PLANNING, DESIGN AND IMPLEMENTATION OF PKI FOR THE INCREASING I - PowerPoint PPT Presentation

About This Presentation
Title:

PLANNING, DESIGN AND IMPLEMENTATION OF PKI FOR THE INCREASING I

Description:

State Institute of Information Technology, Lithuania ... HIGH RELIABILITY FOR I & C & ITT SEPARATION MEANS; DECREASED PRICE OF PKI TECHNOLOGIES. ... – PowerPoint PPT presentation

Slides: 22
Provided by: danu7

Transcript and Presenter's Notes



1
PLANNING, DESIGN AND IMPLEMENTATION OF PKI FOR THE
INCREASING I&C SAFETY.
State Institute of Information
Technology, Lithuania
  • Saulius Sidaras
  • Director, State Institute of Information
    Technology, Lithuania
  • E-mail: saulsid@viti.lt
  • IAEA Technical Meeting on
  • Impact of Modern Technology on Instrumentation
    and Control in Nuclear Power Plants
  • (621-I2-TM-26932)
  • 13 to 16 September 2005, Chatou, France

2
SUMMARY
State Institute of Information
Technology, Lithuania
  • INTRODUCTION
  • WHY NOW?
  • AUTHORIZATION MANAGEMENT
  • CHARACTERISTICS OF IDENTIFICATION MEANS
  • I&C & ITT FRAGMENTS
  • SAFETY AND SECURITY REQUIREMENTS
  • WHAT TO DO?
  • IMPLEMENTATION OF PKI STRUCTURE
  • THREE GENERAL KEY TASKS FOR SECURITY IN VIRTUAL
    AREAS
  • IMPLEMENTATION PROBLEMS AT PLANT
  • ROI REALIZED?

3
INTRODUCTION
  • There is no doubt that Public Key Infrastructure
    (PKI), built on public key cryptography, is a
    fundamental facility for ensuring security on the
    Internet. Among the advantages PKI can offer an
    organization are:
  • Authentication
  • Access Control
  • Data (incl. Code) Integrity
  • Non-repudiation
  • Confidential Communication.
  • Surprisingly few organizations adequately
    protect themselves from eavesdropping, data
    theft and other forms of fraud.
  • PKI is not a new idea or method, but a
    well-structured and mature one, with reliable
    technologies that are ready; now is the best time
    to implement it.

4
WHY NOW?
  • HIGH RELIABILITY OF AUTHORIZATION MANAGEMENT WITH
    PKI
  • WORLDWIDE IDENTIFICATION MEANS ARE CLOSE TO FULL
    DEPLOYMENT
  • HIGH RELIABILITY FOR I&C & ITT SEPARATION
    MEANS
  • DECREASED PRICE OF PKI TECHNOLOGIES.

5
AUTHORIZATION MANAGEMENT
  • A very well developed INFOSEC discipline for
    protection of classified material exists.
  • Nuclear power plant information resources are
    generally not classified; however, the most
    sensitive ones, and software code, can be treated
    as equivalent to classified material.
  • Risk management allows flexibility through
    various protection levels against unauthorized
    access to material of the classified class.
  • Protective security can use a multi-layered
    approach known as defence in depth: combining
    several measures so that unauthorized access is
    difficult both for an external intruder and for
    an employee without a need to know.
  • All codes and their modifications (according to
    configuration management) can be signed only by
    an authorized employee.

6
CHARACTERISTICS OF IDENTIFICATION MEANS
  • Smart card with credentials attested by
    certificates
  • - e-Passport (only to enter rooms, without
    access to I&C resources)
  • - eIDl, issued to staff (can be issued to
    visitors too)
  • - eIDn, issued by the National Authority (can be
    supplemented by a second, object-specific
    certificate)
  • - eIDf, issued by a foreign country.
  • Smart card interfaces
  • - Contactless (RFID) (for visitors who hold a
    national e-document of this type; can also be for
    staff who don't need access to the compartment
    c
  • - Contact (for staff who work with classified
    resources; can carry one or two certificates).

7
I&C & ITT FRAGMENTS
  • Resources are separated from possible external
    and internal users according to a multi-layered
    approach, by various means: routers, firewalls,
    guards, gateways, one-way gateways
  • A pure one-way link in real computer-based
    systems is hard to implement, because some
    operations in the other direction are inevitable
  • One-way GWs are really pseudo one-way,
    implemented using a set of various protection
    means
  • Application of PKI certificates (1 or 2) would
    essentially help to solve the problem.

8
SAFETY AND SECURITY REQUIREMENTS
There are many requirements in the nuclear area
concerning control of access, interaction of
systems, identification of subjects and objects,
authentication, authorization and accountability.
NS-R-1 Nuclear power plants: safety requirements
  • 5.64. The plant shall be isolated from the
    surroundings by suitable layout of the structural
    elements in such a way that access to it can be
    permanently controlled. In particular, provision
    shall be made in the design of the buildings and
    the layout of the site for personnel and/or
    equipment for the control of access, and
    attention shall be paid to guarding against the
    unauthorized entry of persons and goods to the
    plant.
  • 5.65. Unauthorized access to, or interference
    for any reason with, structures, systems and
    components important to safety shall be
    prevented. Where access is necessary for
    maintenance, testing or inspection purposes, it
    shall be ensured in the design that the necessary
    activities can be performed without significantly
    reducing the reliability of safety related
    equipment.

9
  • NS-G-1.3 Guidance for I&C systems important to
    safety in nuclear power plants
  • 4.51. Access to equipment in systems important
    to safety should be appropriately limited, in
    view of the need to prevent both unauthorized
    access and the possibility of error by authorized
    personnel. Effective methods include appropriate
    combinations of physical security (locked
    enclosures, locked rooms, alarms on panel doors)
    and administrative measures according to the
    degree of supervision in the area where the
    equipment is located.
  • 4.52. Two areas of concern in relation to access
    control are set point adjustments and calibration
    adjustments, because of their importance in
    preventing degraded system performance due to
    potential errors in operation or maintenance.
  • 4.53. For access control to digital
    computer based systems, means should be
    employed for restricting electronic access to
    software and data. These restrictions should be
    applied to access via network connections and
    maintenance equipment.

10
  • IEC 61513 General requirements for I&C systems
    important to safety
  • 5.4.2 Overall security plan
  • Security measures are required to protect the
    information processed within systems important to
    safety against unauthorised modification
    (integrity), disruption of access (availability)
    and unauthorised disclosure (confidentiality).
  • NOTE 1. For I&C systems in nuclear power plants,
    integrity and availability requirements
    predominate over confidentiality.
  • Software (programme code as well as parameters
    and data) may be especially vulnerable during the
    design and maintenance process. Threats that need
    to be considered include deliberate malicious
    modifications that cause erroneous behaviour of
    the software either in general or triggered by
    certain time or data constraints.
  • NOTE 2. Threats arising from unintended
    modifications are addressed in the system
    requirements specification (see 6.1.1.4).
  • The overall security plan specifies the
    procedural and technical measures to be taken to
    protect the architecture of I&C systems from
    deliberate and intelligent attacks that may
    jeopardise functions important to safety.

11
  • The security requirements of functions and
    systems important to safety shall be identified
    in the system security plan (see 6.2.2).
  • The risk arising from unauthorised access
    and modification shall be managed in a
    systematic manner during all phases of the life
    cycle from inception to disposal.
  • The security provisions for a system shall be
    such that they do not have a significant impact
    on its reliability or availability.
  • The rigour of security requirements for a
    particular system and associated equipment is
    determined by the functions performed by the
    system. CB systems that perform category A
    functions have higher security requirements than
    those that would be acceptable for CB systems
    carrying out category B or C functions.
  • To maintain security of systems at a continuously
    high level a site-specific security policy shall
    be established. It shall contain
    procedures related to the interface
    between administrative and technical security,
    access to systems, security aspects of data
    handling, security aspects of modification and
    maintenance, security auditing and reporting,
    and security training.

12
  • Systems performing functions important to safety
    shall be physically protected against
    unauthorised access. Access control shall include
    strong identification and authentication of
    personnel for systems carrying category A
    functions and reliable identification of
    personnel for systems carrying category B and C
    functions (see 7.12 of IAEA 50-SG-D3).
  • Features for remote (external to the plant)
    access to systems implementing category A
    functions shall not be implemented. If remote
    access features internal to the plant are
    provided, they shall be analysed and it shall be
    demonstrated that they do not introduce
    additional risk of either unauthorised system
    access or additional sources of potential
    failures of the systems.
  • Access to systems should be logged recording the
    personnel, the type of access, the time, and the
    actions carried out.
  • Security logs shall be formally inspected at
    defined intervals for systems performing category
    A functions and should be checked periodically
    for systems performing category B and C
    functions.
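As an added example (not from the presentation), the formal log inspection that slide 12 calls for, run over a constructed log format: it assumes key=value records carrying the four required fields (personnel, access type, time, action) plus constructed `auth`, `category` and `origin` fields, and reports incomplete records, category A access without certificate-based authentication, and any category A access that did not originate inside the plant.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessRecord holds what IEC 61513 asks an access log to record (personnel,
// type of access, time, action) plus constructed fields the inspection needs.
type AccessRecord struct {
	Personnel, Access, Time, Action, Auth, Category, Origin string
}

// SampleLog is constructed for this example; it is not from any plant.
var SampleLog = []string{
	"time=2005-09-13T08:02Z personnel=op-117 auth=cert origin=plant category=A access=console action=setpoint-view",
	"time=2005-09-13T08:10Z personnel=mt-042 auth=password origin=plant category=A access=maintenance action=calibration",
	"time=2005-09-13T09:30Z personnel=vendor-9 auth=cert origin=remote category=A access=network action=firmware-upload",
	"time=2005-09-13T09:45Z personnel=op-117 auth=cert origin=plant category=B access=console",
}

// ParseRecord reads one "key=value ..." line; unknown keys are ignored.
func ParseRecord(line string) AccessRecord {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	return AccessRecord{kv["personnel"], kv["access"], kv["time"], kv["action"], kv["auth"], kv["category"], kv["origin"]}
}

// Inspect is the periodic formal check: the first violation found per record,
// in order of severity of the rules on slide 12 (completeness, strong auth, no remote access to category A).
func Inspect(lines []string) []string {
	var findings []string
	for i, line := range lines {
		r := ParseRecord(line)
		switch {
		case r.Personnel == "" || r.Access == "" || r.Time == "" || r.Action == "":
			findings = append(findings, fmt.Sprintf("line %d: incomplete record, all of personnel/access/time/action are required", i+1))
		case r.Category == "A" && r.Auth != "cert":
			findings = append(findings, fmt.Sprintf("line %d: %s used %s authentication on a category A system; strong (certificate) authentication required", i+1, r.Personnel, r.Auth))
		case r.Category == "A" && r.Origin != "plant":
			findings = append(findings, fmt.Sprintf("line %d: %s reached a category A system from %q; remote access to category A functions must not exist", i+1, r.Personnel, r.Origin))
		}
	}
	return findings
}
```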

13
6.2.2 System security plan
  • The system security plan is defined to be
    consistent with the overall security plan.
  • During system specification and design the
    requirements for technical counter-measures
    identified for the system in the overall security
    plan (see 5.4.2) should be transformed into
    technical design requirements and documented.
  • An assessment of the design documentation shall
    take place to verify that the counter-measures
    identified within the system security analysis
    have been correctly implemented.
  • During verification and validation of the system,
    the effectiveness of the security functions shall
    be demonstrated through suitable tests with the
    system in its final configuration.

14
IEC 62138 Standard requirements for computer
based I&C systems (category B or C) important to
safety
  • 6.1.6 Security
  • The objective of security is to provide adequate
    confidence that unauthorised persons and systems
    can neither modify the software and its data nor
    gain access to the system functions, and yet to
    ensure that this is not denied to authorised
    persons and systems. Clauses 5.4.2 (Overall
    Security Plan) and 6.2.2 (System Security Plan)
    of IEC 61513 provide requirements for security
    at the level of the I&C architecture and of an
    individual I&C system. This clause provides
    additional requirements specific, or of
    particular importance, to software.
  • 1. An analysis of the security threats and
    vulnerability regarding the software aspects of
    the I&C system shall be performed and documented.
    It should take into account the relevant phases
    of the System and Software Safety Lifecycles. It
    should determine the requirements regarding the
    protection, the accessibility, the
    confidentiality and the integrity of data and
    functions.
  • These may include
  • identification of security critical data and
    functions
  • identification and authentication of
    personnel
  • access control to security critical data and
    functions
  • management of security critical data and
    functions
  • traceability of security related actions to
    personnel.
  • 2. Software development shall be performed
    according to the provisions of a Security
    Assurance Plan or of the Quality Assurance Plan.
    These provisions shall take into account the
    results of the threat and vulnerability analysis.
    They shall be consistent with the requirements of
    clauses 5.4.2 (Overall Security Plan) and 6.2.2
    (System Security Plan) of IEC 61513.

15
WHAT TO DO?
  • Implement an integrated Identification /
    Authentication / Authorization / Account /
    Control (I/A/A/A/C) system for all subjects and
    objects in the nuclear power plant, using PKI
    elements with the plant's own CA, RA and TSP.
  • Identify all subjects and objects (staff,
    visitors, transport, equipment, materials,
    unknown objects).
  • Authenticate (using crypto technologies) all
    subjects and objects, which require access to the
    resources (staff, visitors (access to territory,
    rooms, ITT resources), ITT resources to ITT
    resources).
  • Authorize all subjects and objects, which
    require access to the resources, according to the
    resources sensitivity level and rendered rights
    to the entities.
  • Account for the dynamics of all subjects and
    objects (all ITT resources, stored or transferred,
    including program code, are signed with a digital
    signature).
  • Control dynamics of all subjects and objects
    coherently and reliably.

16
IMPLEMENTATION OF PKI STRUCTURE
17
PLANT NEEDS AT LEAST
  • Certificate Management System, CA
  • Registration Authority, RA
  • Hardware Security Module, HSM (together with Key
    management system, KMS, CKMS)
  • SmartCard
  • SmartCard Reader
  • Application software for creation and validation
    of Digital Signature.
  • CA Architecture (a typical example covering the
    majority of NPP software needed for PKI)

18
THREE GENERAL KEY TASKS FOR SECURITY IN VIRTUAL
AREAS
  • Organisational security
  • Immediate tasks
  • - Developing a vision and concept
  • - Preparing new, modifying current IAEA
    doctrine, regulations, standards
  • - Developing a security policy which clearly
    defines objectives and measures
  • Future tasks
  • - Set of regulations
  • - Responsibilities
  • - Security enforcement culture
  • - Configuration Management.
  • Physical security
  • New, more effective measures for regulating
    access to areas, buildings and rooms.
  • Logical security
  • New, more effective measures for regulating
    access to ITT resources, and mechanisms to ensure
    the authenticity and integrity of data and code.

19
IMPLEMENTATION PROBLEMS AT PLANT (sorted by
increasing complexity and time to implement)
  • Implementation of the PKI infrastructure at the
    site: solutions are available commercially, and
    prices are decreasing.
  • Change of physical access control in the
    existing site: the changes are simple, but must
    be carried out in an operating plant.
  • Introduction of electronic signatures for signing
    code and data
  • - for non-classified resources, introduce only
    under convenient circumstances
  • - for security systems, introduce step by step
  • 1) for existing equipment, implement additional
    pre-access means that allow access to classified
    resources only for certified staff and that
    record changes
  • 2) prepare and issue standard documents that
    require the use of electronic signatures for
    signing resources and self-checks in projects for
    new equipment. Use two signatures where
    necessary.
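As an added example (not the presentation's or the institute's code), a minimal form of the "own CA" plus "two signatures" scheme from slides 5, 15 and 19, built on Go's standard library: the plant's CA issues code-signing certificates to employees, each employee signs a code artifact with their key, and the verifier accepts the artifact only when two distinct certificates that chain to the plant CA carry valid signatures. Names, serials and lifetimes are constructed for the example; a real deployment would keep the CA key in the HSM from slide 17 and add revocation checking.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Signature: one employee's Ed25519 signature over a code artifact plus the certificate the plant CA issued to them.
type Signature struct {
	Cert *x509.Certificate
	Sig  []byte
}

// IssueCert issues a certificate with the given serial, signed by parent; isCA builds the self-signed plant CA instead.
func IssueCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // constructed lifetime
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}} // employees: code signing only
	if isCA { // self-signed root: the template is its own parent and may only sign certificates
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Sign is what an authorised employee's smart card does to a code artifact.
func Sign(code []byte, cert *x509.Certificate, key ed25519.PrivateKey) Signature {
	return Signature{Cert: cert, Sig: ed25519.Sign(key, code)}
}

// VerifyDualSigned accepts code only when at least two DISTINCT certificates that chain to plantCA
// with the code-signing EKU carry valid signatures over it; failing signatures are ignored, not counted.
func VerifyDualSigned(code []byte, sigs []Signature, plantCA *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(plantCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	signers := map[string]bool{} // keyed by serial so one employee signing twice counts once
	for _, s := range sigs {
		pub, ok := s.Cert.PublicKey.(ed25519.PublicKey)
		if _, err := s.Cert.Verify(opts); err != nil || !ok || !ed25519.Verify(pub, code, s.Sig) {
			continue
		}
		signers[s.Cert.SerialNumber.String()] = true
	}
	return len(signers) >= 2
}
```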

20
ROI REALIZED?
  • Increased safety and security
  • Unification of all I/A/A/S/A/C processes
  • Reduced operating costs.

21
State Institute of Information
Technology, Lithuania
  • Questions?
  • For more information
  • Phone
    E-mail
  • Saulius Sidaras
    saulsid@viti.lt
  • 370 52767227
  • Website
  • http://www.viti.lt