From MITRE ATT&CKcon Power Hour December 2020
By Jacob Benjamin, Principal Industrial Consultant Dragos, INL, & University of Idaho
Design Basis Threat (DBT) is a concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT-centric security controls. Using MITRE’s ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.
2. PREVIOUS ICS EXPERIENCE
+ Idaho National Laboratory
+ Areva NP
+ Duke Energy
ABOUT THE PRESENTER
JACOB BENJAMIN – DIRECTOR OF PROFESSIONAL SERVICES
RESEARCH AREAS
+ Nuclear Cybersecurity
+ Cyber Risk Management
+ Wireless Security
+ Software-Defined Networking
+ Malware Analysis
+ Steganography Detection
CREDENTIALS
+ Ph.D., Computer Science
+ M.S., Cybersecurity
+ B.S., Computer Science
+ CISSP
3. + What is a DBT?
+ How are they developed?
+ What does a DBT look like?
+ Are there cyber DBTs?
+ Are there cyber DBTs?
DESIGN BASIS THREAT (DBT)
OVERVIEW
4. “ATTEMPT OF THEFT OF A SIGNIFICANT AMOUNT OF NUCLEAR MATERIAL (E.G. 10KG OF PU) BY A GROUP OF 6 OUTSIDERS EQUIPPED WITH 10 KG TNT EXPLOSIVE, AUTOMATIC WEAPONS (INCLUDING LIGHT INFANTRY WEAPONS) AND SPECIFIC COMMERCIALLY AVAILABLE INTRUSION TOOLS. THEY HAVE A COMPREHENSIVE KNOWLEDGE OF THE FACILITY AND ASSOCIATED PHYSICAL PROTECTION MEASURES. WILLING TO DIE OR TO KILL. NO COLLUSION WITH INSIDER.”
IAEA DBT WORKSHOP
EXAMPLE DBT
5. SENSING OPPORTUNITIES
RESPONSE TIME VS ADVERSARY TASK TIME
[Figure: timeline comparing Adversary Task Time with PPS Response Time. Time markers: T0, TD, Ti, Tc. Labelled events: Adversary Begins Task, First Sensing, Adversary Detected, Adversary Interrupted, Adversary Completes Task. Labelled intervals: Detection Time, Response Force Time, Adversary Task Time Remaining After 1st Sensing, Time Remaining After Interruption.]
6. CYBER SECURITY
FOR NUCLEAR POWER PLANTS
KEY DOCUMENTS
• NEI 04-04, Voluntary Cyber Program
• 10 CFR 73.54, The Cyber Rule
• NEI 08-09, Cyber Security Plan
• NEI 13-10, Cyber Security Assessments
CHALLENGES
• Describing the cyber threat landscape
• Modeling cyber-initiated events
• Mal-operation vs malware
USING ATT&CK
• Describe threat behavior
• Conduct adversary emulation
• Evaluate actual events & case studies
Cybersecurity risk mitigation for nuclear power plants began in 2002 and 2003, when the NRC included cybersecurity requirements in the Physical Security and Design Basis Threat Orders.
7. USING TRADITIONAL DBT
ANALYSIS FOR CYBER
PAST CYBER EVENTS
• Nuclear sector
• Energy sector
• ICS overall
CREDIBLE THREAT INTELLIGENCE
• Dragos World View Bulletins
• CISA / ICS-CERT
• Vendors
SITE SPECIFIC TARGETS
• Crown Jewel Analysis
• Consequence-based targeting
8. EXAMPLE CYBER DBT DEVELOPMENT
Targets
• SIS
• Turbines
• Generators
Past Events
• CrashOverride
• Trisis
• Stuxnet
Threat Intel
• World View
• CISA
• Vendors
9. ATTEMPT TO CAUSE A LOSS OF SAFETY IMPACT. ADVERSARY HAS BEEN KNOWN TO USE DRIVE-BY COMPROMISE, EXTERNAL REMOTE SERVICES, VALID ACCOUNTS, SUPPLY CHAIN COMPROMISE, AND ICS-TAILORED MALWARE. THEY HAVE DESTRUCTIVE CAPABILITIES, UNDERSTAND PROCESS IMPLICATIONS, AND HAVE SPECIFIC KNOWLEDGE OF INDUSTRIAL CONTROL SYSTEMS. WILLING TO CAUSE PHYSICAL HARM OR KILL. NO COLLUSION WITH INSIDER.
CYBER DBT
RESULT
13. • DIGEST THREAT INTELLIGENCE
    • WorldView, CISA, vendors, etc.
• UNDERSTAND YOUR SYSTEMS
    • Crown Jewel Analysis
• EVALUATE YOUR DEFENSES
    • Quantify your mitigation and detection coverage
• FOCUS ON THREAT BEHAVIORS
    • Combine and correlate this information with a common lexicon (ATT&CK)
HOW TO CREATE A CYBER DBT
SUMMARY
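ADDED EXAMPLE (not part of the original slides): a sketch of the four steps above in Python, correlating threat intelligence with crown-jewel targets by ATT&CK technique name and then quantifying mitigation and detection coverage. The technique names are the ones on the Cyber DBT slide; every mapping in the sample data and both function names are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: techniques each threat-intel source reported.
INTEL = {
    "WorldView": {"Drive-by Compromise", "Valid Accounts", "Supply Chain Compromise"},
    "CISA": {"External Remote Services", "Valid Accounts"},
    "Vendor": {"Valid Accounts", "Supply Chain Compromise"},
}
# Constructed: techniques assessed as applicable to each crown-jewel system
# at a hypothetical site (output of a Crown Jewel Analysis).
TARGETS = {
    "SIS": {"Valid Accounts", "Supply Chain Compromise"},
    "Turbines": {"External Remote Services", "Valid Accounts"},
    "Generators": {"External Remote Services"},
}
# Constructed: current defenses, technique -> (mitigated, detected).
DEFENSES = {
    "Drive-by Compromise": (True, True),
    "External Remote Services": (True, False),
    "Valid Accounts": (False, True),
    "Supply Chain Compromise": (False, False),
}

def build_dbt(intel, targets, min_sources=1):
    """Keep techniques reported by >= min_sources feeds that apply to a crown jewel.

    Returns {technique: [affected targets]}, the behavior list of the cyber DBT.
    """
    seen = Counter(t for techs in intel.values() for t in techs)
    dbt = {}
    for tech in sorted(t for t, n in seen.items() if n >= min_sources):
        hit = sorted(name for name, applicable in targets.items() if tech in applicable)
        if hit:  # behaviors that touch no crown jewel stay out of the DBT
            dbt[tech] = hit
    return dbt

def coverage(dbt, defenses):
    """Fraction of DBT techniques mitigated / detected, plus uncovered techniques."""
    state = {t: defenses.get(t, (False, False)) for t in dbt}  # unknown = uncovered
    n = len(state)
    return {
        "mitigation": sum(m for m, _ in state.values()) / n if n else 0.0,
        "detection": sum(d for _, d in state.values()) / n if n else 0.0,
        "gaps": [t for t, (m, d) in state.items() if not (m or d)],
    }

if __name__ == "__main__":
    dbt = build_dbt(INTEL, TARGETS)
    print(dbt)
    print(coverage(dbt, DEFENSES))
```

Raising min_sources narrows the DBT to behaviors corroborated by several sources; the gaps list is the set of DBT behaviors with neither a mitigation nor a detection in place.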
14. • ASSESS EFFECTIVENESS OF DEFENSES
• EVALUATE THREAT DETECTION COVERAGE
• DEVELOP AND TEST IR PLAYBOOKS
• TRAIN PERSONNEL
• IDENTIFY ‘BEYOND DESIGN’ SCENARIOS
WHY SHOULD YOU USE CYBER DBTS?
SUMMARY