Baixe o app para aproveitar ainda mais
Esta é uma pré-visualização de arquivo. Entre para ver o arquivo original
Technical Guidance Reference Manual IAEA Nuclear Security Series No. 17 Computer Security at Nuclear Facilities INTERNATIONAL ATOMIC ENERGY AGENCY VIENNA ISBN 978–92–0–120110–2 ISSN 1816–9317 This publication seeks to create awareness of the importance of incorporating computer security as a fundamental part of the overall security plan for nuclear facilities. It further aims to provide guidance to nuclear facilities on implementing a computer security programme, and provide advice on evaluating existing programmes, assessing critical digital assets and identifying appropriate risk reduction measures. IA E A N uclear S ecurity S eries N o . 17 C o m p uter S ecurity at N uclear Facilities 11-34841_P1527_cover.indd 1 2011-11-22 10:40:14 RELATED PUBLICATIONS www.iaea.org/books NUCLEAR SECURITY RECOMMENDATIONS ON PHYSICAL PROTECTION OF NUCLEAR MATERIAL AND NUCLEAR FACILITIES (INFCIRC/225/REVISION 5) IAEA Nuclear Security Series No. 13 STI/PUB/1481 (62 pp.; 2011) ISBN 978–92–0–111110–4 Price: €28.00 DEVELOPMENT, USE AND MAINTENANCE OF THE DESIGN BASIS THREAT IAEA Nuclear Security Series No. 10 STI/PUB/1386 (30 pp.; 2009) ISBN 978–92–0–102509–8 Price: €18.00 PREVENTIVE AND PROTECTIVE MEASURES AGAINST INSIDER THREATS IAEA Nuclear Security Series No.8 STI/PUB/1359 (25 pp.; 2008) ISBN 978–92–0–109908–2 Price: €20.00 NUCLEAR SECURITY CULTURE IAEA Nuclear Security Series No. 7 STI/PUB/1347 (37 pp.; 2008) ISBN 978–92–0–107808–7 Price: €30.00 INTERNATIONAL LEGAL FRAMEWORK FOR NUCLEAR SECURITY IAEA International Law Series No. 4 STI/PUB/1486 (30 pp.; 2011) ISBN 978–92–0–111810–3 Price: €26.00 THE MANAGEMENT SYSTEM FOR FACILITIES AND ACTIVITIES IAEA Safety Standards Series No. GS-R-3 STI/PUB/1252 (27 pp.; 2006) ISBN 92–0–106506–X Price: €25.00 APPLICATION OF THE MANAGEMENT SYSTEM FOR FACILITIES AND ACTIVITIES IAEA Safety Standards Series No. GS-G-3.1 STI/PUB/1253 (123 pp.; 2006) ISBN 92–0–106606–6 Price: €31.00 INSTRUMENTATION AND CONTROL SYSTEMS IMPORTANT TO SAFETY IN NUCLEAR POWER PLANTS IAEA Safety Standards Series No. NS-G-1.3 STI/PUB/1116 (91 pp.; 2002) ISBN 92–0–110802–8 Price: €14.50 SOFTWARE FOR COMPUTER BASED SYSTEMS IMPORTANT TO SAFETY IN NUCLEAR POWER PLANTS IAEA Safety Standards Series No. NS-G-1.1 STI/PUB/1095 (89 pp.; 2000) ISBN 92–0–101800–2 Price: €14.50 THE IAEA NUCLEAR SECURITY SERIES Nuclear security issues relating to the prevention and detection of, and response to, theft, sabotage, unauthorized access and illegal transfer or other malicious acts involving nuclear material and other radioactive substances and their associated facilities are addressed in the IAEA Nuclear Security Series of publications. These publications are consistent with, and complement, international nuclear security instruments, such as the amended Convention on the Physical Protection of Nuclear Material, the Code of Conduct on the Safety and Security of Radioactive Sources, United Nations Security Council Resolutions 1373 and 1540, and the International Convention for the Suppression of Acts of Nuclear Terrorism. CATEGORIES IN THE IAEA NUCLEAR SECURITY SERIES Publications in the IAEA Nuclear Security Series are issued in the following categories: • Nuclear Security Fundamentals contain objectives, concepts and principles of nuclear security and provide the basis for security recommendations. • Recommendations present best practices that should be adopted by Member States in the application of the Nuclear Security Fundamentals. • Implementing Guides provide further elaboration of the Recommendations in broad areas and suggest measures for their implementation. • Technical Guidance publications include: Reference Manuals, with detailed measures and/or guidance on how to apply the Implementing Guides in specific fields or activities; Training Guides, covering the syllabus and/or manuals for IAEA training courses in the area of nuclear security; and Service Guides, which provide guidance on the conduct and scope of IAEA nuclear security advisory missions. DRAFTING AND REVIEW International experts assist the IAEA Secretariat in drafting these publications. For Nuclear Security Fundamentals, Recommendations and Implementing Guides, open-ended technical meeting(s) are held by the IAEA to provide interested Member States and relevant international organizations with an appropriate opportunity to review the draft text. In addition, to ensure a high level of international review and consensus, the Secretariat submits the draft texts to all Member States for a period of 120 days for formal review. This allows Member States an opportunity to fully express their views before the text is published. Technical Guidance publications are developed in close consultation with international experts. Technical meetings are not required, but may be conducted, where it is considered necessary, to obtain a broad range of views. The process for drafting and reviewing publications in the IAEA Nuclear Security Series takes account of confidentiality considerations and recognizes that nuclear security is inseparably linked with general and specific national security concerns. An underlying consideration is that related IAEA safety standards and safeguards activities should be taken into account in the technical content of the publications. 11-34841_P1527_cover.indd 2 2011-11-22 10:40:15 COMPUTER SECURITY AT NUCLEAR FACILITIES The following States are Members of the International Atomic Energy Agency: The Agency IAEA held at Uni Headquarters of the contribution of atom AFGHANISTAN ALBANIA ALGERIA ANGOLA ARGENTINA ARMENIA AUSTRALIA AUSTRIA AZERBAIJAN BAHRAIN BANGLADESH BELARUS BELGIUM BELIZE BENIN BOLIVIA BOSNIA AND HERZ BOTSWANA BRAZIL BULGARIA BURKINA FASO BURUNDI CAMBODIA CAMEROON CANADA CENTRAL AFRICAN REPUBLIC CHAD CHILE CHINA COLOMBIA CONGO COSTA RICA CÔTE D’IVOIRE CROATIA CUBA CYPRUS CZECH REPUBLIC DEMOCRATIC REPU OF THE CONGO DENMARK DOMINICAN REPUB ECUADOR EGYPT EL SALVADOR ERITREA ESTONIA ETHIOPIA FINLAND FRANCE GABON GEORGIA GERMANY GHANA GREECE GUATEMALA HAITI HOLY SEE HONDURAS HUNGARY ICELAND INDIA INDONESIA IRAN, ISLAMIC REPUBLIC OF IRAQ IRELAND ISRAEL NIGER NIGERIA NORWAY OMAN PAKISTAN PALAU PANAMA PARAGUAY PERU PHILIPPINES POLAND PORTUGAL QATAR REPUBLIC OF MOLDOVA ’s Statute was approved on 23 October 1956 by the Conference on the Statute of the ted Nations Headquarters, New York; it entered into force on 29 July 1957. The Agency are situated in Vienna. Its principal objective is “to accelerate and enlarge the ic energy to peace, health and prosperity throughout the world’’. EGOVINA BLIC LIC ITALY JAMAICA JAPAN JORDAN KAZAKHSTAN KENYA KOREA, REPUBLIC OF KUWAIT KYRGYZSTAN LAO PEOPLE’S DEMOCRATIC REPUBLIC LATVIA LEBANON LESOTHO LIBERIA LIBYA LIECHTENSTEIN LITHUANIA LUXEMBOURG MADAGASCAR MALAWI MALAYSIA MALI MALTA MARSHALL ISLANDS MAURITANIA MAURITIUS MEXICO MONACO MONGOLIA MONTENEGRO MOROCCO MOZAMBIQUE MYANMAR NAMIBIA NEPAL NETHERLANDS NEW ZEALAND NICARAGUA ROMANIA RUSSIAN FEDERATION SAUDI ARABIA SENEGAL SERBIA SEYCHELLES SIERRA LEONE SINGAPORE SLOVAKIA SLOVENIA SOUTH AFRICA SPAIN SRI LANKA SUDAN SWEDEN SWITZERLAND SYRIAN ARAB REPUBLIC TAJIKISTAN THAILAND THE FORMER YUGOSLAV REPUBLIC OF MACEDONIA TUNISIA TURKEY UGANDA UKRAINE UNITED ARAB EMIRATES UNITED KINGDOM OF GREAT BRITAIN AND NORTHERN IRELAND UNITED REPUBLIC OF TANZANIA UNITED STATES OF AMERICA URUGUAY UZBEKISTAN VENEZUELA VIETNAM YEMEN ZAMBIA ZIMBABWE C I IAEA NUCLEAR SECURITY SERIES No. 17 TECHNICAL GUIDANCE OMPUTER SECURITY AT NUCLEAR FACILITIES REFERENCE MANUAL NTERNATIONAL ATOMIC ENERGY AGENCY VIENNA, 2011 IAEA Comp — n S I I 1 3. C Age IAE COPYRIGHT NOTICE All IAEA scientific and technical publications are protected by the terms of the Universal Copyright Convention as adopted in 1952 (Berne) and as revised in 1972 (Paris). The copyright has since been extended by the World Intellectual Property Organization (Geneva) to include electronic and virtual intellectual property. Permission to use whole or parts of texts contained in IAEA publications in to royalty ag translations are should be addr Marketin Internatio Vienna In PO Box 1 1400 Vie fax: +43 tel.: +43 email: sa http://ww Library Cataloguing in Publication Data uter security at nuclear facilities : reference manual : technical guidance. Vienna : International Atomic Energy Agency, 2011. p. ; 24 cm. — (IAEA nuclear security series, ISSN 1816–9317 ; o. 17) TI/PUB/1527 SBN 978–92–0–120110–2 ncludes bibliographical references. . Nuclear facilities — Security measures. 