Title: Cyber Security Plans: Potential Impacts for Meteorology Programs
1. Cyber Security Plans: Potential Impacts for Meteorology Programs
- Cliff Glantz and Guy Landine
- Pacific Northwest National Laboratory
- cliff.glantz_at_pnnl.gov
- 509-375-2166
2. Acknowledgements
- Guy Landine, Phil Craig, and Will Hutton (PNNL)
- David Rahn and Mario Fernandez (NRC)
- Jeff Hahn and Barry O'Brien (INL)
- Ray Parks and John Michalski (SNL)
3. Outline
- Key cyber security definitions
- Why should you be concerned with cyber security?
- The cyber threat -- where does it come from?
- Review of the rules, guidance, and commitments for nuclear industry cyber security
- Cyber Security Plans: what are the licensees committing to?
- What does this mean for meteorological programs?
4. Key Definitions
- Cyber Security -- measures taken to protect digital equipment/systems against unauthorized access or attack
- Cyber Attack -- any event in which an adversary attempts or commits a malicious exploitation of a digital system.
- The NRC focuses on systems that perform a function.
- A critical system (CS) is a system that has a
  - (1) safety-related function
  - (2) important-to-safety function
  - (3) security function
  - (4) emergency preparedness function (incl. offsite comm.)
- Also includes support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
5. Cyber Security is a Hot Topic
- Headline stories encountered while preparing this talk
  - Vigilante hackers group Anonymous declared an online attack against the International Monetary Fund over the strict conditions imposed by its bailout for Greece. (AFP)
  - The Pentagon said that it would consider all options if the United States were hit by a cyber attack and the Defense Department is developing the first military guidelines for the age of Internet warfare. (AFP)
  - Hackers launched a significant and tenacious cyber attack on Lockheed Martin, a major defense contractor holding highly sensitive information (AP)
6. Cyber Security Threat
- Terrorist groups and their sympathizers have expressed interest in using cyber means to target the United States and its citizens
- Criminal elements continue to show growing sophistication in their technical capability and targeting. Today, cyber criminals operate a pervasive, mature on-line service economy in illicit cyber capabilities and services, which are available to anyone willing to pay.

-- Dennis Blair, Former White House Director of National Intelligence (Feb. 2, 2010)
7. Threat Agents
8. In the Past, What Could a Cyber Threat Exploit?
- Not much 20 years ago, when nuclear plant systems featured
  - Limited use of digital systems
  - Proprietary operating systems
  - Legacy hardware
  - Systems dedicated to functions
  - Isolated networks
  - Stand-alone systems
  - Mainframe with dumb terminals
9. What Can the Cyber Threat Exploit Today?
- A lot more! Nuclear facilities are increasingly using
  - Networked, PC-based client-server architecture
  - Modern operating systems with continuously discovered emerging vulnerabilities
  - Non-proprietary hardware
  - Commercial off-the-shelf (COTS) applications
  - Distributed data
  - Expanded use of internet and intranet communications
- This is the same trend observed in general industry and other critical infrastructures, though the nuclear industry's implementation often trails by a few years
10. Driving Factors for Change and Security Tradeoffs
- Driving Factors
  - Desire for increased functionality
  - Obsolescence issues (analog parts/support are lacking)
  - Advances in PC technology
  - Increased capabilities and lower equipment costs
  - Drive to share data and conduct data mining
- Security Tradeoffs
  - Well known architectures and operating systems
  - Increased operating system complexity
  - Inadequate vendor testing and uncertain vendor security
  - Testing limitations on operational systems
  - Increased connectivity leads to increased risk
  - Widespread availability of hacking tools/capabilities
11. Response by the NRC and Industry
- There is growing recognition of the potential threat and consequences of a cyber attack
- There is a recognized need for cyber security guidance.
- However
  - It takes a long time to develop effective cyber security rules, regulations, and guidance
  - Added expense
  - Short-term loss of productivity
  - Shortage of trained cyber security experts who are knowledgeable of the control system environment.
12. NRC and Industry Cyber Security Milestones
- NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants (2002). Identify digital systems critical to the safe operation of a plant and evaluate the potential consequences of a compromise.
- NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage (2003). Required each plant to develop a cyber security program.
- NUREG/CR-6847, Cyber Security Self-Assessment Method for US Nuclear Power Plants (2004)
- NUREG/CR-6852, An Examination of Cyber Security at Several U.S. Nuclear Power Plants (2005)
- NEI-04-04, Cyber Security Program for Power Reactors (2004)
13. NRC Cyber Security Milestones
- Regulatory Guide 5.69, Guidance for the Application of the Radiological DBT in the Design, Development and Implementation of a Physical Security Protection Program that Meets 10 CFR 73.55 Requirements
- 10 CFR 73.1 (2007), Design Basis Threat Rule
- 10 CFR 73.54 (2009), Protection of Digital Computer and Communication Systems and Networks.
- Regulatory Guide 5.71 (2010), Cyber Security Programs for Nuclear Facilities
- NEI 08-09 Rev. 6 (2010), Cyber Security Plan For Power Reactors
- Licensee Cyber Security Plans (2011?)
14. 10 CFR 73.54: Brief, General Requirements
15. Cyber Security Rule (10 CFR 73.54) Requires
- Provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks
- Applies to safety, security, and emergency preparedness (SSEP) systems and those digital devices that can adversely affect SSEP functions.
- Protect the confidentiality, availability, and integrity of systems and data.
