
Evolution of cyber threat to Nuclear Systems...manipulation or falsification) consistent with the...

Date post: 10-Aug-2020
www.inl.gov Evolution of cyber threat to Nuclear Systems Robert Hoffman NHS Consultant, INL
Transcript
Page 1: Evolution of cyber threat to Nuclear Systems...manipulation or falsification) consistent with the threat assessment or design basis threat.” INFCIRC rev.5 Cyber Integration IAEA

www.inl.gov

Evolution of cyber threat to Nuclear Systems

Robert Hoffman

NHS Consultant, INL

Page 2

Mission Support Center: Forward Looking Threat Analysis

Threat analysis for prevention, detection, resilience & proactive response for “all-hazards” to cyber-physical control systems.

• Threat Analysis for Actionable Strategic Intelligence

– Not just the latest tactical incident

– Term, Trend, Threat Actor Analysis

– Characterize Risk for investment decisions & responses

– Identify future Gaps & solutions for defense of key assets

• Teams of Subject Matter Experts: Analyst, Cyber, Sector

– Technical Analysis of Intelligence

– Cyber on Control Systems

– Electric power, nuclear processes

– Wireless communication, network engineers

– Human factors, systems of systems approach

• Cooperative Government Program Relationships

– Multiple Vulnerability Assessment Programs

– DOE: Mitigation R&D, Industry threat outreach

– DHS: ICS-CERT ops center, incident response teams

– International partners & programs

• Extend INL’s Industry Experience & Infrastructure Leadership

– Asset Owners & Operators

– Equipment Vendors

– Integrators & Security Providers

Page 3

Cyber Threat Evolution

• The state of cyber in a nuclear security world

• Introduce key factors influencing that world and driving fundamental change.

• Friction being created as the nuclear security and cyber security worlds collide.

• FACTORS: Attack escalation with increased capability, Inter-connectedness/efficiency, Asymmetry (nature of war), rate of technology change/adoption, etc.

• Impact of cyber on risk models, PRA and Global DBT.

Page 4

Unique Nuclear Considerations

• Materials Protection & Accountability

– theft

• Fuel Processing Facilities

– sabotage

• Nuclear Power Plants

– release

• Supporting Infrastructure

– loss of critical services


Physical Cyber Interdependency:

• Access Control Systems

• Non Safety Systems

• Physical Security

• Transportation

• Waste Processing

• HVAC

• Fire Protection

• Materials monitoring

• Emergency Response

• Power subsystems

• Safeguards

Page 5

INFCIRC rev.5 Cyber Integration

• INL cyber / nuclear experts provide technical assistance focused on the development of implementation strategies for IAEA NSS 13, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5)

– Work with Japan and South Korea has centered on test bed and training development and the incorporation of Industrial Control System (ICS) security considerations.

– IPPAS mission cyber module updates and performance in Finland, Romania and South Korea.

– Provided cyber nuclear component to US–Japan bilateral security assessment as part of Material Protection Control and Accounting (MPC&A)

“Computer based systems used for physical protection, nuclear safety, and nuclear accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment or design basis threat.”

IAEA INFCIRC 225.rev 5 has global impacts on cyber nuclear security - every country is striving to find a viable path forward.

Page 6

Challenges: Myths in “Air Gapped” Systems

• Corporate Net connected to ICS (firewall)

• Remote access by engineering stations or support vendors

• Field devices comm ports with little or no authentication

• Required Calibration: laptops & handhelds

• Wireless communications instead of cable

• Removable media: upgrades & backups

– Flash drives

– CDs

– External hard drives

– “a periodic net connection”

• Unified Buses: Common buses for Control & Safety Systems

[Figure: control system network diagram. Labeled components: Data Acquisition Server, Database Server, Configuration Server, Engineering Workstations, HMI, Primary Historian, Remote Net Router (Operations, Engineering, Business Partners, Vendor Support), Control System, Modem Pool, Field Devices, Safety System, Field Controllers, Control System Network, HMI, Industrial Wireless]

Page 7

Challenges: Information Technology vs. Industrial Control Systems (ICS)

Topic | IT | ICS
Design Philosophy | Information Protection, Rapid change in function | Functional Reliability, Designed on Electromech Fault Basis
Uptime | Regular maintenance down times | Nearly 100%
Change & Patch Management | Regular and scheduled | Formal Testing and Strategic scheduling
Incident Response & Forensics | Well defined and deployed | Uncommon, no forensics beyond event re-creation
Technology Support Lifetime | 2 to 3 years | 10 to 20 years

