atw Vol.

atw Vol. 63 (2018) | Issue 5 ı May

Detective Application Security Controls

for Nuclear Safety

Deeksha Gupta, Karl Waedt and Yuan Gao

The current Draft Nuclear IEC 63096 New Work Item Proposal (NWIP), a new downstream standard of IEC

62645, distinguishes between preventive, detective and corrective security controls. The focus of this paper is on

resilient detective cybersecurity controls that are needed especially for high security degrees in the context of Advanced

Persistent Threats (APTs). The Stuxnet malware demonstrates that sophisticated attacks on physical processes

can make use of both, the manipulation of output signals that control the automation equipment in parallel with

manipulations of the graphical process feedback information displayed to users. In the international IAEA coordinated

research proposal CRP J02008 several project partners investigate (as one of the objectives) the development of

detective security controls that do not rely on the process control software itself. Thus, a manipulation of the process

control software could still be detected by the detective security controls implemented by diverse means.

Implementing detective security controls at this conceptual

level requires knowledge about selected analog and binary

variables corresponding to the current state of physical

processes. This knowledge (expressed as modeled specifications

of expected safe transitions and value ranges) is

needed in order to detect potential manipulations. In

the case of Stuxnet this corresponds to detecting the

high frequency speed variations of centrifuges (with the

aim of physically destroying them) without regard to

the ( manipulated, maliciously reassuring) information

displayed to operators.

This paper will address the selection of process

variables, the different points at which these process

variables can be acquired, the equipment used for the

acquisition (e.g. additional networking equipment or

enhanced embedded software), the aggregation of the

variables, the detective logic and the reporting towards a

Security Information and Event Management System

( SIEM). The paper will also explain how existing nuclear

safety impact analyses can be leveraged by replacing the

typical safety events (e.g. due to ageing or random failures)

by graded targeted security attack events.

The semi-formal description of the detective security

controls will make use of the Application Security Control

(ASC) concepts as introduced by ISO/IEC 27034-x.

This approach is fully in line with Nuclear IEC 62859

that provides requirements on coordinating safety

and cybersecurity. The recommendations on separating

selected detective security controls from the process

control software can be achieved by avoiding an increased

complexity and the possibility of retroactions of security

measures on safety related functionality.

to physical property, computer system, information or

other assets.

The detective application security controls provide

alternative or enhanced protection means as part of a

security defense-in-depth concept. Accordingly, for a new

NPP they may serve as security enhancements while for an

existing NPP they may serve as an effective and cost-saving

alternative, in cases where the legacy process control

software cannot be easily revised to include cybersecurity

specific functionality.

In principle the term “Cybersecurity Control” or just

“Security Control” denotes one or a set of Cyber Security

countermeasures. Security Controls are applied during all

lifecycle phases of the I&C-product or project [4]. In an

( initially) non safety related context several Security

Controls are similar to measures that are by default implemented

in safety systems. These include, e.g., the degree

of requirements traceability (e.g., to avoid the intro duction

of requirements on debugging functionality that may later

be misused for manipulations) and requirements on

testing. However, the Security Level [2, 3] of a subsystem

may be increased due to results of a risk assessment [5].

This may mandate the implementation of individual

security controls that have to be met only for higher safety

classes [4].

IEC 62645 [8] is the top level nuclear cybersecurity

standard. It defines security controls for the nuclear

285

ENVIRONMENT AND SAFETY

Introduction

Cybersecurity is considered as a major element of physical

protection plans for nuclear facilities and it should be

implemented from the initial phase of nuclear facility

design [1]. In nuclear power plants (NPPs), I&C systems

have evolved during the last decades from non-digital

equipment and standalone environments to digital

technologies and interconnected systems. Such an

evolution exposes them to risks related to cyberattacks.

The cyberattack can later affect the safety of the NPP.

Cyberattack or digital attack is the attempt by digital

means to destroy, expose, alter, disable, steal or gain

unauthorized access to or make unauthorized use of an

asset [2]. To minimize these risks security controls

provides the countermeasures to avoid, detect, counteract

| | Fig. 1.

Example Plant Operation related to Security Control for a Detective System [6, 7].

