Cyber Security Plans: Potential Impacts for Meteorology Programs

1
Cyber Security Plans Potential Impacts for
Meteorology Programs

• Cliff Glantz and Guy Landine
• Pacific Northwest National Laboratory
• cliff.glantz_at_pnnl.gov
• 509-375-2166

2
Acknowledgements

• Guy Landine, Phil Craig, and Will Hutton (PNNL)
• David Rahn and Mario Fernandez (NRC)
• Jeff Hahn and Barry OBrien (INL)
• Ray Parks and John Michalski (SNL)

3
Outline

• Key cyber security definitions
• Why should you be concerned with cyber security?
  
• The cyber threat -- where does it come from?
• Review of the rules, guidance, and commitments
  for nuclear industry cyber security
• Cyber Security Plans what are the licensees
  committing to?
• What does this mean for meteorological programs?

4
Key Definitions

• Cyber Security -- measures taken to protect
  digital equipment/systems against unauthorized
  access or attack
• Cyber Attack is any event in which an adversary
  attempts or commits a malicious exploitation of a
  digital system.
• The NRC focuses on systems that perform a
  function.
• A critical system (CS) is a system that has a
• (1) safety-related function
• (2) important-to-safety function
• (3) security function
• (4) emergency preparedness function (incl.
  offsite comm.)
• Also includes support systems and equipment
  which, if compromised, would adversely impact
  safety, security, or emergency preparedness
  functions.

5
Cyber Security is a Hot Topic

• Headline stories encountered while preparing this
  talk
• Vigilante hackers group Anonymous declared and
  online attack against the International Monetary
  Fund over the strict conditions imposed by its
  bailout for Greece. (AFP)
• The Pentagon said that it would consider all
  options if the United Stations were hit by a
  cyber attack and the Defense Department is
  developing the first military guidelines for the
  age of Internet warfare. (AFP)
• Hackers launched a significant and tenacious
  cyber attack on Lockheed Martin, a major defense
  contractor holding highly sensitive information
  (AP)

6
Cyber Security Threat

• Terrorist groups and their sympathizers have
  expressed interest in using cyber means to target
  the United States and its citizens
• Criminal elements continue to show growing
  sophistication in their technical capability and
  targeting. Today, cyber criminals operate a
  pervasive, mature on-line service economy in
  illicit cyber capabilities and services, which
  are available to anyone willing to pay.
• -- Dennis Blair, Former White House Director of
  National Intelligence (Feb. 2, 2010)

7
Threat Agents
8
In the Past, What Could a Cyber Threat Exploit?

• Not much 20 years ago, when nuclear plant systems
  featured
• Limited use of digital systems
• Proprietary operating systems
• Legacy hardware
• Systems dedicated to functions
• Isolated networks
• Stand-alone Systems
• Main Frame with Dumb Terminals

9
What Can the Cyber Threat Exploit Today?

• A lot more! Nuclear facilities are increasing
  using
• Networked, PC-based client-server architecture
• Modern operating systems with continuously
  discovered emerging vulnerabilities
• Non-proprietary hardware
• Commercial off-the-shelf (COTS) applications
• Distributed data
• Expanded use of internet and intranet
  communications
• This is the same trend observed in general
  industry and other critical infrastructures,
  though the nuclear industrys implementation
  often trails by a few years

10
Driving Factors for Change Security Tradeoffs

• Driving Factors
• Desire for increased functionality
• Obsolescence issues (analog parts/support are
  lacking)
• Advances in PC technology
• Increased capabilities and lower equipment costs
• Drive to share data and conduct data mining
• Security Tradeoffs
• Well known architectures and operating systems
• Increased operating system complexity
• Inadequate vendor testing and uncertain vendor
  security
• Testing limitations on operational systems
• Increased connectivity leads to increased risk
• Widespread availability of hacking
  tools/capabilities

11
Response by the NRC and Industry

• There is growing recognition of the potential
  threat and consequences of a cyber attack
• There is a recognized need for cyber security
  guidance.
• However
• It takes a long time to develop effective cyber
  security rules, regulations, and guidance
• Added expense
• Short-term loss of productivity
• Shortage of trained cyber security experts who
  are knowledgeable of the control system
  environment.