Page 8

Aggressor perspective

Topic | ICS | Opportunity
Design Philosophy | Functional Reliability, Electromech Fault Basis | Preplanned manipulation of 1 – n devices
Uptime | Nearly 100% | Supports interaction during “off normal hours”
Change & Patch Management | Testing and Strategic scheduling | Minimizes impact to malware execution
Incident Response & Forensics | Uncommon, no forensics beyond event re-creation | Abnormal behavior creates engineering investigation, not cyber forensics
Technology Support Lifetime | 10 to 20 years | High ROI and malware sustainability for target environment

Page 9

ICS centric Vulnerability Discovery has become not only mainstream but “coin of the realm” for a subset of the global security community… The response requires a coordinated effort, prioritization and dedicated resources.

The industry of today is operating upon the battlefield of tomorrow…

Page 10

Critical Infrastructure Cyber Threats

[Figure: chart of cyber threats plotted by LIKELIHOOD (Less to Very) against CONSEQUENCES (Smallest to Largest). Labels on the chart: Directed Corruption, Sophisticated Injection, Poison Data, Compromise Process, Disruption, Concentrated DDOS, Probe, DOS, Worm, System Compromise, System Control, Low & slow, Persistent Presence, Cyber Activists]

General Cyber Attacks - Less Structured

• Notoriety and Fame

“Just to Do It”

• Hacking Economy

Directed Cyber Attacks – Structured Hackers

• Direct & Targeted Monetary Gain

• Extreme Activist / Groups

• Disgruntled Employee

Strategic Information Warfare

• Major Economic Gain

• Cyber Terrorism

• Asymmetric Warfare

GRP III

• Nation States

• Terrorist

• Autonomous Collectives

GRP II

• Organized Crime

• Competitors

• Hackers for Hire

GRP I

• Mainstream

• GRP II & III

Page 11

Evolving Nature of Cyber Threat

• Lack of institutional constraints: “As with other Anonymous posts, it is hard to verify if the attackers are part of the hacking collective and whether they are responsible for the attack on the Vatican site. Anonymous is a decentralized, loosely organized collection of hacktivists with no real leadership. In the past, hackers have claimed actions on behalf of Anonymous only to have others within the collective deny those actions.”

Page 12

Is the guard at your gate working for you?

Security Solutions?

Page 13

Security firm finds SCADA software flaws; won't report them to vendors

ReVuln will sell vulnerability information to private buyers as part of a commercial service, the company says

IDG News service – November 2012

• Malta-based security start-up firm ReVuln claims to be sitting on a stockpile of vulnerabilities in industrial control software, but prefers to sell the information to governments and other paying customers instead of disclosing it to the affected software vendors.

• In a video released Monday, ReVuln showcased nine "zero-day" vulnerabilities which, according to the company, affect SCADA (supervisory control and data acquisition) software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. ReVuln declined to disclose the name of the affected software products.

The attackers "can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service," ReVuln co-founder and security researcher Luigi Auriemma said Monday via email. "They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure."

Page 14

Cyber-Physical Challenges in Nuclear Facilities


Page 15

Framework for Consequence/ Threat-Driven Design

Type of Threat:

• Blended Local Attack (digital & material sabotage)

• Directed remote attack with witting insider & supply chain (Nations/groups)

• Directed remote attack with unwitting insider (Nations/groups)

• Remote directed attack (APT)

• Cybersecurity defenses versus unstructured/non-directed cyber threats (crime, Botnets, etc.)

[Figure: framework chart with columns Type of Threat, Consequence Scale and Protection Scale. Labels in the figure, in extraction order: Plant Process Safety, Radiologic Safety, Radiologic Worst Case, Data Theft, Disrupt Operations, Disrupt Cyber, Commercial Risk, People Risk, Prevention, Signature Security Solutions, Detect, Manage, Recover, Redundant Systems, Engineering, Two person Rule, Engineering, Full Spectrum Defense. Annotations: “Applies to very small group (.01%) of assets”; “Applies to small group of assets (CDAs)”]

Page 16

Current Process to Manage Safety Risk

Design Basis: Perform specific control functions to failsafe or maintain the safe operations

Problem: For an adversary specifically “targeting” your facility, with modern digital I&C you will be operating in “contested waters” in all layers (you are/will be “owned”)

Page 17

Questions / Comments