- Analyze all digital assets, systems, and networks to determine which ones require protection under this Rule.
- Establish, implement, and maintain a cyber security program to protect these assets.
- Implement security controls to protect the identified assets from cyber attacks.
16. Cyber Security Rule 73.54 (Cont.) Requirements
- Apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks.
- Ensure that the functions performed by the critical assets are not impacted due to cyber attacks.
- Ensure that personnel, including contractors, are aware of cyber security requirements and receive training appropriate to their duties.
- Evaluate and manage cyber risks.
- Ensure that modifications to assets or the facility are evaluated prior to implementation to ensure that cyber security performance objectives are met.
17. Cyber Security Rule 73.54 (Cont.) Requirements
- Implement an Incident Response and Recovery Plan
  - Maintain the capability for timely detection and response to cyber attacks
  - Mitigate consequences of cyber attacks
  - Correct exploited vulnerabilities
  - Restore affected systems, networks, or equipment
- Develop and maintain written policies and procedures for implementing the program and plan requirements. Make these available for inspection by NRC.
- Periodically review the effectiveness of the program.
- The cyber security program shall be a component of the physical security program.
- Retain cyber security-related records for at least 3 years.
18. What Have the Licensees Committed to Do in Their Cyber Security Plans?
- Analyze all digital computer, communication systems and networks and identify CSs and associated digital assets.
- Form a Cyber Security Assessment Team (CSAT) to
  - Oversee the cyber security assessment process
  - Evaluate potential threats, vulnerabilities, consequences
  - Evaluate and document the effectiveness of existing cyber security training, security controls, defensive strategies, and attack mitigation methods
  - Confirm findings of tabletop reviews and conduct walk-down inspections and/or electronic verification of all CSs
19. CSP Requires: Implement a Defensive Architecture
20. CSP Requires: A Comprehensive Set of Security Controls
- Security Controls fall into three classes
  - Management
  - Operational
  - Technical
- Each class is made up of families of security controls.
- Management Class of Security Controls
  - Analyzing Digital Computer Systems and Applying Cyber Security Controls
  - Cyber Security Assessment and Authorization
  - System and Service Acquisition
  - Evaluate and Manage Cyber Risk
21. Security Controls (cont.)
- Operational Class of Security Controls
  - Defense-in-Depth
  - System and Information Integrity
  - Cyber Security Training
  - Configuration Management
  - Maintenance
  - Media Protection
  - Cyber Security Contingency Planning (Continuity of Operations)
  - Attack Mitigation and Incident Response
  - Personnel Security
  - Physical and Operational Environmental Protection
22. Security Controls (cont.)
- Technical Class of Security Controls
  - Access Control
  - Audit and Accountability
  - Identification and Authentication
  - CDA, System and Communications Protection
  - System Hardening
- The three classes of security controls are divided into 19 families, which in turn contain close to 140 individual security controls. Each security control has a number of required elements.
23. A Simple Example
- System and Service Acquisition
  - System and Service Acquisition Policy and Procedures
  - Supply Chain Protection
    - Establish trusted distribution paths
    - Validation of Vendors
    - Tamper proof products or tamper seals are required
  - Trustworthiness (QA of software)
  - Integration of Security Capabilities (follow security controls)
  - Developer Security Testing
    - Developers/integrators must create a security test and evaluation plan and an implementation plan
    - Products must meet security requirements and be free of testable vulnerabilities and known malicious code.
  - Licensee Security Testing
24. CSP Requires: Ongoing Assessment of Cyber Security Controls
- Monitoring is required to confirm that security controls are implemented correctly, operating as intended, and achieving security goals
- Electronic vulnerability scanning of CSs is required.
- When there is a risk of operational disruption, electronic vulnerability scans are conducted during periods of scheduled outage. Test beds and vendor-maintained environments may be used for, or in substitution for, performing vulnerability scans.
25. CSP Requirements for Modifying or Dropping a Security Control
- Alternative security controls can be employed if you
  - Document the basis for employing alternative countermeasures
  - Analyze and document the alternative countermeasure to show it provides a level of protection
- One or more required security controls can be dropped after
  - Performing an analysis that demonstrates the attack vector that these security control(s) defend against does not exist on this CS. This demonstrates that these security control(s) are not necessary on this CS.
  - Documenting the analysis so that it is available for review by NRC inspectors.
26. What Questions Should Meteorological Systems Owners be Asking Themselves?
- Are my met monitoring/processing systems connected to systems that perform SSEP functions?
- Do my digital communications conform to the defensive architecture requirements?
- What form is my data communication? Does it use TCP/IP? Or does it use a more secure method?
- How do I know my met hardware (e.g., data loggers) and software are secure? Do I know my vendor's security program? What is their security testing program?
- Do I regularly patch my operating systems?
- Can vendors remotely access my met systems?
- How do I maintain adequate physical security on met systems located outside the perimeter fence?
27. A New Age of Cyber Security is Dawning
- There are a lot of bad guys out there looking to compromise nuclear power plant systems.
- Cyber security enhances overall plant security.
- It will take time and resources to appropriately implement the CSP.
- There may be a need to rethink how you do your digital communications.
- Don't get caught with your pants down! Be aware of what is coming and be proactive in your planning!
28. Discussion, Questions, Comments?
- Cliff Glantz
- PNNL
- PO Box 999
- Richland, WA 99352
- 509-375-2166
- cliff.glantz_at_pnnl.gov