Security Control Overlays

NPIC & HMIT 2015: Cyber Security Issues Related to Digital I&C Systems Charlotte, NC, February 26, 2015

HIGH ASSURANCE CYBERSECURITY CONTROLS AGAINST PERSISTENT THREATS AND TARGETED ATTACKS ON INSTRUMENTATION AND CONTROL SYSTEMS IN NUCLEAR FACILITIES (Draft)

Pavol Zavarsky, CISSP, CISM, CISA, PhD

ABSTRACT

In this paper, an insight into two high assurance cybersecurity plan templates for nuclear facilities, namely the templates of the NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010, is provided. The two cybersecurity plan templates were developed to assist the nuclear industry in complying with the legal requirements of Title 10 of the U.S. Code of Federal Regulations §73.54. Regarding compliance with the regulatory requirement, the paper discusses the concept of cybersecurity control overlays as a way to achieve a higher level of assurance that instrumentation and control systems in nuclear facilities are adequately protected against both legacy and advanced targeted attacks. In the paper, the control overlays are considered within the concept of layered defense-in-depth. Examples are shown to illustrate that control overlays applied to individual layers of the defense-in-depth result in a cybersecurity protection that can be modelled as an orthogonal two-dimensional layering of security controls. It is emphasized that the two-dimensional layering of security controls makes each layer of the defense-in-depth protection more robust against both intentional and unintentional compromise and in this way facilitates a higher level of assurance of adequate protection against advanced cyberattacks.

Key Words: High assurance, cybersecurity, defense-in-depth, security control overlays

1

INTRODUCTION

Due to the complexity of the current threat landscape and the existence of a wide range of possible vulnerabilities in operational, technical and management cybersecurity controls, any organization can become a victim of a persistent or advanced targeted attack, performed from inside and/or outside [1],[2]. Therefore, a high assurance cybersecurity protection of critical systems must be comprehensive, robust and resilient to defend against the variety of possible attack vectors exploiting the system vulnerabilities. To achieve the cybersecurity objective, the licensees of the U.S. Nuclear Regulatory Commission (NRC) have been adopting comprehensive cybersecurity risk management frameworks, typically based on an adaptation of the NIST risk management framework and the guidelines of the NRC and the Nuclear Energy Institute (NEI) [3],[4],[5],[6],[7]. The comprehensive risk management frameworks for nuclear facilities include both security functional and assurance controls. The assurance controls are indispensable for ensuring that the required cybersecurity functionality is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the cybersecurity requirements for the computer-based systems. There have been a number of newspaper articles published recently, such as the one on almost two thousand security incidents in Korean nuclear power plants during the last five years [8] or the well-publicized Stuxnet attack on the I&C systems in the Natanz and Bushehr nuclear facilities in Iran [9], that affect public perceptions of the possibly limited level of cybersecurity protection of computer-based systems in nuclear facilities. The reported cybersecurity incidents at the Korean and Iranian facilities were the results of exploitation of vulnerabilities in functional and assurance cybersecurity controls.


Recent studies [10] show that malware plays a role in about forty percent of cybersecurity incidents. The finding confirms that attack vectors on computer-based systems are not limited to exploitation of possible software vulnerabilities. Since computer-based systems throughout their lifecycle contain both technical and non-technical components, and considering the limitations of the human component, the systems should be viewed, from a risk management perspective, as potentially insecure-by-design systems. In critical infrastructure environments, all systems require risk-based cybersecurity protection. For this reason, this paper focuses on the fact that, regardless of whether the computer-based systems were designed as secure-by-design or not, Title 10 of the U.S. Code of Federal Regulations (CFR) §73.54 requires licensees operating nuclear power plants to protect computer-based systems and networks from (i) cyberattacks that modify, destroy, or compromise the integrity or confidentiality of data or software; (ii) attacks that deny access to systems, services, or data; and (iii) attacks that impact the operation of systems, networks, and equipment [11]. The high assurance requirements of Title 10 CFR 73.54 include expectations of a high strength of security functionality of cybersecurity controls and a high degree of assurance that the cybersecurity functionality is complete, consistent, and correct.

The paper is organized as follows. First, the current cybersecurity assurance concerns and the recently changed threat landscape are briefly outlined in Section 2. Then, the cybersecurity plan templates of the U.S. NRC and NEI are compared and their differences are highlighted in Section 3. Possible enhancements of the cybersecurity plan templates are also outlined in Section 3. It is shown that the sets of functional and assurance cybersecurity controls of the plan templates of the NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010 can be enhanced by utilizing recent advances in understanding of the current complex threat environment and advances in cybersecurity protection. The defensive cybersecurity strategy based on defense-in-depth, as required by the U.S. NRC RG 5.71:2010, is revisited in Section 4. In that section, the concepts of security control overlays and two-dimensional layering of mutually independent (orthogonal) security controls are discussed. The control overlays, which are not considered in the NRC RG 5.71:2010 and NEI 08-09:2010 but are recommended by the NIST SP 800-82 Rev.2:2014 and CNSSI No. 1253:2013, are shown to enable an enhanced assurance of the adequacy of cybersecurity defense-in-depth protection of critical computer-based systems against compromise. Finally, Section 5 concludes the paper.

2

CURRENT CYBERSECURITY ASSURANCE CONCERNS IN PROTECTING CRITICAL SYSTEMS

According to the results of studies performed by Verizon, Microsoft, McAfee, Kaspersky, and Symantec, the current major cybersecurity concerns include the following: (1) an increasing distinction between a threat source and threat actors, facilitated by the availability of various forms of cybercrime-as-a-service; (2) about half of security breaches are committed by well-funded cybercrime professionals; (3) approximately a fifth of all security breaches are performed by state-supported threat actors, with foreign governments acting as threat sources; (4) insufficient protection against targeted attacks plays a major role in about a quarter of cybersecurity incidents; (5) insiders, who can be threatened, bribed, influenced, or pretexted, are the threat actors in about one fifth of security incidents; (6) a relatively low level of awareness of security threats among cybersecurity professionals (demonstrated by a lack of understanding of cyberattacks such as Stuxnet, Duqu, or Operation Aurora); (7) unawareness of the teams responsible for the cybersecurity of systems that their systems have been compromised (more than half of all security breaches are discovered by external parties); (8) a long average time to discover security incidents, measured on average in months; (9) while anti-malware protection is in many cases a major focus of cybersecurity protection, malware plays a role in only about 40% of security breaches, emphasizing the need for an approach to cybersecurity that goes beyond software security; and (10) privilege abuse by trusted users (system administrators, insiders) is the most common form of misuse violating cybersecurity policies, making trust management an important component of effective cybersecurity governance.

Regarding possible flaws in trust management, the successful Stuxnet and Heartbleed attacks demonstrated limitations of the commonly used whitelisting approach to cybersecurity. In whitelisting, there is an assumption that whatever meets certain pre-defined criteria is indeed trusted. However, as illustrated by the Heartbleed bug in a widely trusted implementation of the Transport Layer Security (TLS) protocol, and by the Stuxnet attack that exploited a trusted digital certificate from a major third party, whitelisting may result in approving and authorizing untrustworthy system components. As shown above, misplaced trust is common in various areas of cybersecurity and ranges from misplaced trust in the knowledge and skills of cybersecurity administrators, through a false sense of security caused by misplaced trust in incident detection capabilities, to whitelisted trusted insiders who can misuse their system privileges. The cybersecurity control overlays discussed later in this paper can be designed and implemented to provide a higher level of assurance that systems are adequately protected even when the whitelisting process is vulnerable.

The Stuxnet attack on the nuclear facility in Iran that exploited several day-zero vulnerabilities reignited discussions on how to protect critical systems against the exploitation of unknown day-zero vulnerabilities. Since a vulnerability is an exploitable flaw or weakness in system security procedures, design, implementation, or internal security controls, vulnerabilities are not limited to software or firmware, but occur also in the lifecycles of technical, operational and management cybersecurity controls. Day-zero vulnerabilities, i.e. exploitable, publicly unknown vulnerabilities, are not limited to vulnerabilities in commercial off-the-shelf software or firmware. Day-zero vulnerabilities may exist also in custom-built I&C, system designs, security environments, cybersecurity control baselines, security assurance frameworks, and components of security governance.
If the cybersecurity protection system is not designed to protect against day-zero vulnerabilities, then attacks targeting day-zero vulnerabilities are likely to remain unnoticed until long after they were launched. The above concerns can be related to the risks of targeted attacks, which are commonly a realization of a persistent threat. Gaps in the cybersecurity knowledge of system administrators, possible flaws in cybersecurity governance, or insiders motivated by external threat sources to act as threat actors and harm organizational assets are examples of persistent threats. Advanced persistent threats can be stealthy, concealing themselves and achieving their goals in a persistent way, over a prolonged period, using a multistep approach. According to a recent ISACA study [12], 92% of respondents believe that the advanced persistent threat is a serious threat. The above cybersecurity concerns reflect some of the recent changes in the threat environment and outline possible challenges in implementing a risk-based approach to cybersecurity. The existence of a variety of cybercrime services at various levels of professionalism available to threat sources; cybersecurity administrators who, when tested, frequently show a lack of knowledge of cybersecurity threats and vulnerabilities; privileged insiders able to perform unauthorized operations or unauthorized access, use, or modification of data or system functions; and the expected effectiveness of cybersecurity governance are examples of factors that have to be considered when developing and maintaining a robust cybersecurity framework. If the security controls of a cybersecurity protection are themselves vulnerable, then a system's security (integrity, availability, confidentiality) cannot be ensured. Later in this paper, in Section 4, the concept of security control overlays is introduced as a way of providing additional layers of protection to security controls.
A comprehensive approach to cybersecurity in nuclear facilities, including technical, operational and management controls, is described in the U.S. NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010 and the cybersecurity plan templates therein. The following section gives a brief review and comparison of the two cybersecurity plan templates for nuclear facilities.

3

CYBERSECURITY PLAN TEMPLATES FOR NUCLEAR FACILITIES

All licensees currently licensed to operate nuclear facilities in the U.S. are required to prepare and submit for approval a cybersecurity plan that complies with the requirements of Title 10 CFR §73.54. To be approved by the U.S. Nuclear Regulatory Commission, the plan must provide high assurance that digital computer and communications systems and networks are adequately protected against cyberattacks, up to and including the design basis threat [11]. To assist licensees in complying with the regulatory requirements of Title 10 CFR §73.54, the NRC developed and made publicly available the regulatory guide NRC RG 5.71:2010 Cyber Security Programs for Nuclear Facilities [5]. To comply with Title 10 CFR §73.54, the licensees can also utilize the guidance of the U.S. Nuclear Energy Institute NEI 08-09 Rev.6:2010 [6]. The cybersecurity plans for nuclear facilities that follow the guidelines of the NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010 contain high assurance elements that make it possible to maintain the security of critical digital assets associated with safety, security, and emergency preparedness (SSEP) functions throughout the assets' lifecycle. The high assurance elements of the plan include, among others, ongoing assessments of security controls, change control, and periodic reviews of the cyber security program. The high assurance controls in the security plan facilitate its continuous improvement. Both the NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010 contain templates of cybersecurity plans that can be used by the licensees to prepare actual cybersecurity plans for their facilities. Similarities and differences between the two guideline documents, considering primarily the sets of cybersecurity controls in the plan templates, are described in the following subsection.

3.1 Comparison of the NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010 Cybersecurity Plan Templates

The cybersecurity plan template of the NRC is an integral component of the regulatory guide NRC RG 5.71:2010 Cyber Security Program for Nuclear Facilities released in January 2010. The NEI 08-09 Rev.6 Cyber Security Plan for Nuclear Power Reactors became available on the NRC website in April 2010. The central objective of both NRC RG 5.71 and NEI 08-09 is the protection of the health and safety of the public from radiological sabotage caused by a possible cyberattack. The cybersecurity plan templates of both NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010 contain cybersecurity controls that are tailored versions of the security controls recommended by the NIST SP 800-53 and NIST SP 800-82:2009. Since the NIST SP 800-53 catalog of controls was developed to apply to a broader set of U.S. federal security policies than those required to comply with Title 10 CFR 73.54, the NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010 cybersecurity plan templates contain tailored subsets of controls from the NIST SP 800-53 controls catalog. A major difference in the content and coverage of the cybersecurity plan templates of the NRC RG 5.71:2010 and NEI 08-09:2010 appears to result from the use of different versions of the reference documents. While the template of the NRC RG 5.71 contains the tailored cybersecurity controls of NIST SP 800-53 Rev.3:2009, the plan template of the NEI 08-09 Rev.6 was designed by tailoring the security controls of the NIST SP 800-53 Rev.2:2008. In other words, even though the NEI 08-09 Rev.6:2010 was released three months after the NRC RG 5.71:2010, the set of security controls considered in the security plan template of the NEI 08-09 Rev.6:2010 is not as recent as the set of controls considered in the NRC RG 5.71:2010.
Note, however, that both the NIST SP 800-53 Rev.3:2009 and NIST SP 800-82:2009, the key sources of information on security controls for both the NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010, have been superseded by their completely revised and significantly enhanced versions, NIST SP 800-53 Rev.4:2013 and NIST SP 800-82 Rev.2:2014. Some security control enhancements that are part of the cybersecurity plan template of the NRC RG 5.71:2010 and that are not explicitly recommended in the NEI 08-09 Rev.6:2010 include controls on incident reporting, a cyber incident response plan, contingency planning policy and procedures, a cross-functional cyber security team, and enhancements of security controls for security awareness roles and responsibilities. Table I illustrates some of the differences in the cybersecurity controls of the plan templates of the NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010. The NRC RG 5.71:2010 and NEI 08-09 Rev.6:2010 provide a holistic approach to cybersecurity that utilizes both functional security controls and assurance security controls to provide an adequate level of assurance that computer-based systems are appropriately protected against any intentionally or unintentionally caused harm. What might be viewed as a possible limitation of the two regulatory guides and the cybersecurity plan templates therein is that they do not explicitly identify the cybersecurity assurance controls. The distinction between the assurance-related and functionality-related controls is important when a licensee is considering possible enhancements in cybersecurity functionality and cybersecurity capability that would provide a higher level of assurance that the critical digital assets and SSEP functions are appropriately protected. Ideally, each functional cybersecurity control should have a risk-based cybersecurity assurance control overlay.

Table I. Example of some additional cybersecurity controls in the NRC RG 5.71:2010 cybersecurity plan template compared to the plan template of the NEI 08-09 Rev.6:2010

Family of security controls | NIST SP 800-53 control identifier [4] | NRC RG 5.71:2010 [5] | NEI 08-09 Rev.6:2010 [6]
Incident response | IR-6 | IR-6 control tailored in the plan template (C.8.6 in [5]) | N/A
Cyber incident response plan | IR-8 | IR-8 control tailored in the plan template (C.8.8 in [5]) | N/A
Contingency planning policy and procedures | CP-1 | CP-1 control tailored in the plan template (C.9.1 in [5]) | N/A
Awareness and training: Roles and responsibilities | AT-3 | AT-3 control tailored in the plan template (C.10.10 in [5]) | N/A
Build and train cross-functional cyber security team | NIST SP 800-82, Rev.2 (Sec. 4.2) | The control tailored in the plan template (C.10.5 in [5]) | N/A

Even though Table I suggests that the cybersecurity plan template of the NRC RG 5.71:2010 might be considered more comprehensive than the plan template of the NEI 08-09 Rev.6:2010, significant improvements have been made in recent years (since 2010, when the two guideline documents were published) in understanding advanced and sophisticated cybersecurity threats and the ways to protect against them. The following subsection shows examples of cybersecurity controls and control enhancements from all three families of controls, i.e. technical, operational, and management, which can increase the capabilities of protection systems in dealing with advanced threats and possibly unknown vulnerabilities.

3.2 Possible control enhancements of the NRC RG 5.71:2010 cybersecurity plan template

The NRC RG 5.71:2010 cybersecurity plan template was developed to provide a comprehensive range of countermeasures to assist NRC licensees in complying with the Title 10 CFR 73.54 legal requirements. The built-in high assurance controls in an NRC RG 5.71-compliant cybersecurity plan require updating of the plan and the existing cybersecurity controls when changes occur to critical digital assets or their environment (NRC RG 5.71:2010, Sec. A.4.2.4, p. A-10). The changes to the environment include advances in cybersecurity best practices and changes in the regulatory environment. The availability of new and comprehensively updated security control catalogs, the NIST SP 800-53 Rev.4:2013 and NIST SP 800-82 Rev.2:2014, is an example of a change in the environment that may initiate an internal re-assessment of the continued suitability of the existing cyber security plans for nuclear facilities. While legacy security threats have remained unchanged in recent years, the new understanding of the conditions that correspond to advanced and persistent security threats needs to be considered, as required by the continuous improvement principle of the NRC RG 5.71:2010, in the security protection strategies and corresponding cybersecurity plans for I&C systems in nuclear facilities. The following three tables, Table II, Table III and Table IV, list examples of possible enhancements of (i) technical, (ii) operational, and (iii) management cybersecurity controls that are currently not included in the NRC RG 5.71:2010 cybersecurity plan template. Note also that the robustness and resiliency of cybersecurity protection in nuclear facilities can be refined by security control overlays, i.e. sets of controls designed to address specific requirements, technologies or environments of operation.
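The two-dimensional layering that the paper builds on control overlays can be checked mechanically: one dimension is the defense-in-depth level at which a control is applied, the other is the layering of an assurance control over a functional control of the same family. The following is an added example written for this page, not code from the paper or from the NRC or NEI documents. The control identifiers are the NIST SP 800-53 identifiers quoted in the paper's tables; the level names, the assignment of controls to levels, the classification of each control as functional or assurance, and every function name are assumptions made for the example.

```python
"""Overlay coverage check over a (defense-in-depth level x control) matrix.

Added example; the baseline, overlay, level names and the functional/assurance
classification below are constructed for illustration, not taken from RG 5.71.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Control:
    ident: str          # NIST SP 800-53 identifier, e.g. "AU-9(5)"
    family: str         # family prefix derived from the identifier, e.g. "AU"
    kind: str           # "functional" or "assurance" (assumed classification)
    levels: frozenset   # defense-in-depth levels at which the control is applied


def family_of(ident: str) -> str:
    """'AC-3(10)' -> 'AC', 'SA-12(14)' -> 'SA'."""
    return ident.split("-", 1)[0]


def make(ident: str, kind: str, levels: Iterable[str]) -> Control:
    return Control(ident, family_of(ident), kind, frozenset(levels))


def validate_overlay(baseline: List[Control], overlay: List[Control]) -> List[str]:
    """Tailoring sanity check: an overlay entry must not duplicate a baseline
    control and must belong to a family the baseline already covers."""
    baseline_ids = {c.ident for c in baseline}
    families = {c.family for c in baseline}
    problems = []
    for c in overlay:
        if c.ident in baseline_ids:
            problems.append(f"{c.ident}: duplicates a baseline control")
        if c.family not in families:
            problems.append(f"{c.ident}: family {c.family} absent from baseline")
    return problems


def overlay_gaps(baseline: List[Control], overlay: List[Control],
                 levels: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (level, functional control) cell that has no assurance
    control of the same family applied at that level, i.e. cells where the
    protection is still one-dimensional."""
    controls = list(baseline) + list(overlay)
    gaps = []
    for lvl in levels:
        for f in controls:
            if f.kind != "functional" or lvl not in f.levels:
                continue
            covered = any(a.kind == "assurance" and a.family == f.family
                          and lvl in a.levels for a in controls)
            if not covered:
                gaps.append((lvl, f.ident))
    return sorted(gaps)


# Constructed sample: three defensive levels and a few Table II controls.
LEVELS = ("L2", "L3", "L4")
BASELINE = [make("AC-3", "functional", LEVELS),
            make("AU-9", "functional", LEVELS),
            make("IA-2", "functional", LEVELS)]
OVERLAY = [make("AC-3(10)", "assurance", ["L4"]),        # audited override of access control
           make("AU-9(5)", "assurance", ["L3", "L4"]),   # dual authorization for audit info
           make("AU-6(4)", "assurance", ["L4"]),         # central audit review
           make("IA-2(13)", "functional", ["L3"])]       # out-of-band authentication


def run_demo() -> List[Tuple[str, str]]:
    """Validate the constructed overlay and report the uncovered cells."""
    problems = validate_overlay(BASELINE, OVERLAY)
    if problems:
        raise ValueError(problems)
    return overlay_gaps(BASELINE, OVERLAY, LEVELS)


if __name__ == "__main__":
    for level, control in run_demo():
        print(f"no assurance overlay for {control} at level {level}")
```

The report makes the paper's point visible: an overlay such as AC-3(10) applied only at the innermost level leaves AC-3 one-dimensional at the outer levels, and a functional enhancement such as IA-2(13) adds strength at its level without adding assurance to it.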


Table II. Sample of technical security controls of the NRC RG 5.71:2010 cybersecurity plan template and examples of possible enhancements of the controls based on the NIST SP 800-53 Rev.4:2013

Technical controls of the NRC RG 5.71:2010 | NIST SP 800-53 control identifier | Possible cybersecurity enhancements of the NRC RG 5.71:2010 technical controls
B.1 Access control, B.1.3 Access enforcement | AC-3(3) | Access enforcement by mandatory access control.
 | AC-3(10) | Audited override of access control mechanisms.
B.1 Access control, B.1.4 Information flow enforcement | AC-4(5) | Enforcement of limitations on embedded data types within other data types. Prohibition of levels of data type embedding that are beyond the capability of inspection tools.
 | AC-4(13) | Parsing of transferred information to facilitate security policy decisions on source, destination, certificates, classification, attachments, and other security-related differentiators.
 | AC-4(14) | Restrictions on data structures by policy filters.
 | AC-4(17) | Authentication of source and destination points for information transfer.
 | AC-4(19) | All information, including metadata and the data to which the metadata applies, is subject to filtering and inspection.
B.1 Access control, B.1.6 Least privilege | AC-6(1) | All access is explicitly authorized.
 | AC-6(9) | Auditing the possible misuse of privileged functions by authorized users to mitigate risk from the insider threat and the advanced persistent threat.
B.1 Access control | AC-25 | Implementation of a tamperproof reference monitor to enforce mandatory access control.
B.2.6 Audit review, analysis and reporting | AU-6(4) | Central review and analysis of audit records from multiple components.
 | AU-6(6) | Correlation of information from audit records with information from monitoring of physical access to enhance the ability to identify suspicious, inappropriate, unusual, unauthorized, or malevolent activity.
 | AU-6(9) | Correlation of audit information with information from non-technical sources.
B.2.9 Protection of audit information | AU-9(1) | Audit information written to hardware-enforced write-once media.
 | AU-9(4) | Protection of audit information by limiting access to audit functionality to a subset of privileged users. The subset of users should exclude the individuals who are the subject of an audit or who may affect the reliability of audit information by inhibiting audit activities or modifying audit records.
 | AU-9(5) | Protection of audit information by dual authorization. Dual authorization requires approval by two authorized individuals.
 | AU-9(6) | Authorization of read-only access to audit information for privileged users to limit the potential risk of deleting the audit records to cover up malicious activity.
B.4 Identification and authentication | IA-2(13) | Out-of-band authentication to independently verify the authentication and/or the requested action to mitigate actual or suspected man-in-the-middle attacks.
 | IA-5 | Protecting authenticator content from unauthorized disclosure and modification.
 | IA-5(8) | Implementation of security safeguards to manage the risk of compromise due to individuals having accounts on multiple systems.

While Table II above contains a sample of possible additional technical cybersecurity controls, Table III lists examples of possible additional operational cybersecurity controls and control enhancements, such as protection of the integrity of firmware, that are not explicitly considered in the NRC RG 5.71:2010 cybersecurity plan template. Layering of cybersecurity controls in control overlays is discussed in Sec. 4. Note, for example, that the technical cybersecurity control enhancement AU-9(5) recommended in Table II can be complemented with the operational control enhancement CM-5(4) listed in Table III. The additional controls and control enhancements listed in Table II and Table III, together with the tailored security controls of the NRC RG 5.71:2010 plan template, can provide a higher level of confidence in the robustness and resiliency of the cybersecurity protection of the I&C systems in nuclear facilities. The controls and control enhancements can be tailored to the I&C system-specific environment to expand the technical, operational and management families of cybersecurity controls of the NRC RG 5.71:2010 plan template.


Table III. Sample of operational security controls of the NRC RG 5.71:2010 cybersecurity plan template and examples of possible enhancements of the controls based on the NIST SP 800-53 Rev.4:2013

Operational controls of the NRC RG 5.71:2010 | NIST SP 800-53 control identifier | Possible cybersecurity enhancements of the NRC RG 5.71:2010 operational controls
C.3 System and information integrity | SI-3(8) | Detection of and protection against unauthorized operating system commands, and protection against replay of authorized commands. Rejection of unauthorized commands.
 | SI-4(17) | Correlation of monitoring information from a diverse set of information sources (physical and cyber) for integrated situational awareness and the capability to detect sophisticated cyberattacks and to investigate the methods employed to carry out such attacks.
 | SI-4(19) / SI-4(20) | Additional monitoring of privileged system users and of individuals who have been identified as posing an increased level of risk.
C.3.7 Software, firmware, and information integrity | SI-7 | Deployment of integrity verification tools to detect unauthorized changes to firmware.
 | SI-7(9) | Verification of the integrity of the boot process to provide assurance that only trusted and authorized code is executed during the boot process.
 | SI-7(10) | Implementation of security controls to protect the integrity of boot firmware, to prevent sophisticated targeted cyberattacks that embed persistent malicious code within firmware. Any unauthorized modification of the boot firmware must be prevented.
 | SI-7(12) | Software integrity verification prior to execution to reduce the likelihood of executing malicious code or code that contains unauthorized modifications.
 | SI-7(14) | Source code requirement for the authorization and use of binary and machine-executable code.
 | SI-7(15) | Implementation of cryptographic controls to authenticate software and firmware prior to installation to protect against malicious code.
C.3 System and information integrity | SI-10(3) | Information input validation and elimination of any unpredictable behavior when invalid inputs are received.
 | SI-10(5) | Application of the concept of whitelisting to information inputs.
 | SI-14 | Implementation of the concept of non-persistence for selected system components to mitigate the risk from the advanced persistent threat.
 | SI-15 | Information output validation to ensure that the information is consistent with the expected content and to alert monitoring tools that anomalous behavior has been discovered.
 | SI-16 | Hardware-enforced or software-enforced memory protection from unauthorized code execution.
C.9 Contingency planning | CP-12 | Identification of conditions under which the system reverts to a predefined safe mode of operation in which only certain functions can be carried out.
C.10 Awareness and training | AT-2(2) | Communication of employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established policies and procedures.
 | AT-3(4) | Training of personnel to recognize suspicious communications and anomalous behavior to supplement automated detection and protection tools as a part of the defense-in-depth strategy.
C.11 Configuration management | CM-3(6) | Ensuring that the management of cryptographic means, certificates, policies, and procedures is under configuration management.
 | CM-4(1) | Analysis of both technical and non-technical changes in a separate test environment before implementation in the operational environment.
 | CM-4(2) | Verification of security functions after the system is changed. The verification includes both human and technical components of the security functions.
 | CM-5(3) | Software and firmware components are prevented from installation unless signed with recognized and approved certificates. Digital signatures and their verification are used as a method of code authentication.
 | CM-5(4) | Enforcement of dual authorization for implementing changes to system components and information.
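Several of the Table II and Table III enhancements combine naturally in a single change-control gate for a firmware update: integrity verification of the image against an approved manifest (SI-7, SI-7(15)), rejection of images not signed by a recognized key (CM-5(3)), and dual authorization by two distinct authorized individuals, neither of whom is the requester (CM-5(4), complementing AU-9(5) as the text above notes). The following is an added example written for this page, not code from the paper or from any NRC or NEI guidance. It uses HMAC-SHA256 with a key held by the release authority as a stand-in for the certificate-based signatures the controls call for; that substitution, the approver roster, the component names, the sample images and every function name are assumptions made for the example.

```python
"""Change-control gate for a firmware image: manifest digest, recognized
signature, and dual authorization. Added example with constructed inputs.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: key held only by the release authority (stands in for a signing certificate).
APPROVED_KEY = b"constructed-release-signing-key"
# Constructed roster of individuals authorized to approve changes (CM-5(4)).
CHANGE_APPROVERS = frozenset({"alice", "bob", "carol"})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_image(image: bytes, key: bytes = APPROVED_KEY) -> str:
    """Release authority 'signs' the image digest; HMAC stands in for CM-5(3) signatures."""
    return hmac.new(key, sha256_hex(image).encode(), hashlib.sha256).hexdigest()


@dataclass
class ChangeRequest:
    component: str
    image: bytes
    signature: str
    requester: str
    approvals: List[str] = field(default_factory=list)


def dual_authorized(req: ChangeRequest, approvers=CHANGE_APPROVERS) -> bool:
    """CM-5(4)/AU-9(5): two distinct authorized approvers, and the requester
    cannot count as one of them."""
    valid = {a for a in req.approvals if a in approvers and a != req.requester}
    return len(valid) >= 2


def gate(req: ChangeRequest, manifest: Dict[str, str], key: bytes = APPROVED_KEY,
         approvers=CHANGE_APPROVERS) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every check runs so the audit record lists
    all failed controls rather than only the first one."""
    reasons = []
    expected = manifest.get(req.component)
    digest = sha256_hex(req.image)
    if expected is None or not hmac.compare_digest(digest, expected):
        reasons.append("SI-7: image digest does not match the approved manifest")
    if not hmac.compare_digest(sign_image(req.image, key), req.signature):
        reasons.append("CM-5(3): image is not signed by a recognized key")
    if not dual_authorized(req, approvers):
        reasons.append("CM-5(4): dual authorization by two distinct approvers missing")
    return (not reasons, reasons)


# Constructed sample images and the approved manifest (component -> SHA-256).
GOOD_IMAGE = b"PLC-firmware-v2.3 constructed image bytes"
TAMPERED_IMAGE = GOOD_IMAGE + b"\x90"
MANIFEST = {"plc-fw": sha256_hex(GOOD_IMAGE)}
GOOD_SIG = sign_image(GOOD_IMAGE)


def run_demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run four constructed change requests through the gate."""
    cases = {
        "approved": ChangeRequest("plc-fw", GOOD_IMAGE, GOOD_SIG, "dave", ["alice", "bob"]),
        # requester approving their own change does not count toward the two
        "self_approval": ChangeRequest("plc-fw", GOOD_IMAGE, GOOD_SIG, "alice", ["alice", "bob"]),
        # one byte appended: both the manifest digest and the signature fail
        "tampered": ChangeRequest("plc-fw", TAMPERED_IMAGE, GOOD_SIG, "dave", ["alice", "bob"]),
        # an approver who is not on the roster does not count
        "unknown_approver": ChangeRequest("plc-fw", GOOD_IMAGE, GOOD_SIG, "dave", ["alice", "mallory"]),
    }
    return {name: gate(req, MANIFEST) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (ok, reasons) in run_demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} {reasons}")
```

Keeping the digest check and the signature check separate matters in practice: a manifest mismatch with a valid signature points at a stale manifest, whereas a valid digest with a bad signature points at an image that was rebuilt outside the release process.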


Table IV. Sample of management security controls of the NRC RG 5.71:2010 cybersecurity plan template and examples of possible enhancements of the controls based on the NIST SP 800-53 Rev.4:2013

Management controls of the NRC RG 5.71:2010 | NIST SP 800-53 control identifier | Possible cybersecurity enhancements of the NRC RG 5.71:2010 management controls
C.12 System and service acquisition | SA-2 | Documentation and allocation of the resources required to protect the system as part of the investment control process, and establishment of a discrete line item for cybersecurity in process planning and budgeting.
 | SA-4 | The acquisition process includes, explicitly or by reference, the following: (a) cybersecurity functional requirements; (b) cybersecurity strength requirements; (c) cybersecurity assurance requirements; (d) cybersecurity-related documentation requirements; (e) requirements for protecting cybersecurity-related documentation; (f) a description of the system development environment and the environment in which the system is intended to operate; and (g) acceptance criteria.
 | SA-5 | The documentation for an acquired system, system component or system service includes (a) secure configuration, installation, and operation; (b) effective use and maintenance of cybersecurity functions and mechanisms; (c) a description of known vulnerabilities regarding the configuration and use of privileged administrative functions; (d) a description of user-accessible cybersecurity functions and mechanisms; (e) methods of interacting with the system in a secure manner; and (f) user responsibilities in maintaining the cybersecurity of the system, component, or service. The level of protection of the documentation is commensurate with the security category or classification of the system.
 | SA-12(10) | Validation that the system and system components received from a supply chain are genuine and have not been altered.
 | SA-12(11) | Analysis and testing of the supply chain elements, processes and actors, not just the delivered items.
 | SA-12(14) | Establishment of the identity and traceability of supply chain elements, processes, and actors for the system, system component or service to facilitate identification and monitoring of risk events and activities and to reduce the likelihood of supply chain-originated adverse events.
C.13 Security assessment and risk management | PM-3 | Management of cybersecurity resources. Planning includes all resources needed to implement the cybersecurity program.
 | PM-5 | Development and maintenance of an inventory of all authorized system components throughout the system lifecycle to facilitate ongoing assessment of risks.
 | PM-6 | Establishment of outcome-based metrics to measure the effectiveness and efficiency of the cybersecurity program and the controls employed to support the program.
 | PM-10 | The cybersecurity authorization process is used to explicitly authorize system components and technical, operational and management controls to facilitate ongoing understanding of, and assigned responsibilities for, all accepted risks to operations, assets, and human safety.
 | PM-12 | Establishment, implementation and continuous improvement of an insider threat program.
 | PM-13 | A cybersecurity workforce development and improvement program complementary to the cybersecurity awareness and training programs.

4

SECURITY CONTROL OVERLAYS IN LAYERED DEFENSE-IN-DEPTH HIGH ASSURANCE CYBERSECURITY PROTECTION

The general concept of overlays is not new and has been used in various areas of cybersecurity, from denial of service protection to wireless security. In this section, the NIST concept of security control overlays [5],[13],[14] is discussed in the context of the NRC RG 5.71:2010 defense-in-depth cybersecurity. The defense-in-depth architecture, outlined in Fig.1, includes defensive levels of increasing security. The security levels are separated by security boundaries at which security policies on digital communication between the levels are enforced. Systems requiring the greatest degree of security are located within a greater number of security boundaries. The NRC RG 5.71:2010 emphasizes that the most secure way to meet many of the requirements of Title 10 CFR 73.54 is digital isolation of critical computer-based systems. The Stuxnet attack, which was able to bypass the digital air-gap isolation that separated system components of different security levels, has been called by many a "game changer" in industrial control systems cybersecurity. In the "game" where a computer-based system of high criticality has to be protected against a possible compromise, digital air-gap isolation of the system is no longer considered a high assurance cybersecurity control.

Figure 1. Simplified cybersecurity defensive architecture with five concentric cyber security defensive levels separated by security boundaries [5].

The defense-in-depth is a fundamental strategy that has been used in protecting the safety of operations in nuclear facilities. Note, however, that defense-in-depth had been implemented in the Korean nuclear power plants hacked close to two thousand times in the last five years [8], and defense-in-depth was also an integral part of the protection of the I&C systems targeted by the Stuxnet attack in the nuclear facility in Natanz in Iran. There are many recent examples of exploited vulnerabilities in defense-in-depth protection systems. The NEI Magazine [15] recently analyzed a well-publicized example of a tragic accident that occurred despite layers of built-in defense-in-depth protection, state-of-the-art control systems, defined safety procedures, and qualified and experienced personnel responsible for the safe operation of the system.

Layering of cybersecurity controls in cybersecurity control overlays, such as an air-gap control overlay, can provide enhanced robustness and resiliency of the individual layers of the defense-in-depth cybersecurity protection against a compromise. Cybersecurity control overlays, as the name suggests, provide additional layers of protection on top of baseline security controls. The control overlays can combine cybersecurity controls from the technical, operational and management families of controls. In general, cybersecurity control overlays can be formed by (i) controls that enhance cybersecurity functionality, (ii) controls that enhance cybersecurity assurance, and (iii) controls that complement cybersecurity functionality with cybersecurity assurance. Cybersecurity control overlays can therefore be designed to provide more robust and resilient I&C system protection capabilities than the protection offered by baseline cybersecurity controls alone. In addition to generic standardized control overlays [14], cybersecurity control overlays for the protection of I&C systems can be designed to be I&C system-centric.
For enhanced robustness, resiliency and comprehensiveness of cybersecurity protection, security control overlays for I&C systems may each contain several tailored NIST SP 800-53 Rev.4:2013 security controls, such as those shown in Table II, Table III and Table IV.

Example 1: A set of controls that form an overlay may include technical, operational and management controls, such as access control, identification, authentication, authorization and configuration management controls. In the example, and in compliance with the classification used in the NIST SP 800-53 Rev.3, access control, identification, and authentication are considered to belong to the technical class of security controls, authorization is a management control, and configuration management is an operational security control. The security control overlays of AC-7 Least Privilege can include, for example, CA-7 Continuous Monitoring, CM-3(1) Prohibition of Changes, and CM-7 Least Functionality.

Security control overlays are suitable in situations where, due to safety-security constraints [17],[18],[19],[20], a cybersecurity control is potentially vulnerable. In such situations, the control overlays may be designed to add compensating controls to the potentially vulnerable baseline controls to increase their robustness and resiliency. The increased robustness of security protection facilitated by the control overlays can be visualized using traditional attack tree modelling. The attack tree representation reveals that the enforced protection corresponding to the combined security controls of the control overlay is represented by a transformation of an OR node of the attack tree into a more robust and resilient AND node.

Example 2: Let us suppose that a system has a vulnerability in the implementation of the least privilege cybersecurity control AC-7 that allows the existing anti-malware protection system to be compromised. The vulnerability can be represented as a leaf of an OR node in the attack tree. An overlay of the vulnerable control that prohibits any unauthorized change can be designed to serve as a compensating cybersecurity control. From the attack tree modelling perspective, the overlay transforms the OR node in the attack tree into an AND node that is more difficult to compromise. As illustrated by the dotted line in the example in Fig.2, the overlay results in an additional layer of protection at the cybersecurity control level.

Figure 2. Example of an attack tree modelling of enhanced robustness of cybersecurity protection against a compromise by a control overlay.
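The OR-to-AND transformation of Example 2, worked as a small attack-tree evaluator. This is an added example, not from the paper; the leaf probabilities, the `independent` flag and the weak-overlay case are constructed to show the effect of the overlay and, ahead of Section 4.1, what happens when the overlaid controls are not orthogonal or are weak.

```python
"""Attack-tree model of Example 2 and of the orthogonality note in Section 4.1.
Added example, not from the paper; every leaf probability is a constructed
illustrative value, not a measured one."""
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Leaf:
    name: str
    p: float  # constructed probability that this single attack step succeeds


@dataclass
class Node:
    kind: str                 # "OR": any child suffices; "AND": all children needed
    children: List["Tree"]
    independent: bool = True  # False models non-orthogonal controls that fail together


Tree = Union[Leaf, Node]


def p_compromise(t: Tree) -> float:
    """Probability that the subtree rooted at t is defeated by the attacker."""
    if isinstance(t, Leaf):
        return t.p
    ps = [p_compromise(c) for c in t.children]
    if t.kind == "OR":
        q = 1.0
        for p in ps:
            q *= 1.0 - p
        return 1.0 - q
    if t.independent:
        r = 1.0
        for p in ps:
            r *= p
        return r
    # Non-orthogonal controls fail together: defeating the weakest defeats all,
    # so the AND node collapses to its weakest child (false sense of security).
    return min(ps)


# Baseline of Example 2: the AC-7 flaw is one leaf of an OR node.
AC7_FLAW = Leaf("AC-7 flaw lets the anti-malware system be compromised", 0.3)
OTHER = Leaf("some other attack vector", 0.1)


def baseline() -> Node:
    return Node("OR", [AC7_FLAW, OTHER])


def with_overlay(p_bypass_cm3: float = 0.2, independent: bool = True) -> Node:
    """Overlay the AC-7 leaf with CM-3(1) Prohibition of Changes: the attacker now
    needs the AC-7 flaw AND a bypass of the change prohibition (OR leaf -> AND node)."""
    cm3 = Leaf("bypass of CM-3(1) change prohibition", p_bypass_cm3)
    return Node("OR", [Node("AND", [AC7_FLAW, cm3], independent), OTHER])
```

With these constructed values `p_compromise(baseline())` is 0.37, the orthogonal overlay lowers it to 0.154, while a dependent overlay (0.28) or a weak one with bypass probability 0.95 (0.357) adds little.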

Example 3: In this example, the control overlay is designed for a scenario where access control to assets can be compromised by a trusted privileged insider disclosing (e.g., selling) the content of the password database to an external entity. The baseline security control employed is the storage of hashed passwords rather than plaintext passwords in the password database, and the trusted insider has authorized, legitimate access to the database of hashed passwords. A possible security control that reduces the likelihood of misappropriation of the password database by the insider is the addition of a significant number of hashes of fake passwords, called honeywords [21], to the password database. The system is designed so that an alarm is raised whenever any of the honeywords is used to access the password protected assets, indicating that the access control system has been compromised. Even though the authors of [21] do not relate their honeywords system to the concept of security control overlays, the set of security controls they propose (hashes of passwords + hashes of honeywords + alarm) can be viewed as a textbook example of an effective and efficient security control overlay.

A cybersecurity control overlay for NPP I&C systems may contain several tailored cybersecurity controls. The graded approach to cybersecurity can be applied to the design of control overlays to meet specific cybersecurity requirements at each layer of the defense-in-depth protection. The following subsection discusses the concept of orthogonality of cybersecurity control overlays in the defense-in-depth protection of critical computer-based systems.

4.1 Independency (orthogonality) of cybersecurity controls in control overlays

The property of orthogonality has been used for centuries in various areas, from biological sciences through mechanical engineering to telecommunications.
The applications of the orthogonality principle include estimation of dependencies between system components, reduction of interference between processes, and enhancement of the robustness of systems against adverse situations. A high level of cybersecurity assurance can be achieved by security controls that address cybersecurity threats from both the security functionality and the assurance perspectives. As described above, functional and assurance cybersecurity controls can be combined in control overlays and implemented using a graded approach at each layer of the defense-in-depth protection. Layering of mutually complementary and independent (orthogonal) security controls, either functional, assurance, or both, provides enhanced robustness of the individual security layers against their possible compromise.

Example: One of the vulnerabilities exploited by the Stuxnet attack was a vulnerability in malware detection capabilities. When an infected removable drive was attached to a clean, uninfected machine, the malware files on the removable drive were at that moment not hidden and were detectable. However, the malware on the unauthorized removable media was visible only for a short time, until the malware's presence was hidden by a Windows rootkit installed from the compromised removable media. A properly designed control overlay, formed by a set of mutually independent (orthogonal) and complementary security controls, would make infection of the system by the rootkit less likely.

The robustness of a functional cybersecurity control can be enhanced, in some cases, by splitting the control into two or more mutually orthogonal (independent) and complementary components. An example of splitting a cybersecurity control into two or more orthogonal components, to increase the robustness of the control against incidental and intentional compromise, is dual control and the splitting of authorization privileges between several administrative functions, which enforces an access control that is more resilient against errors and misuse. Splitting of authorization and authentication controls into their mutually orthogonal components is proposed in Table III in the previous section as a way to achieve enhanced protection of critical systems against advanced and persistent Stuxnet-like attacks.
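The honeyword overlay of Example 3 above (hashes of passwords + hashes of honeywords + alarm) as runnable code, with the honeychecker kept as a separate component so that the password database and the "which one is real" secret are orthogonal. This is an added example, not from the paper or from Juels and Rivest; the honeyword generator, user name and passwords are constructed for illustration.

```python
"""Honeyword overlay on a hashed password database: Example 3 as runnable code.
Added example, not from the paper or from Juels and Rivest; the honeyword
generator, user names and passwords used with it are constructed for illustration."""
import hashlib
import hmac
import secrets

ITER = 10_000  # PBKDF2 rounds, kept low for the demo; production uses far more


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)


def make_honeywords(password: str, n: int) -> list:
    """Constructed 'chaffing' helper: vary the trailing digits so the decoys look
    as plausible as the real password to whoever reads the leaked database."""
    stem = password.rstrip("0123456789") or password
    decoys = set()
    while len(decoys) < n:
        cand = stem + str(secrets.randbelow(10 ** 4)).zfill(4)
        if cand != password:
            decoys.add(cand)
    return sorted(decoys)


class Honeychecker:
    """Separate hardened component: knows only which slot holds the real password."""
    def __init__(self):
        self._index = {}
        self.alarms = []  # (user, slot) records of honeyword submissions
    def set(self, user: str, idx: int) -> None:
        self._index[user] = idx
    def check(self, user: str, idx: int) -> bool:
        if idx == self._index[user]:
            return True
        self.alarms.append((user, idx))  # a decoy was used: the database has leaked
        return False


class PasswordStore:
    """What the insider can read: per user a salt and k sweetword hashes, the real
    password's hash placed in a random slot among k-1 honeyword hashes."""
    def __init__(self, checker: Honeychecker, k: int = 5):
        self.checker, self.k, self.db = checker, k, {}
    def enroll(self, user: str, password: str) -> list:
        sweet = make_honeywords(password, self.k - 1) + [password]
        real = secrets.randbelow(self.k)
        sweet[-1], sweet[real] = sweet[real], sweet[-1]  # real password -> slot `real`
        salt = secrets.token_bytes(16)
        self.db[user] = (salt, [hash_pw(s, salt) for s in sweet])
        self.checker.set(user, real)
        return [s for s in sweet if s != password]  # decoys, returned only for the demo
    def login(self, user: str, password: str) -> str:
        salt, hashes = self.db[user]
        h = hash_pw(password, salt)
        for slot, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "granted" if self.checker.check(user, slot) else "alarm"
        return "rejected"
```

A wrong password is simply rejected, the real password is granted, and any honeyword yields "alarm" plus an entry in `Honeychecker.alarms`, which is the signal that the hashed database has been disclosed and cracked.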
Examples of deviations from orthogonality of functional and assurance security controls are relatively common and may result, for example, in flaws, incompleteness, and inaccuracies in the findings of internal audits of cybersecurity controls. In an audit example scenario, deviations from orthogonality (independency) might be caused by interdependencies between the audited security system and the design and implementation of the audit itself. The internal assessor's involvement in the phases of the system development lifecycle can be an obstacle later, in the assessment phase, when an unbiased and objective assessment of the cybersecurity posture of the developed system is required. As shown in the example in the next paragraph, even if the separation-of-duties principle is strictly followed to enforce the orthogonality of controls, other environmental factors and human relationships can affect the robustness of the combined controls of the control overlay.

Note: The orthogonality (independency) of the controls that form a control overlay might not be enough to sufficiently enhance the robustness of the baseline cybersecurity protection of the non-overlaid control. In some cases, a security control overlay formed by independent controls may lead to a false sense of enhanced security. In addition to the principle of orthogonality, the robustness of the individual security controls that form the overlay plays a major role in the overall strength of the combined controls. Therefore, for example, an overlay formed by adding a relatively weak control to a baseline cybersecurity control is likely to result in a minor or negligible enhancement of the robustness of the non-overlaid control. To illustrate the concept of enhancing cybersecurity controls by combining mutually independent controls of different strengths, consider the Sarbanes-Oxley Act of 2002, which introduced new requirements aimed at enhancing the accuracy of audits of internal processes. However, the results of the study [16] indicate that, due to a weakness in the design of the additional control, namely a lack of accountability of auditors for their conclusions, there was no significant difference in audit accuracy between the pre-SOX and post-SOX periods.

5 CONCLUSIONS

In the post-Stuxnet era, in addition to the legacy cyberthreats of past decades, advanced targeted, persistent, and highly sophisticated threats must be considered in protecting critical digital assets. These threats attempt to exploit vulnerabilities, including zero-day vulnerabilities, in system design, security policies, procedures, and other operational, management and technical controls, both from inside and outside of system boundaries. The NRC RG 5.71:2010 requires continuous improvement of cybersecurity practices and technologies to respond to sophisticated and evolving threats in an effective and timely manner. After a brief review and comparison of the cybersecurity plan templates of the U.S. Nuclear Regulatory Commission and the Nuclear Energy Institute, the paper suggests possible enhancements of the plan templates as part of the NRC recommended continuous improvement process. The proposed enhancements of the cybersecurity plan templates correspond to recent progress in the understanding of highly sophisticated, targeted, and persistent cybersecurity threats and of ways to protect the I&C systems against them. Cybersecurity control overlays are advocated in the paper as a way to raise assurance of the robustness, resiliency, and comprehensiveness of cybersecurity defense-in-depth protection against a compromise. An attack tree example is shown to visualize the effect of the control overlays on enhanced cybersecurity. The layering of controls in security control overlays can be I&C system-centric and correspond to the principle of graded cybersecurity in nuclear facilities. The importance of independency (orthogonality) of the controls that form the control overlays is also emphasized in the paper.

6 REFERENCES

1. M. Martellini et al., "Cyber security for nuclear power plants", U.S. Department of State (Jan. 2012).
2. CNN report: "U.S. nuclear plants remain vulnerable to terrorists", CNN News (Aug. 15, 2013).
3. NIST, "Framework for improving critical infrastructure cybersecurity" (Feb. 2014).
4. NIST SP 800-53, Rev. 4, "Security and privacy controls for federal information systems" (April 2013).
5. U.S. Nuclear Regulatory Commission, NRC Regulatory Guide 5.71, "Cyber security programs for nuclear facilities", NRC, Rockville, MD (Jan. 2010).
6. Nuclear Energy Institute, "Cyber security plan for nuclear power reactors", NEI 08-09 Rev. 6 (Apr. 2010).
7. K. Waedt, A. Kuskov, P. Zavarsky, "Domain Based Security (DBSy) applied to safety I&C systems", IAEA Technical Meeting on Engineering and Design Aspects of Computer Security for I&C Systems at NPPs, Garching, Germany (Sept. 2014).
8. "Korean nuclear power plants exposed to 1,843 hacks over five years", Business Korea (Oct. 10, 2014).
9. N. Falliere et al., "W32.Stuxnet Dossier", Symantec (2011).
10. "Verizon data breach investigations report", Verizon (2013).
11. U.S. Nuclear Regulatory Commission, Title 10 CFR 73.54, "Protection of digital computer and communication systems and networks" (March 2009).
12. "2014 Advanced persistent threat awareness", ISACA (2014).
13. NIST SP 800-82 Rev. 2, "Guide on industrial control systems security", Draft (May 2014).
14. CNSS Instruction No. 1253, "Security control overlays for industrial control systems" (Jan. 2013).
15. "Putting people in the mix", Nuclear Engineering International, NEI Magazine (July 2014).
16. T.G. Ryu, B. Uliss, C.Y. Roh, "The Effect of the Sarbanes-Oxley Act on Auditors' Audit Performance", Journal of Financial Accounting, vol. 1, pp. 1-7 (2009).
17. IEC 62859, "Nuclear Power Plants - Instrumentation and Control Systems - Requirements for Coordinating Safety and Cybersecurity", Draft (2014).
18. IEC 62645 Ed. 1.0, "Nuclear Power Plants - Instrumentation and Control Systems - Requirements for Security Programmes for Computer-based Systems", Draft (2014).
19. IAEA Nuclear Security Series No. 17, "Computer Security at Nuclear Facilities", Vienna (2011).
20. K. Waedt and A. Kuskov, "Nuclear Safety and Cyber Security Controls", 45th Annual International Expert Conference on Nuclear Technology, Frankfurt, Germany (May 2014).
21. A. Juels and R. L. Rivest, "Honeywords: Making Password-Cracking Detectable", 20th ACM Conference on Computer and Communications Security (CCS 2013) (Nov. 2013).