atw 2018-05v6


atw Vol. 63 (2018) | Issue 5 ı May



Fig. 4. (a) Data Diode (High Sec. to Low Sec. Zone), (b) Data Diode (Low Sec. to Higher Sec.).

approach, it is the set of diversified and independent security controls which is able to bring the needed prevention, detection and response capabilities. The security defense-in-depth principle shall guide the selection of security controls [8].

Detective Security Controls

The most frequently used type of security control is the detective control, which identifies events after they have happened. Depending on how soon the detective control is invoked after an event, a system may uncover a loss long after there is any opportunity to limit the amount of damage.

The following detective security controls could be used in NPPs to protect the control system of an NPP from emerging and sophisticated cyber-attacks:

1. Data diodes

Data diodes operate on a simple rule: data moves in just one direction between networks [14, 15]. For example, in the nuclear domain, data diodes are used as possible segregation enforcement between safety and control networks as well as isolated engineering support networks and enterprise networks (intranets).

Data diodes can provide enhanced security by, e.g., allowing either incoming or outgoing data. As presented in Figure 4(a), the data diode allows data transfer only from the High Security Zone to the Low Security Zone. In this way, no manipulation of data can be done and therefore manipulated data cannot be sent to the I&C system.

Figure 4(b) indicates data diode transmission from a Low Security Zone, e.g. the intranet, to a Higher Security Zone. In this way, confidential information will not be stolen through the Low Security Zone and no control/command manipulations can be initiated from the Low Security Zone. Often, the lower security zone is composed of only monitoring systems, and in some cases a connection is only required for time stamping [15, 16]. Figure 5 elaborates how data diodes maintain the employment of solutions that meet requirements of high security levels [17].

The advantage of data diodes is that they are secure, as cyber-attacks mainly depend on bidirectional traffic [15, 16]. Therefore, a data diode could be used as a tool of detective security control. For example, a data diode would not allow any data to be deleted from the system, which could be intractable if done once. In addition, a notification will be sent to the main server by the data diode if any change is made in a log file.

Fig. 5. Secure Centralized Logging via Data Diode [6, 7].

2. Preventive, detective and corrective security


By assigning a detective control, it is possible to collect digital evidence later on. Based on an annotation by preventive, detective, corrective and mitigating security controls, potential vulnerabilities at the cybersecurity architecture or design level may be detected by an analysis of prioritized paths along the branches of the attack trees [18]. The specification of the Application Security Controls may optionally indicate their protective strength with regard to a specific unskilled/trained/sophisticated/persistent attacker. Figure 6 shows an Attack Tree Analysis (ATA), for example of a Turbine Island Electrical System (TI ES) [18], based on an elaboration by preventive, detective and corrective security controls.

Attack Trees are based on a semi-formal notation, e.g. with regard to Causeways and their assumed (and later on to be assessed) properties. The ATA may start at an Environment (containing staff) where an attacker is assumed. Based on the Business Connections, the possible targets (Business Domains) can be evaluated and the attack trees (spanning the Communication Connections) can be generated [18].
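The annotation and path prioritization described above can be sketched as follows. This is an added example, not code from the article or from [18]; the tree, node names, control names and the ranking rule (paths without an effective detective control first) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

LEVELS = ["unskilled", "trained", "sophisticated", "persistent"]

@dataclass
class Control:
    name: str
    kind: str      # "preventive", "detective" or "corrective"
    strength: str  # highest attacker level the control is assumed to withstand

@dataclass
class Node:
    name: str
    controls: list = field(default_factory=list)  # controls on the connection into this node
    children: list = field(default_factory=list)

def paths(node, prefix=()):
    """Yield every root-to-leaf path (attacker environment -> target)."""
    prefix += (node,)
    if not node.children:
        yield prefix
    for child in node.children:
        yield from paths(child, prefix)

def analyse(root, attacker):
    """Return (path, effective control kinds) pairs, weakest-covered path first."""
    rank = LEVELS.index(attacker)
    rows = []
    for path in paths(root):
        kinds = sorted({c.kind for n in path for c in n.controls
                        if LEVELS.index(c.strength) >= rank})
        rows.append((" -> ".join(n.name for n in path), kinds))
    # Paths without an effective detective control come first, then fewest kinds.
    return sorted(rows, key=lambda r: ("detective" in r[1], len(r[1])))

def undetected(root, attacker):
    """Paths on which no detective control holds against this attacker."""
    return [p for p, kinds in analyse(root, attacker) if "detective" not in kinds]

# Constructed sample tree; node and control names are hypothetical.
TREE = Node("Office environment", children=[
    Node("Enterprise network", [Control("firewall", "preventive", "trained")], [
        Node("Engineering workstation",
             [Control("central logging", "detective", "sophisticated")], [
            Node("TI ES", [Control("access control", "preventive", "trained")])])]),
    Node("Maintenance laptop", [Control("media check", "preventive", "unskilled")], [
        Node("TI ES")]),
])

if __name__ == "__main__":
    for level in LEVELS:
        print(level, analyse(TREE, level))
```

Running the analysis per attacker level shows which branches lose their detective coverage as the assumed attacker becomes stronger.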

The security controls are structured in line with ISO/IEC 27002 [19]. In order to reflect the special nuclear I&C requirements, like handling security of legacy topics, an additional nuclear I&C security specific IEC 63096 [7] is introduced to extend the SC45A series of documents addressing cybersecurity. In the future, this standard can also be used as a basis for refurbishment projects.

3. Standard detective controls

Logging is another detective control, e.g. card reader indication. Suppose a system is operated with ten log files which are configurable to some extent. Limited status changes should be allowed in the system log file. Logging events are generated after each security status change. If, for example, in every 100 events there are at most 20 changing speed, but it is now up to 50, then it may be an attack. A policy setting controls Event Log behavior when the log file reaches its maximum size. If this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. If this policy setting is disabled or not configured and a log file reaches its maximum size, new events overwrite old events. When logging is disabled, time losses are evident as security events should be identified immediately as they occur and


Environment and Safety

Detective Application Security Controls for Nuclear Safety ı Deeksha Gupta, Karl Waedt and Yuan Gao
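The logging passage above combines a rate baseline (at most 20 speed changes per 100 events) with the behavior of a full log file. The following added example, which is not code from the article, models both and shows how the full-log policy decides whether the detector ever sees the suspicious block. The class, function and event names are hypothetical and the event stream is constructed.

```python
from collections import deque

class EventLog:
    """Model of a size-limited log (hypothetical class, not an OS API).

    retain_old=True  -> policy enabled: new events are not written and are lost.
    retain_old=False -> policy disabled/not configured: new events overwrite old.
    """
    def __init__(self, max_size, retain_old):
        self.max_size, self.retain_old = max_size, retain_old
        self.events, self.lost = deque(), 0

    def write(self, event):
        if len(self.events) >= self.max_size:
            if self.retain_old:
                self.lost += 1
                return
            self.events.popleft()  # overwrite the oldest event
        self.events.append(event)

def over_baseline(events, kind="speed_change", window=100, baseline=20):
    """Return (start index, count) for each block of `window` events that
    holds more than `baseline` events of `kind`."""
    events = list(events)
    alerts = []
    for start in range(0, len(events) - window + 1, window):
        count = events[start:start + window].count(kind)
        if count > baseline:
            alerts.append((start, count))
    return alerts

def replay(stream, max_size, retain_old):
    """Write the stream into a bounded log, then run the detector on what survived."""
    log = EventLog(max_size, retain_old)
    for event in stream:
        log.write(event)
    return over_baseline(log.events), log.lost

# Constructed stream: two blocks with 20 speed changes per 100 events,
# then one block with 50 per 100.
NORMAL = (["speed_change"] + ["status"] * 4) * 20
BURST = ["speed_change", "status"] * 50
STREAM = NORMAL * 2 + BURST

if __name__ == "__main__":
    print("full stream:", over_baseline(STREAM))
    print("retain old :", replay(STREAM, 200, retain_old=True))
    print("overwrite  :", replay(STREAM, 200, retain_old=False))
```

With a 200-event limit, the retain-old policy drops the whole 50-per-100 block before the detector can evaluate it, while the overwrite policy keeps it at the cost of the oldest events.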
