Presentation on theme: "Cyber Security Plans: Potential Impacts for Meteorology Programs"— Presentation transcript:
1Cyber Security Plans: Potential Impacts for Meteorology Programs Cliff Glantz and Guy LandinePacific Northwest National Laboratory
2Acknowledgements Guy Landine, Phil Craig, and Will Hutton (PNNL) David Rahn and Mario Fernandez (NRC)Jeff Hahn and Barry O’Brien (INL)Ray Parks and John Michalski (SNL)
3Outline Key cyber security definitions Why should you be concerned with cyber security?The cyber threat -- where does it come from?Review of the rules, guidance, and commitments for nuclear industry cyber securityCyber Security Plans – what are the licensees committing to?What does this mean for meteorological programs?
4Key DefinitionsCyber Security -- measures taken to protect digital equipment/systems against unauthorized access or attackCyber Attack is any event in which an adversary attempts or commits a malicious exploitation of a digital system.The NRC focuses on systems that perform a function.A critical system (CS) is a system that has a:(1) safety-related function(2) important-to-safety function(3) security function(4) emergency preparedness function (incl. offsite comm.)Also includes support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
5Cyber Security is a “Hot” Topic Headline stories encountered while preparing this talk:“Vigilante hackers group ‘Anonymous’ declared and online attack against the International Monetary Fund” over the strict conditions imposed by its bailout for Greece”. (AFP)“The Pentagon said that it would consider all options if the United Stations were hit by a cyber attack” and the Defense Department is developing “the first military guidelines for the age of Internet warfare.” (AFP)“Hackers launched a ‘significant and tenacious’ cyber attack on Lockheed Martin, a major defense contractor holding highly sensitive information” (AP)
6Cyber Security Threat“Terrorist groups and their sympathizers have expressed interest in using cyber means to target the United States and its citizens”“Criminal elements continue to show growing sophistication in their technical capability and targeting. Today, cyber criminals operate a pervasive, mature on-line service economy in illicit cyber capabilities and services, which are available to anyone willing to pay.”-- Dennis Blair, Former White House Director of National Intelligence (Feb. 2, 2010)
7Threat Agents Insiders Hostile Countries Terrorists and Criminals Attackers May Utilize Each others Resources…Hackers/CrackersBreak into computers for profit or bragging rightsInsidersDisrupt their corporate network, sometimes an accident, often for revengeHostile CountriesAttack enemy countries’ computers and infrastructureTerrorists and CriminalsAttack systems for cause or ideology or profit
8In the Past, What Could a Cyber Threat Exploit? Not much 20 years ago, when nuclear plant systems featured:Limited use of digital systemsProprietary operating systemsLegacy hardwareSystems dedicated to functionsIsolated networksStand-alone SystemsMain Frame with Dumb Terminals
9What Can the Cyber Threat Exploit Today? 4/13/2017What Can the Cyber Threat Exploit Today?A lot more! Nuclear facilities are increasing using:Networked, PC-based client-server architectureModern operating systems with continuously discovered emerging vulnerabilitiesNon-proprietary hardwareCommercial off-the-shelf (COTS) applicationsDistributed dataExpanded use of internet and intranet communicationsThis is the same trend observed in general industry and other critical infrastructures, though the nuclear industry’s implementation often trails by a few years…
10Driving Factors for Change & Security Tradeoffs 4/13/2017Driving Factors for Change & Security TradeoffsDriving Factors:Desire for increased functionalityObsolescence issues (analog parts/support are lacking)Advances in PC technologyIncreased capabilities and lower equipment costsDrive to share data and conduct data miningSecurity Tradeoffs:Well known architectures and operating systemsIncreased operating system complexityInadequate vendor testing and uncertain vendor securityTesting limitations on operational systemsIncreased connectivity leads to increased riskWidespread availability of hacking tools/capabilities
11Response by the NRC and Industry There is growing recognition of the potential threat and consequences of a cyber attackThere is a recognized need for cyber security guidance.However;It takes a long time to develop effective cyber security rules, regulations, and guidanceAdded expenseShort-term loss of productivityShortage of trained cyber security experts who are knowledgeable of the control system environment.
12NRC and Industry Cyber Security Milestones NRC Order EA , Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants, (2002). Identify digital systems critical to the safe operation of a plant and evaluate the potential consequences of a compromise.NRC Order EA , Design Basis Threat for Radiological Sabotage (2003). Required each plant to develop a cyber security program.NUREG/CR-6847 Cyber Security Self- Assessment Method for US Nuclear Power Plants (2004)NUREG/CR-6852 An Examination of Cyber Security at Several U.S. Nuclear Power Plants (2005)NEI Cyber Security Program for Power Reactors (2004)
13NRC Cyber Security Milestones Regulatory Guide 5.69 Guidance for the Application of the Radiological DBT in the Design, Development and Implementation of a Physical Security Protection Program that Meets 10 CFR Requirements10 CFR 73.1 (2007) Design Basis Threat Rule10 CFR (2009) Protection of Digital Computer and Communication Systems and Networks.Regulatory Guide 5.71 (2010) Cyber Security Programs for Nuclear FacilitiesNEI Rev. 6 (2010) Cyber Security Plan For Power ReactorsLicensee Cyber Security Plans (2011?)