Environment and Safety

Detective Application Security Controls for Nuclear Safety ı Deeksha Gupta, Karl Waedt and Yuan Gao

atw Vol. 63 (2018) | Issue 5 ı May 284 CALENDAR Calendar 2018 08.05.-10.05.2018 29 th Conference of the Nuclear Societies in Israel. Herzliya, Israel. Israel Nuclear Society and Israel Society for Radiation Protection, ins-conference.com 13.05.-19.05.2018 BEPU-2018 – ANS International Conference on Best-Estimate Plus Uncertainties Methods. Lucca, Italy, NINE – Nuclear and INdustrial Engineering S.r.l., ANS, IAEA, NEA, www.nineeng.com/bepu/ 13.05.-18.05.2018 RadChem 2018 – 18 th Radiochemical Conference. Marianske Lazne, Czech Republic, www.radchem.cz 14.05.-16.05.2018 ATOMEXPO 2018. Sochi, Russia, atomexpo.ru 15.05.-17.05.2018 11 th International Conference on the Transport, Storage, and Disposal of Radioactive Materials. London, United Kingdom, Nuclear Institute, www.nuclearinst.com 20.05.-23.05.2018 5 th Asian and Oceanic IRPA Regional Congress on Radiation Protection – AOCRP5. Melbourne, Australia, Australian Radiation Protection Society (ARPS) and International Radiation Protection Association (IRPA), www.aocrp-5.org 23.05.-25.05.2018 15 th International Conference of Young Scientists on Energy Issues. Kaunas, Lithuania, Lithuanian Energy Institute in partnership with Nuclear Society of Lithuania, cyseni.com/ 29.05.-30.05.2018 49 th Annual Meeting on Nuclear Technology AMNT 2018 | 49. Jahrestagung Kerntechnik. Berlin, Germany, DAtF and KTG, www.nucleartech-meeting.com – See you there! 03.06.-07.06.2018 38 th CNS Annual Conference and 42nd CNS-CNA Student Conference. Saskotoon, SK, Canada, Canadian Nuclear Society CNS, www.cns-snc.ca 03.06.-06.06.2018 HND2018 12 th International Conference of the Croatian Nuclear Society. Zadar, Croatia, Croatian Nuclear Society, www.nuklearno-drustvo.hr 04.06.-05.06.2018 13 th European Nuclear Energy Forum. Bratislava, Slova Republic, European Commission, ec.europa.eu 04.06.-07.06.2018 10 th Symposium on CBRNE Threats. Rovaniemi, Finland, Finnish Nuclear Society, ats-fns.fi 04.06.-08.06.2018 5 th European IRPA Congress – Encouraging Sustainability in Radiation Protection. The Hague, The Netherlands, Dutch Society for Radiation Protection (NVS), local organiser, irpa2018europe.com 04.06.-05.06.2018 eurelectric Power Summit 2018 – “Watt’s Next? New Players, Products and Peers”. Ljubljana, Slovenia, eurelectric, www.eurelectric.org 06.06.-08.06.2018 2 nd Workshop on Safety of Extended Dry Storage of Spent Nuclear Fuel. Garching near Munich, Germany, GRS, www.grs.de 06.06.-07.06.2018 2018 Decommissioning Strategy Forum. Nashville, TN, U.S.A. go.exchangemonitor.com 14.06.-15.06.2018 Kernkraftwerk Rheinsberg – Zukunft eines kulturellen Erbes. Kernkraftwerk Rheinsberg, Germany, EWN GmbH, Stadtgeschichte Rheinsberg e.V., stadtgeschichte.rheinsberg@gmail.com, www.ewn-gmbh.net 18.06.-19.06.2018 Decom2018. London, United Kingdom, Nuclear Industry Association (NIA), decom2018.co.uk 25.06.-26.06.2018 index2018 – International Nuclear Digital Experience. Paris, France, Société Française d’Energie Nucléaire, www.sfen.org, www.sfen-index2018.org 27.06.-29.06.2018 EEM – 2018 15 th International Conference on the European Energy Market. Lodz, Poland, Lodz University of Technology, Institute of Electrical Power Engineering, Association of Polish Electrical Engineers (SEP), www.eem18.eu 24.06.-30.06.2018 ANNETTE Summer School on Nuclear Technology, Nuclear Waste Management and Radiation Protection. Turku, Finland, Advanced Networking for Nuclear Education, Training and Transfer of Expertise, annettesummerschool.org, www.enen.eu 29.07.-02.08.2018 International Nuclear Physics Conference 2019. Glasgow, United Kingdom, www.iop.org 22.08.