2. Computer security. omputer networks — Security measures. I. International Atomic Energy ncy. II. Series. AL 11–00703 printed or electronic form must be obtained and is usually subject reements. Proposals for non-commercial reproductions and welcomed and considered on a case-by-case basis. Enquiries essed to the IAEA Publishing Section at: g and Sales Unit, Publishing Section nal Atomic Energy Agency ternational Centre 00 nna, Austria 1 2600 29302 1 2600 22417 les.publications@iaea.org w.iaea.org/books © IAEA, 2011 Printed by the IAEA in Austria December 2011 STI/PUB/1527 FOREWORD The possibility that nuclear or other radioactive material could be used for malicious purposes cannot be ruled out in the current global situation. States have responded to this risk by engaging in a collective commitment to strengthen the protection and control of such material and to respond effectively to nuclear security events. States have agreed to strengthen existing instruments and have established ne worldwide. Nu technologies an used or transpo Through establish, main has adopted a an effective na relevant inter protection; ma trafficking in s With its Nuclea and sustaining The IA Fundamentals, nuclear secur Technical Guid Each Stat provide for the facilities and ac transport; to c material; and to This publ Security Series on national ex computer secu consideration b The prep been made po Member State included consu then circulated suggestions. T considered in t w international legal instruments to enhance nuclear security clear security is fundamental in the management of nuclear d in applications where nuclear or other radioactive material is rted. its Nuclear Security Programme, the IAEA supports States to tain and sustain an effective nuclear security regime. The IAEA comprehensive approach to nuclear security. This recognizes that tional nuclear security regime builds on: the implementation of national legal instruments; information protection; physical terial accounting and control; detection of and response to uch material; national response plans; and contingency measures. r Security Series, the IAEA aims to assist States in implementing such a regime in a coherent and integrated manner. EA Nuclear Security Series comprises Nuclear Security which include objectives and essential elements of a State’s ity regime; Recommendations; Implementing Guides; and ance. e carries the full responsibility for nuclear security, specifically: to security of nuclear and other radioactive material and associated tivities; to ensure the security of such material in use, storage or in ombat illicit trafficking and the inadvertent movement of such be prepared to respond to a nuclear security event. ication is in the Technical Guidance category of the IAEA Nuclear , and deals with computer security at nuclear facilities. It is based perience and practices as well as publications in the fields of rity and nuclear security. The guidance is provided for y States, competent authorities and operators. aration of this publication in the IAEA Nuclear Security Series has ssible by the contributions of a large number of experts from s. An extensive consultation process with all Member States ltants meetings and open-ended technical meetings. The draft was to all Member States for 120 days to solicit further comments and he comments received from Member States were reviewed and he final version of the publication. This repor omissions on the Although g this publication, consequences wh The use o judgement by the their authorities a The mentio registered) does construed as an e EDITORIAL NOTE t does not address questions of responsibility, legal or otherwise, for acts or part of any person. reat care has been taken to maintain the accuracy of information contained in neither the IAEA nor its Member States assume any responsibility for ich may arise from its use. f particular designations of countries or territories does not imply any publisher, the IAEA, as to the legal status of such countries or territories, of nd institutions or of the delimitation of their boundaries. n of names of specific companies or products (whether or not indicated as not imply any intention to infringe proprietary rights, nor should it be ndorsement or recommendation on the part of the IAEA. CONTENTS 1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2. Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2. 1.2. 1.3. Con 1.4. Stru 1.5. Me 1.6. Key PART I. MAN 2. REGULA 2.1. Leg 2.2. Reg 2.3. Site 2.3. 2.3. 2.3. 2.4. Ass 3. MANAG 4. ORGANI 4.1. Aut 4.1. 4.1. 4.1. 4.1. 4.1. 4.2. Com 4.2. 1. Nuclear security and computer security objectives. . . . . 1 2. Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 ditions specific to nuclear facilities . . . . . . . . . . . . . . . . . . . 3 cture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 thodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 AGEMENT GUIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 TORY AND MANAGEMENT CONSIDERATIONS . . . . 9 islative considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 ulatory considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 security framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 1. Computer security policy . . . . . . . . . . . . . . . . . . . . . . . . 12 2. Computer systems at nuclear facilities . . . . . . . . . . . . . . 13 3. Defence in depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 essing the threat environment . . . . . . . . . . . . . . . . . . . . . . . . 13 EMENT SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 ZATIONAL ISSUES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 horities and responsibilities. . . . . . . . . . . . . . . . . . . . . . . . . . 16 1. Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2. Computer Security Officer . . . . . . . . . . . . . . . . . . . . . . . 17 3. Computer security team . . . . . . . . . . . . . . . . . . . . . . . . . 18 4. Other management responsibilities . . . . . . . . . . . . . . . . . 18 5. Individual responsibilities . . . . . . . . . . . . . . . . . . . . . . . . 18 puter security culture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 1. Computer security training programme . . . . . . . . . . . . . 20 PART II. IMPLEMENTATION GUIDE . . . . . . . . . . . . . . . . . . . . . . . . . 21 5. IMPLEMENTING COMPUTER SECURITY . . . . . . . . . . . . . . . . . . 23 5.1. Computer security plan and policy . . . . . . . . . . . . . . . . . . . . . . . 23 5.1.1. Computer security policy . . . . . . . . . . . . . . . . . . . . . . . . 23 5.1.2. Computer security plan . . . . . . . . . . . . . . . . . . . . . . . . . . 23 5.1. 5.2. Inte 5.2. 5.2. 5.3. Ass 5.4. Com 5.4. 5.4. 5.5. Gra 5.5. 5.5. 5.5. 5.5. 6. THREAT 6.1. Bas 6.2. Ris 6.3. Thr 6.3. 6.3. 6.3. 6.4. Sim 7. SPECIAL 7.1. Fac 7.2. Dif ind 7.3. Dem rela 7.4. Con 7.5. Sec 7.6. Thi 3. CSP components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 raction with other domains of security . . . . . . . . . . . . . . . . . 25 1. Physical security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 2. Personnel security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 et analysis and management . . . . . . . . . . . . . . . . . . . . . . . . . 26 puter system classification . . . . . . . . . . . . . . . . . . . . . . . . . 26 1. Safety importance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 2. Security or security related systems . . . . . . . . . . . . . . . . 29 ded approach to computer security . . . . . . . . . . . . . . . . . . . . 29 1. Security levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2. Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 3. Example of the application of a security level model . . . 31 4. Decoupling zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 S, VULNERABILITIES AND RISK MANAGEMENT. . . 35 ic concepts and relationships . . . . . . . . . . . . . . . . . . . . . . . . 36 k assessment and management . . . . . . . . . . . . . . . . . . . . . . . 36 eat identification and characterization . . . . . . . . . . . . . . . . . 37 1. Design basis threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 2. Attacker profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 3. Attack scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 plified outcomes of risk assessment . . . . . . . . . . . . . . . . . . . 43 CONSIDERATIONS FOR NUCLEAR FACILITIES. . . . 43 ility lifetime phases and modes of operation. . . . . . . . . . . . . 45 ferences between IT systems and ustrial control systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 and for additional connectivity and ted consequences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 siderations on software updates . . . . . . . . . . . . . . . . . . . . . . 47 ure design and specifications for computer systems . . . . . . . 48 rd party/vendor access control procedure . . . . . . . . . . . . . . . 48 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 BIBLIOGRAPHY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 ANNEX I: ATTACK SCENARIOS AGAINST SYSTEMS IN NUCLEAR FACILITIES . . . . . . . . . . . . . . . . . . . . . . . . . 55 ANNEX II: A METHODOLOGY FOR IDENTIFYING C ANNEX III: T C DEFINITIONS OMPUTER SECURITY REQUIREMENTS . . . . . . . . . . . 59 HE ROLE OF HUMAN ERROR IN OMPUTER SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 1. INTRODUCTION 1.1. BACKGROUND Attention to computer security has intensified in the last decade as clear and recurring proof of the vulnerabilities of computer systems has come to light. Malicious expl frequency and occurrences o infrastructure h and issue new requirements, w stages of opera creating a rich which the ISO/ The IAEA other standards specific condit need for a publ solutions was experience of security guida infrastructure. and lessons lea the context of applicable indu 1.2. OBJECT 1.2.1. Nucle Nuclear s criminal or in material, othe activities, and harmful conseq Compute objectives are a improvement o 1 oitation of these vulnerabilities has been witnessed with growing impact. In an increasingly complex threat scenario, the possible f cyberterrorism as a means of attacking a State’s critical as prompted a number of national authorities to prepare defences regulations. Such regulations establish computer security hich affect nuclear facilities at multiple levels and at the various tion. In parallel, information security has itself evolved rapidly, set of international best practices and standard documents among IEC 27000 series [1–5] is rapidly achieving prominence. , while recognizing the core validity of the ISO 27000 series and across industries and business, wishes to focus attention on the ions affecting computer security at nuclear facilities. Thus, the ication recognizing