12
NRC and Industry Cyber Security Milestones

• NRC Order EA-02-026, Interim Safeguards and
  Security Compensatory Measures for Nuclear Power
  Plants, (2002). Identify digital systems critical
  to the safe operation of a plant and evaluate the
  potential consequences of a compromise.
• NRC Order EA-03-086, Design Basis Threat for
  Radiological Sabotage (2003). Required each
  plant to develop a cyber security program.
• NUREG/CR-6847 Cyber Security Self-Assessment
  Method for US Nuclear Power Plants (2004)
• NUREG/CR-6852 An Examination of Cyber Security at
  Several U.S. Nuclear Power Plants (2005)
• NEI-04-04 Cyber Security Program for Power
  Reactors (2004)

13
NRC Cyber Security Milestones

• Regulatory Guide 5.69 Guidance for the
  Application of the Radiological DBT in the
  Design, Development and Implementation of a
  Physical Security Protection Program that Meets
  10 CFR 73.55 Requirements
• 10 CFR 73.1 (2007) Design Basis Threat Rule
• 10 CFR 73.54 (2009) Protection of Digital
  Computer and Communication Systems and Networks.
• Regulatory Guide 5.71 (2010) Cyber Security
  Programs for Nuclear Facilities
• NEI 08-09 Rev. 6 (2010) Cyber Security Plan For
  Power Reactors
• Licensee Cyber Security Plans (2011?)

14
10 CFR 73.54 Brief, General Requirements
15
Cyber Security Rule (10 CFR 73.54) Requires

• Provide high assurance that digital computer and
  communication systems and networks are adequately
  protected against cyber attacks
• Applies to safety, security, and emergency
  preparedness (SSEP) systems and those digital
  devices that can that can adversely affect SSEP
  functions.
• Protect the confidentiality, availability, and
  integrity of systems and data.
• Analyze all digital assets, systems, and networks
  to determine which ones require protection under
  this Rule.
• Establish, implement, and maintain a cyber
  security program to protect these assets.
• Implement security controls to protect the
  identified assets from cyber attacks.

16
Cyber Security Rule 73.54 (Cont.) Requirements

• Apply and maintain defense-in-depth protective
  strategies to ensure the capability to detect,
  respond to, and recover from cyber attacks.
• Ensure that the functions performed by the
  critical assets are not impacted due to cyber
  attacks.
• Ensure that personnel, including contractors, are
  aware of cyber security requirements and receive
  training appropriate to their duties.
• Evaluate and manage cyber risks.
• Ensure that modifications to assets or the
  facility are evaluated prior to implementation to
  ensure that cyber security performance objectives
  are met.

17
Cyber Security Rule 73.54 (Cont.) Requirements

• Implement an Incident Response and Recovery Plan
• Maintain the capability for timely detection and
  response to cyber attacks
• Mitigate consequences of cyber attacks
• Correct exploited vulnerabilities
• Restore affected systems, networks, or equipment
• Develop and maintain written policies and
  procedures for implementing the program and plan
  requirements. Make these available for
  inspection by NRC.
• Periodically review the effectiveness of the
  program.
• The cyber security program shall be a component
  of the physical security program.
• Retain cyber security-related records for at
  least 3 years.