-31.08.2018 Frédéric Joliot/Otto Hahn (FJOH) Summer School FJOH-2018 – Maximizing the Benefits of Experiments for the Simulation, Design and Analysis of Reactors. Aix-en-Provence, France, Nuclear Energy Division of Commissariat à l’énergie atomique et aux énergies alternatives (CEA) and Karlsruher Institut für Technologie (KIT), www.fjohss.eu 28.08.-31.08.2018 TINCE 2018 – Technological Innovations in Nuclear Civil Engineering. Paris Saclay, France, Société Française d’Energie Nucléaire, www.sfen.org, www.sfen-tince2018.org 03.09.-06.09.2018 Jahrestagung des Fachverbandes Strahlenschutz. Dresden, Germany, Fachverband für Strahlenschutz e.V., www.fs-ev.org 05.09.-07.09.2018 World Nuclear Association Symposium 2018. London, United Kingdom, World Nuclear Association (WNA), www.world-nuclear.org 09.09.-14.09.2018 21 st International Conference on Water Chemistry in Nuclear Reactor Systems. San Francisco, CA, USA, EPRI – Electric Power Research Institute, www.epri.com 17.09.-21.09.2018 62 nd IAEA General Conference. Vienna, Austria. International Atomic Energy Agency (IAEA), www.iaea.org 17.09.-20.09.2018 FONTEVRAUD 9. Avignon, France, Société Française d’Energie Nucléaire (SFEN), www.sfen-fontevraud9.org 17.09.-19.09.2018 4 th International Conference on Physics and Technology of Reactors and Applications – PHYTRA4. Marrakech, Morocco, Moroccan Association for Nuclear Engineering and Reactor Technology (GMTR), National Center for Energy, Sciences and Nuclear Techniques (CNESTEN) and Moroccan Agency for Nuclear and Radiological Safety and Security (AMSSNuR), phytra4.gmtr.ma 26.09.-28.09.2018 44 th Annual Meeting of the Spanish Nuclear Society. Avila, Spain, Sociedad Nuclear Española, www.sne.es 30,.09.-05.10.2018 14 th Pacific Basin Nuclear Conference (PBNC). San Francisco, CA, USA, pbnc.ans.org/ 30.09.-04.10.2018 TopFuel 2018. Prague, Czech Republic, European Nuclear Society (ENS), American Nuclear Society (ANS). Atomic Energy Society of Japan, Chinese Nuclear Society and Korean Nuclear Society, www.euronuclear.org 01.10.-05.10.2018 3 rd European Radiological Protection Research Week ERPW. Rovinj, Croatia, ALLIANCE, EURADOS, EURAMED, MELODI and NERIS, www.erpw2018.com 02.10.-04.10.2018 7 th EU Nuclear Power Plant Simulation ENPPS Forum. Birmingham, United Kingdom, Nuclear Training & Simulation Group, www.enpps.tech 14.10.-18.10.2018 12 th International Topical Meeting on Nuclear Reactor Thermal-Hydraulics, Operation and Safety – NUTHOS-12. Qingdao, China, Elsevier, www.nuthos-12.org 14.10.-18.10.2018 NuMat 2018. Seattle, United States, www.elsevier.com 16.10.-17.10.2018 4 th GIF Symposium at the 8th edition of Atoms for the Future. Paris, France, www.gen-4.org 22.10.-24.10.2018 DEM 2018 Dismantling Challenges: Industrial Reality, Prospects and Feedback Experience. Paris Saclay, France, Société Française d’Energie Nucléaire, www.sfen.org, www.sfen-dem2018.org 24.10.-26.10.2018 NUWCEM 2018 Cement-based Materials for Nuclear Waste. Avignon, France, French Commission for Atomic and Alternative Energies and Société Française d’Energie Nucléaire, www.sfen-nuwcem2018.org 24.10.-25.10.2018 Chemistry in Power Plant. Magdeburg, Germany, VGB PowerTech e.V., www.vgb.org 05.11.-08.11.2018 International Conference on Nuclear Decom missioning – ICOND 2018. Aachen, Eurogress, Germany, achen Institute for Nuclear Training GmbH, www.icond.de 06.11-08.11.2018 G4SR-1 1 st International Conference on Generation IV and Small Reactors. Ottawa, Ontario, Canada. Canadian Nuclear Society (CNS), and Canadian Nuclear Laboratories (CNL), www.g4sr.org 03.12.-14.12.2018 United Nations, Conference of the Parties – COP24. Katowice, Poland, United Nations Framework Convention on Climate Change – UNFCCC, www.cop24.katowice.eu 2019 07.05.-08.05.2019 50 th Annual Meeting on Nuclear Technology AMNT 2019 | 50. Jahrestagung Kerntechnik. Berlin, Germany, DAtF and KTG, www.nucleartech-meeting.com Calendar

