This document discusses the need for cyber security programs at nuclear power plants. It notes that industrial control systems and supervisory control and data acquisition (SCADA) systems used in nuclear power are vulnerable to cyber attacks, as evidenced by numerous past hacks. The objective of a cyber security program is to protect critical digital assets from cyber attacks that could adversely impact safety, security, or emergency response. The document outlines similarities between existing nuclear safety and security cultures and how a cyber security culture can be developed. It also discusses challenges and successes in implementing cyber security programs in the United States.
Implementing Cyber Security Programs to Enhance Nuclear Safety Culture
1.
2. Jason M. Hollern
Cyber Security Technical Leader
March 29-30, 2017 – Kyiv, Ukraine
Enhancing the Nuclear Safety Culture by Implementing a Cyber Security Program
3. AREVA NP
The information in this document is AREVA NP property and is intended solely for
the addressees. Reproduction and distribution are prohibited.
Agenda
Why Cyber Security for Nuclear Power Plants?
The Nuclear Safety Culture and Nuclear Security Culture
Similarities
Cyber Security Relative to the Nuclear Safety Culture
Safety, Security, and Cyber Security Culture Requirements
Basic Principles Of Nuclear Cyber Security
Key Concepts
U.S.A. Challenges And Successes
Status & Next Steps in the U.S.A.
Conclusions
4.
Why Cyber Security for Nuclear Power Plants?
Cyber Security threats to Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) Systems are real.
There have been numerous attacks on ICS and SCADA Systems throughout the world.
Seven (7) nuclear sector incidents were reported to ICS-CERT in 2015.*
* ICS-Cyber Emergency Response Team 2015 Year In Review
5.
Vulnerabilities in ICS Equipment
Successful attacks on ICS and SCADA equipment exploit unmitigated software and hardware vulnerabilities.
Many Critical Digital Assets (CDAs) that are used in the nuclear power plant cannot be patched, upgraded, or fixed until a refueling outage.
Potentially unpatched or unmitigated for up to 24 months (or even longer)
A total of 486 vulnerabilities in ICS/SCADA equipment were reported to ICS-CERT in 2015*
* ICS-CERT 2015 Year In Review
6.
Recent ICS Hacks
7.
Cyber Security for Nuclear Power Plants
Objective: To protect digital equipment within the nuclear power plant from cyber attacks up to and including the Design Basis Threat (DBT) that would adversely impact operational safety, security, or emergency response.
i.e., protect from acts of radiological sabotage
Ensure safety and important-to-safety equipment is protected from malicious cyber acts
8.
Nuclear Industrial Control Systems (ICS)
Safety Systems
• Reactor Protection System
• Emergency Core Cooling
• Safe Shutdown Systems
• Residual Heat Removal
Balance of Plant (BOP) Systems (Important-to-Safety)
• Turbine Control System
• Steam Generator Level Control (Feedwater)
• Fuel Handling Systems
Emergency Preparedness
• Emergency Radio System
• Meteorological System
Physical Security Systems
• Security Computer
• Intrusion Detection
• Security Cameras
• Vehicle Barriers
• Badging/Access Controls
Examples of Nuclear ICS
9.
Existing Safety and Security Cultures
Similarities
Nuclear Safety Culture
“The core values and behaviors resulting from a collective commitment
by leaders and individuals to emphasize safety over competing goals to
ensure protection of people and the environment” – US NRC
This requires an investment by employees, management, and stakeholders, through their priorities, beliefs, and attitudes, so that safety practices and safety issues are given priority.
Nuclear Security Culture
“Characteristics and attitudes in organizations and of individuals which
establish that the questions relating to protection against the theft and
other unlawful taking of nuclear material on one hand and any deliberate
act (sabotage) directed against nuclear facilities or nuclear material in
use, storage and transport on the other hand, receive the attention
warranted by their significance”
This instills a questioning attitude in individuals and organizations at the NPP and it prevents hostile action, theft, or deliberate acts, protecting people, both onsite and offsite, from the dangers of radiological exposure.
10.
Cyber Security Relative to the Safety
Culture
Development of a nuclear cyber security culture should not be
different than the process used to develop and implement the safety
and security culture.
Three Major Elements
Commitments of Nuclear Power Plant organizations
Commitments of managers
Commitments of individuals*
The commitments of the organization and the management provide
the structure, framework, hierarchy, support, and tools needed for
individuals to be successful.
