Computer Security at Nuclear Facilities


Computer Security at Nuclear Facilities Lecture 4 (of 4) Pavol Zavarsky, CISSP, CISM, CISA, PhD Department of Nuclear System Safety Engineering, Nagaoka University of Technology, Nagaoka, Japan, 2017

Lecture 4 Objectives

• Responsibilities for computer security at nuclear facilities
• Categorization of functions and systems for determination of appropriate level of safety and computer security protection
• Defensive computer security architecture at nuclear facilities
  • defence-in-depth, graded approach to computer security, security levels, security zones
  • computer security architecture modeling
• Introduction to computer security assurance
• Conclusions

Computer Security for Nuclear Security (IAEA NST045 2017)

Department of Nuclear System Safety Engineering, Nagaoka University of Technology, Nagaoka, Japan, 2017


Design Basis Threat (DBT)
• assumes that adversaries are willing to kill or be killed and are knowledgeable about specific target selection
• covers various possible modes of attack performed by adversaries, e.g. coordinating a bomb assault with another assault
• includes a wide range of plausible weapons, means and attack scenarios available to attackers
• includes the threat posed by an insider or a group of insiders
• assumes capabilities of adversaries to operate as one or more teams and attack from multiple entry points


Computer Security for Nuclear Security (IAEA NST045 2017)

Computer security controls at State level. Examples:
1. National Vulnerability Database https://web.nvd.nist.gov
2. Computer Security Resource Center http://csrc.nist.gov
3. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) http://ics-cert.us-cert.gov


[IAEA NSS 17 Computer Security at Nuclear Facilities]

Graded approach to security Lecture 1

graded approach
• scope, depth and rigour of management and technical computer security measures are proportional to the potential impact of a failure of a function
• protection levels with level-specific security measures
• security measures defined for each level
• generic security measures apply to systems in all levels


Lecture 1

• nuclear facility functions are assigned to security levels
• systems that are performing the function inherit the security level of the function
• system categorization = assigning a system to a protection level

defence in depth
• implementing several layers of defence, including both administrative aspects (procedures, instructions, sanctions, access control rules, confidentiality rules) and technical aspects (multiple layers of protection together with measures for detection and delay) that adversaries would have to overcome or circumvent to achieve their objectives


Graded approach to security - categorization of systems into levels based on possible negative impact of the system compromise [IAEA NSS 17]


Computer Security at Nuclear Facilities [IAEA NSS 17]

System Classification
• functions of prime concern are control and data processes associated with safety
• other functions may be a concern in terms of support to the safety functions, or of possible compromise of safety through secondary or indirect effects
• IAEA safety standards categorize nuclear facility equipment according to its function


IAEA NSS 17 Computer Security at Nuclear Facilities

System classification (1) Systems important to safety Plant equipment (incomplete list)

• Safety systems
  — Protection systems: I&C systems for automatically-initiated reactor and plant protection actions
  — Safety actuation systems: I&C systems that accomplish safety actions, initiated by the protection systems and by manual actuations
  — Safety system support systems: I&C for emergency power supply systems
• Safety-related systems
  — Process control systems: I&C systems for plant control
  — Control room I&C including the alarm systems
  — Fuel handling and storage I&C systems
  — Fire protection systems
  — Access control systems, voice and data communication infrastructure


IAEA NSS 17 Computer Security at Nuclear Facilities

System classification (2) I&C systems for functions not important to safety. Non-plant equipment (incomplete list)

a) Office automation
• work permit and work order systems: coordination of work activities for a sound working environment
• engineering and maintenance systems: systems that handle details of plant operation, maintenance and technical support
• configuration management systems: tracking of plant configuration, including models, versions and parts installed at the nuclear facility
• document management systems: storing and retrieving plant information, e.g. drawings, minutes of meetings
• intranet: facilitates access to all plant documentation, both technical and administrative, on a need-to-know basis

b) External connectivity
• Email, web site, and other forms of external connectivity


NPP I&C Systems Safety Classification (cont.) https://www.nrc.gov/docs/ML1209/ML120970232.pdf

Safety categories in different classification systems

All classification systems aim to ensure that safety is never compromised.

Different countries and international organizations use different categorization schemes:
• the IEC categorization defines three safety categories, A, B and C
• the IAEA adopted a three-level distinction between safety systems, safety-related systems and non-safety systems


NPP I&C Systems Safety Classification (cont.) https://www.nrc.gov/docs/ML1209/ML120970232.pdf Safety categories in different classification systems


Example: Digital I&C system architecture for a NPP with three lines of defence

http://www.neimagazine.com/features/featurethe-uk-eprtm-digital-ic-system/featurethe-uk-eprtm-digital-ic-system-1.html http://www.neimagazine.com/features/featurethe-uk-eprtm-digital-ic-system/


Defence-in-depth computer security
• complementary and redundant security controls that establish multiple layers of protection to safeguard computer-based critical digital assets
• applied and maintained to ensure the capability to detect, prevent, respond to, mitigate, and recover from any possible unauthorized acts
• implemented comprehensively so that any failure to meet a security requirement or a set of security requirements, while undesirable, will not constitute or result in a safety concern

Examples of unauthorized acts on critical computer-based assets that are prevented by the multiple layers of defence-in-depth protection:
(i) denial of authorized access to systems, services, or data
(ii) adverse impacts on integrity of data, software, hardware and firmware
(iii) adverse impacts on operation of systems, networks, and associated equipment


Security classification in accordance with IEC 61226 safety classification

Note: A list of nuclear facility functions and their mapping to systems is available in the document published by the U.S. Nuclear Regulatory Commission titled “Classification Approach for Digital I&C Systems at U.S. Nuclear Power Plants”, available at https://www.nrc.gov/docs/ML1209/ML120970232.pdf

[IEC 61226 Nuclear power plants - Instrumentation, control and electrical power systems important to safety - Categorization of functions and classification of systems]

Graded approach to security [IAEA NSS 17 Computer Security at Nuclear Facilities] Example: a simplified illustrative example of how safety classification of nuclear facility functions can be mapped to computer security levels.

IEC 62443-3-3 Industrial communication networks Network and system security Part 3-3: System security requirements and security levels


Example: System classification http://www.neimagazine.com/features/featurethe-uk-eprtm-digital-ic-system/featurethe-uk-eprtm-digital-ic-system-1.html http://www.neimagazine.com/features/featurethe-uk-eprtm-digital-ic-system/


Example: Computer network segmentation and redundancies in the Westinghouse NPP I&C system architecture

Network segmentation and redundancies
• components of defensive computer security architecture


Example: A general zone model of a nuclear facility with five security levels

The standard approach to protecting the functions of a nuclear facility is to use a system architecture based on the concepts of security levels and security zones:
• the security level assigned to a zone is based upon the highest degree of security protection required by a function performed by a system within that zone
• the zone concept demands that the same security level is assigned to all systems within that zone
• typically, a nuclear facility zone model consists of many different zones, where several zones may be assigned the same security level


• In practice, a zone comprises one or more systems, each system comprising one or more subsystems (digital assets) to perform its assigned function
• system boundaries are useful in defining zone boundaries
• zone boundaries have data flow control mechanisms, such as firewalls, gateways, and data diodes
• zone boundaries assist in prevention of 1) unauthorized access; 2) errors propagating from one zone to another; 3) any unauthorized communication from a zone with lower protection requirements to a zone with higher ones
• a cyber-attack originating from outside the nuclear facility would need to cross several zone boundaries between zones in different security levels before having the opportunity to attack a system at Security Level 1, 2 or 3
• defence-in-depth approach to computer security
• security measures at lower security levels contribute to protection of systems at the higher levels
• the architecture enables implementation of the graded approach to security


Example: Defensive computer security architecture at a nuclear facility with five security levels
• Systems assigned to the most stringent security level are placed within the most secure zone boundaries
• In the defence-in-depth architecture, a direct path through several zones is not allowed
• Remote access to systems in the most stringent security level is not possible due to unidirectional (outbound-only) traffic
• Technical measures that provide security at the boundaries of zones must be resilient to cyber-attacks and provide indications of potential malicious activity or compromise
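The zone rules on the two slides above (no unauthorized flow from a lower-protection zone to a higher-protection one, no direct path that bypasses intermediate zones, outbound-only traffic out of the most stringent level, and an external attacker having to cross several boundaries) can be turned into a policy check that an architecture reviewer runs over a proposed zone model. The following is an added example written for this lecture text, not code from the IAEA guidance or from any vendor: the zone names, the five-level numbering (1 = most stringent, 5 = least) and the interpretation of "direct path through several zones" as a flow whose endpoints differ by more than one security level are all assumptions made for illustration.

```python
"""Zone-model data-flow policy check (added illustrative example, not from the slides)."""
from collections import deque
from dataclasses import dataclass

MOST_STRINGENT = 1   # Security Level 1 = strongest protection in the slides' five-level model


@dataclass(frozen=True)
class Flow:
    """One proposed data flow between two zones."""
    src: str
    dst: str
    authorized: bool = False  # assumed attribute: explicitly approved by the security program


# Constructed sample zone model: zone name -> security level (names are assumptions)
ZONES = {
    "INTERNET": 5,
    "CORPORATE_LAN": 4,
    "PLANT_DMZ": 3,
    "PROCESS_CONTROL": 2,
    "PROTECTION": 1,
}

# Constructed sample of proposed flows for the reviewer to check
SAMPLE_FLOWS = [
    Flow("INTERNET", "CORPORATE_LAN", authorized=True),
    Flow("CORPORATE_LAN", "PLANT_DMZ", authorized=True),
    Flow("PLANT_DMZ", "PROCESS_CONTROL"),               # not authorized -> violation
    Flow("PROCESS_CONTROL", "PLANT_DMZ"),               # outbound from level 2: fine
    Flow("PROTECTION", "PROCESS_CONTROL"),              # outbound-only from level 1: fine
    Flow("PROCESS_CONTROL", "PROTECTION", authorized=True),  # inbound to level 1: never allowed
    Flow("CORPORATE_LAN", "PROTECTION", authorized=True),    # skips levels and enters level 1
]


def check_flow(flow, zones):
    """Return the list of rule violations for one flow (empty list means it complies)."""
    src_level, dst_level = zones[flow.src], zones[flow.dst]
    problems = []
    if flow.src == flow.dst:
        return problems  # intra-zone traffic crosses no boundary
    # Assumption: a single flow may only connect adjacent security levels.
    if abs(src_level - dst_level) > 1:
        problems.append("skips a level: direct path through several zones")
    if dst_level < src_level:  # going towards stronger protection
        if dst_level == MOST_STRINGENT:
            problems.append("inbound to most stringent level: traffic must be outbound-only")
        elif not flow.authorized:
            problems.append("unauthorized flow from lower-protection zone to higher-protection zone")
    return problems


def audit(flows, zones):
    """Map every flow to its violations, so a reviewer sees the full picture at once."""
    return {f: check_flow(f, zones) for f in flows}


def boundaries_crossed(flows, zones, origin, target):
    """Minimum number of zone boundaries a path from `origin` must cross to reach `target`,
    following only flows that pass the policy in their data-flow direction.
    Returns None when `target` is unreachable (the defence-in-depth goal for Level 1)."""
    graph = {}
    for f in flows:
        if not check_flow(f, zones) and f.src != f.dst:
            graph.setdefault(f.src, set()).add(f.dst)
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return dist.get(target)


if __name__ == "__main__":
    for flow, problems in audit(SAMPLE_FLOWS, ZONES).items():
        print(f"{flow.src:>16} -> {flow.dst:<16} {'OK' if not problems else '; '.join(problems)}")
    for zone in ZONES:
        print(f"boundaries from INTERNET to {zone}: {boundaries_crossed(SAMPLE_FLOWS, ZONES, 'INTERNET', zone)}")
```

Run as a script it prints the per-flow verdicts and, for each zone, how many compliant boundaries lie between the external zone and that zone; a reachable Level 1 or 2 zone is the finding a reviewer would escalate. The unidirectional rule is modelled on the data-flow direction only, which is exactly what a data diode enforces; a firewall rule set would additionally need the "authorized" flag to be backed by a documented approval.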


Example: Defensive computer security architecture at nuclear facility with five security levels

Security zone
• a logical and physical concept for grouping of systems
• the principle of separation (along with the principles of redundancy, diversity, and defence in depth) plays a key role in providing high assurance that systems at nuclear facilities are designed with safety as the utmost priority


Graded approach to security [IAEA NSS 17 Computer Security at Nuclear Facilities]

Example: Domain Based Security methodology can be used for the design and implementation of the graded approach to cybersecurity (while considering safety requirements). Domain Based Security methodology supports the concepts of zones, security levels, defence in depth and graded approach to security, while constantly considering safety and regulatory requirements on the computer security architecture.

IEC 62443-3-3 Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels


Graded approach to security [IAEA NSS 17 Computer Security at Nuclear Facilities] Domain Based Security (DBSy) InfoSec Business Model: Example


http://www.safetyinengineering.com/FileUploads/Nuclear%20Plant%20Information%20Security_1375871013_2.pdf

Example: Domain Based Security (DBSy) Infosec Architecture Model Note: Fully-developed DBSy model would contain details on security controls (firewalls, unidirectional networks, … )

DBSy methodology supports the concepts of zones, security levels, defence in depth and graded approach to security, while constantly considering safety and regulatory requirements on the computer security architecture

IEC 62443-3-3 Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels

• grouping of computer-based systems into business function domains (with security levels), infrastructure islands and security zones

security engineering
• interdisciplinary approach and means to enable realization of secure systems
• SDLC approach: (1) identification of applicable laws, regulations, needs, security requirements and documenting the requirements; (2) design, development, implementation, and system validation while considering the complete problem

systems security engineering
• an engineering field that applies scientific, engineering, and information assurance principles to deliver trustworthy systems that satisfy stakeholder requirements within their established risk tolerance

Abbreviations: Computer Security Defensive Architecture (CSDA), Computer Security Program (CSP)

security engineering
• interdisciplinary approach and means to enable realization of secure systems
• SDLC approach: (1) identification of applicable laws, regulations, needs, security requirements and documenting the requirements; (2) design, development, implementation, and system validation while considering the complete problem

systems security engineering
• an engineering field that applies scientific, engineering, and information assurance principles to deliver trustworthy systems that satisfy stakeholder requirements within their established risk tolerance

IAEA SSG-39 Design of I&C systems for NPPs

Safety – computer security considerations in the I&C system development lifecycle
• Neither operation nor failure of any computer security control should adversely affect the ability of a system to perform its safety function
• If there is a conflict between safety and security, then the design considerations taken to ensure safety should be maintained
• Failure modes of computer security features and the effects of these failure modes on I&C functions should be known, documented and considered in system hazard analyses

Computer security assurance at nuclear facilities V-Model for computer security risk management process [IAEA NST047]

The V-model system engineering approach guides the process:
• going down the left side, requirements, in increasing detail, down to the smallest system components
• going up the right side, testing, in decreasing detail, up to installation and commissioning
• horizontal lines indicate verification of requirements for a given level
• verification activities may occur between any two phases
• verification evaluates the quality of the outputs of an activity against requirements, to ensure sufficient quality before they are used by a subsequent phase


[IAEA NST047] V-Model for computer security risk management process

V-model system engineering approach guides the process (cont.)

Computer security functional analysis (system engineering approach)
• determines what the computer security system needs to do (i.e., identification of functional requirements at overall, system and component levels)
• requirements on architecture, independence/isolation, interfaces, redundancy, diversity, defence-in-depth, access control granularity, insider threat mitigation, …
• functional analysis utilizes use cases and activity (data flow) diagrams
• requirements on the security protection system at various levels of detail
• requirements on individual security functions, and on the design, development and implementation of the functions


IAEA NST047 V-Model for computer security risk management process

Verification activities may include:
— Verifying the threat characterization
— Verifying that the defensive architecture as designed, or as built, meets all requirements

Graded approach when determining the depth and breadth of verification and validation activities
• the greatest level of effort is applied to those functions or systems assigned to the most stringent security levels (i.e., those requiring the greatest level of protection)
• Example: Force-on-Force inspections and exercises


Assurance controls for computer security measures at nuclear facilities

The V-model defines the relationship between the lifecycle phases of requirements specification, design, integration, installation and operation, and how verification and validation activities relate to development activities.

Typical design analysis, verification and validation techniques:
a) Traceability analysis, to confirm implementation and validation of requirements
b) Failure mode analysis, to confirm that all known failure modes are detectable by testing
c) Defence in depth and diversity analysis, to eliminate vulnerability of cybersecurity protection systems to a common cause failure
d) Security testing of security controls (SDLC of the testing with its own V-model)
e) Analysis to confirm that controls were designed to incorporate features that are known to promote high reliability, such as redundancy, testability, and rigorous qualification
f) Confirmation of functional requirements on computer security protection for various operating modes of the I&C system, including requirements on correct system behaviour during and after power interruptions, restart or reboot


Computer security assurance

Computer security requirements traceability matrix
• a matrix documenting the system’s
  1. agreed-upon security requirements derived and aggregated from ALL sources
  2. security controls to meet the requirements
  3. controls implementation status, and
  4. schedule and resources required for assessment of the controls
• the requirements traceability matrix relates requirements from requirement source documents to the security certification process
• the matrix ensures that all security requirements are identified and investigated
• each row of the matrix identifies a specific requirement and provides the details of how it was tested or analyzed

Example: US DHS Cybersecurity Requirements Traceability Matrix https://www.dhs.gov/sites/default/files/publications/Requirements%20Traceability%20Matrix%20%28RTM%29.docx
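A requirements traceability matrix is only useful if it is checked mechanically for the gaps the slide lists: requirements with no control mapped, controls marked implemented without a recorded test or analysis, and an assessment budget that is never totalled. The following is an added example written for this lecture text, not the DHS template or any project's tooling; the requirement IDs, source names, control IDs, statuses and per-control assessment minutes are constructed sample data.

```python
"""Requirements traceability matrix (RTM) gap check (added illustrative example)."""
from dataclasses import dataclass, field

VALID_STATUS = {"not started", "in progress", "implemented"}


@dataclass
class RtmRow:
    """One row of the RTM: a requirement, where it came from, and how it is traced."""
    req_id: str
    source: str                    # requirement source document
    requirement: str
    controls: list = field(default_factory=list)   # security controls meeting the requirement
    status: str = "not started"    # implementation status of the controls
    verification: str = ""         # how the controls were tested or analysed
    assessment_minutes: int = 0    # assessment time required per mapped control


# Constructed sample RTM (IDs, sources, wording and minutes are assumptions)
SAMPLE_RTM = [
    RtmRow("REQ-01", "IAEA NSS 17", "Zone boundaries enforce data flow control",
           ["FW-DMZ-01", "DIODE-01"], "implemented", "configuration review and boundary test", 12),
    RtmRow("REQ-02", "IEC 62443-3-3", "Outbound-only traffic from the most stringent level",
           ["DIODE-01"], "implemented", "", 6),
    RtmRow("REQ-03", "National regulation (placeholder)", "Insider threat mitigation for privileged access",
           [], "not started", "", 6),
    RtmRow("REQ-04", "IEC 62443-3-3", "Security logging at zone boundaries",
           ["LOG-01"], "in progress", "log review", 6),
]


def find_gaps(rtm):
    """Return {req_id: [issues]} for rows that would fail a traceability review."""
    gaps = {}
    for row in rtm:
        issues = []
        if not row.controls:
            issues.append("no control mapped")
        if row.status not in VALID_STATUS:
            issues.append(f"unknown status {row.status!r}")
        if row.status == "implemented" and not row.verification:
            issues.append("implemented but no test/analysis recorded")
        if issues:
            gaps[row.req_id] = issues
    return gaps


def coverage_by_source(rtm):
    """Count requirements per source document, so the reviewer can confirm every source was aggregated."""
    counts = {}
    for row in rtm:
        counts[row.source] = counts.get(row.source, 0) + 1
    return counts


def assessment_effort_hours(rtm):
    """Total assessment effort in hours: per-control minutes times the number of mapped controls (item 4)."""
    total_minutes = sum(row.assessment_minutes * len(row.controls) for row in rtm)
    return total_minutes / 60


if __name__ == "__main__":
    for req_id, issues in find_gaps(SAMPLE_RTM).items():
        print(f"{req_id}: {'; '.join(issues)}")
    print("requirements per source:", coverage_by_source(SAMPLE_RTM))
    print(f"assessment effort: {assessment_effort_hours(SAMPLE_RTM):.1f} h")
```

Each function returns its result rather than only printing it, so the same checks can run in a build pipeline or a periodic audit job; a real RTM would be loaded from the spreadsheet or document that holds it, with the same row shape.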


Example: US DHS Cybersecurity Requirements Traceability Matrix https://www.dhs.gov/sites/default/files/publications/Requirements%20Traceability%20Matrix%20%28RTM%29.docx


Example (cont.): US DHS Cybersecurity Requirements Traceability Matrix https://www.dhs.gov/sites/default/files/publications/Requirements%20Traceability%20Matrix%20%28RTM%29.docx


Example (cont.): U.S. DHS Cybersecurity Requirements Traceability Matrix


Example: NPP I&C system computer security assessment
• a typical NPP unit has approximately 10 000 sensors and detectors and 5000 km of I&C cables; the total mass of I&C-related components is about 1000 tonnes https://www.iaea.org/About/Policy/GC/GC52/GC52InfDocuments/English/gc52inf-3-att5_en.pdf
• approx. 500 Critical Digital Assets (CDAs)
• 547 security controls / asset
• assessment time 6 min for each control
• Total assessment effort: 500 x 547 x 6 = 1,641,000 min = 27,350 hours = approx. 13 years FTE (Full Time Equivalent, FTE = 2,080 hours/year) http://www.westinghousenuclear.com/Portals/0/operating%20plant%20services/automation/cyber%20security/NA0142%20Cyber%20Security%20Assessments%20flysheet.pdf


Computer Security at Nuclear Facilities Lecture 4 (of 4)

Recommended reading:
1. IEC 63096 Nuclear power plants - Instrumentation and control systems - Security controls
2. IAEA NST047, Computer Security Techniques for Nuclear Facilities, Technical Guidance http://www-ns.iaea.org/downloads/security/security-series-drafts/tech-guidance/nst047.pdf


Conclusion: Lecture 4 Objectives
• Responsibilities for computer security at nuclear facilities
• Categorization of functions and systems for determination of appropriate level of safety and computer security protection
• Defensive computer security architecture at nuclear facilities
  • defence-in-depth, graded approach to computer security, security levels, security zones
  • computer security architecture modeling
• Introduction to computer security assurance
• Conclusions