Cyber Security Plans: Potential Impacts for

Meteorology Programs

Cliff Glantz and Guy LandinePacific Northwest National Laboratory

cliff.glantz@pnnl.gov509-375-2166

1

Acknowledgements

Guy Landine, Phil Craig, and Will Hutton (PNNL)David Rahn and Mario Fernandez (NRC)Jeff Hahn and Barry O’Brien (INL)

• Ray Parks and John Michalski (SNL)

2

Outline

• Key cyber security definitions • Why should you be concerned with

cyber security? • The cyber threat -- where does it come

from? • Review of the rules, guidance, and

commitments for nuclear industry cyber security

• Cyber Security Plans – what are the licensees committing to?

• What does this mean for meteorological programs?

3

Key Definitions

4

• Cyber Security -- measures taken to protect digital equipment/systems against unauthorized access or attack

• Cyber Attack is any event in which an adversary attempts or commits a malicious exploitation of a digital system. The NRC focuses on systems that perform a function.

• A critical system (CS) is a system that has a:(1) safety-related function(2) important-to-safety function(3) security function(4) emergency preparedness function (incl. offsite comm.)

Also includes support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

Cyber Security is a “Hot” Topic

Headline stories encountered while preparing this talk:• “Vigilante hackers group ‘Anonymous’ declared and online

attack against the International Monetary Fund” over the strict conditions imposed by its bailout for Greece”. (AFP)

• “The Pentagon said that it would consider all options if the United Stations were hit by a cyber attack” and the Defense Department is developing “the first military guidelines for the age of Internet warfare.” (AFP)

• “Hackers launched a ‘significant and tenacious’ cyber attack on Lockheed Martin, a major defense contractor holding highly sensitive information” (AP)

5

Cyber Security Threat

• “Terrorist groups and their sympathizers have expressed interest in using cyber means to target the United States and its citizens”

• “Criminal elements continue to show growing sophistication in their technical capability and targeting. Today, cyber criminals operate a pervasive, mature on-line service economy in illicit cyber capabilities and services, which are available to anyone willing to pay.”

-- Dennis Blair, Former White House Director of National Intelligence (Feb. 2, 2010)

6

Threat Agents

7

In the Past, What Could a Cyber Threat Exploit?

Not much 20 years ago, when nuclear plant systems featured: •Limited use of digital systems•Proprietary operating systems•Legacy hardware•Systems dedicated to functions•Isolated networks

– Stand-alone Systems – Main Frame with Dumb Terminals

8

What Can the Cyber Threat Exploit Today?

A lot more! Nuclear facilities are increasing using:• Networked, PC-based client-server architecture• Modern operating systems with continuously discovered emerging

vulnerabilities• Non-proprietary hardware• Commercial off-the-shelf (COTS) applications• Distributed data• Expanded use of internet and intranet communications

This is the same trend observed in general industry and other critical infrastructures, though the nuclear industry’s implementation often trails by a few years…

9

Driving Factors for Change & Security TradeoffsDriving Factors:• Desire for increased functionality• Obsolescence issues (analog parts/support are lacking)• Advances in PC technology• Increased capabilities and lower equipment costs• Drive to share data and conduct data mining

Security Tradeoffs:• Well known architectures and operating systems• Increased operating system complexity• Inadequate vendor testing and uncertain vendor security• Testing limitations on operational systems• Increased connectivity leads to increased risk• Widespread availability of hacking tools/capabilities

10

Response by the NRC and Industry

• There is growing recognition of the potential threat and consequences of a cyber attack

• There is a recognized need for cyber security guidance.

However;• It takes a long time to develop effective cyber

security rules, regulations, and guidance• Added expense• Short-term loss of productivity• Shortage of trained cyber security experts who are

knowledgeable of the control system environment.

11

NRC and Industry Cyber Security Milestones

• NRC Order EA-02-026, Interim Safeguards and Security Compensatory Measures for Nuclear Power Plants, (2002). Identify digital systems critical to the safe operation of a plant and evaluate the potential consequences of a compromise.

• NRC Order EA-03-086, Design Basis Threat for Radiological Sabotage (2003). Required each plant to develop a cyber security program.

• NUREG/CR-6847 Cyber Security Self-Assessment Method for US Nuclear Power Plants (2004)

• NUREG/CR-6852 An Examination of Cyber Security at Several U.S. Nuclear Power Plants (2005)

• NEI-04-04 Cyber Security Program for Power Reactors (2004)

12

• Regulatory Guide 5.69 Guidance for the Application of the Radiological DBT in the Design, Development and Implementation of a Physical Security Protection Program that Meets 10 CFR 73.55 Requirements

• 10 CFR 73.1 (2007) Design Basis Threat Rule

• 10 CFR 73.54 (2009) Protection of Digital Computer and Communication Systems and Networks.

• Regulatory Guide 5.71 (2010) Cyber Security Programs for Nuclear Facilities

• NEI 08-09 Rev. 6 (2010) Cyber Security Plan For Power Reactors

• Licensee Cyber Security Plans (2011?)13

NRC Cyber Security Milestones

10 CFR 73.54 – Brief, General Requirements

14

Cyber Security Rule (10 CFR 73.54) Requires

• “Provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks”

• Applies to safety, security, and emergency preparedness (SSEP) systems and those digital devices that can that can adversely affect SSEP functions.

