Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber Security Plans: Potential Impacts for Meteorology Programs

Similar presentations

Presentation on theme: "Cyber Security Plans: Potential Impacts for Meteorology Programs"— Presentation transcript:

1 Cyber Security Plans: Potential Impacts for Meteorology Programs
Cliff Glantz and Guy Landine Pacific Northwest National Laboratory

2 Acknowledgements Guy Landine, Phil Craig, and Will Hutton (PNNL)
David Rahn and Mario Fernandez (NRC) Jeff Hahn and Barry O’Brien (INL) Ray Parks and John Michalski (SNL)

3 Outline Key cyber security definitions
Why should you be concerned with cyber security? The cyber threat -- where does it come from? Review of the rules, guidance, and commitments for nuclear industry cyber security Cyber Security Plans – what are the licensees committing to? What does this mean for meteorological programs?

4 Key Definitions Cyber Security -- measures taken to protect digital equipment/systems against unauthorized access or attack Cyber Attack is any event in which an adversary attempts or commits a malicious exploitation of a digital system. The NRC focuses on systems that perform a function. A critical system (CS) is a system that has a: (1) safety-related function (2) important-to-safety function (3) security function (4) emergency preparedness function (incl. offsite comm.) Also includes support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

5 Cyber Security is a “Hot” Topic
Headline stories encountered while preparing this talk: “Vigilante hackers group ‘Anonymous’ declared and online attack against the International Monetary Fund” over the strict conditions imposed by its bailout for Greece”. (AFP) “The Pentagon said that it would consider all options if the United Stations were hit by a cyber attack” and the Defense Department is developing “the first military guidelines for the age of Internet warfare.” (AFP) “Hackers launched a ‘significant and tenacious’ cyber attack on Lockheed Martin, a major defense contractor holding highly sensitive information” (AP)

6 Cyber Security Threat “Terrorist groups and their sympathizers have expressed interest in using cyber means to target the United States and its citizens” “Criminal elements continue to show growing sophistication in their technical capability and targeting. Today, cyber criminals operate a pervasive, mature on-line service economy in illicit cyber capabilities and services, which are available to anyone willing to pay.” -- Dennis Blair, Former White House Director of National Intelligence (Feb. 2, 2010)

7 Threat Agents Insiders Hostile Countries Terrorists and Criminals
Attackers May Utilize Each others Resources… Hackers/Crackers Break into computers for profit or bragging rights Insiders Disrupt their corporate network, sometimes an accident, often for revenge Hostile Countries Attack enemy countries’ computers and infrastructure Terrorists and Criminals Attack systems for cause or ideology or profit

8 In the Past, What Could a Cyber Threat Exploit?
Not much 20 years ago, when nuclear plant systems featured: Limited use of digital systems Proprietary operating systems Legacy hardware Systems dedicated to functions Isolated networks Stand-alone Systems Main Frame with Dumb Terminals

9 What Can the Cyber Threat Exploit Today?
4/13/2017 What Can the Cyber Threat Exploit Today? A lot more! Nuclear facilities are increasing using: Networked, PC-based client-server architecture Modern operating systems with continuously discovered emerging vulnerabilities Non-proprietary hardware Commercial off-the-shelf (COTS) applications Distributed data Expanded use of internet and intranet communications This is the same trend observed in general industry and other critical infrastructures, though the nuclear industry’s implementation often trails by a few years…

10 Driving Factors for Change & Security Tradeoffs
4/13/2017 Driving Factors for Change & Security Tradeoffs Driving Factors: Desire for increased functionality Obsolescence issues (analog parts/support are lacking) Advances in PC technology Increased capabilities and lower equipment costs Drive to share data and conduct data mining Security Tradeoffs: Well known architectures and operating systems Increased operating system complexity Inadequate vendor testing and uncertain vendor security Testing limitations on operational systems Increased connectivity leads to increased risk Widespread availability of hacking tools/capabilities

11 Response by the NRC and Industry
There is growing recognition of the potential threat and consequences of a cyber attack There is a recognized need for cyber security guidance. However; It takes a long time to develop effective cyber security rules, regulations, and guidance Added expense Short-term loss of productivity Shortage of trained cyber security experts who are knowledgeable of the control system environment.

12 NRC and Industry Cyber Security Milestones
NRC Order EA , Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants, (2002). Identify digital systems critical to the safe operation of a plant and evaluate the potential consequences of a compromise. NRC Order EA , Design Basis Threat for Radiological Sabotage (2003). Required each plant to develop a cyber security program. NUREG/CR-6847 Cyber Security Self- Assessment Method for US Nuclear Power Plants (2004) NUREG/CR-6852 An Examination of Cyber Security at Several U.S. Nuclear Power Plants (2005) NEI Cyber Security Program for Power Reactors (2004)

13 NRC Cyber Security Milestones
Regulatory Guide 5.69 Guidance for the Application of the Radiological DBT in the Design, Development and Implementation of a Physical Security Protection Program that Meets 10 CFR Requirements 10 CFR 73.1 (2007) Design Basis Threat Rule 10 CFR (2009) Protection of Digital Computer and Communication Systems and Networks. Regulatory Guide 5.71 (2010) Cyber Security Programs for Nuclear Facilities NEI Rev. 6 (2010) Cyber Security Plan For Power Reactors Licensee Cyber Security Plans (2011?)

