atw Vol. 63 (2018) | Issue 5 | May

Detective Application Security Controls for Nuclear Safety

Deeksha Gupta, Karl Waedt and Yuan Gao

The current Draft Nuclear IEC 63096 New Work Item Proposal (NWIP), a new downstream standard of IEC 62645, distinguishes between preventive, detective and corrective security controls. The focus of this paper is on resilient detective cybersecurity controls that are needed especially for high security degrees in the context of Advanced Persistent Threats (APTs). The Stuxnet malware demonstrates that sophisticated attacks on physical processes can make use of both the manipulation of output signals that control the automation equipment and, in parallel, manipulations of the graphical process feedback information displayed to users. In the international IAEA coordinated research proposal CRP J02008 several project partners investigate (as one of the objectives) the development of detective security controls that do not rely on the process control software itself. Thus, a manipulation of the process control software could still be detected by the detective security controls implemented by diverse means.

Implementing detective security controls at this conceptual level requires knowledge about selected analog and binary variables corresponding to the current state of physical processes. This knowledge (expressed as modeled specifications of expected safe transitions and value ranges) is needed in order to detect potential manipulations. In the case of Stuxnet this corresponds to detecting the high frequency speed variations of centrifuges (with the aim of physically destroying them) without regard to the (manipulated, maliciously reassuring) information displayed to operators.

This paper will address the selection of process variables, the different points at which these process variables can be acquired, the equipment used for the acquisition (e.g. additional networking equipment or enhanced embedded software), the aggregation of the variables, the detective logic and the reporting towards a Security Information and Event Management System (SIEM). The paper will also explain how existing nuclear safety impact analyses can be leveraged by replacing the typical safety events (e.g. due to ageing or random failures) with graded, targeted security attack events.
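As an added illustration of the detective logic described above (not code from the paper or from the CRP J02008 project): a check of independently acquired process variables against a modeled value range and transition limit, a cross-check against the value the process control software displays to operators, and a flat event record of the kind a SIEM forwarder can ingest. The spec fields, the variable name and the sample trace are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VariableSpec:
    # Modeled expectation for one process variable (field names are this example's own)
    name: str
    low: float           # lower bound of the modeled safe value range
    high: float          # upper bound of the modeled safe value range
    max_step: float      # largest change tolerated between consecutive samples
    max_mismatch: float  # tolerated gap between diverse probe and HMI-displayed value

@dataclass(frozen=True)
class Sample:
    t: int            # acquisition tick
    measured: float   # value read on the diverse path (network tap, embedded probe)
    displayed: float  # value the process control software reports to the operator

def _event(spec: VariableSpec, s: Sample, kind: str, detail: str) -> dict:
    # Flat record, the shape a SIEM forwarder can ingest as-is
    return {"t": s.t, "variable": spec.name, "kind": kind, "detail": detail}

def check_samples(spec: VariableSpec, samples: list) -> list:
    """Evaluate each sample against the modeled spec using only the diverse-path value."""
    events, prev = [], None
    for s in samples:
        if not spec.low <= s.measured <= spec.high:
            events.append(_event(spec, s, "RANGE_VIOLATION",
                                 f"{s.measured} outside [{spec.low}, {spec.high}]"))
        if prev is not None and abs(s.measured - prev.measured) > spec.max_step:
            events.append(_event(spec, s, "UNSAFE_TRANSITION",
                                 f"step {s.measured - prev.measured:+} exceeds {spec.max_step}"))
        # Cross-check against what operators see: a plausible display hiding an
        # implausible physical state is the pattern the paper attributes to Stuxnet
        if abs(s.measured - s.displayed) > spec.max_mismatch:
            events.append(_event(spec, s, "FEEDBACK_MISMATCH",
                                 f"probe {s.measured} vs displayed {s.displayed}"))
        prev = s
    return events

# Constructed trace: a rotor-speed variable in Hz with a sudden swing at t=2..3 that
# the displayed value never reflects (numbers are illustrative, not plant data)
SPEED = VariableSpec("centrifuge_speed_hz", low=900.0, high=1100.0,
                     max_step=20.0, max_mismatch=5.0)
TRACE = [Sample(0, 1000.0, 1000.0), Sample(1, 1005.0, 1005.0), Sample(2, 1090.0, 1005.0),
         Sample(3, 1150.0, 1005.0), Sample(4, 1004.0, 1004.0)]

if __name__ == "__main__":
    for e in check_samples(SPEED, TRACE):
        print(e)
```

Because the checker only consumes the diverse-path measurement and the displayed value, it keeps working even if the process control software itself has been altered.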

The semi-formal description of the detective security controls will make use of the Application Security Control (ASC) concepts as introduced by ISO/IEC 27034-x. This approach is fully in line with Nuclear IEC 62859, which provides requirements on coordinating safety and cybersecurity. The recommendations on separating selected detective security controls from the process control software can be met by avoiding increased complexity and the possibility of retroactions of security measures on safety related functionality.

Introduction

Cybersecurity is considered a major element of physical protection plans for nuclear facilities and it should be implemented from the initial phase of nuclear facility design [1]. In nuclear power plants (NPPs), I&C systems have evolved during the last decades from non-digital equipment and standalone environments to digital technologies and interconnected systems. Such an evolution exposes them to risks related to cyberattacks, and a cyberattack can in turn affect the safety of the NPP. A cyberattack or digital attack is the attempt by digital means to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset [2]. To minimize these risks, security controls provide the countermeasures to avoid, detect and counteract risks to physical property, computer systems, information or other assets.

The detective application security controls provide alternative or enhanced protection means as part of a security defense-in-depth concept. Accordingly, for a new NPP they may serve as security enhancements, while for an existing NPP they may serve as an effective and cost-saving alternative in cases where the legacy process control software cannot easily be revised to include cybersecurity specific functionality.

In principle the term “Cybersecurity Control” or just “Security Control” denotes one or a set of cybersecurity countermeasures. Security Controls are applied during all lifecycle phases of the I&C product or project [4]. In an (initially) non safety related context several Security Controls are similar to measures that are by default implemented in safety systems. These include, e.g., the degree of requirements traceability (e.g., to avoid the introduction of requirements on debugging functionality that may later be misused for manipulations) and requirements on testing. However, the Security Level [2, 3] of a subsystem may be increased due to the results of a risk assessment [5]. This may mandate the implementation of individual security controls that have to be met only for higher safety classes [4].

IEC 62645 [8] is the top level nuclear cybersecurity standard. It defines security controls for the nuclear

Fig. 1. Example Plant Operation related to Security Control for a Detective System [6, 7].
