Cyber Security in a Nuclear Context
Mitchell Hewes & Nick Howarth
Our Facilities
UNCLASSIFIED
So what is Security?
risk = likelihood x impact
• In those terms, a security control reduces a risk by lowering its
likelihood, its impact, or both.
• How we rate a risk is weighted by our perception of the threat and by
our own historical experience.
Computer Security
• The application of security controls to a set of very complex
programmable electronic devices.
• “Digital Assets” encompassing the hardware, software and information
that make up those devices.
Makeup of a Control System
• Field Devices
• Field Controllers
Cyber Attacks
• Shamoon (2012 wiper malware used against Saudi Aramco)
• Stuxnet (2010, targeted Siemens PLCs at the Natanz enrichment plant)
• Siberian pipeline sabotage (1982, alleged; the account is disputed)
Protect the Process
• Confidentiality: Unauthorised logic changes must be prevented (strictly
an integrity requirement, but keeping control logic confidential also limits
an attacker's ability to plan such changes).
• Integrity: Field Device inputs and outputs must remain free of unauthorised
alteration throughout their usable lifetime.
• Availability: Everything should remain in an operable
How?
• Personnel Security
• Physical Security Controls
– “Perimeter” is not enough.
• Network Segregation
– It works! (if you do it properly)
• Ensure Authenticity (users, communications)
• Change Control
Air Gap
• Physical isolation of a network from unsecured networks.
– Provable unidirectional communication: data diode.
– Reduces the attack surface.
• Is it really possible to isolate a control system?
– Software patches.
– Engineering and maintenance updates.
• Each transfer/modification comes with a risk.
– Policy around transfers.
Priorities
• Plant Equipment fits into one of three categories.
1. Essential for Nuclear Safety.
2. Significant additional contribution to Nuclear Safety.
3. All other plant systems.
• Nuclear safety and nuclear security have a common
purpose — the protection of people, society and the environment.
INTERNATIONAL NUCLEAR SAFETY GROUP, The Interface Between Safety and Security at Nuclear Power Plants, INSAG-24, IAEA, Vienna (2010).
Design Problems
• Risks to a safety or safety-related system could have a significant
impact on the levels of defense in depth for the facility.
• The lifecycle of a typical nuclear facility is considerable.
– Reactor design to decommissioning can be 50-80 years.
– A waste storage facility: ???
• We are the custodians of these facilities and this
Technical Guidance
• Produced by the IAEA in consultation with states, regulators, and
facility operators.
– NSS 17 Computer Security at Nuclear Facilities
– NST047 Computer Security Techniques for Nuclear Facilities
– NST036 Computer Security for I&C Systems at Nuclear Facilities
• Openly available and offer advice that is relevant for even
A Graded Approach
• Many systems in a Nuclear Facility
– Protection System
– Physical Access Control System
– Reactor Control System
• All separate systems
– Consider and characterise risks to each individually
– Segregate and apply security controls to reduce risk
Don’t bolt it on…
Cyber Security at the
OPAL Research Reactor
A brief introduction to OPAL
• Open Pool Australian Light Water Reactor
• 20 MW thermal
• Utilisation:
– Radiopharmaceutical Production
– Silicon Doping (NTD)
– Neutron Beams (Bragg Institute)
– Other Irradiations
A brief introduction to OPAL
• 1997 – Replacement Research Reactor Project (RRRP) first funded
• 2000 – Contract signed with INVAP
• 2001 – License to construct issued
• 2006 – Operating license issued
• 12 August 2006 – First Criticality
• April 2007 – Official Opening
Protection Systems
• First Reactor Protection System
• Second Reactor Protection System
Control Systems
• Reactor Control and Monitoring System
• Other PLCs
A Disclaimer
• This is what we do at OPAL
• This may or may not be suitable for your own facilities
and organisations
Organisational
• Dedicated IT people for the plant
– Not corporate IT
– Not I&C Engineers
Physical
• Protected site
• Protected building
• Secure rooms and cabinets
• Monitoring
Physical
• No wireless
• No exceptions
Physical
• Keep contractors' IT assets away
– Maintain a dedicated computer for each contractor
– They'll complain, but they'll comply
• Keep corporate IT assets away
– Dedicated engineering workstations and laptops
Physical
• Don't leave boxes lying around
– Stand-alone systems rot
• Consolidate and virtualise whatever you can
– Vendors won't always appreciate it
Physical
• Keep your plant offline; use data diodes if you really
must have real-time access to plant data
• Physical media controls
– Physically block USB and other media ports; remove external
media drives
Logical
• Use data diodes to control what data is coming to/from
the plant
• Physical media control software, for instances where
you really must have physical media
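The Air Gap slide and the data diode points above both rest on the one property a diode guarantees: nothing comes back. The following added example (not code from the OPAL presentation or from any diode vendor; the frame layout, names and sample plant readings are assumptions for the demo) simulates what the two ends of such a link must do for themselves: sequence numbers and a CRC so corrupt frames are rejected, blind repetition as the only loss mitigation, and receiver-side gap detection, because no acknowledgement, NACK or retransmission request can ever cross the diode.

```python
"""Simulated data-diode (unidirectional) transfer.

Added example, not code from the OPAL presentation. A data diode has no
return path, so the receiver can never acknowledge, NACK or request a
resend; the sender must add sequence numbers, an integrity check and
redundancy itself, and the receiver must detect gaps on its own.
The frame layout, names and sample plant readings are assumptions.
"""
import struct
import zlib

MAGIC = b"DD"
HDR = struct.Struct("!2sIH")   # magic, 32-bit sequence number, payload length


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame = header || payload || CRC32(header || payload)."""
    body = HDR.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))


def decode_frame(frame: bytes):
    """Return (seq, payload), or None for a truncated or corrupt frame."""
    if len(frame) < HDR.size + 4:
        return None
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        return None
    magic, seq, length = HDR.unpack(body[:HDR.size])
    payload = body[HDR.size:]
    if magic != MAGIC or len(payload) != length:
        return None
    return seq, payload


def send(records, repeat=2):
    """Sender side: emit every frame `repeat` times. Blind repetition is the
    only loss mitigation available when nothing can come back."""
    wire = []
    for seq, rec in enumerate(records):
        wire.extend([encode_frame(seq, rec)] * repeat)
    return wire


class Receiver:
    """Receiver side: accept, de-duplicate, reject corrupt frames, report gaps."""

    def __init__(self):
        self.records = {}
        self.rejected = 0

    def accept(self, frame: bytes):
        parsed = decode_frame(frame)
        if parsed is None:
            self.rejected += 1
            return
        seq, payload = parsed
        self.records.setdefault(seq, payload)   # later duplicates are ignored

    def missing(self):
        """Sequence numbers never seen below the highest seen. These can be
        reported (and alarmed on) but never repaired across the diode."""
        if not self.records:
            return []
        top = max(self.records)
        return [s for s in range(top) if s not in self.records]


def demo():
    """Constructed scenario: three plant readings, two copies each; the
    channel corrupts one copy of record 0 and drops both copies of record 1."""
    plant = [b"RX-TEMP=312.4", b"RX-POWER=19.8MW", b"POOL-LEVEL=OK"]  # constructed
    wire = send(plant, repeat=2)   # frames 0,1 -> rec 0; 2,3 -> rec 1; 4,5 -> rec 2
    rx = Receiver()
    for i, frame in enumerate(wire):
        if i in (2, 3):
            continue                                        # lost in transit
        if i == 1:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # bit flip in the CRC
        rx.accept(frame)
    return rx


if __name__ == "__main__":
    rx = demo()
    print("received:", sorted(rx.records))
    print("rejected:", rx.rejected, "missing:", rx.missing())
```

One limitation worth noting: `missing()` only sees gaps below the highest sequence number received, so if every copy of the last record is lost the receiver sees no gap at all. That is why diode replication schemes add a heartbeat or end-of-batch frame, and why the transfer policy on the plant side still matters even with a provably one-way link.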
Logical
• Conventional cyber security controls
How did we get there?
• Australian Government Information Security Manual
(ISM), from the Australian Signals Directorate
• http://asd.gov.au
The ISM in Context
From high level controls…
…to low level controls
Process
Security Policy
• High level one-pager
Security Risk Management Plan
• What are the risks, and how bad are they?
• What controls will mitigate those risks, and how good are they?
System Security Plan
• How are we implementing those controls?
SOPs and other lower level Docs
• e.g. training material, checklists, forms
SRMP
• You already do HAZOPs and CHAZOPs; now do the same for IT security
• Generic SCADA Risk Management Framework for Australian Critical
Infrastructure, developed by the IT Security Expert Advisory Group (ITSEAG)
(revised March 2012)
http://www.tisn.gov.au/Documents/SCADA-Generic-Risk-Management-Framework.pdf
The ‘Top 35’
• Strategies to Mitigate Targeted Cyber Intrusions
http://www.asd.gov.au/infosec/top35mitigationstrategies.htm
• If you don’t want the whole ISM, do the Top 35
The ‘Top 4’
1. Application whitelisting of permitted/trusted programs, to prevent execution of
malicious or unapproved programs including .DLL files, scripts and installers.
2. Patch applications e.g. Java, PDF viewer, Flash, web browsers and Microsoft Office.
Patch/mitigate systems with "extreme risk" vulnerabilities within two days. Use the latest version of applications.
3. Patch operating system vulnerabilities. Patch/mitigate systems with "extreme risk"
vulnerabilities within two days. Use the latest suitable operating system version. Avoid Microsoft Windows XP.
4. Restrict administrative privileges to operating systems and applications based on
user duties. Such users should use a separate unprivileged account for email and web browsing.
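Item 1 of the Top 4 says "whitelisting of permitted/trusted programs", and the word that matters is which attribute of a program the rule keys on. The following added example (not OPAL's tooling and not an ASD artefact; the file names, contents and directory layout are constructed for the demo) contrasts a name-based rule with a content-hash rule: the hash rule is default-deny, blocks a renamed dropper, still accepts an approved binary that has been copied or renamed, and rejects an approved script once a single character in it is changed. It covers a .ps1 script as well as an executable, as the slide asks.

```python
"""Hash-based application allowlisting check.

Added example, not OPAL's tooling and not ASD's. It shows the point behind
Top 4 item 1: decide what may execute by content (a cryptographic hash here;
a publisher signature is the other common key), default-deny everything else,
and do not key on file name or path, which an attacker controls. The files,
names and contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Baseline taken from a known-good engineering workstation: one entry
    per approved executable, DLL, script or installer."""
    return {sha256_of(p) for p in approved_paths}


def allowed_by_hash(path: Path, allowlist) -> bool:
    """Default deny: run only if the content hash is on the list."""
    return sha256_of(path) in allowlist


def allowed_by_name(path: Path, approved_names) -> bool:
    """The weak rule, for contrast: anything with an approved file name runs."""
    return path.name in approved_names


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hmi = root / "hmi.exe"
        hmi.write_bytes(b"MZ approved HMI build 1.0")                  # constructed
        script = root / "maint.ps1"
        script.write_bytes(b"Get-Service | Where Status -eq Running")  # constructed
        allowlist = build_allowlist([hmi, script])
        names = {hmi.name, script.name}

        # 1. A dropper renamed to the approved name, dropped in another folder.
        (root / "tmp").mkdir()
        impostor = root / "tmp" / "hmi.exe"
        impostor.write_bytes(b"MZ not the HMI")                        # constructed
        # 2. The approved binary copied under a different name (e.g. from backup).
        moved = root / "hmi_backup.bin"
        moved.write_bytes(hmi.read_bytes())
        # 3. The approved script with one word altered after baselining.
        script.write_bytes(b"Get-Service | Where Status -eq Stopped")

        return {
            "hmi_hash": allowed_by_hash(hmi, allowlist),
            "impostor_name": allowed_by_name(impostor, names),
            "impostor_hash": allowed_by_hash(impostor, allowlist),
            "moved_name": allowed_by_name(moved, names),
            "moved_hash": allowed_by_hash(moved, allowlist),
            "tampered_script_hash": allowed_by_hash(script, allowlist),
        }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:22s} {'ALLOW' if verdict else 'DENY'}")
```

The trade-off a practitioner will hit immediately: a hash list has to be re-baselined after every approved update, which is exactly the traffic items 2 and 3 generate, so production products pair hash rules for rarely changed plant software with publisher-signature rules for frequently patched applications. Either way the decision is made on content, never on a path or a name.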