atw 2018-05v6

More documents

Recommendations

Info

atw Vol. 63 (2018) | Issue 5 ı May ENVIRONMENT AND SAFETY 286 specific Security Degrees, SD1 (most stringent requirements), SD2 and SD3 (less stringent requirements) as well as for security Baseline Requirements. This consider I&C systems of Safety Classes 1, 2, 3 and non-classified (NC) I&C systems [9], without requiring direct mapping between Security Degrees and Safety Classes as shown in Figure 1. Advanced Persistent Threat (APT) Major discussions regarding APTs started after the Stuxnet exploited several zero-day vulnerabilities (that were not yet known to the equipment vendors) [10, 11]. Experts raised concerns on how to protect critical infrastructure against exploitation of unidentified day-zero vulner abilities [10, 11]. The vulnerabilities are not only considered in software or firmware, but also in the lifecycles of technical, operational and management of cybersecurity controls. Zero-day vulnerabilities may exist e.g. in commercial-of-the-shelf (COTS) software or firmware, custom-based I&C, and system designs [11]. Also, different versions of Stuxnet were able to upgrade to the newest version in the same network. As cyber protection systems cannot immediately recognize zero-day vulnerabilities, they can stay undetected for long time [10, 11]. The above concerns regarding zero day vulnerabilities emphasize importance of using detective security controls in the systems of a NPP for cybersecurity. Security Controls Security controls are the countermeasures to avoid, detect, counteract, or minimize security risks to physical property, computer system, information or other assets [8]. According to IEC 62645 [8] security controls can be divided in the following three categories: • Technical Controls: hardware and/or software solutions for the protection, detection and mitigation of and recovery from intrusion or other malicious acts. • Physical controls: physical barriers for the protection of computer and supporting assets from physical damage and unauthorized physical access. The physical controls include barriers such as locks, physical encasements, smart electrical cabinets; tamper seals, isolation rooms, gates and guards. • Administrative controls: policies, procedures and practices designed to protect computer systems by controlling personnel actions and behaviors. The administrative controls are directive in nature, specifying what employees and third party personnel should and should not do. In the nuclear environment, administrative controls are understood to include operational and management controls. Stuxnet Stuxnet – a powerful and malicious piece of code, is a 500-kilobyte computer worm that affected the software of minimum 14 industrial locations in Iran [10, 12]. One of the affected locations was a uranium-enrichment plant. While a computer virus depends on an individual person to perform installation, a worm spreads on its own, frequently throughout computer networks [12]. The worm attacked in three phases. First, Microsoft Windows® machines and networks were under the attack. The worm repeatedly replicated itself. Then, it tried to find Windows-based Siemens S7 software and used to program industrial control systems that control equipment, e.g. centrifuges [10, 12]. Lastly, it compromised the programmable logic controllers. Two things are important to notice in the case of Stuxnet; first, results were hidden consequently the adversary could spy and infiltrate the industrial systems and force the fast-spinning centrifuges to split themselves apart without being recognized by operator (e.g. by displaying valid graphical charts that originated from past safe plant states); and second – input and output of the system both were manipulated at the same time. It is interesting to mention that the development of Stuxnet started in 2007. Figure 2 provides a cybersecurity threat landscape timeline related to critical infrastructure, including NPPs. | | Fig. 2. Critical Infrastructure related Cybersecurity Threat Landscape [10]. | | Fig. 3. Categorization of Security Control. All three of these elements are critical to the creation of an effective control environment. Cybersecurity program shall involve the use of the above mentioned three types of cybersecurity controls. Cybersecurity controls may contribute in different manners, mostly by contributing to – the prevention of cybersecurity events; their detection; correction, reaction and response [8]. Security controls could be used to solve the problem of Advanced Persistent threat like Stuxnet. Figure 3 illustrates the characterization of security controls. Preventive: These are controls that prevent the loss or harm from occurring. Detective: These controls monitor activity to identify instances where practices or procedures were not followed. Corrective: Corrective controls restore the system or process back to the state prior to a harmful event. Security defense-in-depth Security defense-in-depth is an approach to security in which multiple and independent security controls, covering organizational, technical and operational aspects, are deployed in an architecture, as no individual security control can provide the expected security [8]. In such Environment and Safety Detective Application Security Controls for Nuclear Safety ı Deeksha Gupta, Karl Waedt and Yuan Gao
