NSS 17 Computer Security at Nuclear Facilities]

Example: System hardening – Security baseline – Linux security configuration rules (STIG – Security Technical Implementation Guide) – access control baseline security measure

Security Rule: All accounts on the system must have unique user or account names.
Vulnerability Discussion: A unique user name is the first part of the identification and authentication process. If user names are not unique, there can be no accountability on the system for auditing purposes. Multiple accounts sharing the same name could result in denial of service to one or both of the accounts, or in unauthorized access to files or privileges.
Check Content: Check the system for duplicate account names. Example:
# pwck -r
If any duplicate account names are found, this is a finding.
Fix Text: Change user account names, or delete accounts, so each account has a unique name.

Example: System hardening – Security baseline – Linux security configuration rules (STIG – Security Technical Implementation Guide) – access control baseline security measure (cont.)

Security Rule: All accounts must be assigned unique User Identification Numbers (UIDs).
Vulnerability Discussion: Accounts sharing a UID have full access to each other's files. This has the same effect as sharing a login. There is no way to assure identification, authentication, and accountability because the system sees them as the same user. If the duplicate UID is 0, this gives potential intruders another privileged account to attack.
Check Content: Perform the following to ensure there are no duplicate UIDs:
# pwck -r
If any duplicate UIDs are found, this is a finding.
Fix Text: Edit user accounts to provide unique UIDs for each account.

Example: System hardening – Security baseline – Linux security configuration rules (STIG – Security Technical Implementation Guide) – system authentication baseline security measure

Security Rule: The system must require authentication upon booting into single-user and maintenance modes.
Vulnerability Discussion: If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.
Check Content: Check if the system requires a password for entering single-user mode.
# grep '~:S:' /etc/inittab
If /sbin/sulogin is not listed, this is a finding.
Fix Text: Edit /etc/inittab and set sulogin to run in single-user mode. Example lines in /etc/inittab:
# what to do in single-user mode
ls:S:wait:/etc/init.d/rc S
~~:S:respawn:/sbin/sulogin

Example: Computer security baseline control – Linux computer security configuration rules

Security Rule: Direct logins must not be permitted to shared, default, application, or utility accounts.
Vulnerability Discussion: Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or individual accountability.
Check Content: Use the last command to check for multiple accesses to an account from different workstations/IP addresses.
# last -R
If users log directly onto accounts, rather than using the switch user (su) command from their own named account to access them, this is a finding.
Fix Text: Use the switch user (su) command from a named account login to access shared accounts. Maintain audit trails to identify the actual user of the account name. Document requirements and procedures for users/administrators to log into their own accounts first and then switch user (su) to the account to be shared.
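The four STIG rules above (unique account names, unique UIDs, sulogin in single-user mode, no direct logins to shared accounts) are each stated as a manual check against a terminal. The example below is added here and is not code from the STIG, the lecture or any facility; it restates the checks as functions over passwd, inittab and `last`-style text so that a baseline review produces a list of findings. The passwd, inittab and login-record samples are constructed, and the list of shared accounts is an input the reviewer supplies.

```python
"""Added example (not from the STIG or the lecture slides): the four baseline
checks above, written as functions over passwd, inittab and login-record text
so the result is a list of findings rather than something read off a terminal.

Assumptions (mine): the sample passwd, inittab and `last`-style output below
are constructed; the shared-account list is an input the reviewer supplies.
"""
from __future__ import annotations

from collections import Counter


def parse_passwd(text: str) -> list[tuple[str, int]]:
    """(name, uid) for every non-blank, non-comment passwd line."""
    rows: list[tuple[str, int]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed passwd line: {line!r}")
        rows.append((fields[0], int(fields[2])))
    return rows


def duplicate_names(rows: list[tuple[str, int]]) -> list[str]:
    """Rule: all accounts must have unique names."""
    return sorted(name for name, n in Counter(name for name, _ in rows).items() if n > 1)


def duplicate_uids(rows: list[tuple[str, int]]) -> list[int]:
    """Rule: all accounts must have unique UIDs (accounts sharing a UID share files)."""
    return sorted(uid for uid, n in Counter(uid for _, uid in rows).items() if n > 1)


def extra_uid0_accounts(rows: list[tuple[str, int]]) -> list[str]:
    """Accounts other than root with UID 0: a second privileged login."""
    return sorted(name for name, uid in rows if uid == 0 and name != "root")


def single_user_requires_sulogin(inittab: str) -> bool:
    """Rule: an active runlevel-S entry must run /sbin/sulogin (fields id:runlevels:action:process)."""
    for line in inittab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)
        if len(fields) == 4 and "S" in fields[1] and "/sbin/sulogin" in fields[3]:
            return True
    return False


def direct_shared_logins(last_output: str, shared_accounts: set[str]) -> dict[str, set[str]]:
    """Rule: no direct logins to shared accounts. `last` records logins, not su, so any
    record for a shared account is a direct login; the value is the set of source hosts."""
    seen: dict[str, set[str]] = {}
    for line in last_output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        account, host = fields[0], fields[2]
        if account in shared_accounts:
            seen.setdefault(account, set()).add(host)
    return seen


def baseline_findings(passwd: str, inittab: str, last_output: str, shared: set[str]) -> list[str]:
    """Run all four checks and describe each finding in STIG style."""
    rows = parse_passwd(passwd)
    findings: list[str] = []
    if names := duplicate_names(rows):
        findings.append(f"duplicate account names: {names}")
    if uids := duplicate_uids(rows):
        findings.append(f"duplicate UIDs: {uids}")
    if extra := extra_uid0_accounts(rows):
        findings.append(f"additional UID 0 accounts: {extra}")
    if not single_user_requires_sulogin(inittab):
        findings.append("single-user mode does not run /sbin/sulogin")
    for account, hosts in direct_shared_logins(last_output, shared).items():
        findings.append(f"direct logins to shared account {account} from {sorted(hosts)}")
    return findings


# Constructed samples (not from any real system).
PASSWD = """root:x:0:0:root:/root:/bin/bash
sysadmin:x:0:0:second root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
alice:x:1003:1003:duplicate name:/home/alice2:/bin/bash
opsshare:x:1002:1002:shared operations account:/home/opsshare:/bin/bash
"""
INITTAB_NO_SULOGIN = "id:3:initdefault:\nls:S:wait:/etc/init.d/rc S\n"
INITTAB_FIXED = INITTAB_NO_SULOGIN + "~~:S:respawn:/sbin/sulogin\n"
LAST_OUTPUT = """alice    pts/0  10.0.0.5   Mon Mar  6 08:55 - 09:30
opsshare pts/1  10.0.0.12  Mon Mar  6 09:10 - 09:45
opsshare pts/2  10.0.0.30  Mon Mar  6 09:40 - 10:05
bob      pts/3  10.0.0.7   Mon Mar  6 10:00   still logged in
"""
SHARED = {"opsshare"}

if __name__ == "__main__":
    for finding in baseline_findings(PASSWD, INITTAB_NO_SULOGIN, LAST_OUTPUT, SHARED):
        print("FINDING:", finding)
```

On the constructed sample the review reports five findings; applying the inittab fix from the slide removes one of them, which is the behaviour a baseline validation step expects: the check must go green after the fix text is applied, and stay red otherwise.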

U.S. NIST Risk Management Framework – Security Lifecycle [NIST SP 800-53 Rev.4:2013]
• Regulatory frameworks for nuclear facilities have been influenced by the U.S. NIST RMF
• The U.S. Nuclear Regulatory Commission Regulatory Guide NRC RG 5.71 serves as a “template” for many countries with nuclear facilities.

Families and classes of security controls [NIST SP 800-53, NIST SP 800-82, CNSSI 1253, NRC RG 5.71]
1. The U.S. NRC RG 5.71 adopts the NIST SP 800-53 and NIST SP 800-82 security control high-impact baselines as the foundation for tailoring the controls to the specificities of nuclear facilities
2. Many countries with nuclear facilities have been adopting the U.S. NRC RG 5.71 as the foundation for tailoring the U.S. regulatory guide to their respective national legal and regulatory frameworks

Tailoring of baseline security controls
Examples of IT security baseline controls that are partially implemented or not implemented at nuclear facilities due to safety-security considerations
• differences in the protection of computer-based systems at nuclear facilities and IT systems at non-nuclear facilities [The U.S. Nuclear Regulatory Commission’s Cyber Security Regulatory Framework for Nuclear Power Reactors, US NUREG/CR-7141]

Security controls from the catalog of controls of the Risk Management Framework of NIST SP 800-53:
1. fully included in the NRC regulatory framework
2. partially included (modified)
3. not used in the NRC regulatory framework (because of the unique nature of the NPP environment)
4. security controls unique to critical digital assets (CDAs) at nuclear facilities (controls unique to the NRC regulatory framework)

Examples of security controls that are not implemented due to safety-security considerations and/or regulatory constraints

AC-10 Concurrent Session Control
NIST security control AC-10 was not included in the suite of NRC security controls
Explanation:
• allowing concurrent system account sessions to be launched by a single user or account presents an unacceptable risk to critical safety, security, and emergency preparedness (SSEP) functions
• allowing multiple user sessions opens the possibility for profiles and passwords to be shared
• unauthorized persons could access sessions that are inadvertently left open

Examples of security controls that are not implemented due to safety-security considerations and/or regulatory constraints

AC-17 Remote Access
NIST security control AC-17 was not included in the suite of NRC security controls
Explanation:
• remote access to CDAs is prohibited in the highest security levels
• remote user access would compromise the comprehensive defense-in-depth strategy (isolation and compartmentalization of CDAs)
See NRC RG 5.71 security control B.1.15 – Network Access Control

Computer security baseline controls (recap from Lecture 1)

Computer security baseline controls: Design Basis Threat (DBT)
• assumes that adversaries are willing to kill or be killed and are knowledgeable about specific target selection
• various possible modes of attack performed by adversaries – e.g., coordinating a bomb assault with another assault
• a wide range of plausible weapons, means and attack scenarios available to attackers
• threat posed by an insider or a group of insiders
• capabilities of adversaries to operate as one or more teams and attack from multiple entry points

Example: Force on Force (FOF) Inspections and Exercises
• The U.S. NRC carries out FOF inspections at all Nuclear Power Plant (NPP) sites at least once every three years.
• The NPP is given notice of an upcoming inspection about two to three months in advance.
• An FOF inspection, which is typically conducted over the course of 3 weeks, includes both tabletop drills and exercises that simulate combat between a mock adversary force and the licensee’s security force.
• At the NPP, the adversary force attempts to reach and simulate damage to key safety systems and components.
• The licensee’s security force, in turn, interposes itself to prevent the adversaries from reaching target sets.
• An FOF inspection typically includes three FOF exercises over three nights. Plant defenders know that a mock attack will take place sometime during a specific period of several hours, but they do not know what the attack scenario will be.
• Participants carry weapons modified to shoot laser bursts, and wear laser sensors to indicate hits. Other weapons and explosives are also simulated.

Development, Use and Maintenance of the Design Basis Threat, Implementing Guide, International Atomic Energy Agency, Vienna 2009
http://www-pub.iaea.org/MTCD/Publications/PDF/Pub1386_web.pdf
Guidance on how to develop, use and maintain a design basis threat (DBT):
• describes a DBT;
• identifies and recommends the roles and responsibilities of organizations that should be involved in the development, use and maintenance of a DBT;
• describes how to conduct a national threat assessment as a precursor to a DBT;
• explains how a DBT can be developed;
• explains how a DBT is incorporated into a State’s nuclear security regime;
• explains the conditions for a review of the DBT, and how the review and update are conducted.

Computer Security of Instrumentation and Control (I&C) Systems in Nuclear Facilities, Lecture 2 (of 4)
Recommended reading:
1. IAEA NST045, Computer Security for Nuclear Security, Implementation Guide http://www-ns.iaea.org/downloads/security/security-series-drafts/implem-guides/nst045.pdf
2. IAEA NST047, Computer Security Techniques for Nuclear Facilities, Technical Guidance http://www-ns.iaea.org/downloads/security/security-series-drafts/tech-guidance/nst047.pdf
3. Glossary of computer security terms (see the appendices of the presentation slides for Lecture 2: Appendix 1 IAEA NSS Glossary and Appendix 2 Glossary of the Committee on National Security Systems (CNSS))


Conclusion: Lecture 2 Objectives

• Introduction to computer security at nuclear facilities (cont.)
• Generic computer security risk model
• Examples of computer security measures
• Baseline computer security measures
• Nuclear safety – cybersecurity considerations for security controls
• Examples of computer security controls commonly used in IT systems that are not used at nuclear facilities due to nuclear systems’ safety concerns
• Design Basis Threat
• Glossary of computer security terms (read Appendix 1 and Appendix 2)

Lecture 2 Appendix 1: IAEA NSS glossary

information security: Preservation of the confidentiality, integrity and availability of information.
computer security: A particular aspect of information security that is concerned with computer based systems, networks and digital systems.
integrity: 1. The property of accuracy and completeness of information. 2. The property of protecting the accuracy and completeness of assets.
access control: Means to ensure that access to assets is authorized and restricted based on business and security requirements.

IAEA NSS glossary (cont.)

adversary: Any individual performing or attempting to perform a malicious act. Adversary typically refers to somebody actually attempting to carry out a malicious act, whereas threat tends to be used to refer to a postulated adversary against which security measures are designed.
attack: An attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.
authentication: The provision of assurance that a claimed characteristic of an entity is correct.
authorization: The granting by a competent authority of written permission for operation of an associated facility or for carrying out an associated activity, or a document granting such permission.
computer security incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a computer based, networked or digital information system or the information that the system processes, stores, or transmits, or that constitutes a violation or imminent risk of violation of security policies, security procedures, or acceptable use policies.

IAEA NSS glossary (cont.)

computer security perimeter: The logical border around a network to which critical assets are connected and to which access is controlled.
computer security policy: Aggregate of directives, regulations, rules and practices that prescribes how an organization manages and protects computers and computer systems.
confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
configuration management: The process of identifying and documenting characteristics of a facility’s protection system — including computer systems and software — and of ensuring that changes to these characteristics are properly developed, assessed, approved, issued, implemented, verified, recorded and incorporated into the facility documentation.
contingency plan: A part of the security plan, or a stand-alone document, that identifies reasonably foreseeable security events, provides initial planned actions, and assigns responsibilities to appropriate personnel.

IAEA NSS glossary (cont.)

countermeasure: An action taken to counteract threat(s), or to eliminate or reduce vulnerability(ies). Note: In safety, the term “countermeasure” is specifically reserved for actions aimed at alleviating the radiological consequences of an accident.
defence in depth: Implementing several layers of defence, including both administrative aspects (procedures, instructions, sanctions, access control rules, confidentiality rules) and technical aspects (multiple layers of protection together with measures for detection and delay) that adversaries would have to overcome or circumvent to achieve their objectives. Note: The term “defence in depth” is widely used in safety standards with a similar general concept.
graded approach: 1. The application of nuclear security measures proportional to the potential consequences of a malicious act. 2. An approach or process by which the scope, depth and rigour of the management and engineering control measures (such as a physical protection system) are commensurate with the evaluation of the threat and the magnitude of any hazard involved with the failure of the item or process concerned.

IAEA NSS glossary (cont.)

design basis threat: 1. A description of the attributes and characteristics of potential insider/external adversaries who might attempt unauthorized removal of nuclear material or radioactive material or sabotage, against which a physical protection system is designed and evaluated. 2. A comprehensive description of the motivation, intentions and capabilities of potential adversaries against which protection systems are designed and evaluated.
insider: An individual with authorized access to associated facilities or associated activities or to sensitive information or sensitive information assets, who could commit, or facilitate the commission of, a malicious act.
need to hold: A principle by which individuals are permitted to have in their physical possession only the information assets that are necessary to conduct their work effectively.
need to know: A principle under which users, processes and systems are granted access to only the information, capabilities and assets which are necessary for execution of their authorized functions.

IAEA NSS glossary (cont.)

nuclear security: The prevention of, detection of, and response to, criminal or intentional unauthorized acts involving or directed at nuclear material, other radioactive material, associated facilities, or associated activities.
nuclear security culture: The characteristics and attitudes in organizations and of individuals which establish that security issues receive the attention warranted by their significance.
nuclear security measures: Measures intended to prevent a threat from completing a malicious act or to detect or respond to nuclear security events.
nuclear security system: An integrated set of nuclear security measures.
regulatory body: One or more authorities designated by the government of a State as having legal authority for conducting the regulatory process, including issuing authorizations.

IAEA NSS glossary (cont.)

risk: The potential that a given threat will exploit vulnerabilities of an asset, or group of assets, and thereby cause harm to the organization, other organizations, individuals or society. It is measured in terms of a combination of the likelihood of an event and the severity of its consequences.
risk assessment: The overall process of systematically identifying, estimating, analysing and evaluating risk for the purpose of informing priorities, developing or comparing courses of action, and informing decision making.
security plan: A document — prepared by the operator and possibly required to be reviewed by the regulatory body — that presents a detailed description of the security arrangements in place at a facility.
sensitive information: Information, in whatever form, including software, the unauthorized disclosure, modification, alteration, destruction, or denial of use of which could compromise nuclear security.
sensitive information assets: Any equipment or components that are used to store, process, control or transmit sensitive information. For example, sensitive information assets include control systems, networks, information systems and any other electronic or physical media.

IAEA NSS glossary (cont.)

social engineering: A non-technical form of information gathering or attack that relies on human interaction to manipulate people into inadvertently breaking security procedures, for example disclosing information or performing other actions with a security impact.
security: A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
security controls: Management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
security control baseline: Set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
security categorization: Process of determining the security category for information and/or an information system.

Glossary [The Committee on National Security Systems (CNSS) Instruction No. 4009]

Lecture 2 Appendix 2

security control enhancements Security capability to 1) add additional functionality to a basic control; and/or 2) increase the strength of a basic control security domain A domain that implements a security policy and is administered by a single authority (see also DBSy Domain Based Security risk assessment methodology) security perimeter Physical and logical boundaries that are defined for a system or domain within which a particular security policy or security architecture is applied security plan Formal document that provides an overview of security requirements for a system and describes the security controls in place or planned for meeting those requirements security posture Security status of an enterprise’s networks, information, and systems based on cybersecurity resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes


• security category: The characterization of information and/or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.
• security engineering: Interdisciplinary approach and means to enable the realization of secure systems. It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development lifecycle, documenting requirements, and then proceeding with design, development, implementation and system validation while considering the complete problem.
• systems security engineering: An engineering field that applies scientific, engineering, and information assurance principles to deliver trustworthy systems that satisfy stakeholder requirements within their established risk tolerance.
• security requirements: Requirements levied on a system that are derived from applicable laws, directives, policies, contractual requirements, standards, instructions, regulations, procedures, and business needs to ensure the confidentiality, integrity, and availability of systems and the information being processed, stored, or transmitted.


• security requirements baseline: Minimum requirements necessary for a system to comply with legal, regulatory and contractual requirements and to maintain an acceptable level of risk.
• security requirements traceability matrix: Matrix documenting the system’s agreed-upon security requirements derived and aggregated from ALL sources, the corresponding security controls to meet the requirements, the controls’ implementation status and schedule, and the resources required for assessment of the controls. Example: US DHS Cybersecurity Requirements Traceability Matrix, https://www.dhs.gov/sites/default/files/publications/Requirements%20Traceability%20Matrix%20%28RTM%29.docx
• security safeguards: Protective (preventive, detective and corrective) measures / controls prescribed to meet the security requirements specified for a system. Safeguards may include technical security controls, management constraints, personnel security, and security of physical structures, areas, and devices.
• system: Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.


• system integrity: The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
• system development life cycle (SDLC): The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal.
• access control: The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities.
• access control mechanism: Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system.
• access control list (ACL): A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.


• discretionary access control (DAC): An access control policy that specifies that a subject that has been granted access to information can do one or more of the following: (i) pass the information to other subjects or objects; (ii) grant its privileges to other subjects; (iii) change security attributes on subjects, objects, information systems, or system components; (iv) choose the security attributes to be associated with newly-created or revised objects; or (v) change the rules governing access control. Mandatory access controls restrict this capability.
• mandatory access control (MAC): An access control policy that is uniformly enforced across all subjects and objects within the boundary of an information system. A subject that has been granted access to information is constrained from doing any of the following: (i) passing the information to unauthorized subjects or objects; (ii) granting privileges to other subjects; (iii) changing security attributes on subjects, objects, the information system, or system components; (iv) choosing the security attributes to be associated with newly created or modified objects; or (v) changing the rules governing access control.
• role-based access control (RBAC): Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). A given role may apply to a single individual or to several individuals.
• access level: A category within a given security classification limiting entry or system connectivity to only authorized persons.


• access profile: Association of a user with a list of protected objects the user may access.
• access type: Privilege to perform an action on an object. Read, write, execute, append, modify, delete, and create are examples of access types.
• accountability: 1. The principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information. 2. The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
• accreditation: Formal declaration by an accrediting authority that a system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.
• cyber defense: Capability to discover, detect, analyze, and mitigate threats and vulnerabilities.


• add-on security: Incorporation of new or additional hardware, software, or firmware safeguards in an operational information system.
• adequate security: Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of an asset.
• sensitivity: A measure of the importance assigned to information by its owner, for the purpose of adequate protection.
• advanced persistent threat (APT): Adversary with sophisticated levels of expertise and significant resources, allowing it, through the use of multiple different attack vectors (e.g., cyber, physical, and deception), to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for the purposes of continually exfiltrating information and/or undermining or impeding critical aspects of a mission, program, or organization, or to place itself in a position to do so in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.
• adversary: Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.


• air gap: An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).
• assurance: The grounds for confidence that the set of intended security controls in an information system are effective in their application.
• attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
• blended attack: A type of attack that combines multiple attack methods against one or more vulnerabilities.
• passive attack: An attack that does not alter systems or data.
• social engineering: An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.


• spear phishing: A colloquial term that can be used to describe any targeted phishing attack.
• spoofing: Faking the sending address of a transmission to gain unauthorized access into a system or resources. Impersonation and masquerading are forms of spoofing.
• replay attack: An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.
• attack tree: A branching, hierarchical data structure that represents potential approaches to achieving an event in which system security is penetrated or compromised in a specified way.
• system assurance: The level of confidence that a system functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted throughout the system lifecycle.


• audit: Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.
• authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
• authentication mechanism: Hardware- or software-based mechanisms that force users to prove their identity before accessing data on a device.
• authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.
• multifactor authentication: Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password / personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).


• strong authentication: A method used to secure computer systems and/or networks by verifying a user’s identity by requiring two factors in order to authenticate (something you know, something you are, or something you have).
• mutual authentication: The process of both entities involved in a transaction verifying each other.
• authorization: Access privileges granted to a user, program, or process, or the act of granting the access privileges.
• authorization to operate: The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations, based on the implementation of an agreed-upon set of security controls.
• authorized user: Any appropriately cleared individual with a requirement to access an information system.


• authorizing official: A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
• availability: 1. Ensuring timely and reliable access to and use of information. 2. Timely, reliable access to data and information services for authorized users.
• backdoor: An undocumented way of gaining access to a computer system.
• blacklist: A list of discrete entities, such as hosts or applications, that have been previously determined to be excluded from the system and its operation.
• boundary: Physical or logical perimeter of a system.


• boundary protection: Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g., gateways, routers, firewalls, guards, encrypted tunnels, data diodes).
• boundary protection device: A device with appropriate mechanisms that: (i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or (ii) provides information system boundary protection.
• clearance: A formal security determination by an authorized adjudicative office that an individual is authorized access, on a need-to-know basis, to a specific level of classified information (TOP SECRET, SECRET, or CONFIDENTIAL).
• compensating security control: The security controls employed in lieu of the recommended controls that provide equivalent or comparable protection for an information system or organization.
• compromise: Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.


• computer abuse: Intentional or reckless misuse, alteration, disruption, or destruction of information processing resources.
• confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
• configuration management: A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
• countermeasures: Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. (Synonymous with security controls and safeguards.)
• safeguards: Preventive, protective and detective measures to meet the security requirements specified for an information system. Safeguards may include technical security features, management constraints, personnel security, and security of physical structures, areas, and devices. (Synonymous with security controls and countermeasures.)


• technical security controls: Security controls (i.e., safeguards or countermeasures) that are primarily implemented and executed through mechanisms contained in the hardware, software, or firmware components of the system.
• covert channel: An unintended or unauthorized intra-system channel that enables two cooperating entities to transfer information in a way that violates the system’s security policy.
• overt channel: Communications path within a computer system or network designed for the authorized transfer of data.
• cyber incident: Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein.
• cybersecurity: Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.


• cyberspace: The interdependent network of information technology infrastructures, which includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.
• data integrity: The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit.
• data loss: The exposure of proprietary, sensitive, or classified information through either data theft or data leakage.
• defense-in-depth: Strategy integrating people, technology, and operations capabilities to establish barriers across multiple layers and missions of the organization.
• demilitarized zone: Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance (IA) policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks.


• denial of service (DoS): Prevention of authorized access to resources or the delaying of time-critical operations.
• depth: An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method. The values for the depth attribute, hierarchically from less depth to more depth, are basic, focused, and comprehensive.
• exfiltration: The unauthorized transfer of information from an information system.
• fail safe: A mode of termination of system functions that prevents damage to specified system resources and system entities (i.e., specified data, property, and life) when a failure occurs or is detected in the system (but the failure still might cause a security compromise).
• fail secure: A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity).


• failover: Capability to switch over automatically (typically without human intervention or warning) to a redundant or standby system upon the failure or abnormal termination of the previously active system.
• fault tree analysis: A top-down, deductive failure analysis in which an undesired state of a system (top event) is analyzed using Boolean logic to combine a series of lower-level events. An analytical approach whereby an undesired state of a system is specified and the system is then analyzed in the context of its environment of operation to find all realistic ways in which the undesired event (top event) can occur.
• flooding: An attack that attempts to cause a failure in a system by providing more input than the system can process properly.
• hacker: Unauthorized user who attempts to or gains access to an information system.
• high impact: The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests.


• identification: Process of discovering the identity of a person or item from the entire collection of persons or items.
• identity: Set of physical and behavioral characteristics by which an individual is uniquely recognizable.
• impact: The effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
• impact level: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
• impact value: The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high.
• spillage: Security incident that results in the transfer of classified information onto an information system not authorized to store or process that information.


• incident: An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
• tampering: Intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data.
• information security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
• information security policy: Aggregate of directives, regulations, and rules that prescribe how an organization manages, protects, and distributes information.
• information security risk: The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.


• system security plan: Formal document that provides an overview of the security requirements for a system and describes the security controls in place or planned for meeting those requirements.
• information system: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial/process control systems and environmental control systems.
• information system resilience: Ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded state, while maintaining essential operational capabilities.
• insider threat: The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of resources or capabilities.
• information technology (IT): Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term information technology includes computers, software, firmware and related resources.


• integrity: Guarding against unauthorized information modification or destruction; includes ensuring information non-repudiation and authenticity.
• non-repudiation: Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, or receiving a message.
• interface: Boundary between independent systems or modules where interactions take place.
• intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.
• intrusion detection: Process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents.


• intrusion prevention: Process of monitoring the events occurring in a computer system or network, analyzing them for signs of possible incidents, and attempting to stop detected possible incidents.
• least privilege: Principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
• need-to-know: Principle that access is limited to the resources required to carry out official duties.
• split knowledge: Separation of data or information into two or more parts, each part constantly kept under the control of separate authorized individuals or teams, so that no one individual or team will know the whole data.
• likelihood of occurrence: Probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.
• logic bomb: A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.


• malicious code: Software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of an information system.
• malicious cyber activity: Activities that seek to compromise or impair the confidentiality, integrity, or availability of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information.
• man-in-the-middle attack: A form of active attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one of the entities involved in a communication.
• masquerading: A type of threat action whereby an unauthorized entity gains access to a system or performs a malicious act by illegitimately posing as an authorized entity.
• scanning: Sending packets or requests to another system to gain information, e.g., to be used in a subsequent attack.


• media sanitization: Actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
• mobile code: Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.
• network resilience: A computing infrastructure that is highly resistant to disruption and able to operate in a degraded mode if damaged, provides rapid recovery if failure occurs, and scalability to meet unpredictable demands.
• patch management: Systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.
• penetration testing: Test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.
• precursor: A sign (indicator) that an attacker may be preparing to cause an incident.


• phishing: Technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.
• privileged user: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
• proactive cyber defense: A continuous process to manage and harden devices and networks according to known best practices.
• risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
• risk management: The process to manage information security risk that includes: (i) establishing the context for risk-related activities; (ii) risk assessment; (iii) responding to risk once determined; and (iv) risk monitoring over time.


• risk assessment (risk analysis): Process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management; incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
• risk mitigation: Prioritizing, evaluating, and implementing the appropriate risk-reducing controls / countermeasures recommended from the risk management process.
• risk response: Accepting, avoiding, mitigating, sharing, or transferring risk.
• risk tolerance: The level of risk an entity is willing to assume in order to achieve a desired result.
• residual risk: Portion of risk remaining after security measures have been applied.
• risk management framework (RMF): A structured approach to oversee and manage risk for an enterprise.


• resilience: The ability to prepare for and adapt to changing conditions, and to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
• robustness: Ability to operate correctly and reliably across a wide range of operational conditions, and to fail gracefully outside of that operational range.
