atw Vol. 63 (2018) | Issue 5 | May

Detective Application Security Controls for Nuclear Safety

Deeksha Gupta, Karl Waedt and Yuan Gao
The current Draft Nuclear IEC 63096 New Work Item Proposal (NWIP), a new downstream standard of IEC 62645, distinguishes between preventive, detective and corrective security controls. The focus of this paper is on resilient detective cybersecurity controls that are needed especially for high security degrees in the context of Advanced Persistent Threats (APTs). The Stuxnet malware demonstrates that sophisticated attacks on physical processes can make use of both the manipulation of output signals that control the automation equipment and, in parallel, the manipulation of the graphical process feedback information displayed to users. In the international IAEA coordinated research proposal CRP J02008 several project partners investigate (as one of the objectives) the development of detective security controls that do not rely on the process control software itself. Thus, a manipulation of the process control software could still be detected by detective security controls implemented by diverse means.
Implementing detective security controls at this conceptual level requires knowledge about selected analog and binary variables corresponding to the current state of physical processes. This knowledge (expressed as modeled specifications of expected safe transitions and value ranges) is needed in order to detect potential manipulations. In the case of Stuxnet this corresponds to detecting the high-frequency speed variations of centrifuges (with the aim of physically destroying them) without regard to the (manipulated, maliciously reassuring) information displayed to operators.
This paper will address the selection of process variables, the different points at which these process variables can be acquired, the equipment used for the acquisition (e.g. additional networking equipment or enhanced embedded software), the aggregation of the variables, the detective logic and the reporting towards a Security Information and Event Management System (SIEM). The paper will also explain how existing nuclear safety impact analyses can be leveraged by replacing the typical safety events (e.g. due to ageing or random failures) with graded, targeted security attack events.
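As an added illustration (not code from the paper or from the CRP J02008 project), the detective logic sketched in the two paragraphs above: process variables acquired independently of the process control software are checked against a modeled specification of expected value ranges and plausible transitions, compared with the value shown to operators, and each deviation is emitted as an event record for a SIEM. The variable name, thresholds and samples are constructed assumptions.

```python
# Added example, not from the paper: a detective control that checks process
# variables acquired independently of the process control software against a
# modeled specification (value range, plausible transitions) and against the
# value shown to operators. Names, thresholds and samples are constructed.
from dataclasses import dataclass

@dataclass
class VariableSpec:
    name: str
    low: float            # lower bound of the expected safe value range
    high: float           # upper bound of the expected safe value range
    max_delta: float      # largest plausible change between consecutive samples
    hmi_tolerance: float  # allowed difference between field value and HMI display

@dataclass
class Sample:
    t: int              # sample index (constructed: one sample per second)
    field_value: float  # acquired on the fieldbus/network tap, not via the PLC software
    hmi_value: float    # the same variable as displayed to operators

def check_samples(spec: VariableSpec, samples: list) -> list:
    """Detective logic: return one SIEM-style event dict per deviation."""
    events, prev = [], None
    for s in samples:
        if not spec.low <= s.field_value <= spec.high:
            events.append(_event(spec, s, "out_of_range", "medium"))
        if prev is not None and abs(s.field_value - prev.field_value) > spec.max_delta:
            events.append(_event(spec, s, "implausible_transition", "medium"))
        # Field data disagreeing with the operator display is the Stuxnet pattern:
        # the physical process deviates while the HMI shows reassuring values.
        if abs(s.field_value - s.hmi_value) > spec.hmi_tolerance:
            events.append(_event(spec, s, "hmi_mismatch", "high"))
        prev = s
    return events

def _event(spec, s, kind, severity):
    return {"t": s.t, "variable": spec.name, "type": kind,
            "field": s.field_value, "hmi": s.hmi_value, "severity": severity}

# Constructed scenario: rotor speed (Hz) with a narrow safe band; from t=2 the
# field value leaves the band and swings while the HMI keeps showing 1064 Hz.
ROTOR = VariableSpec("rotor_speed_hz", 1000.0, 1100.0, max_delta=20.0, hmi_tolerance=5.0)
SAMPLES = [Sample(0, 1064.0, 1064.0), Sample(1, 1064.0, 1064.0),
           Sample(2, 1400.0, 1064.0), Sample(3, 1400.0, 1064.0),
           Sample(4, 2.0, 1064.0)]

def demo() -> list:
    """Run the check on the constructed samples (8 events expected)."""
    return check_samples(ROTOR, SAMPLES)
```

The event dicts are the payload a collector would forward to the SIEM; a real deployment would acquire the field values on a tap or dedicated network device so that the check never depends on the controller software it is meant to watch.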
The semi-formal description of the detective security controls will make use of the Application Security Control (ASC) concepts as introduced by ISO/IEC 27034-x. This approach is fully in line with Nuclear IEC 62859, which provides requirements on coordinating safety and cybersecurity. Separating selected detective security controls from the process control software, as recommended, avoids increased complexity and the possibility of retroactions of security measures on safety-related functionality.
ENVIRONMENT AND SAFETY

Introduction

Cybersecurity is considered a major element of the physical protection plans for nuclear facilities, and it should be implemented from the initial phase of nuclear facility design [1]. In nuclear power plants (NPPs), I&C systems have evolved during the last decades from non-digital equipment and standalone environments to digital technologies and interconnected systems. This evolution exposes them to risks related to cyberattacks, and a cyberattack can in turn affect the safety of the NPP. A cyberattack or digital attack is the attempt by digital means to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset [2]. To minimize these risks, security controls provide the countermeasures to avoid, detect, counteract or minimize security risks to physical property, computer systems, information or other assets.

The detective application security controls provide alternative or enhanced protection means as part of a security defense-in-depth concept. Accordingly, for a new NPP they may serve as security enhancements, while for an existing NPP they may serve as an effective and cost-saving alternative in cases where the legacy process control software cannot easily be revised to include cybersecurity-specific functionality.

In principle the term “Cybersecurity Control” or just “Security Control” denotes one or a set of cybersecurity countermeasures. Security Controls are applied during all lifecycle phases of the I&C product or project [4]. In an (initially) non-safety-related context several Security Controls are similar to measures that are implemented by default in safety systems. These include, e.g., the degree of requirements traceability (e.g., to avoid the introduction of requirements on debugging functionality that may later be misused for manipulations) and requirements on testing. However, the Security Level [2, 3] of a subsystem may be increased due to the results of a risk assessment [5]. This may mandate the implementation of individual security controls that have to be met only for higher safety classes [4].

IEC 62645 [8] is the top level nuclear cybersecurity standard. It defines security controls for the nuclear
Fig. 1. Example Plant Operation related to Security Control for a Detective System [6, 7].