atw Vol. 63 (2018) | Issue 5 | May

Fig. 4. (a) Data Diode (High Sec. to Low Sec. Zone), (b) Data Diode (Low Sec. to Higher Sec.).
approach, it is the set of diversified and independent security controls which is able to bring the needed prevention, detection and response capabilities. The security defense-in-depth principle shall guide the selection of security controls [8].
Detective Security Controls

The most frequently used class of security control is the detective control: identifying events after they have happened. Depending on how soon the detective control is invoked after an event, a system may uncover a loss long after there is any opportunity to limit the amount of damage. The following detective security controls could be used in NPPs to protect the control systems of an NPP from emerging and sophisticated cyber-attacks:
1. Data diodes

Data diodes operate on a simple rule: data moves in just one direction between networks [14, 15]. For example, in the nuclear domain, data diodes are used as a possible segregation enforcement between safety and control networks, as well as between isolated engineering support networks and enterprise networks (intranets).

Data diodes can provide enhanced security by, e.g., allowing either incoming or outgoing data only. As presented in Figure 4(a), the data diode only allows data transfer from the High Security Zone to the Low Security Zone. In this way, no manipulation of the data can be done and therefore manipulated data cannot be sent to the I&C system. Figure 4(b) shows data diode transmission from a Low Security Zone, e.g. the intranet, to a Higher Security Zone. In this way, confidential information cannot be stolen through the Low Security Zone and no control/command manipulations can be initiated from the Low Security Zone. Often, the lower security zone is composed of only monitoring systems, and in some cases a connection is only required for time stamping [15, 16]. Figure 5 elaborates how data diodes support the deployment of solutions that meet the requirements of high security levels [17].
The advantage of data diodes is that they are secure, as cyber-attacks mainly depend on bidirectional traffic [15, 16]. Therefore, a data diode can be used as a tool of detective security control. For example, a data diode would not allow any data to be deleted from the system, which could be intractable once done; in addition, a notification is sent to the main server by the data diode if any change is made to a log file.

Fig. 5. Secure Centralized Logging via Data Diode [6, 7].
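As an added illustration of the one-way logging arrangement of Figure 5 (example code written for this edit, not the authors' code or any product implementation), the following Python model gives the diode object a single forward() method and no return path, and lets the central collector keep an append-only store whose records are bound together by a SHA-256 hash chain. A record that is dropped or altered between the two zones then breaks the chain and raises an alert instead of silently disappearing. The class names, the record layout and the sample log messages are assumptions made for this example.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the very first record


def record_hash(seq: int, msg: str, prev: str) -> str:
    """SHA-256 over the canonical record body; binds each record to its predecessor."""
    body = json.dumps({"seq": seq, "msg": msg, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class LogSource:
    """Log producer on the sending side: emits hash-chained records, has no receive path."""

    def __init__(self) -> None:
        self.seq = 0
        self.prev = GENESIS

    def emit(self, msg: str) -> dict:
        self.seq += 1
        digest = record_hash(self.seq, msg, self.prev)
        record = {"seq": self.seq, "msg": msg, "prev": self.prev, "hash": digest}
        self.prev = digest
        return record


class LogCollector:
    """Central log server: append-only store that verifies sequence number and chain."""

    def __init__(self) -> None:
        self.store: List[dict] = []
        self.alerts: List[str] = []
        self.expected_seq = 1
        self.expected_prev = GENESIS

    def receive(self, rec: dict) -> bool:
        intact = (
            rec["seq"] == self.expected_seq
            and rec["prev"] == self.expected_prev
            and rec["hash"] == record_hash(rec["seq"], rec["msg"], rec["prev"])
        )
        if not intact:
            # A dropped, reordered or altered record breaks the chain: notify, do not store
            self.alerts.append(
                f"chain break: got seq {rec['seq']}, expected seq {self.expected_seq}"
            )
            return False
        self.store.append(rec)
        self.expected_seq += 1
        self.expected_prev = rec["hash"]
        return True


class DataDiode:
    """One-way link: only forward() exists; nothing can flow back to the source."""

    def __init__(self, sink: LogCollector) -> None:
        self._sink = sink

    def forward(self, rec: dict) -> bool:
        return self._sink.receive(dict(rec))  # copy: the sink never touches source state


def run_scenario(tamper: Optional[str] = None) -> Tuple[int, List[str]]:
    """Replay constructed records through the diode; optionally simulate tampering.

    Returns (number of records accepted by the collector, alerts raised).
    """
    source, collector = LogSource(), LogCollector()
    diode = DataDiode(collector)
    # Constructed sample messages for the example (not taken from the paper)
    messages = ["operator login", "setpoint changed", "alarm acknowledged", "operator logout"]
    records = [source.emit(m) for m in messages]
    if tamper == "delete":
        del records[1]                    # one record lost in transit
    elif tamper == "modify":
        records[1]["msg"] = "no change"   # content altered without re-hashing
    for rec in records:
        diode.forward(rec)
    return len(collector.store), collector.alerts


if __name__ == "__main__":
    for case in (None, "delete", "modify"):
        print(case or "intact", run_scenario(case))
```

The collector stops accepting records after the first break so that the gap is visible to an analyst; a production collector would additionally persist the alert through a path the sending zone cannot reach, which is exactly what the diode guarantees.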
2. Preventive, detective and corrective security control

By assigning detective controls, it is possible to collect digital evidence later on. Based on an annotation with preventive, detective, corrective and mitigating security controls, potential vulnerabilities at the cybersecurity architecture or design level may be detected by an analysis of prioritized paths along the branches of the attack trees [18]. The specification of the Application Security Controls may optionally indicate their protective strength with regard to a specific unskilled/trained/sophisticated/persistent attacker. Figure 6 shows, as an example, an Attack Tree Analysis (ATA) of a Turbine Island Electrical System (TI ES) [18], based on an elaboration with preventive, detective and corrective security controls.
Attack Trees are based on the semi-formal notation, e.g. with regard to Causeways and their assumed (and later on to be assessed) properties. The ATA may start at an Environment (containing staff) where an attacker is assumed. Based on the Business Connections, the possible targets (Business Domains) can be evaluated and the attack trees (spanning the Communication Connections) can be generated [18].
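To make the "prioritized paths" analysis of the two preceding paragraphs concrete, the following Python example (added for this edit; it is not the authors' tool and does not reproduce Figure 6) expands a small AND/OR attack tree into scenarios, annotates each step with preventive and detective controls rated on the text's unskilled/trained/sophisticated/persistent scale, and ranks the scenarios by the attacker capability they require, placing undetected scenarios ahead of detected ones. The tree, its node names, the controls and their strength values are hypothetical assumptions chosen only to exercise the ranking.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Attacker capability scale from the text; the list index is the capability level
LEVELS = ["unskilled", "trained", "sophisticated", "persistent"]


@dataclass
class Control:
    name: str
    kind: str      # "preventive", "detective" or "corrective"
    strength: int  # highest LEVELS index the control stops (preventive) or catches (detective)


@dataclass
class Node:
    name: str
    gate: str = "LEAF"                 # "OR", "AND" or "LEAF"
    base_level: int = 0                # capability needed for this step with no controls
    controls: List[Control] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def scenarios(node: Node) -> List[List[Node]]:
    """Expand the tree into scenarios: one node list per distinct way of reaching the root."""
    if node.gate == "LEAF":
        return [[node]]
    if node.gate == "OR":
        return [[node] + s for child in node.children for s in scenarios(child)]
    combined: List[List[Node]] = [[]]   # AND gate: every child must succeed
    for child in node.children:
        combined = [acc + s for acc in combined for s in scenarios(child)]
    return [[node] + s for s in combined]


def assess(path: List[Node]) -> Tuple[int, bool]:
    """Required attacker level for a scenario, and whether a detective control covers it."""
    level = max(n.base_level for n in path)
    for n in path:
        for c in n.controls:
            if c.kind == "preventive":      # the attacker must exceed the control's strength
                level = max(level, c.strength + 1)
    detected = any(
        c.kind == "detective" and c.strength >= level for n in path for c in n.controls
    )
    return level, detected


def level_name(level: int) -> str:
    """Human-readable level; a level beyond the scale means no modelled attacker succeeds."""
    return LEVELS[level] if level < len(LEVELS) else "blocked"


def prioritize(root: Node) -> List[Tuple[int, bool, List[str]]]:
    """Rank scenarios: lowest required capability first, undetected ones before detected."""
    ranked = []
    for path in scenarios(root):
        level, detected = assess(path)
        ranked.append((level, detected, [n.name for n in path]))
    return sorted(ranked, key=lambda r: (r[0], r[1]))


def build_example_tree() -> Node:
    """Hypothetical, heavily simplified tree; names, levels and controls are assumptions."""
    return Node("TI ES control disrupted", "OR", children=[
        Node("Via engineering network", "AND", children=[
            Node("Reach engineering network", base_level=1,
                 controls=[Control("Network segmentation", "preventive", 1)]),
            Node("Alter controller configuration", base_level=1,
                 controls=[Control("Configuration change logging", "detective", 2)]),
        ]),
        Node("Via maintenance media", "AND", children=[
            Node("Bring in compromised media", base_level=1,
                 controls=[Control("Media check kiosk", "preventive", 0)]),
            Node("Use media on maintenance laptop", base_level=1),
        ]),
    ])


if __name__ == "__main__":
    for lvl, det, names in prioritize(build_example_tree()):
        print(f"{level_name(lvl):>13} | detected={det} | {' -> '.join(names)}")
```

In the constructed tree the media scenario ranks first: a preventive control of strength 0 only raises the bar to a trained attacker and no detective control covers the path, whereas the engineering-network scenario needs a sophisticated attacker and is covered by configuration change logging. Adding a detective control to the media path, or raising the kiosk's strength, moves it down the ranking, which is the design-level feedback the text describes.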
The security controls are structured in line with ISO/IEC 27002 [19]. In order to reflect the special nuclear I&C requirements, like handling the security of legacy topics, an additional nuclear I&C security specific standard, IEC 63096 [7], is introduced to extend the SC45A series of documents addressing cybersecurity. In future, this standard can also be used as a basis for refurbishment projects.
3. Standard detective controls

Logging is another detective control, e.g. a card reader indication. A system may be operated with ten log files which are configurable to some extent; only limited status changes should be allowed in a system log file. Logging events are generated after each security status change; if, for example, in every 100 events there are at most 20 status changes, but the number is now up to 50, then it may be an attack. A policy setting controls Event Log behavior when the log file reaches its maximum size. If this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. If it is disabled or not configured and a log file reaches its maximum size, new events overwrite old events. When logging is disabled, time losses are evident, as security events should be identified immediately as they occur and
Environment and Safety | 287 | Detective Application Security Controls for Nuclear Safety | Deeksha Gupta, Karl Waedt and Yuan Gao