atw Vol. 63 (2018) | Issue 5 ı May (a) (b) | | Fig. 4. (a) Data Diode (High Sec. to Low Sec. Zone), (b) Data Diode (Low Sec. to Higher Sec.). approach, it is the set of diversified and independent security controls which is able to bring the needed prevention, detection and response capabilities. The security defense-in-depth principle shall guide the selection of security controls [8]. Detective Security Controls The one most frequently used security control is detective controls – identifying events after they have happened. Depending on how soon the detective control is invoked after an event, a system may uncover a loss long after there is any opportunity to limit the amount of damages. Following detective security controls could be used in NPPs to protect control system of a NPP from emerging and sophisticate cyber-attacks: 1. Data diodes Data diodes operate on a simple rule – data moves just in one direction between networks [14, 15]. For example, in the nuclear domain, data diodes are used as possible segregation enforcement between safety and control networks as well as isolated engineering support networks and enterprise networks (intranets). Data diodes can provide enhanced security by e.g. allowing either incoming or outgoing data. As presented in Figure 4(a), Data diode just allows data transfer from High Security Zone to Low Security Zone. In this way, no manipulation to data can be done and therefore, manipulated data cannot be sent to I&C system. Figure 4(b) indicates Data diode data transmission from a Low Security Zone, e.g. Intranet to Higher Security Zone. In this way, confidential information will not be stolen through the Low Security Zone and no control/ command manipulations can be initiated from the Low Security Zone. Often, lower security zone is composed of only monitoring systems and in some cases a connection is only required for time stamping [15, 16]. Figure 5 elaborates how Data diodes maintain the employment of solutions that meet requirements of high security levels [17]. The advantage of Data diodes is that they are secure as cyber-attacks mainly depend on bidirectional traffic [15, 16]. Therefore, data diode could be used as a tool of detective security control. For e.g. data diode would not allow to delete any data from the system, which could be | | Fig. 5. Secure Centralized Logging via Data Diode [6, 7]. intractable if done once. And also notification will be sent to the main server by data diodes if there any change would be made in log file. 2. Preventive, detective and corrective security control By assigning detective control, it is possible to collect digital evidence later on. Based on an annotation by preventive, detective, corrective and mitigating security controls potential vulnerabilities at the cybersecurity architecture or design level may be detected by an analysis of prioritized paths along the branches of the attack trees [18]. The specification of the Application Security Controls may optionally indicate their protective strength with regard to a specific unskilled/trained/sophisticated/ persistent attacker. Figure 6 shows an Attack Tree Analysis (ATA) for e.g. of a Turbine Island Electrical System (TI ES) [18], based on an elaboration by preventive, detective and corrective security controls. Attack Trees are based on the semi-formal notation, e.g. with regard to Causeways and their assumed (and later on to be assessed) properties. The ATA may start at an Environment (containing staff) where an attacker is assumed. Based on the Business Connections the possible targets (Business Domains) can be evaluated and the attack trees (spanning the Communication Connections) can be generated [18]. The security controls are structured in line with ISO/ IEC 27002 [19]. In order to reflect the special nuclear I&C requirements like handling security of legacy topics, an additional nuclear I&C security specific IEC 63096 [7] is introduced to extend the SC45A series of documents addressing cybersecurity. In future, this standard can also be used as a basis for refurbishment projects. 3. Standard detective controls Logging is another detective control, e.g. card reader indication. If a system is operated by ten log files which are configurable to some extent. Limited status changes should be allowed in system log file. Logging events are generated after each security status change and if for e.g., in every 100 events, there are at most 20 changing speed. But if it is up to 50 now then it may be an attack. A policy setting ontrols Event Log behavior when the log file reaches its maximum size. If this policy is enabled then if setting and a log file reaches its maximum size new events are not written to the log and are lost. If it is disabled or do not configure this policy setting and a log file reaches its maximum size new events overwrite old events. When logging is disabled, time losses are evident as security events should be identified immediately as they occur and ENVIRONMENT AND SAFETY 287 Environment and Safety Detective Application Security Controls for Nuclear Safety ı Deeksha Gupta, Karl Waedt and Yuan Gao
Page 1: nucmag.com 2018 5 285 Security Cont
Page 4 and 5: atw Vol. 63 (2018) | Issue 5 ı May
Page 40: atw Vol. 63 (2018) | Issue 5 ı May
Page 57 and 58: Kommunikation und Training für Ker
Page 65 and 66:
atw Vol. 63 (2018) | Issue 5 ı May
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
The International Expert Conference
show all

atw 2018-05v6

Create successful ePaper yourself

Delete template?

Save as template?