18
What have the Licensees Committed to do in their
Cyber Security Plans?

• Analyze all digital computer, communication
  systems and networks and identify CSs and
  associated digital assets.
• Form a Cyber Security Assessment Team (CSAT) to
• Oversee the cyber security assessment process
• Evaluate potential threats, vulnerabilities,
  consequences
• Evaluate and document the effectiveness of
  existing cyber security training, security
  controls, defensive strategies, and attack
  mitigation methods
• Confirm findings of tabletop reviews and conduct
  walk-down inspections and/or electronic
  verification of all CSs

19
CSP Requires Implement a Defensive Architecture
20
CSP Requires A Comprehensive Set of Security
Controls

• Security Controls fall into three classes
• Management
• Operational
• Technical
• Each class is made up of families of security
  controls.
• Management Class of Security Controls
• Analyzing Digital Computer Systems and Applying
  Cyber Security Controls
• Cyber Security Assessment and Authorization
• System and Service Acquisition
• Evaluate and Manage Cyber Risk
•  

21
Security Controls (cont)

• Operational Class of Security Controls
• Defense-in-Depth
• System and Information Integrity
• Cyber Security Training
• Configuration Management
• Maintenance
• Media Protection
• Cyber Security Contingency Planning (Continuity
  of Operations)
• Attack Mitigation and Incident Response
• Personnel Security
• Physical and Operational Environmental Protection
  

22
Security Controls (cont)

• Technical Class of Security Controls
• Access Control
• Audit and Accountability
• Identification and Authentication
• CDA, System and Communications Protection
• System Hardening
• The three classes of security controls are
  divided into 19 families, which in turn contain
  close to 140 individual security controls. Each
  security controls has number of required
  elements.

23
A simple example

• System and Service Acquisition
• System and Service Acquisition Policy and
  Procedures
• Supply Chain Protection
• Establish trusted distribution paths
• Validation of Vendors
• Tamper proof products or tamper seals are
  required
• Trustworthiness (QA of software)
• Integration of Security Capabilities (follow
  security controls)
• Developer Security Testing
• Developers/integrations must create a security
  test and evaluation plan and an implementation
  plan
• Products must meet security requirements and be
  free of testable vulnerabilities and known
  malicious code.
• Licensee Security Testing

24
CSP Requires Ongoing Assessment of Cyber
Security Controls

• Monitoring is required to confirm that security
  controls are implemented correctly, operating as
  intended, and achieving security goals
• Electronic vulnerability scanning of CSs is
  required.
• When there is a risk of operational disruption,
  electronic vulnerability scans are conducted
  during periods of scheduled outage. Test beds
  and vendor maintained environments may be used
  for or in substitution for performing
  vulnerability scans.

25
CSP Requirements for Modifying or Dropping a
Security Control

• Alternative security controls can be employed if
  you
• Document the basis for employing alternative
  countermeasures
• Analyze and document the alternative
  countermeasure to show it provides a level of
  protection
• One or more required security controls can be
  dropped after
• Performing an analysis that demonstrates the
  attack vector that these security control(s)
  defend against does not exist on this CS. This
  demonstrates that these security control(s) are
  not necessary on this CS.
• Documenting the analysis so that it is available
  for review by NRC inspectors.

26
What Questions Should Meteorological Systems
Owners be Asking Themselves?

• Are my met monitoring/processing systems
  connected to systems that perform SSEP systems?
• Do my digital communications conform to the
  defensive architecture requirements?
• What form is my data communication? Does it use
  TCP/IP? Or does it use a more secure method?
• How do I know my met hardware (e.g., data
  loggers) and software are secure? Do I know my
  vendors security program? What is their security
  testing program?
• Do I regularly patch my operating systems?
• Can vendors remotely access my met systems?
• How do I maintain adequate physical security on
  met systems located outside the perimeter fence?

27
A New Age of Cyber Security is Dawning

• There are a lot of bad guys out there looking to
  compromise nuclear power plant systems.
• Cyber security enhances overall plant security.
• It will take time and resources to appropriately
  implement the CSP.
• There may be a need to rethink how you do your
  digital communications.
• Dont get caught with your pants down! Be aware
  of what is coming and be proactive in your
  planning!

28
Discussion, Questions, Comments?

• Cliff Glantz
• PNNL
• PO Box 999
• Richland, WA 99352
• 509-375-2166
• cliff.glantz_at_pnnl.gov