and compiling relevant guidance and adequate identified. This publication brings together the knowledge and specialists who have applied, tested and reviewed computer nce and standards within nuclear facilities and other critical It compiles and describes those special provisions, best practices rned which apply within the nuclear discipline and puts them in a security programme consistent with other IAEA guidance and strial standards. IVE ar security and computer security objectives ecurity involves the prevention of, detection of, and response to, tentional, unauthorized acts involving or directed at nuclear r radioactive material, associated facilities, or associated other intentional acts that could directly or indirectly produce uences to persons, property, society or to the environment. r security plays an increasingly vital role in ensuring that these chieved. Thus, this publication will address the establishment and f programmes to protect those computer systems, networks and 2 other digital systems that are critical for the safe and secure operation of the facility and for preventing theft, sabotage and other malicious acts. All other systems required for the operation of the facility, or any support or business system whose unauthorized modification or change could compromise the security posture or operability will be covered by extending the provisions in this publication to those systems. In this context, malicious acts involving computer systems and relevant to nuclear security — Informati malicious — Attacks computer — Comprom modes of Compute confidentiality, systems and pr systems that ca nuclear facilitie 1.2.2. Scope The prim of incorporatin plan for nuclea The pub facilities on im presenting so procedures de achieving and strategy and co This refe programmes, a reduction meas may be grouped as: on gathering attacks aimed at planning and executing further acts; disabling or compromising the attributes of one or several s crucial to facility security or safety; ise of one or several computers combined with other concurrent attack, such as physical intrusion to target locations. r security objectives are commonly defined as protecting the integrity and availability attributes of electronic data or computer ocesses. By identifying and protecting these attributes in data or n have an adverse impact on the safety and security functions in s, the security objectives can be met. ary aim of this publication is to create awareness of the importance g computer security as a fundamental part of the overall security r facilities. lication further aims to provide guidance specific to nuclear plementing a computer security programme. This is achieved by me suggested approaches, structures and implementation signed for nuclear facilities. Together, these are crucial for maintaining the level of protection defined in the site security nforming to national nuclear security objectives. rence manual also aims to provide advice on evaluating existing ssessing critical digital assets and identifying appropriate risk ures. 1.3. CONDITIONS SPECIFIC TO NUCLEAR FACILITIES The need for guidance addressing computer security at nuclear facilities is supported by the special conditions characterizing the industry. The following list is a sample of these conditions, which will be dealt with in full in this publication: — Nuclear facilities must abide by requirements set by their national regulator systems o — Nuclear f not comm induced b — Compute requirem limited ra or an enti those af Section 7 1.4. STRUCT The guid includes policy with security r to all stages of operations and This publ — Part I (Se judgemen managem the regula — Part II (S the imple 1.5. METHOD The basic methodologies 3 y bodies which may directly or indirectly regulate computer r set guidance. acilities may have to protect against additional threats which are only considered in other industries. Such threats may also be y the sensitive nature of the nuclear industry. r security requirements in nuclear facilities may differ from ents in other concerns. Typical business operations involve only a nge of requirements. Nuclear facilities need to take a wider base rely different set of considerations into account than, for example, fecting e-commerce, banking or even military applications. highlights and explains these differences in detail. URE ance in this publication is intended for a wide audience that makers, nuclear security regulators, facility management, staff esponsibilities, technical staff, vendors and contractors. It applies the facility’s systems life cycle, including design, development, maintenance. ication is divided into two parts: ctions 2–4) is intended to support managers in making balanced ts and informed decisions concerning policy, design and ent of computer security within facilities. It provides guidance on tory and managerial provisions of computer security. ections 5–7) addresses technical and administrative guidance in mentation of a comprehensive computer security plan. OLOGY methodology used to implement computer security is similar to used to ensure nuclear security and safety. This highlights the 4 need and the advantage of integrating computer security within the overarching facility security plans from the beginning. Successful protection of computer systems may be achieved by adapting the best practice methods and tools developed within the wider computer security community while taking into account the specificities of the nuclear industry. The following logical process, described in detail in Section 5, highlights how a nuclear facility can develop, implement, maintain and improve computer security: — Follow n — Examine — Ensure se — Define a — Identify t nuclear s — Create a c — Perform r — Select, de — Integrate — Regularly This pub methodology w computer secur existing nation publication). 1.6. KEY TER As word practice, this s throughout this In the co to the comput make up func desktop compu level compone controllers). In may be suscept ational legal and regulatory requirements; relevant IAEA and other international guidance; nior management support and adequate resources; computer security perimeter; he interactions between computer security and facility operation, afety and other aspects of site security; omputer security policy; isk assessment; sign and implement protective computer security measures; computer security within the facility’s management system; audit, review and improve the system. lication will examine in greater detail those steps in the here specific provisions for nuclear facilities exist. Other stages of ity methodology may be implemented through direct reference to al and international standards (see the references at the end of this MINOLOGY s assume different meanings within different communities of ection clarifies the meaning of certain important terms as used publication. ntext of this publication, computers and computer systems refer ation, communication, instrumentation and control devices that tional elements of the nuclear facility. This includes not only ters, mainframe systems, servers, network devices, but also lower nts such as embedded systems and PLCs (programmable logic essence, this publication is concerned with all components that ible to electronic compromise. Throughout this publication the term computer security will be used to cover the security of all computers as defined above and all interconnected systems and networks formed by the sum of the elements. The terms IT security and cyber security are, for the purpose of this publication, considered synonyms of computer security and will not be used in this publication. Computer security as defined here is a subset of information security (as defined, for example in ISO/IEC 27000 [1]) with which it shares many of the goals, methodo Definitio end of this man 5 logy and terminology. ns of additional terms used in this publication are provided at the ual. . Part I MANAGEMENT GUIDE . 2. REGULATORY AND MANAGEMENT CONSIDERATIONS This section highlights the core components of the high level framework for computer security in nuclear facilities. In particular, it addresses issues relevant to the legislative and regulatory bodies as well as to facilities’ management and security strateg normative inst computer secur 2.1. LEGISLA A key ro security as w 9 y. Figure 1 shows a simplified visualization of the hierarchy of ruments relevant to the establishment and implementation of a ity programme in a nuclear facility. TIVE CONSIDERATIONS le of the State is in establishing the legal framework for nuclear ell as for computer security in general. These should, when FIG. 1. Relevant normative instruments. 