Commitments of the individual are the most important because individuals maintain a positive attitude of ownership, maintain a level of awareness supported by training, comply with procedures and rules, and maintain a questioning attitude.
11.
Requirements in the U.S.A.
Nuclear Safety Culture
Law in the US to establish a Nuclear Safety Culture: “will adopt a positive
safety culture that is commensurate with the safety and security
significance of their activities,” (2011)
Nuclear Security Culture
Law in the US through the U.S. Code of Federal Regulations that requires nuclear licensees to protect the plant from malicious action that could result in an offsite release of radiological materials
Nuclear Cyber Security Culture
None
10 CFR 73.54 – Cyber Security Rule, “Protection of Digital Computer and
Communication systems and Networks” – Does not mandate an outright
Cyber Security Culture
12.
Basic Principles of Nuclear Cyber Security
Cyber Program Implementation Objectives
Counter the threat & comply with regulations
► Infrastructure & Program Development
► Training and Awareness
► Vulnerability Assessment – Critical Digital Assets
► Vulnerability Mitigation Plan
► Implement Remediations
► Maintain Program
The Threat
Threats to OT/ICS leveraging vulnerabilities associated with 5 basic attack vectors.
Nation State Actors (APT), Malicious Insiders, Activists, Accidental Exposure
In the US in 2015, seven incidents were reported in the nuclear sector.
Attack Vectors
Physical Access
Wired Access
Wireless Access
Portable Media
Regulations
► May not yet be promulgated by regulator
► Basis varies by country
o United States: 10 CFR 73.54 -> US NRC RG 5.71, NEI 13-10, and NEI 08-09
o International: IAEA Nuclear Series #17, IEC 62645, and ISO 27000 Series
13.
Key Strategies and Concepts
Identification of digital ICS equipment in scope of cyber security program
Employee and Vendor Training
Deterministic Network Segregation
Do not allow remote access to ICS, production, safety, security, monitoring, etc. systems from business networks, vendors, public, or offsite.
Portable Media Device (PMD) Protection
Flash drives, cell phones, laptops, etc.
Application of cyber security controls
Risk based analysis
Consequence based analysis
Threat and Compromise Monitoring
Processes, procedures, and infrastructure technology
Tamper indication
Near real-time monitoring (SIEM)
14.
U.S.A Challenges and Successes
Challenges
Centralized nuclear industry consensus on cyber security program implementation
Management commitment to comprehensive cyber security program, staff, and resources
Development of comprehensive programmatic procedures to have repeatable results and success on the first attempt
Assessment and ongoing monitoring program development (technical and programmatic)
Successes
Industry and regulator coordination through conferences, workshops, and technical taskforces
Interim Milestones completion, inspections, and inherent protections
15.
Cyber Security Team and Responsibilities
Executive Sponsor
Cyber Security Program Owner
Cyber Security Incident Response Team (CSIRT)
Cyber Security Assessment Team (CSAT)
Cyber Security Specialists (CSS)
All Employees
16.
Accomplishments in the U.S.A
Plants have developed a Cyber Security Program
Determined the CDAs
Deterministically segregated their control system networks from the business networks (installed data diodes)
Developed a robust PMD program
Instituted security rounds to monitor physical tampering
Implemented general awareness training for cyber security and effects of cyber compromise on critical plant systems.
17.
Current and Future Activities in the U.S.A.
Currently working on full implementation of their cyber program
Conducting cyber security assessments on CDAs
Remediating cyber security technical/programmatic control failures
Developing near real-time detection capabilities
Developing training for the general employees, cyber security staff, and workers that interface with ICS
Developing procedures to implement technical and programmatic cyber security controls
Regulatory inspections after 31/12/2017
18.
Conclusions
Cyber Security for nuclear power plants is needed to combat current ICS threats and instill an enhanced nuclear safety culture
IT Systems and protection strategies are different from OT/ICS Systems typically found in nuclear control system networks
The U.S.A. has implemented a program to protect Critical Systems (Safety, Important-to-Safety, etc.) and CDAs from a cyber attack
There is still more work to be done in the U.S.A. and worldwide
Cyber Security is implicitly linked to nuclear safety!
19.
Questions