• Protect the confidentiality, availability, and integrity of systems and data.

• Analyze all digital assets, systems, and networks to determine which ones require protection under this Rule.

• Establish, implement, and maintain a cyber security program to protect these assets.

• Implement security controls to protect the identified assets from cyber attacks.

15

Cyber Security Rule 73.54 (Cont.) Requirements• Apply and maintain defense-in-depth protective

strategies to ensure the capability to detect, respond to, and recover from cyber attacks.

• Ensure that the functions performed by the critical assets are not impacted due to cyber attacks.

• Ensure that personnel, including contractors, are aware of cyber security requirements and receive training appropriate to their duties.

• Evaluate and manage cyber risks.• Ensure that modifications to assets or the facility are

evaluated prior to implementation to ensure that cyber security performance objectives are met.

16

Cyber Security Rule 73.54 (Cont.) Requirements• Implement an Incident Response and Recovery Plan:

– Maintain the capability for timely detection and response to cyber attacks

– Mitigate consequences of cyber attacks– Correct exploited vulnerabilities– Restore affected systems, networks, or equipment

• Develop and maintain written policies and procedures for implementing the program and plan requirements. Make these available for inspection by NRC.

• Periodically review the effectiveness of the program. • The cyber security program shall be a component of the

physical security program.• Retain cyber security-related records for at least 3 years.

17

What have the Licensees Committed to do in their Cyber Security Plans?

• Analyze all digital computer, communication systems and networks and identify CSs and associated digital assets.

• Form a Cyber Security Assessment Team (CSAT) to:– Oversee the cyber security assessment process– Evaluate potential threats, vulnerabilities,

consequences– Evaluate and document the effectiveness of

existing cyber security training, security controls, defensive strategies, and attack mitigation methods

– Confirm findings of tabletop reviews and conduct walk-down inspections and/or electronic verification of all CSs

18

CSP Requires: Implement a Defensive Architecture

19

CSP Requires: A Comprehensive Set of Security Controls

• Security Controls fall into three classes:– Management– Operational – Technical

• Each class is made up of families of security controls.

• Management Class of Security Controls– Analyzing Digital Computer Systems and Applying Cyber

Security Controls– Cyber Security Assessment and Authorization– System and Service Acquisition– Evaluate and Manage Cyber Risk

 20

Security Controls (cont)

• Operational Class of Security Controls – Defense-in-Depth– System and Information Integrity– Cyber Security Training – Configuration Management– Maintenance– Media Protection– Cyber Security Contingency Planning (Continuity of

Operations)– Attack Mitigation and Incident Response– Personnel Security– Physical and Operational Environmental Protection

21

Security Controls (cont)

• Technical Class of Security Controls – Access Control – Audit and Accountability– Identification and Authentication– CDA, System and Communications Protection – System Hardening

• The three classes of security controls are divided into 19 families, which in turn contain close to 140 individual security controls. Each security controls has number of required elements.

22

A simple example

• System and Service Acquisition– System and Service Acquisition Policy and Procedures– Supply Chain Protection

• Establish trusted distribution paths• Validation of Vendors• Tamper proof products or tamper seals are required

– Trustworthiness (QA of software)– Integration of Security Capabilities (follow security controls)– Developer Security Testing

• Developers/integrations must create a security test and evaluation plan and an implementation plan

• Products must meet security requirements and be free of testable vulnerabilities and known malicious code.

– Licensee Security Testing

23

CSP Requires: Ongoing Assessment of Cyber Security Controls

• Monitoring is required to confirm that security controls are implemented correctly, operating as intended, and achieving security goals

• Electronic vulnerability scanning of CSs is required.• “When there is a risk of operational disruption, electronic

vulnerability scans are conducted during periods of scheduled outage. Test beds and vendor maintained environments may be used for or in substitution for performing vulnerability scans.”

24

CSP Requirements for Modifying or Dropping a Security Control

• Alternative security controls can be employed if you:– Document the basis for employing alternative

countermeasures– Analyze and document the alternative countermeasure

to show it provides a ≥ level of protection• One or more required security controls can be dropped

after:– Performing an analysis that demonstrates the attack vector

that these security control(s) defend against does not exist on this CS. This demonstrates that these security control(s) are not necessary on this CS.

– Documenting the analysis so that it is available for review by NRC inspectors.

25

What Questions Should Meteorological Systems “Owners” be Asking Themselves?

• Are my met monitoring/processing systems connected to systems that perform SSEP systems?

• Do my digital communications conform to the defensive architecture requirements?

• What form is my data communication? Does it use TCP/IP? Or does it use a more secure method?

• How do I know my met hardware (e.g., data loggers) and software are secure? Do I know my vendors security program? What is their security testing program?

• Do I regularly patch my operating systems?• Can vendors remotely access my met systems?• How do I maintain adequate physical security on met

systems located outside the perimeter fence?

26

A New Age of Cyber Security is Dawning

• There are a lot of bad guys out there looking to compromise nuclear power plant systems.

• Cyber security enhances overall plant security.• It will take time and resources to appropriately

implement the CSP.• There may be a need to rethink how you do

your digital communications.• Don’t get caught with your pants down! Be

aware of what is coming and be proactive in your planning!

27

Discussion, Questions, Comments?

Cliff GlantzPNNLPO Box 999Richland, WA 99352509-375-2166cliff.glantz@pnnl.gov

28