10 adequately implemented, have a major impact on the safety and security of nuclear facilities. The State legal system should at least provide the legislative and regulatory framework that covers protection of sensitive information and addresses any activity that might precipitate breaches of nuclear security. Owing to the specificity of its issues, computer security may need special legislative provisions to take into account the unique crimes and modes of operation associated with computer systems. States should carefully consider whether their c perpetrated wit influence comp — Laws con — Laws on — Laws on — Laws ma — Laws on It is imp updated to inc other potentia Given th carry out mal boundaries and of formulation relevance dedic the Convention 2.2. REGULA The regu guidance and m interpreting an indicate releva publications. The acti explicitly reco material and regulations for preparing regu urrent legislation adequately covers malicious acts that may be h the aid of computers. Among others, important laws that may uter security and its implementation include: cerning computer offences; terrorism; the protection of critical national infrastructure; ndating disclosure of information; privacy and handling of personal information. ortant that State legislation is continuously reviewed and lude provisions for new and emerging criminal activities and l threats to computer security. e nature of computer networks, it is possible for adversaries to icious acts within a State while located outside its physical thus potentially out of reach of the State legal system. At the time of this publication the only international legal instrument of ated to regulating international cooperation on computer crimes is on Cybercrime of the Council of Europe [6]. TORY CONSIDERATIONS latory body should take relevant legislation into account in its ake available to operators the tools and the means for correctly d implementing legal obligations. Regulators could also select or nt guidance of reference such as ISO standards or IAEA vities of regulators in relation to computer security should gnize the objective of protection against the theft of nuclear sabotage resulting in possible radiological release. Therefore, nuclear security and safety should also be considered when lations on computer security. It is advisable that State regulatory bodies (where more than one body is involved) collaborate to achieve harmonized views on necessary requirements to be placed. The State regulatory bodies could, at a minimum, provide a high level statement of computer security regulatory requirements. More detailed regulatory requirements could also include provisions for: — Managem — Compute of Compu — Compute (Section • Compu • Risk ide • Risk ma • Compu • Continu — Audit and regulator Requirem development m instead focus o dependent. Facilitie requirements t equivalent or requirements 2.3. SITE SEC Site secur management, t through the im All discip computer) inte posture as ma disciplines of requirements o 11 ent commitment for computer security (Section 4). r security programme ownership including designation of the roles ter Security Officer(s) and team(s) (Section 4). r security policy, implementation plan, and enforcement plan 5), including: ter security perimeter identification; ntification; nagement strategy; ter security training and awareness programme; ity of operations plan. review process, whether internal, external or carried out by the s themselves. ents should not prescribe detailed technical solutions, because ay rapidly make such details obsolete. Requirements could n expected outcomes as these can be written to be less technology s may be required to demonstrate conformity to national security hrough an approved overall site security plan (SSP) or any set of documents. State regulatory bodies should issue for computer security as part of the requirements for the SSP. URITY FRAMEWORK ity is primarily a management responsibility, specifically of senior o ensure that legislative and regulatory requirements are fully met plementation of the SSP. lines of security (including personnel, physical, information and ract and complement each other to establish a facility’s security y be defined in the SSP (see Fig. 2). A failure in any of the security could impact the other domains and cause extra n the remaining aspects of security. Computer security is a 12 cross-cutting d nuclear facility All prov regard to the gr taking into con It is also the various dis appropriate le 2.3.1. Comp Managem increasingly us has brought mu ensure the corr adequate and b acts without un All nucle which is endor specifies the o A compu and should b responsibilities and human reso iscipline that has interactions with all other areas of security in a . isions in this publication should be implemented with constant eater framework of the SSP. The SSP should likewise be designed sideration computer security from its inception. management’s responsibility to ensure proper coordination of ciplines of security and integration of computer security at the vel. uter security policy ent should be aware that computer technology is being ed for many vital functions at nuclear facilities. This development ltiple benefits to operational safety and efficiency. Nonetheless, to ect functionality of a computer system, they are required to have alanced security barriers to maximize protection against malicious necessarily hampering system operations. ar facilities should therefore have a computer security policy, sed and enforced by the site’s most senior manager. The policy verall computer security goals at the facility. ter security policy should be part of the overall site security policy e negotiated and coordinated with other relevant security . When establishing a computer security policy, its impact on legal urces should also be considered. FIG. 2. Interplay of the different domains of security. Computer security policy and the associated plan are discussed in greater detail in Section 5. 2.3.2. Computer systems at nuclear facilities The computer systems and networks supporting nuclear facility operations include many non-standard information technology (IT) computer systems in terms of archite can include spe alarm and trac security and e proprietary imp differences sti considered wh uniqueness of Section 7. 2.3.3. Defen Protectio methods of pro have to be ove objectives. The prim security breac primarily throu levels of prote system compro the subsequent defence in dept could lead to co that could giv independent ef of defence in d 2.4. ASSESS The com scenario. Whi 13 cture, configuration, or performance requirements. These systems cialized industrial control systems (ICSs), access control systems, king systems, and information systems pertaining to safety and mergency response. While ICSs have evolved from strictly lementations to more mainstream computer architecture, striking ll exist between ICSs and standard IT systems that must be en preparing the site security plan. A full discussion of the computer systems associated with nuclear facilities is located in ce in depth n requirements should reflect the concept of multiple layers and tection (structural, technical, personnel and organizational) that rcome or circumvented by adversaries in order to achieve their ary means of preventing and mitigating the consequences of hes is ‘defence in depth’. Defence in depth is implemented gh the combination of a number of consecutive and independent ction that would have to fail or be defeated before a computer mise could occur. If one level of protection or barrier were to fail, level or barrier would be available. When properly implemented, h ensures that no single technical, human or organizational failure mputer system compromise, and that the combinations of failures e rise to a computer incident are of very low probability. The fectiveness of the different levels of defence is a necessary element epth. ING THE THREAT ENVIRONMENT puter security threat environment is a fast changing, evolving le a good computer security programme will ensure its own 14 durability, specific controls in place against the most prevalent threats at the present time do not guarantee protection against tomorrow’s threats. The responsible State authority should periodically issue a threat evaluation including threats to the security of computer systems and information on current attack vectors related to the security of computer systems used at nuclear facilities. A typical tool used to determine threat levels and as a basis for developing a security posture is the design basis threat (DBT, see Section 6.3.1). It is vit assessment, w Section 6 sources of attac and methodolo A mana objectives and manner. Manag culture. Many systems. These and economic mutually reinfo Managem compliance wi by nature dyna environment; continuous ass management p This sect with the necess that should be computer secur — Informati — Formal ri — Legislativ al that facilities maintain an active and ongoing threat hich is regularly briefed to management and operations. contains a detailed, but non-exhaustive, description of potential k and associated attack mechanisms relevant to nuclear facilities, gies used to evaluate and identify threats. 3. MANAGEMENT SYSTEMS gement system is responsible for establishing policies and enabling the objectives to be achieved in an efficient and effective ement systems are a vital support element to a nuclear security activities at nuclear facilities are controlled by management ideally integrate security, safety, health, environmental, quality elements in a single management tool or a set of integrated and rcing systems [7, 8]. ent systems must be reviewed to ensure completeness and th site security policies. More generally, management systems are mic and must adapt to changing conditions in the facility and in the they cannot be implemented as a one-off measure but need essment and improvement. Figure 3 illustrates the life cycle of rocesses. ion aims to supplement present guidance on management systems ary details for computer security management. The key elements reviewed or added to integrate the necessary provisions for ity are: on assets identification and classification; sk analysis; e and regulatory compliance; — Business — Compete — Business — Logical a — System li — Configur — Amendm — Implemen — Acceptan — Complian 15 operational requirements; ncy requirements for key persons; continuity; ccess management; fe cycle security; ation management; ent and approval of computer security measures; tation of identified computer security measures; ce of implemented computer security measures; ce with approved computer security measures; FIG. 3. The security management life cycle. 