14 10 CFR 73.54 – Brief, General Requirements

15 Cyber Security Rule (10 CFR 73.54) Requires
“Provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks” Applies to safety, security, and emergency preparedness (SSEP) systems and those digital devices that can that can adversely affect SSEP functions. Protect the confidentiality, availability, and integrity of systems and data. Analyze all digital assets, systems, and networks to determine which ones require protection under this Rule. Establish, implement, and maintain a cyber security program to protect these assets. Implement security controls to protect the identified assets from cyber attacks.

16 Cyber Security Rule 73.54 (Cont.) Requirements
Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks. Ensure that the functions performed by the critical assets are not impacted due to cyber attacks. Ensure that personnel, including contractors, are aware of cyber security requirements and receive training appropriate to their duties. Evaluate and manage cyber risks. Ensure that modifications to assets or the facility are evaluated prior to implementation to ensure that cyber security performance objectives are met.

17 Cyber Security Rule 73.54 (Cont.) Requirements
Implement an Incident Response and Recovery Plan: Maintain the capability for timely detection and response to cyber attacks Mitigate consequences of cyber attacks Correct exploited vulnerabilities Restore affected systems, networks, or equipment Develop and maintain written policies and procedures for implementing the program and plan requirements. Make these available for inspection by NRC. Periodically review the effectiveness of the program. The cyber security program shall be a component of the physical security program. Retain cyber security-related records for at least 3 years.

18 What have the Licensees Committed to do in their Cyber Security Plans?
Analyze all digital computer, communication systems and networks and identify CSs and associated digital assets. Form a Cyber Security Assessment Team (CSAT) to: Oversee the cyber security assessment process Evaluate potential threats, vulnerabilities, consequences Evaluate and document the effectiveness of existing cyber security training, security controls, defensive strategies, and attack mitigation methods Confirm findings of tabletop reviews and conduct walk-down inspections and/or electronic verification of all CSs

19 CSP Requires: Implement a Defensive Architecture

20 CSP Requires: A Comprehensive Set of Security Controls
Security Controls fall into three classes: Management Operational Technical Each class is made up of families of security controls. Management Class of Security Controls Analyzing Digital Computer Systems and Applying Cyber Security Controls Cyber Security Assessment and Authorization System and Service Acquisition Evaluate and Manage Cyber Risk

21 Security Controls (cont)
Operational Class of Security Controls Defense-in-Depth System and Information Integrity Cyber Security Training Configuration Management Maintenance Media Protection Cyber Security Contingency Planning (Continuity of Operations) Attack Mitigation and Incident Response Personnel Security Physical and Operational Environmental Protection

22 Security Controls (cont)
Technical Class of Security Controls Access Control Audit and Accountability Identification and Authentication CDA, System and Communications Protection System Hardening The three classes of security controls are divided into 19 families, which in turn contain close to 140 individual security controls. Each security controls has number of required elements.

23 A simple example System and Service Acquisition
System and Service Acquisition Policy and Procedures Supply Chain Protection Establish trusted distribution paths Validation of Vendors Tamper proof products or tamper seals are required Trustworthiness (QA of software) Integration of Security Capabilities (follow security controls) Developer Security Testing Developers/integrations must create a security test and evaluation plan and an implementation plan Products must meet security requirements and be free of testable vulnerabilities and known malicious code. Licensee Security Testing

24 CSP Requires: Ongoing Assessment of Cyber Security Controls
Monitoring is required to confirm that security controls are implemented correctly, operating as intended, and achieving security goals Electronic vulnerability scanning of CSs is required. “When there is a risk of operational disruption, electronic vulnerability scans are conducted during periods of scheduled outage. Test beds and vendor maintained environments may be used for or in substitution for performing vulnerability scans.”

25 CSP Requirements for Modifying or Dropping a Security Control
Alternative security controls can be employed if you: Document the basis for employing alternative countermeasures Analyze and document the alternative countermeasure to show it provides a ≥ level of protection One or more required security controls can be dropped after: Performing an analysis that demonstrates the attack vector that these security control(s) defend against does not exist on this CS. This demonstrates that these security control(s) are not necessary on this CS. Documenting the analysis so that it is available for review by NRC inspectors.

26 What Questions Should Meteorological Systems “Owners” be Asking Themselves?
Are my met monitoring/processing systems connected to systems that perform SSEP systems? Do my digital communications conform to the defensive architecture requirements? What form is my data communication? Does it use TCP/IP? Or does it use a more secure method? How do I know my met hardware (e.g., data loggers) and software are secure? Do I know my vendors security program? What is their security testing program? Do I regularly patch my operating systems? Can vendors remotely access my met systems? How do I maintain adequate physical security on met systems located outside the perimeter fence?

27 A New Age of Cyber Security is Dawning
There are a lot of bad guys out there looking to compromise nuclear power plant systems. Cyber security enhances overall plant security. It will take time and resources to appropriately implement the CSP. There may be a need to rethink how you do your digital communications. Don’t get caught with your pants down! Be aware of what is coming and be proactive in your planning!

28 Discussion, Questions, Comments?
Cliff Glantz PNNL PO Box 999 Richland, WA

Download ppt "Cyber Security Plans: Potential Impacts for Meteorology Programs"

Similar presentations

Ads by Google