
atw Vol. 63 (2018) | Issue 5 ı May


specific Security Degrees, SD1 (most stringent requirements), SD2 and SD3 (less stringent requirements), as well as for security Baseline Requirements. This considers I&C systems of Safety Classes 1, 2, 3 and non-classified (NC) I&C systems [9], without requiring a direct mapping between Security Degrees and Safety Classes, as shown in Figure 1.

Advanced Persistent Threat (APT)

Major discussions regarding APTs started after Stuxnet exploited several zero-day vulnerabilities (that were not yet known to the equipment vendors) [10, 11]. Experts raised concerns on how to protect critical infrastructure against the exploitation of unidentified zero-day vulnerabilities [10, 11]. Such vulnerabilities are not only considered in software or firmware, but also in the lifecycles of the technical, operational and management cybersecurity controls. Zero-day vulnerabilities may exist e.g. in commercial-off-the-shelf (COTS) software or firmware, custom-based I&C, and system designs [11]. Also, different versions of Stuxnet present in the same network were able to upgrade themselves to the newest version. As cyber protection systems cannot immediately recognize zero-day vulnerabilities, these can stay undetected for a long time [10, 11]. The above concerns regarding zero-day vulnerabilities emphasize the importance of using detective security controls in the systems of an NPP for


Security Controls

Security controls are the countermeasures to avoid, detect, counteract, or minimize security risks to physical property, computer systems, information or other assets [8]. According to IEC 62645 [8], security controls can be divided into the following three categories:

• Technical controls: hardware and/or software solutions for the protection, detection and mitigation of, and recovery from, intrusion or other malicious acts.

• Physical controls: physical barriers for the protection of computer and supporting assets from physical damage and unauthorized physical access. Physical controls include barriers such as locks, physical encasements, smart electrical cabinets, tamper seals, isolation rooms, gates and guards.

• Administrative controls: policies, procedures and practices designed to protect computer systems by controlling personnel actions and behaviors. Administrative controls are directive in nature, specifying what employees and third-party personnel should and should not do. In the nuclear environment, administrative controls are understood to include operational and management controls.


Stuxnet, a powerful and malicious piece of code, is a 500-kilobyte computer worm that affected the software of at least 14 industrial locations in Iran [10, 12]. One of the affected locations was a uranium-enrichment plant. While a computer virus depends on an individual person to perform the installation, a worm spreads on its own, frequently throughout computer networks [12]. The worm attacked in three phases. First, Microsoft Windows® machines and networks were attacked, and the worm repeatedly replicated itself. Then, it searched for the Windows-based Siemens S7 software that is used to program the industrial control systems controlling equipment such as centrifuges [10, 12]. Lastly, it compromised the programmable logic controllers. Two things are important to notice in the case of Stuxnet: first, the results were hidden, so the adversary could spy on and infiltrate the industrial systems and force the fast-spinning centrifuges to tear themselves apart without being noticed by the operator (e.g. by displaying valid graphical charts that originated from past safe plant states); and second, the input and the output of the system were both manipulated at the same time. It is interesting to mention that the development of Stuxnet started in 2007. Figure 2 provides a cybersecurity threat landscape timeline related to critical infrastructure, including NPPs.
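The Stuxnet behaviour described above (the HMI showing readings replayed from a past safe plant state while the real process diverges) is exactly what a detective control must catch. The following is an added example, not code from the article or its authors; it assumes a diverse, independent sensor path that the compromised controller cannot write to, and uses constructed sample readings.

```python
from collections import deque
import hashlib

WINDOW = 4          # readings per fingerprinted window
TOLERANCE = 5.0     # rpm; largest plausible disagreement between diverse sensors

def fingerprint(samples):
    # A noisy physical signal never repeats a multi-sample window bit-for-bit,
    # so a fingerprint already seen in history indicates replayed data.
    return hashlib.sha256(",".join(f"{s:.3f}" for s in samples).encode()).hexdigest()

def analyze(hmi, independent):
    """Return a list of (index, reason) alerts.

    hmi:         speed values as displayed by the (possibly compromised) HMI
    independent: the same quantity from an assumed diverse sensor path
    """
    alerts = []
    buf = deque(maxlen=WINDOW)     # sliding window over HMI values
    seen = set()                   # fingerprints of all earlier windows
    for i, (shown, ref) in enumerate(zip(hmi, independent)):
        buf.append(shown)
        if len(buf) == WINDOW:
            fp = fingerprint(buf)
            if fp in seen:
                alerts.append((i, "replayed window"))
            seen.add(fp)
        # Cross-check displayed input against the independent measurement.
        if abs(shown - ref) > TOLERANCE:
            alerts.append((i, "HMI/sensor disagreement"))
    return alerts

# Constructed sample: 8 genuine readings of a steady centrifuge (with sensor
# jitter), then the same 8 readings replayed to the HMI while the independent
# sensor sees the real speed ramping up.
GENUINE = [1000.1, 1000.4, 999.8, 1000.2, 1000.3, 999.9, 1000.0, 1000.2]
HMI_STREAM = GENUINE + GENUINE
REAL_STREAM = GENUINE + [1050.0, 1100.0, 1150.0, 1200.0,
                         1250.0, 1300.0, 1350.0, 1400.0]

if __name__ == "__main__":
    for idx, why in analyze(HMI_STREAM, REAL_STREAM):
        print(f"t={idx:2d}: {why}")
```

A perfectly constant reading would also repeat exactly, so in practice the replay check is paired with a minimum-variance expectation for the sensor; the disagreement check is the one that relies on the independent path.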

Fig. 2. Critical Infrastructure related Cybersecurity Threat Landscape [10].

Fig. 3. Categorization of Security Control.

All three of these elements are critical to the creation of an effective control environment. A cybersecurity program shall involve the use of the three types of cybersecurity controls mentioned above. Cybersecurity controls may contribute in different manners, mostly by contributing to the prevention of cybersecurity events, their detection, and correction, reaction and response [8]. Security controls could be used to address the problem of Advanced Persistent Threats like Stuxnet. Figure 3 illustrates the characterization of security controls.

Preventive: These are controls that prevent the loss or harm from occurring.

Detective: These controls monitor activity to identify instances where practices or procedures were not followed.

Corrective: Corrective controls restore the system or process back to the state prior to a harmful event.

Security defense-in-depth

Security defense-in-depth is an approach to security in which multiple and independent security controls, covering organizational, technical and operational aspects, are deployed in an architecture, as no individual security control can provide the expected security [8]. In such

Environment and Safety

Detective Application Security Controls for Nuclear Safety ı Deeksha Gupta, Karl Waedt and Yuan Gao