16 — Immediate analysis of computer security incidents and appropriate reporting; — Regular reporting on compliance; — Regular reviews of implemented security measures (audits) by internal and external parties; — Awareness training; — New risks and changes to identified risks; — Changes — Medium The proc all phases of detailed in the 4.1. AUTHOR The secti and the specia programme suc 4.1.1. Mana A facility an adequate p should: — Assume o — Define th — Ensure co — Set the ri — Assign or — Ensure ad — Ensure an — Provide programm to legislative and regulatory requirements; term plans for information security. esses above should be seen as ongoing activities that run through system life cycles. The specifics of implementation should be computer security plan discussed in Section 5. 4. ORGANIZATIONAL ISSUES ITIES AND RESPONSIBILITIES ons that follow detail the minimum requirements for management list staff needed to establish and maintain a computer security cessfully. gement ’s senior management initiates computer security by establishing rocess and support organization. To achieve this, management verall responsibility for all aspects of computer security; e facility’s security objectives; mpliance with laws and regulations; sk acceptance level for the facility; ganizational computer security responsibilities; equate communication between different aspects of security; enforceable computer security policy is established; adequate resources to implement a viable computer security e; — Ensure periodic audits and updates of computer security policy and procedures; — Ensure support for training and awareness programmes. Generally, implementation of the permanent computer security process is delegated to specialists within the organization. 4.1.2. Comp Compute important to as body. In this pu other instances ‘Information S approach is use should be kept clear and acces The CSO knowledge of o are knowledge integrate peopl The typic — Advising — Leading t — Coordina activities guideline — Coordina discipline — Identifyin computer equipmen — Conducti — Conducti security b — Developi — Developi emergenc organizat 17 uter Security Officer r security touches almost all facility activities. It is therefore sign overarching computer security oversight to one well defined blication, the title ‘Computer Security Officer’ (CSO) is used; in this function may be referred to as ‘IT Security Officer’ or ecurity Officer’, or may be assigned to multiple roles. Whichever d, this function should be closely coordinated across the facility, independent of the implementing departments, and should have sible reporting lines to senior management. should have in-depth knowledge of computer security and good ther aspects of security in nuclear facilities. Further requirements of nuclear safety and project management, and the ability to e coming from different disciplines into an efficient team. al responsibilities of a CSO or equivalent include: the company’s management on computer security. he computer security team. ting and controlling the development of computer security (e.g. implementing security policy, directives, procedures, s, measures). ting with physical security and other security and safety s to plan security measures and response to security incidents. g systems critical to computer security within a facility (i.e. the security baseline). Asset owners should be informed of their t’s role in computer security. ng periodic computer security risk assessments. ng periodic inspections, audits and reviews of the computer aseline and providing status reports to top management. ng and implementing computer security training and evaluation. ng and leading incident response for relevant computer security ies, including coordination with relevant internal and external ions. 18 — Investigating computer security incidents and developing post-incident procedures and preventive actions. — Participating in site security assessment initiatives. — Participating in requirement analysis in the acquisition/development of new systems. 4.1.3. Computer security team It is esse expertise assoc as well as phy computer secu organization. T responsibilities 4.1.4. Other The vario appropriate lev responsibilities — Operating — Providing computer security, — Notifying computer or proces — Ensuring issues rel — Ensuring contractin — Tracking — Enforcing 4.1.5. Indivi Each per computer secur ntial for the CSO to have access to adequate interdisciplinary iated with computer security, facility safety, and plant operations sical and personnel security. This may consist of a dedicated rity team or ad hoc access to specific expertise within the he goal of this team is to support the CSO in fulfilling his/her . management responsibilities us levels of management within an organization must ensure the el of computer security within their areas of responsibility. Typical include: within the guidance of the site computer security plan; operational requirements and feedback to the CSO relevant to security and resolving potential conflicts between operational, and safety requirements; the CSO of any conditions that may lead to changes in the security posture, such as personnel changes, equipment changes, s changes; that staff are sufficiently trained and briefed on computer security evant to their roles; that subcontractors and third party vendors working for the g unit operate within the context of the site security plan; , monitoring and reporting events of security relevance; personnel security measures. dual responsibilities son within an organization is responsible for carrying out the ity plan. Specific responsibilities include: — Knowledge of the baseline computer security procedures; — Knowledge of job specific computer security procedures; — Operating within the parameters of the computer security policies; — Notifying management of any changes that may lead to a reduced computer security posture; — Notifying management of any incidents or possible incidents involving a compromise of computer security; — Attending 4.2. COMPUT A robust effective secur security aware characteristics management s security progra by those that h facilities or act that a credible information on is a subset of t above characte Experien incidents are h largely on the errors that cou developed thro and increase c discussions, tra periodically m indicators can organization: — Compute understoo — Clear and systems b — Staff mem the contro 19 initial and refresher security training on a regular basis. ER SECURITY CULTURE computer security culture is an essential component of any ity plan. It is important for management to ensure that computer ness is fully integrated into the overall site security culture. The of nuclear security culture are the beliefs, attitudes, behaviour and ystems, the assembly of which lead to a more effective nuclear mme. The foundation of nuclear security culture is recognition — ave a role to play in regulating, managing or operating nuclear ivities or even those that could be affected by these activities — threat exists and that nuclear security is important. (For more nuclear security culture, see Ref. [9].) Computer security culture he overall security culture and is based on an application of the ristics to computer security awareness. ce has demonstrated that the majority of computer security uman related and the security of any computer system depends behaviour of all its users. Annex III provides examples of human ld lead to security compromise. The computer security culture is ugh a collection of many activities designed to inform personnel omputer security awareness (e.g. posters, notices, management ining, tests, etc.). Computer security culture attributes should be easured, reviewed, and continuously improved. The following be used to evaluate the computer security culture in an r security requirements are clearly documented and well d by staff. effective processes and protocols exist for operating computer oth inside and outside the organization. bers understand and are aware of the importance of adhering to ls within the computer security programme. 20 — Computer systems are maintained to ensure that they are secure and operated in accordance with computer security baseline and procedures. — Management are fully committed to and supportive of security initiatives. 4.2.1. Computer security training programme A strong training programme is one of the cornerstones of a computer security culture on the importa security. The awar — Successfu programm Training expected — Enhanced security managers — Training procedure — Staff shou responsib The train security awar improvement o . It is crucial to educate staff, contractors and third party vendors nce of observing security procedures and maintaining a culture of eness programme should include the following requirements: l completion of a computer security training and/or awareness e should be a precondition for access to computer systems. should be commensurate with system security levels and the role of users. training/qualifications should be provided to individuals with key responsibilities (e.g. CSO, computer security team, project , IT administrators). should be repeated periodically for all staff to include new s and emerging threats. ld be required to acknowledge that they understand their security ilities. ing programme should include metrics to evaluate computer eness, training effectiveness, and processes for continuous r retraining. Part II IMPLEMENTATION GUIDE . 