Nuclear Security Requires Cyber Security
A. DAVID MCKINNON, PH.D., MARY SUE HOXIE
Cyber Physical Security Team, National Security Directorate
Project on Nuclear Issues (PONI) Fall 2015 Conference
PNNL-SA-113027
October 20, 2015
Cyber Security—It’s not new
Passing notes in class
  Secrets: Confidentiality
  From Billy to Suzy: Integrity
  During class, not afterwards: Availability
Consequences varied
  Security impact levels
Confidentiality
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]
A loss of confidentiality is the unauthorized disclosure of information.
Nuclear security relevance
  Protecting restricted data from unauthorized access
  Protecting facility design information
  Protecting the PII of nuclear workers
Integrity
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]
A loss of integrity is the unauthorized modification or destruction of information.
Nuclear security relevance
  Corrupted radiation sensor data will impact worker safety
  Missing/destroyed historical data will impact after-action reviews of incidents
  Modified plant configuration parameters may lead to inefficient operation or even unsafe operation
Integrity is critical for real-time control applications
Availability
“Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]
A loss of availability is the disruption of access to or use of information or an information system.
Nuclear security relevance
  Continuity of operations, surviving natural disasters, etc.
  Delayed data delivery will impact real-time control operations
Availability has historically been provided via fault tolerance and redundancy
Real World Nuclear Examples
Davis Besse Nuclear Power Plant*
  Slammer worm infected plant, Aug. 20, 2003
  Shut down the digital portion of Safety Parameter Display System (SPDS) and Plant Process Computer (PPC) for several hours
  Worm started at contractor’s site and spread to the corporate plant network
Korea Hydro & Nuclear Power (KHNP)**
  Phishing emails to retirees & 3rd party contractors
  Malware email received, Dec. 09, 2014
  Information released, Dec. 15-23, 2014 & March 2015
  Received threat to shut down nuclear power plant
Nuclear security is impacted by cyber security
*US DHS, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2008-12/ICSsecurity_ISPAB-dec2008_SPMcGurk.pdf, Accessed: 4 Feb 2015
**Gahm-Yong Kim, “End to End: In the case of Cyber Security Threats to KHNP”, IAEA Computer Security in a Nuclear World Conference, Vienna, June 2015.
**Min Baek, “ROK’s Regulatory Perspective for Cyber Security of Nuclear Facilities”, IAEA Computer Security in a Nuclear World Conference, Vienna, June 2015.
Cyber Security
Target was breached late 2013
  Customer credit card data was stolen
  Attack vector: HVAC vendor’s remote access
Heartbleed
  Exploit extracted encryption keys from OpenSSL servers
  Timeline
    March 2012, OpenSSL 1.0.1 released
    April 2014, vulnerability publicly disclosed
  Required: massive server patching and password changing
Adversaries may attack indirectly, you may never see an early indicator
Critical software flaws may be discovered years after deployments
Cyber Security in 2015
Anthem
  Discovered January 29, 2015, attack began in Dec. 2014
  Breach of 80 million SS# and other personal information*
  Phishers set up false information sites*
Premera Blue Cross
  Disclosed March 17, 2015
  Discovered January 29, 2015, initial attack occurred on May 5, 2014**
  Breach of financial and medical records of 11 million customers†
Office of Personnel Management (OPM)
  Disclosed May 2015
  Data breach impacted 21 million people††
The nuclear workforce is at risk from non-nuclear cyber attacks
*Krebs on Security, http://krebsonsecurity.com/2015/02/phishers-pounce-on-anthem-breach/, Acc.: 6 July 2015
**Premera Update, http://premeraupdate.com/, Acc.: 6 July 2015
†Krebs on Security, http://krebsonsecurity.com/2015/03/premera-blue-cross-breach-exposes-financial-medical-records/, Acc.: 6 July 2015
††Information about OPM Cybersecurity Incidents, https://www.opm.gov/cybersecurity/, Acc. 13 September 2015
Cyber-Physical Security
Enigma (World War II)
  Stolen machines enabled cryptanalysis
  Decrypted messages sunk ships
German Steel Mill (2014)
  Email used to steal credentials
  Attackers moved from the business network to control network
  Blast furnace suffered massive damage
IAEA Cyber Security in a Nuclear World Demonstration (2015)
  “Art of the possible” live demonstration
  Cyber attack on cameras enabled physical (information) theft at 3rd party
  Stolen information enabled design of a custom cyber attack
  Cyber attack disabled a key pump
Assess Your Risks
What are your “Crown Jewels”?
Are you prepared for natural disasters?
  Fire, flood, storms, …
Who is your most likely “attacker”?
  Clueless/Careless insider
  Malicious insider
  “Script kiddie”
  Organized crime
  Advanced (enough) Persistent (enough) Threat
Source: SEL, Inc., https://www.selinc.com/cybersecurity/posters/
What are they worth to you? (Ransom / Blackmail)
What are they worth to someone else?
Are you a pawn in somebody else’s chess game?
Could you survive and/or recover from a cyber security incident?