Title: PLANNING, DESIGN AND IMPLEMENTATION OF PKI FOR INCREASING I&C SAFETY
PLANNING, DESIGN AND IMPLEMENTATION OF PKI FOR INCREASING I&C SAFETY.
State Institute of Information Technology, Lithuania
- Saulius Sidaras
- Director, State Institute of Information Technology, Lithuania
- E-mail: saulsid_at_viti.lt
- IAEA Technical Meeting on Impact of Modern Technology on Instrumentation and Control in Nuclear Power Plants (621-I2-TM-26932)
- 13 to 16 September 2005, Chatou, France
SUMMARY
- INTRODUCTION
- WHY NOW?
- AUTHORIZATION MANAGEMENT
- CHARACTERISTICS OF IDENTIFICATION MEANS
- I&C ITT FRAGMENTS
- SAFETY AND SECURITY REQUIREMENTS
- WHAT TO DO?
- IMPLEMENTATION OF PKI STRUCTURE
- THREE GENERAL KEY TASKS FOR SECURITY IN VIRTUAL AREAS
- IMPLEMENTATION PROBLEMS AT PLANT
- ROI REALIZED?
INTRODUCTION
- There is no doubt that Public Key Infrastructure (PKI), built upon public key cryptography, is a fundamental facility for ensuring security on the Internet. Among the advantages PKI can offer an organization are:
- - Authentication
- - Access Control
- - Data (incl. Code) Integrity
- - Non-repudiation
- - Confidential Communication.
- Surprisingly few organizations adequately protect themselves from eavesdropping, data theft, and other forms of fraud.
- It is not a new idea, but a well-structured and mature method with reliable technologies that are ready, and now is the best time for its implementation.
WHY NOW?
- HIGH RELIABILITY OF AUTHORIZATION MANAGEMENT WITH PKI
- CLOSE TO FULL IMPLEMENTATION OF WORLDWIDE IDENTIFICATION MEANS
- HIGH RELIABILITY FOR I&C / ITT SEPARATION MEANS
- DECREASED PRICE OF PKI TECHNOLOGIES.
AUTHORIZATION MANAGEMENT
- A very well developed INFOSEC discipline for the protection of classified material exists.
- Nuclear power plant information resources generally are not classified; however, the most sensitive ones, and software code, can be equated to the classified material class.
- Risk management allows flexibility through various protection levels against unauthorized access to the classified material class.
- Protective security can use a multi-layered approach known as defence in depth. Defence in depth means combining several measures to make unauthorized access difficult for an external intruder or for an employee who does not need to know.
- All code and its modifications (according to configuration management) can be signed only by an authorized employee.
CHARACTERISTICS OF IDENTIFICATION MEANS
- Smart card with credentials approved by certificates:
- - e-Passport (only to visit rooms, without access to I&C resources)
- - eIDl, issued for staff (can be for visitors too)
- - eIDn, issued by the National Authority (can be supplemented by a second special certificate for the site)
- - eIDf, issued by a foreign country.
- Smart card interfaces:
- - Contactless (RFID): for visitors who hold a national e-document of this type; can also be for staff who don't need access to the compartment
- - Contact: for staff who work with classified resources; can carry one or two certificates.
I&C ITT FRAGMENTS
- Resources are separated from possible external and internal users according to the multi-layered approach, by various means: routers, firewalls, guards, gateways, one-way gateways.
- A pure one-way link is hard to implement in real computer-based systems, because some operations in the other direction are inevitable.
- One-way gateways are really pseudo one-way, implemented using a set of various protection means.
- Application of PKI certificates (1 or 2) would substantially help to solve the problem.
SAFETY AND SECURITY REQUIREMENTS
There are a lot of requirements in the nuclear area concerning control of access, interaction of systems, identification of subjects and objects, authentication, authorization and accountability.
NS-R-1 Nuclear power plants safety requirements
- 5.64. The plant shall be isolated from the surroundings by suitable layout of the structural elements in such a way that access to it can be permanently controlled. In particular, provision shall be made in the design of the buildings and the layout of the site for personnel and/or equipment for the control of access, and attention shall be paid to guarding against the unauthorized entry of persons and goods to the plant.
- 5.65. Unauthorized access to, or interference for any reason with, structures, systems and components important to safety shall be prevented. Where access is necessary for maintenance, testing or inspection purposes, it shall be ensured in the design that the necessary activities can be performed without significantly reducing the reliability of safety related equipment.
- NS-G-1.3 Guidance for I&C systems important to safety in nuclear power plants
- 4.51. Access to equipment in systems important to safety should be appropriately limited, in view of the need to prevent both unauthorized access and the possibility of error by authorized personnel. Effective methods include appropriate combinations of physical security (locked enclosures, locked rooms, alarms on panel doors) and administrative measures according to the degree of supervision in the area where the equipment is located.
- 4.52. Two areas of concern in relation to access control are set point adjustments and calibration adjustments, because of their importance in preventing degraded system performance due to potential errors in operation or maintenance.
- 4.53. For access control to digital computer based systems, means should be employed for restricting electronic access to software and data. These restrictions should be applied to access via network connections and maintenance equipment.
- IEC 61513 General requirements for I&C systems important to safety
- 5.4.2 Overall security plan
- Security measures are required to protect the information processed within systems important to safety against unauthorised modification (integrity), disruption of access (availability) and unauthorised disclosure (confidentiality).
- NOTE 1. For I&C systems in nuclear power plants, integrity and availability requirements predominate over confidentiality.
- Software (programme code as well as parameters and data) may be especially vulnerable during the design and maintenance process. Threats that need to be considered include deliberate malicious modifications that cause erroneous behaviour of the software either in general or triggered by certain time or data constraints.
- NOTE 2. Threats arising from unintended modifications are addressed in the system requirements specification (see 6.1.1.4).
- The overall security plan specifies the procedural and technical measures to be taken to protect the architecture of I&C systems from deliberate and intelligent attacks that may jeopardise functions important to safety.
- The security requirements of functions and systems important to safety shall be identified in the system security plan (see 6.2.2).
- The risk arising from unauthorised access and modification shall be managed in a systematic manner during all phases of the life cycle, from inception to disposal.
- The security provisions for a system shall be such that they do not have a significant impact on its reliability or availability.
- The rigour of security requirements for a particular system and associated equipment is determined by the functions performed by the system. CB systems that perform category A functions have higher security requirements than those that would be acceptable for CB systems carrying out category B or C functions.
- To maintain security of systems at a continuously high level, a site-specific security policy shall be established. It shall contain procedures related to the interface between administrative and technical security, access to systems, security aspects of data handling, security aspects of modification and maintenance, security auditing and reporting, and security training.
- Systems performing functions important to safety shall be physically protected against unauthorised access. Access control shall include strong identification and authentication of personnel for systems carrying category A functions and reliable identification of personnel for systems carrying category B and C functions (see 7.12 of IAEA 50-SG-D3).
- Features for remote (external to the plant) access to systems implementing category A functions shall not be implemented. If remote access features internal to the plant are provided, they shall be analysed and it shall be demonstrated that they do not introduce additional risk of either unauthorised system access or additional sources of potential failures of the systems.
- Access to systems should be logged, recording the personnel, the type of access, the time, and the actions carried out.
- Security logs shall be formally inspected at defined intervals for systems performing category A functions and should be checked periodically for systems performing category B and C functions.
6.2.2 System security plan
- The system security plan is defined to be consistent with the overall security plan.
- During system specification and design, the requirements for technical counter-measures identified for the system in the overall security plan (see 5.4.2) should be transformed into technical design requirements and documented.
- An assessment of the design documentation shall take place to verify that the counter-measures identified within the system security analysis have been correctly implemented.
- During verification and validation of the system, the effectiveness of the security functions shall be demonstrated through suitable tests with the system in its final configuration.
IEC 62138 Standard requirements for computer based I&C systems (category B or C) important to safety
- 6.1.6 Security
- The objective of security is to provide adequate confidence that unauthorised persons and systems can neither modify the software and its data nor gain access to the system functions, and yet to ensure that this is not denied to authorised persons and systems. Clauses 5.4.2 (Overall Security Plan) and 6.2.2 (System Security Plan) of IEC 61513 provide requirements for security at the level of the I&C architecture and of an individual I&C system. This clause provides additional requirements specific, or of particular importance, to software.
- 1. An analysis of the security threats and vulnerability regarding the software aspects of the I&C system shall be performed and documented. It should take into account the relevant phases of the System and Software Safety Lifecycles. It should determine the requirements regarding the protection, the accessibility, the confidentiality and the integrity of data and functions. These may include:
- - identification of security critical data and functions
- - identification and authentication of personnel
- - access control to security critical data and functions
- - management of security critical data and functions
- - traceability of security related actions to personnel.
- 2. Software development shall be performed according to the provisions of a Security Assurance Plan or of the Quality Assurance Plan. These provisions shall take into account the results of the threat and vulnerability analysis. They shall be consistent with the requirements of clauses 5.4.2 (Overall Security Plan) and 6.2.2 (System Security Plan) of IEC 61513.
WHAT TO DO?
- Implement an integrated Identification / Authentication / Authorization / Account / Control (I/A/A/A/C) system for all subjects and objects in the nuclear power plant, using PKI elements with the plant's own CA, RA and TSP.
- Identify all subjects and objects (staff, visitors, transport, equipment, materials, unknown objects).
- Authenticate (using cryptographic technologies) all subjects and objects that require access to the resources: staff and visitors (access to territory, rooms, ITT resources), and ITT resources to ITT resources.
- Authorize all subjects and objects that require access to the resources, according to the sensitivity level of the resources and the rights granted to the entities.
- Account for the dynamics of all subjects and objects (all ITT resources, stored or transferred, including program code, are signed with a digital signature).
- Control the dynamics of all subjects and objects coherently and reliably.
IMPLEMENTATION OF PKI STRUCTURE
PLANT NEEDS AT LEAST
- Certificate Management System, CA
- Registration Authority, RA
- Hardware Security Module, HSM (together with Key Management System, KMS, CKMS)
- SmartCard
- SmartCard Reader
- Application software for creation and validation of Digital Signature.
- CA Architecture (a typical example showing most of the software an NPP needs for PKI)
THREE GENERAL KEY TASKS FOR SECURITY IN VIRTUAL AREAS
- Organisational security
- Immediate tasks:
- - Developing a vision and concept
- - Preparing new, and modifying current, IAEA doctrine, regulations and standards
- - Developing a security policy which clearly defines objectives and measures
- Future tasks:
- - Set of regulations
- - Responsibilities
- - Security enforcement culture
- - Configuration management.
- Physical security
- - New, more effective measures for regulation of access to areas, buildings and rooms.
- Logical security
- - New, more effective measures for regulation of access to ITT resources, and mechanisms to ensure the authenticity and integrity of data and code.
IMPLEMENTATION PROBLEMS AT PLANT (sorted by increasing complexity and duration)
- Implementation of the PKI infrastructure at the site: solutions are available commercially, and prices are decreasing.
- Physical access control changes on the existing site base: the changes are simple, but must be carried out in a functioning site.
- Introduction of electronic signatures for signing code and data:
- - for non-classified resources, introduce only under convenient circumstances
- - for security systems, introduce step by step:
- 1) for existing equipment, implement additional pre-access means which would allow access to classified resources only to certified staff and would record changes
- 2) prepare and issue standard documents which require the use of electronic signatures for signing resources and the carrying out of self-controls in projects for new equipment. Use 2 signatures where necessary.
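The code-signing rule that runs through the deck (code and data signed only by an authorized employee whose certificate comes from the plant's own CA, a second signature where necessary, and stricter requirements for category A systems) as an added Go example that is not part of the presentation: a constructed plant CA issues staff code-signing certificates, and a verifier counts how many distinct plant-authorized staff have validly signed an artifact, so the caller can require 2 for category A and 1 for category B or C. The CA, staff names, artifact and the function names NewCert and CountValid are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // constructed counter; a real plant CA draws serials from its HSM-backed CMS
// NewCert issues an Ed25519 code-signing certificate for cn: the self-signed plant CA when isCA is
// set, otherwise a staff certificate issued by the CA (parent, caKey). A failed CA operation is fatal.
func NewCert(cn string, isCA bool, parent *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// CountValid returns how many distinct staff members have validly signed artifact with a code-signing
// certificate chaining to the plant CA in roots; other issuers and repeat signers are not counted.
func CountValid(artifact []byte, sigs map[*x509.Certificate][]byte, roots *x509.CertPool) int {
	signers := map[string]bool{}
	for cert, sig := range sigs {
		if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
			continue // not issued by the plant CA, not valid for code signing, or expired
		}
		if pub, ok := cert.PublicKey.(ed25519.PublicKey); ok && ed25519.Verify(pub, artifact, sig) {
			signers[cert.Subject.CommonName] = true
		}
	}
	return len(signers)
}
```

In a real deployment the staff keys would live on the smart cards and the CA key in the HSM listed under PLANT NEEDS AT LEAST, and the verifier would also consult revocation status, which this demo omits.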
ROI REALIZED?
- Increased safety and security
- Unification of all I/A/A/S/A/C processes
- Reduced operating costs.
Questions?
- For more information:
- Phone: 370 52767227
- E-mail: Saulius Sidaras, saulsid_at_viti.lt
- Website: http://www.viti.lt