5. IMPLEMENTING COMPUTER SECURITY This publication does not establish minimum standards of acceptable risk or a specific set of mitigation measures that could be used. Any set of specific standards would be rapidly outdated as digital systems change, new threats emerge, new mitigation tools become available and regulatory requirements change. Part II and concrete computer secur These rec be used as guid achieve the de objectives [10– 5.1. COMPU 5.1.1. Comp As introd level compute appropriate re should be facto and control pol — Enforcea — Achievab — Auditable 5.1.2. Comp The com the form of o specifies and d facility and is a The plan vulnerabilities, measures to est facilitate recov 23 of the publication focuses on compiling a set of methodological recommendations to support and guide the implementation of ity in nuclear facilities. ommendations are neither prescriptive nor definitive and should ance; where appropriate, alternative measures may be adopted to sired defence in depth and other fundamental nuclear security 12]. TER SECURITY PLAN AND POLICY uter security policy uced in Section 2.3.1, a computer security policy sets the high r security goals of an organization. The policy must meet gulatory requirements. Computer security policy requirements red into lower level documents, which will be used to implement icy. Additionally, the policy must be: ble; le; . uter security plan puter security plan (CSP) is the implementation of that policy in rganizational roles, responsibilities, and procedures. The plan etails the means for achieving the computer security goals at the part of (or linked to) the overall SSP. should contain the primary actions in terms of susceptibility to protective measures, consequence analysis and mitigation ablish and maintain the nuclear facility’s acceptable cyber risk and ery to a safe operational state. 24 5.1.3. CSP components Based on the established computer security policy, each individual plan component tries to achieve its distinct goals and objectives. The minimum content and itemization of the CSP is suggested in the subsections below: (a) Organization and responsibilities: (1) Orga (2) Resp (3) Perio (b) Asset ma (1) List o (2) List o (3) Netw syste (c) Risk, vul (1) Secur (2) Self-a (3) Audi (4) Regu (d) System s (1) Fund (2) Requ (3) Form vendo (4) Full l (e) Operation (1) Acce (2) Data (3) Comm (4) Platfo (5) Syste (6) Com (7) Incid (8) Busin (9) Syste (f) Personne (1) Vettin (2) Train (3) Quali (4) Term nizational charts; onsible persons and reporting responsibilities; dic review and approval process. nagement: f all computer systems; f all computer systems applications; ork diagram, including all connections to external computer ms. nerability, and compliance assessment: ity plan review and reassessment periodicity; ssessment (including penetration testing procedures); t procedures and deficiency tracking and correction; latory and legislative compliance. ecurity design and configuration management: amental architecture and design principles; irements related to the different security levels; alization of computer security requirements for suppliers and rs; ife cycle security. al security procedures: ss control; security; unication security; rm and application security (e.g. hardening); m monitoring; puter security maintenance; ent handling; ess continuity; m backup. l management: g; ing; fication; ination/transfer. The above provides a framework for developing a CSP. Many references are available to fill out this framework, the main international references being ISO/IEC 27001 [2] for information security management systems, and ISO/IEC 27002 [3] for implementation recommendations. While the majority of components listed above are consistent across computer security plans for any business or industry, certain nuances do exist for its implementation within nuclear facilities. These components of the CSP are described in g assessment are Section 5.3. 5.2. INTERA As stated the framework computer secu protection, saf reviewed and u operational exp 5.2.1. Physic The phys Computerized electronic com protection func electronic and and of the CSP consistency of 5.2.2. Perso Besides handled within consistent com appropriate le procedures and between the co with key secu require a highe 25 reater detail in Section 7. Risk, vulnerability, and compliance addressed in Section 6. Asset analysis is further detailed in CTION WITH OTHER DOMAINS OF SECURITY in Section 2.3, the CSP should be operated and maintained within of the facility’s overall protection plan. The facility specific rity plan should be developed in close consultation with physical ety, operations and IT specialists. The CSP must be regularly pdated to reflect security events from any domain of security and erience from the site security system. al security ical security plan and the CSP should complement each other. assets have physical access control requirements and likewise, promise can lead to degradation or loss of certain physical tions. Attack scenarios may well include the coordination of both physical attack. The teams in charge of the physical security plan should inform each other and coordinate their efforts to ensure plans during the development and review process. nnel security awareness and training, other aspects of security — usually the domain of personnel security — are essential for instituting puter security. The necessary provisions for establishing an vel of vetting, confidentiality undertakings, and termination for defining required job competencies should be coordinated mputer and personnel security managements. In particular, staff rity responsibilities (system administrators, security team) may r level of vetting. 26 5.3. ASSET ANALYSIS AND MANAGEMENT Interaction between computer systems in nuclear facilities may affect security in non-obvious ways. It is therefore important that the security plan identifies all assets and includes a more comprehensive inventory of those assets critical to facility security and safety functions. The inventory could include data, computer systems, their interfaces and their owners. The follo (a) Relevant in order t (b) The inter (c) The relev related sy The comp A compr includes: — Functions systems; — Identifica — Dataflow and why; — Procedur protocols — Compute — Analysis — Ownersh — Correspo It is assu already be avai information inc 5.4. COMPUT As define computer syste sensing device Computer func wing methodology satisfies the above needs: information about existing computer systems should be compiled o create a complete list of assets; connection between the identified assets should be mapped out; ance to safety functions and identified safety systems, safety stems and security systems should be identified and evaluated. leteness of each step is a crucial prerequisite for the next steps. ehensive analysis of computer systems in a nuclear facility /tasks and operational modes of all existing computerized tion of relevant interconnections, including power supplies; analysis, to determine what communicates with what, and how es that initiate communication, frequency of communication and ; r systems and equipment location; of user groups; ip (for data and computerized systems); nding security level (see Section 5.5, graded approach). med that much of the information needed for the analysis would lable, but it should be collated and organized. Sources of relevant lude system specifications and documentation. ER SYSTEM CLASSIFICATION d in Section 1.6, in the context of this publication, computer and ms refer to computation, communication, instrumentation and s that make up functional elements of the nuclear facility. tions of prime concern are control and data processes associated with safety and support to thes or indirect effe Below is nuclear faciliti separately cla importance. B defining the a assessment ana both as safety a 5.4.1. Safety IAEA sa equipment acco Plant equipmen — Systems • Safety s — Prote used — Safet whic — Safet syste plant equipment items important to safetya items not important to safetya safety related itemsa safety systems a In this context, 27 security. Other computer functions may be a concern in terms of e functions, of possible compromise of security through secondary cts or of overall plant productivity. a non-exhaustive list of computer systems that can be found at es, and are relevant to the objectives of this guidance. They are ssified according to their safety importance and security oth of these classifications should be taken into account when ppropriate security level to apply (Section 5.5) and in the risk lysis (Section 6.2). Note also that some functions clearly overlap nd security concerns. importance fety standards (e.g. Refs [13–15]) categorize nuclear facility rding to their function, as illustrated in Fig. 4. t important to safety ystems ction systems: Instrumentation and control (I&C) systems that are for automatically initiated reactor and plant protection actions. y actuation systems: I&C systems that accomplish safety actions, h are initiated by the protection systems and by manual actuations. y system support features: I&C for emergency power supply ms. protection system safety actuation system safety system support features an ‘item’ is a structure, system or component. FIG. 4. Plant equipment in terms of safety function. 