atw Vol. 63 (2018) | Issue 5 ı May Detective Application Security Controls for Nuclear Safety Deeksha Gupta, Karl Waedt and Yuan Gao The current Draft Nuclear IEC 63096 New Work Item Proposal (NWIP), a new downstream standard of IEC 62645, distinguishes between preventive, detective and corrective security controls. The focus of this paper is on resilient detective cybersecurity controls that are needed especially for high security degrees in the context of Advanced Persistent Threats (APTs). The Stuxnet malware demonstrates that sophisticated attacks on physical processes can make use of both, the manipulation of output signals that control the automation equipment in parallel with manipulations of the graphical process feedback information displayed to users. In the international IAEA coordinated research proposal CRP J02008 several project partners investigate (as one of the objectives) the development of detective security controls that do not rely on the process control software itself. Thus, a manipulation of the process control software could still be detected by the detective security controls implemented by diverse means. Implementing detective security controls at this conceptual level requires knowledge about selected analog and binary variables corresponding to the current state of physical processes. This knowledge (expressed as modeled specifications of expected safe transitions and value ranges) is needed in order to detect potential manipulations. In the case of Stuxnet this corresponds to detecting the high frequency speed variations of centrifuges (with the aim of physically destroying them) without regard to the ( manipulated, maliciously reassuring) information displayed to operators. This paper will address the selection of process variables, the different points at which these process variables can be acquired, the equipment used for the acquisition (e.g. additional networking equipment or enhanced embedded software), the aggregation of the variables, the detective logic and the reporting towards a Security Information and Event Management System ( SIEM). The paper will also explain how existing nuclear safety impact analyses can be leveraged by replacing the typical safety events (e.g. due to ageing or random failures) by graded targeted security attack events. The semi-formal description of the detective security controls will make use of the Application Security Control (ASC) concepts as introduced by ISO/IEC 27034-x. This approach is fully in line with Nuclear IEC 62859 that provides requirements on coordinating safety and cybersecurity. The recommendations on separating selected detective security controls from the process control software can be achieved by avoiding an increased complexity and the possibility of retroactions of security measures on safety related functionality. to physical property, computer system, information or other assets. The detective application security controls provide alternative or enhanced protection means as part of a security defense-in-depth concept. Accordingly, for a new NPP they may serve as security enhancements while for an existing NPP they may serve as an effective and cost-saving alternative, in cases where the legacy process control software cannot be easily revised to include cybersecurity specific functionality. In principle the term “Cybersecurity Control” or just “Security Control” denotes one or a set of Cyber Security countermeasures. Security Controls are applied during all lifecycle phases of the I&C-product or project [4]. In an ( initially) non safety related context several Security Controls are similar to measures that are by default implemented in safety systems. These include, e.g., the degree of requirements traceability (e.g., to avoid the intro duction of requirements on debugging functionality that may later be misused for manipulations) and requirements on testing. However, the Security Level [2, 3] of a subsystem may be increased due to results of a risk assessment [5]. This may mandate the implementation of individual security controls that have to be met only for higher safety classes [4]. IEC 62645 [8] is the top level nuclear cybersecurity standard. It defines security controls for the nuclear 285 ENVIRONMENT AND SAFETY Introduction Cybersecurity is considered as a major element of physical protection plans for nuclear facilities and it should be implemented from the initial phase of nuclear facility design [1]. In nuclear power plants (NPPs), I&C systems have evolved during the last decades from non-digital equipment and standalone environments to digital technologies and interconnected systems. Such an evolution exposes them to risks related to cyberattacks. The cyberattack can later affect the safety of the NPP. Cyberattack or digital attack is the attempt by digital means to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset [2]. To minimize these risks security controls provides the countermeasures to avoid, detect, counteract | | Fig. 1. Example Plant Operation related to Security Control for a Detective System [6, 7]. Environment and Safety Detective Application Security Controls for Nuclear Safety ı Deeksha Gupta, Karl Waedt and Yuan Gao