atw Vol. 63 (2018) | Issue 5 ı May
ENVIRONMENT AND SAFETY 286
specific Security Degrees, SD1 (most stringent requirements), SD2 and SD3 (less stringent requirements), as well as for security Baseline Requirements. This considers I&C systems of Safety Classes 1, 2, 3 and non-classified (NC) I&C systems [9], without requiring a direct mapping between Security Degrees and Safety Classes, as shown in Figure 1.
Advanced Persistent Threat (APT)
Major discussions regarding APTs started after Stuxnet exploited several zero-day vulnerabilities (vulnerabilities not yet known to the equipment vendors) [10, 11]. Experts raised concerns about how to protect critical infrastructure against the exploitation of unidentified zero-day vulnerabilities [10, 11]. Such vulnerabilities are considered not only in software or firmware, but also in the lifecycles of technical, operational and management cybersecurity controls. Zero-day vulnerabilities may exist, e.g., in commercial-off-the-shelf (COTS) software or firmware, custom-built I&C, and system designs [11]. Also, different versions of Stuxnet were able to upgrade themselves to the newest version present in the same network. As cyber protection systems cannot immediately recognize zero-day vulnerabilities, exploitation of them can stay undetected for a long time [10, 11]. These concerns regarding zero-day vulnerabilities emphasize the importance of using detective security controls in the systems of an NPP for cybersecurity.
Security Controls
Security controls are the countermeasures to avoid, detect, counteract, or minimize security risks to physical property, computer systems, information or other assets [8]. According to IEC 62645 [8], security controls can be divided into the following three categories:
• Technical controls: hardware and/or software solutions for the protection against, detection and mitigation of, and recovery from intrusion or other malicious acts.
• Physical controls: physical barriers for the protection of computers and supporting assets from physical damage and unauthorized physical access. Physical controls include barriers such as locks, physical encasements, smart electrical cabinets, tamper seals, isolation rooms, gates and guards.
• Administrative controls: policies, procedures and practices designed to protect computer systems by controlling personnel actions and behaviors. Administrative controls are directive in nature, specifying what employees and third-party personnel should and should not do. In the nuclear environment, administrative controls are understood to include operational and management controls.
Stuxnet
Stuxnet, a powerful and malicious piece of code, is a 500-kilobyte computer worm that affected the software of at least 14 industrial locations in Iran [10, 12]. One of the affected locations was a uranium-enrichment plant. While a computer virus depends on an individual person to perform the installation, a worm spreads on its own, frequently throughout computer networks [12]. The worm attacked in three phases. First, Microsoft Windows® machines and networks came under attack, and the worm repeatedly replicated itself. Then, it tried to find the Windows-based Siemens S7 software that is used to program the industrial control systems controlling equipment such as centrifuges [10, 12]. Lastly, it compromised the programmable logic controllers. Two things are important to notice in the case of Stuxnet: first, the results were hidden, so that the adversary could spy on and infiltrate the industrial systems and force the fast-spinning centrifuges to tear themselves apart without being recognized by the operator (e.g. by displaying valid graphical charts that originated from past safe plant states); and second, the input and output of the system were both manipulated at the same time. It is interesting to mention that the development of Stuxnet started in 2007. Figure 2 provides a cybersecurity threat landscape timeline related to critical infrastructure, including NPPs.
Fig. 2. Critical Infrastructure related Cybersecurity Threat Landscape [10].
Fig. 3. Categorization of Security Controls.
All three of these elements are critical to the creation of an effective control environment. A cybersecurity program shall involve the use of the above-mentioned three types of cybersecurity controls. Cybersecurity controls may contribute in different manners, mostly by contributing to the prevention of cybersecurity events, their detection, and correction, reaction and response [8]. Security controls could be used to address Advanced Persistent Threats like Stuxnet. Figure 3 illustrates the characterization of security controls.
Preventive: These are controls that prevent the loss or harm from occurring.
Detective: These controls monitor activity to identify instances where practices or procedures were not followed.
Corrective: Corrective controls restore the system or process back to the state prior to a harmful event.
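The Stuxnet description above (valid-looking charts replayed from past safe plant states while inputs and outputs were manipulated at the same time) and the definition of a detective control both point to the same practical question: what does a detective control on plant telemetry actually check? The following Python example is added here as an illustration and is not code from the article or from any plant system. It assumes a hypothetical centrifuge speed signal with two channels, an HMI-reported channel and an independent channel (e.g. an rpm estimate derived from drive power draw); all sample values are constructed. It implements two complementary detective checks: exact-window replay detection on the reported channel, and cross-channel divergence detection against the independent channel.

```python
"""Added example: two detective controls over plant telemetry.

Not from the article; hypothetical plant, constructed sample data.
"""
import hashlib


def window_fingerprint(samples):
    """Stable fingerprint of a window of readings (quantized to 0.01)."""
    data = ",".join(f"{s:.2f}" for s in samples)
    return hashlib.sha256(data.encode()).hexdigest()


def detect_replay(readings, window=4):
    """Flag windows that exactly repeat an earlier, non-overlapping window.

    Real sensor signals carry noise, so a verbatim repeat of a noisy
    sequence indicates replayed 'known good' data rather than a genuine
    plant state.  Flat windows (no variance) are skipped, because a
    steady state legitimately repeats and carries no replay evidence.
    Returns a list of (current_index, earlier_index) pairs.
    """
    seen = {}
    alerts = []
    for i in range(len(readings) - window + 1):
        win = readings[i:i + window]
        if max(win) == min(win):
            continue
        fp = window_fingerprint(win)
        if fp in seen and seen[fp] + window <= i:
            alerts.append((i, seen[fp]))
        else:
            seen.setdefault(fp, i)  # remember the earliest occurrence only
    return alerts


def detect_divergence(reported, independent, tolerance=5.0):
    """Flag sample indices where the HMI-reported value disagrees with an
    independent measurement channel by more than `tolerance`.

    This check does not depend on the reported data being a verbatim
    replay; it only requires a second channel the adversary must also
    manipulate consistently to avoid detection.
    """
    return [i for i, (r, ind) in enumerate(zip(reported, independent))
            if abs(r - ind) > tolerance]


# Constructed sample: 16 one-second samples of centrifuge speed (rpm).
# Samples 0-7 are a steady state with noise; from sample 8 the true speed
# rises far outside the safe band.  (Hypothetical values.)
TRUE_RPM = [1000.1, 1000.4, 999.8, 1000.2, 1000.5, 999.9, 1000.3, 1000.0,
            1100.2, 1200.7, 1300.1, 1400.6, 1500.3, 1600.9, 1700.2, 1800.5]

# HMI-reported channel: honest for 8 samples, then a replay of those 8
# samples so the operator's chart keeps showing the past safe state.
REPORTED_RPM = TRUE_RPM[:8] + TRUE_RPM[:8]

# Independent channel: tracks the true speed with its own small noise.
_NOISE = [0.3, -0.2, 0.1, 0.4, -0.3, 0.2, -0.1, 0.3,
          0.2, -0.4, 0.1, 0.3, -0.2, 0.4, 0.1, -0.3]
INDEPENDENT_RPM = [v + d for v, d in zip(TRUE_RPM, _NOISE)]


def assess(reported=REPORTED_RPM, independent=INDEPENDENT_RPM):
    """Run both detective checks and return their findings together."""
    return {
        "replay": detect_replay(reported),
        "divergence": detect_divergence(reported, independent),
    }


if __name__ == "__main__":
    findings = assess()
    for start, earlier in findings["replay"]:
        print(f"replay: window at {start} repeats window at {earlier}")
    for idx in findings["divergence"]:
        print(f"divergence: sample {idx} reported={REPORTED_RPM[idx]:.1f} "
              f"independent={INDEPENDENT_RPM[idx]:.1f}")
```

On the constructed data the replay check first fires at sample 8 (which repeats the window starting at sample 0), and the divergence check flags samples 8 through 15, where the reported and independent channels disagree by 100 rpm or more. The two checks are deliberately combined: exact fingerprinting is cheap but only catches verbatim replay, whereas the independent-channel comparison holds as long as the second channel is measured and transported separately from the HMI path, which is the design property a detective control of this kind relies on.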
Security defense-in-depth
Security defense-in-depth is an approach to security in which multiple and independent security controls, covering organizational, technical and operational aspects, are deployed in an architecture, as no individual security control can provide the expected security [8]. In such
Detective Application Security Controls for Nuclear Safety ı Deeksha Gupta, Karl Waedt and Yuan Gao