28 • Safety related systems — Process control systems: I&C systems for plant control. — Control room I&C including the alarm systems. — Process computer systems that collect and prepare information for the control room. — Fuel handling and storage I&C systems. — Fire — Acce — Voic — Systems • Control deminer Considera necessarily with Non-plant equi — Office au • Work pe of work • Enginee plant op • Configu plant co nuclear • Docume informa • Intranet technica normall — External • Email: A • Public w about th protection systems. ss control systems. e and data communication infrastructure. not important to safety systems for functions that are not important to safety (e.g. alization) tion should also be given to computer systems that are not in the scope of plant equipment but nevertheless can impact safety. pment tomation rmit and work order systems: Systems that provide coordination activities to provide a sound working environment. ring and maintenance systems: Systems that handle details of eration, maintenance and technical support. ration management systems: Systems intended to keep track of nfiguration including models, versions and parts installed at the facility. nt management systems: Systems used to store and retrieve plant tion, e.g. drawings, minutes of meetings. : System that allows access to all plant documentation — both l and administrative — on a need to know basis. The access is y read only. connectivity system that is used to transfer information to external parties. eb site: A system that is used to give Internet users information e facility. • Remote access/third party access: Systems that allow strictly controlled access from the outside to certain functions within a site. 5.4.2. Security or security related systems An established security classification for security systems comparable to the safety classification does not yet exist. Nevertheless, it should be an important part of the asse facility. The fo — Physical authorize perform; — Voice and — Security appropria informati — Security alarms on — Compute — Nuclear a 5.5. GRADED The secu where security of an attack. categorize com applied for eac zone. The assig based on their r risk assessmen graded approa 5.5.1. Secur Security protection requ graded approac 29 t analysis to compile such a classification for the systems in the llowing list may support such classification: access control systems: systems used to ensure that only d persons enter areas of a site appropriate to the function they data communication infrastructure; clearance database: used to ensure that persons hold the te security clearance to obtain access to a part of site or on held on the site; alarm monitoring and control systems: used to monitor all security the site and assist with assessment of the alarm; r and network security components; ccountancy and control systems. APPROACH TO COMPUTER SECURITY rity of computer systems should be based on a graded approach, measures are applied proportional to the potential consequences One practical implementation of the graded approach is to puter systems into zones, where graded protective principles are h zone based on the level of security requirement assigned to the nment of computer systems to different levels and zones should be elevance to safety and security (see Section 5.4). Nonetheless, the t process should be allowed to feed back into and influence the ch. ity levels levels are an abstraction that defines the degrees of security ired by various computer systems in a facility. Each level in a h will require different sets of protective measures to satisfy the 30 security requirements of that level. Some protective measures apply to all computer systems in all levels, while others are specific to certain level(s). The security level model allows easier assignment of protective measures to various computer systems, based on the categorisation of the system (assigning it to a level) and the definition of the set of protective measures appropriate to that level. The levels and their associated protective measures should be appropriately documented in 5.5.2. Zones Zones are administration, model allows c secure operatio application of p The app guidelines: — Each zon for the fa — Systems measures — Different internal c — Zone bor dependen — Zones ca Because importance for indicating the p zone. However level may hav same degree of systems, while The zone an overview of crossings and a the CSP. a logical and physical concept for grouping computer systems for communication and application of protective measures. The zone omputers with the same or similar importance concerning safe and n of the plant to be grouped together for administration and rotective measures. lication of a zone model should comply with the following e comprises systems that have the same or comparable importance cility’s security and safety; belonging to one zone have similar demands for protective ; computer systems belonging to one zone build a trusted area for ommunication within that zone; ders require decoupling mechanisms for data flow built on zone t policies; n be partitioned into subzones to improve the configuration. zones are comprised of systems with the same or comparable facility safety and security, each zone can have a level assigned, rotective measures to be applied for all computer systems in that , the relationship between zones and levels is not one-to-one; a e multiple zones assigned to it when multiple zones require the protection. Zones are a logical and physical grouping of computer levels represent the degree of protection required. model should be appropriately documented in the CSP, to include all computer systems, all relevant communication lines, all zone ll external connections. 5.5.3. Exam An exam below. This is j choice of leve according to t dedicated secu In this im — Generic l — Security protection — The meas may be re Generic level For appli be applied: — Policies a — Security 31 ple of the application of a security level model ple of security measures applied at different levels is presented ust one possible implementation of the graded approach; the exact ls and their constitutive security measures should be tailored he considered environment, the facility specificities, and the rity risk analysis. plementation: evel measures should apply to all computer systems. levels range from level 5 (least protection needed) to level 1 (most needed), as illustrated in Fig. 5. ures corresponding to each level are not cumulative (thus, there petitions). cable systems and levels, the following generic measures should nd practices are defined for each level. operating procedures are written for and read by all users. FIG. 5. Level of security/strength of measures. 32 — Staff permitted access to the system must be suitably qualified and experienced and security cleared where necessary. — Users are given access only to those functions on those systems that they require for carrying out their jobs. — Appropriate access control and user authentication are in place. — Anomaly detection systems or procedures are in place. — Application and system vulnerabilities are monitored, and appropriate measures — System v — Removab procedure — Compute — Compute intrusion network ( — Appropri — Physical functions Level 1 In additio used for syste require the high — No netwo from syst systems. this kind integrity also that t even wi discourag supported 1 A virtual means to connec authorized users c 2 Transmis 3 Some Me are taken. ulnerability assessments are undertaken periodically. le media must be controlled in accordance with security operating s. r and network security components should be strictly maintained. r and network security components (e.g. security gateways, detection systems, intrusion prevention systems, virtual private VPN)1 servers) are strictly logged and monitored. ate backup/recovery procedures are in place. access to components and systems is restricted according to their . n to the generic measures, level 1 protective measures should be ms, e.g. protection systems, which are vital to the facility and est level of security. These measures may include the following: rked data flow of any kind (e.g. acknowledgment, signalization) ems in weaker security levels should be authorized to enter level 1 Only strictly outward communication should be possible. Note that of strict one-way communication does not ensure reliability and natively (redundancy/error corrections may be considered). Note his excludes any sort of ‘handshake’ protocols (including TCP/IP2), th controlled connection directions. Exceptions are strongly ed and may only be considered on a strict case by case basis and if by a complete justification and security risk analysis.3 private network (VPN) is a network constructed using public communication t nodes, with encryption and other security mechanisms to ensure that only an access the network and that the data cannot be intercepted. sion Control Protocol/Internet Protocol — data transmission protocols. mber States feel strongly that exceptions should not be allowed in any case. — Measures to ensure the integrity and availability of the systems are typically explained as a part of the safety cases. — No remote maintenance access is allowed. — Physical access to systems is strictly controlled. — The number of staff given access to the systems is limited to an absolute minimum. — The two person rule is applied to any approved modifications made within the comp — All activi — Every da basis. — Strict or modificat modificat Level 2 In additio used for system security. These — Only an o to level 3 signal me TCP/IP). — Remote m a defined measures — The num a precise — Physical — All reaso systems h — Vulnerab or proces beds, spa outages. 