15Cyber Security Rule (10 CFR 73.54) Requires “Provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks”Applies to safety, security, and emergency preparedness (SSEP) systems and those digital devices that can that can adversely affect SSEP functions.Protect the confidentiality, availability, and integrity of systems and data.Analyze all digital assets, systems, and networks to determine which ones require protection under this Rule.Establish, implement, and maintain a cyber security program to protect these assets.Implement security controls to protect the identified assets from cyber attacks.
16Cyber Security Rule 73.54 (Cont.) Requirements Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks.Ensure that the functions performed by the critical assets are not impacted due to cyber attacks.Ensure that personnel, including contractors, are aware of cyber security requirements and receive training appropriate to their duties.Evaluate and manage cyber risks.Ensure that modifications to assets or the facility are evaluated prior to implementation to ensure that cyber security performance objectives are met.
17Cyber Security Rule 73.54 (Cont.) Requirements Implement an Incident Response and Recovery Plan:Maintain the capability for timely detection and response to cyber attacksMitigate consequences of cyber attacksCorrect exploited vulnerabilitiesRestore affected systems, networks, or equipmentDevelop and maintain written policies and procedures for implementing the program and plan requirements. Make these available for inspection by NRC.Periodically review the effectiveness of the program.The cyber security program shall be a component of the physical security program.Retain cyber security-related records for at least 3 years.
18What have the Licensees Committed to do in their Cyber Security Plans? Analyze all digital computer, communication systems and networks and identify CSs and associated digital assets.Form a Cyber Security Assessment Team (CSAT) to:Oversee the cyber security assessment processEvaluate potential threats, vulnerabilities, consequencesEvaluate and document the effectiveness of existing cyber security training, security controls, defensive strategies, and attack mitigation methodsConfirm findings of tabletop reviews and conduct walk-down inspections and/or electronic verification of all CSs
19CSP Requires: Implement a Defensive Architecture
20CSP Requires: A Comprehensive Set of Security Controls Security Controls fall into three classes:ManagementOperationalTechnicalEach class is made up of families of security controls.Management Class of Security ControlsAnalyzing Digital Computer Systems and Applying Cyber Security ControlsCyber Security Assessment and AuthorizationSystem and Service AcquisitionEvaluate and Manage Cyber Risk
21Security Controls (cont) Operational Class of Security ControlsDefense-in-DepthSystem and Information IntegrityCyber Security TrainingConfiguration ManagementMaintenanceMedia ProtectionCyber Security Contingency Planning (Continuity of Operations)Attack Mitigation and Incident ResponsePersonnel SecurityPhysical and Operational Environmental Protection
22Security Controls (cont) Technical Class of Security ControlsAccess ControlAudit and AccountabilityIdentification and AuthenticationCDA, System and Communications ProtectionSystem HardeningThe three classes of security controls are divided into 19 families, which in turn contain close to 140 individual security controls. Each security controls has number of required elements.
23A simple example System and Service Acquisition System and Service Acquisition Policy and ProceduresSupply Chain ProtectionEstablish trusted distribution pathsValidation of VendorsTamper proof products or tamper seals are requiredTrustworthiness (QA of software)Integration of Security Capabilities (follow security controls)Developer Security TestingDevelopers/integrations must create a security test and evaluation plan and an implementation planProducts must meet security requirements and be free of testable vulnerabilities and known malicious code.Licensee Security Testing
24CSP Requires: Ongoing Assessment of Cyber Security Controls Monitoring is required to confirm that security controls are implemented correctly, operating as intended, and achieving security goalsElectronic vulnerability scanning of CSs is required.“When there is a risk of operational disruption, electronic vulnerability scans are conducted during periods of scheduled outage. Test beds and vendor maintained environments may be used for or in substitution for performing vulnerability scans.”
25CSP Requirements for Modifying or Dropping a Security Control Alternative security controls can be employed if you:Document the basis for employing alternative countermeasuresAnalyze and document the alternative countermeasure to show it provides a ≥ level of protectionOne or more required security controls can be dropped after:Performing an analysis that demonstrates the attack vector that these security control(s) defend against does not exist on this CS. This demonstrates that these security control(s) are not necessary on this CS.Documenting the analysis so that it is available for review by NRC inspectors.
26What Questions Should Meteorological Systems “Owners” be Asking Themselves? Are my met monitoring/processing systems connected to systems that perform SSEP systems?Do my digital communications conform to the defensive architecture requirements?What form is my data communication? Does it use TCP/IP? Or does it use a more secure method?How do I know my met hardware (e.g., data loggers) and software are secure? Do I know my vendors security program? What is their security testing program?Do I regularly patch my operating systems?Can vendors remotely access my met systems?How do I maintain adequate physical security on met systems located outside the perimeter fence?
27A New Age of Cyber Security is Dawning There are a lot of bad guys out there looking to compromise nuclear power plant systems.Cyber security enhances overall plant security.It will take time and resources to appropriately implement the CSP.There may be a need to rethink how you do your digital communications.Don’t get caught with your pants down! Be aware of what is coming and be proactive in your planning!
28Discussion, Questions, Comments? Cliff GlantzPNNLPO Box 999Richland, WA