33 uter systems. ties should be logged and monitored. ta entry to the systems is approved and verified on a case by case ganizational and administrative procedures apply to any ions, including hardware maintenance, updates and software ions. n to the generic measures, level 2 protective measures should be s, e.g. operational control systems, which require a high level of measures may include the following: utward, one way networked flow of data is allowed from level 2 systems. Only necessary acknowledgment messages or controlled ssages can be accepted in the opposite (inward) direction (e.g. for aintenance access may be allowed on a case by case basis, and for working period. When used, it must be protected with strong , and users must respect a defined security policy (contractual). ber of staff given access to the systems is kept to a minimum, with distinction between users and administrative staff. connections to the systems should be strictly controlled. nable measures to ensure the integrity and availability of the ave been taken. ility assessment involving actions on the systems may lead to plant s instability, and should therefore only be considered using test re systems, during factory acceptance tests or during long planned 34 Level 3 In addition to the generic measures, level 3 protective measures should be used for supervision real time systems not required for operations, e.g. process real time supervision systems in a control room, which have a medium severity level for various cyber threats. These protective measures may include the following: — Access to — Logging — Security traffic fro — Physical — Remote m it is robu defined s — System f mechanis this princ by other m Level 4 In additio technical data management r specification fo management), Level 4 measur — Only app systems. — Access to adequate — Security traffic fr activities — Physical — Remote m and user controlled the Internet from level 3 systems is not allowed. and audit trails for key resources are monitored. gateways are implemented to protect this level from uncontrolled m level 4 systems, and to allow only specific and limited activity. connections to systems should be controlled. aintenance access is allowed on a case by case basis provided that stly controlled; the remote computer and user must respect a ecurity policy, contractually specified. unctions available to users are controlled by access control ms, and based on the ‘need to know’ principle. Any exception to iple has to be carefully studied and protection should be ensured eans (e.g. physical access). n to the generic measures, level 4 measures should be used for management systems used for maintenance or operation activity elated to components or systems required by the technical r operation (e.g. work permit, work order, tag out, documentation which have moderate severity level for various cyber threats. es include the following: roved and qualified users are allowed to make modifications to the the Internet from level 4 systems may be given to users provided protective measures are applied. gateways are implemented to protect this level from uncontrolled om external company or site networks, and to allow specific which are controlled. connections to systems should be controlled. aintenance access is allowed and controlled; the remote computer must respect a defined security policy, contractually specified and . — System functions available to users are controlled by access control mechanisms. Any exception to this principle has to be carefully studied and protection should be ensured by other means. — Remote external access is allowed for approved users provided that appropriate access control mechanisms are in place. Level 5 Level 5 technical contr have low sever following: — Only app systems. — Access to protective — Remote appropria 5.5.4. Decou Zone bor prevent unauth zone with lowe Technica have to be ge connecting pas 6 The secti computer syste systems life cy Section 6.2 of 35 measures should be used for systems not directly important to ol or operational purposes, e.g. office automation systems, which ity level for various cyber threats. Level 5 measures include the roved and qualified users are allowed to make modifications to the the Internet from level 5 systems is allowed provided adequate measures are applied. external access is allowed for authorized users provided that te controls are in place. pling zones ders require decoupling mechanisms for data flow in order to orized access and also to prevent errors from propagating from a r protection requirements to a zone with higher ones. l and administrative measures ensuring the decoupling of zones ared to the individual demands of protective levels. A direct sage through several zones should not be allowed. . THREATS, VULNERABILITIES AND RISK MANAGEMENT on below presents the basic concepts used in risk management for ms. Risk management is relevant at all stages of the facility's cle, including design, development, operations and maintenance. fers an overview of the steps needed in a comprehensive risk 36 management methodology. Sections 6.3 and 6.4 focus on stages where the nuclear industry presents specific features. 6.1. BASIC CONCEPTS AND RELATIONSHIPS Risk in the computer security context is the potential that a given threat will exploit vulnera organization. I event and the s Figure 6 concepts of thr 6.2. RISK AS Risk asse allocate resour their exploitati It is a pro impact are ide devised. The th the countermea against comput FIG. 6. Sec bilities of an asset or group of assets and thereby cause harm to the t is measured in terms of a combination of the likelihood of an everity of its consequences. is a flow chart showing the multiple interconnections between the eat, vulnerability and risk [16]. SESSMENT AND MANAGEMENT ssment is an important tool for determining the best location to ces and effort in addressing vulnerabilities and the likelihood of on. cess by which particular combinations of threat, vulnerability and ntified and documented, and appropriate protective controls are reat and vulnerability assessment provides the basis for preparing sures required to prevent or mitigate the consequences of attacks er systems. urity concepts and relationship (adapted from ISO 13335-1 2004 [16]). The basic steps of a risk assessment and management methodology are: — Perimeter and context definition; — Threat identification and characterization; — Vulnerability assessment; — Attack scenario elaborations; — Likelihood of successful exploitation; — Evaluatio — Counterm In order assessment, a w has to be used tools have reac have met with common conce — Information methodology is assessment me their own. An intere undertaken by Agency), whic The nece frequency of up terms of their conducting a n occur. The int change in opera threats and vul interconnected When it i use of best prac 6.3. THREAT Figure 7 sophistication Computer secu that covers a ve 37 n of level of risk; easure definition. to implement a systematic and consistent risk analysis and ell defined process that can comply with the existing standards . Numerous risk assessment or management methodologies and hed maturity and can structure such a process efficiently, and thus acceptance by a broad audience. Most of them are based on pts and logic. The current international standard is ISO/IEC 27005 Security Risk Management [4]. Another specific example of a given in Annex II. National authorities may require a specific risk thodology or policy to be used and facilities may additionally have sting panorama of risk assessment methods and tools has been ENISA (the European Network and Information Security h devoted a special web page for this survey [17]. ssity of evaluating systems, the depth of the assessment and the dating risk analyses depend upon the importance of the system in safety and security function. Consideration must be given to ew analysis or at least a review when modifications to the system roduction of new equipment, software, procedures, or a major tor skill sets may all fulfil this condition. The number of potential nerabilities usually increases as with progress from stand-alone to systems. s impractical to perform a risk analysis against specific threats, the tices and good engineering principles is recommended. IDENTIFICATION AND CHARACTERIZATION highlights the continuous trend towards growing attack and decreasing knowledge required to launch such an attack. rity programmes should strive to maintain a level of assessment ry broad range of possible attack scenarios. 38 Publicatio found at major picture of the s additional awa recently starte Response Team security comm weaknesses. 4 Therefo initial steps in understanding scenarios. A p listing credible profile matrix following subs 6.3.1. Design An impor for developing statement abou 4 LIPSON Policy Issues, Spe Pa Disabling Audits Sweepers Distributed Attack Tools Denial of Service GUI Network Management Diagnostics Automated Probes/Scans WWW Attacks “Stealth”/Advanced Scanning Techniques 1980 In tr ud er K no w le dg e High Low Back Doors Zombies BOTS Morphing Malicious Code A tta ck S op hi st ic at io n Pa Disabling Audits Sweepers Distributed Attack Tools Denial of ServiceDenial of Service GUIGUI Network Management Diagnostics Automated Probes/Scans WWW Attacks “Stealth”/Advanced Scanning Techniques 1980 In tr ud er K no w le dg e High Low Back Doors Zombies BOTS Morphing Malicious Code A tta ck S op hi st ic at io n FIG. ns about industrial control system vulnerability are regularly hackers events. Considering that they generally give a delayed tate of the art of real hackers’ skills and interests, this should be an reness raising factor. Moreover, ICS software vulnerabilities have d to be published by national CERTs (Computer Emergency s), reinforcing exposure to the public opinion and the computer unity, and focusing interest in such solutions and product re, after having established
Compartilhar