Assessment of Cyber Security Challenges in Nuclear Power ... · Assessment of Cyber Security Challenges in Nuclear Power Plants 1 1. Introduction Nuclear power plants (NPPs) are considered

Assessment of Cyber Security Challenges in Nuclear Power Plants

Security Incidents, Threats, and Initiatives

Rahat Masood*

August 15, 2016 Report GW-CSPRI-2016-03

*Current Affiliation: National University of Sciences & Technology (NUST), School of Electrical Engineering &Computer Sciences (SEECS), H-12 Islamabad, Pakistan. Email: [email protected]

Support for this work was provided by the Civilian Research & Development Foundation (CRDF) Global under the Nonproliferation studies scholarship program, and the Cyber Security and Privacy Research Institute (CSPRI) of the George Washington University (GWU). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the CRDF, GWU, or CSPRI.

Assessment of Cyber Security Challenges in Nuclear Power Plants Security Incidents, Threats, and Initiatives

Rahat Masood

Abstract

Nuclear power plants play an important role in electricity production for many countries. Theysupplypower to industries,centers,government facilities,andresidentialareas.Yet,uponreview,several cases reveal that even a small-scale attack on a nuclear power plant could lead tocatastrophicconsequencesforacountry’scitizens,economy,infrastructure,andsecurity. Inrecentyears, there has been increased attention to the area of nuclear cybersecurity due to attacks orincidentsdesigned todisruptNPPoperations. In spiteof this riseofnuclear-relatedcyberattacks,the security for NPPs has not been holistically addressed. Literature review reveals the lack of acomprehensive information security framework to secure nuclear power plants from internal andexternalthreats.

ThisresearchhighlightsthesignificanceofperformingsecurityassessmentswithinNPPsasitrelatesto cyber defense. The contribution of this paper is twofold. First, it presents a detailed review ofcyberchallengesandsecurityincidentsthathaveoccurredwithinNPPs,followedbyadiscussiononthe initiatives takenby governments and regulatory bodies inmitigating such security challenges.Contextualbackground informationonCritical InfrastructureProtection,nuclearpowerplantsandinformationsecurityriskmanagementhasbeensuppliedtoaidreaderunderstanding.Additionally,this research posits that any kind of cyber incident on nuclear infrastructure may lead tocatastrophicresults,fromwhichrecoverymaybeimpossible.Therefore,there isasignificantneedtoperformdetailedthreatandvulnerabilityassessmentsthataddresseitherstand-aloneattacksorcoordinatedattacksagainsttheuseofcomputersystemsonNPPs.

Followingthisdiscussion,athreatmodellingispresentedusinganestablishedmethodology,whichidentifies possible threats to, vulnerabilities in, and adversaries of a generic Instrumentation andControl(I&C)systemofaNPPbyconsideringitscharacteristicsandarchitecture.Theanalysisrevealsthat NPPs are not fully armed against cyber attacks and identifies a significant need to conductsecurity assessments such as the Information Security Risk Assessment, which would providecomprehensiveandreliableriskanalysisfunctionalitytoNPPs.

Table of Contents

1. Introduction 1

2. Relevant Concepts/Background 2

2.1 Critical Infrastructures Protection 2

2.2 Nuclear Power Plants (NPPs) 5

2.2.1 Architecture of NPPs 6

3. Cyber Security and Cyber Warfare in the Nuclear Industry 8

3.1 Cyber Risk Scenarios 8

3.2 History of Nuclear Cybersecurity Incidents 9

3.3 Nuclear Cybersecurity Challenges 11

4. Industry and Government Responses on NPP Cybersecurity 14

5. Threat Modelling for NPPs 16

5.1 Security Requirements of a NPP 18

5.2 Security Vulnerabilities of a NPP 19

5.3 Classification of Adversaries 21

5.4 STRIDE Threat Modelling 24

5.4.1 Attack Trees 26

6. Conclusion 32

7. Acknowledgments 32

8. References 32

AssessmentofCyberSecurityChallengesinNuclearPowerPlants

1

1. Introduction Nuclear power plants (NPPs) are considered to be themajor sources of electricity and power formanycountries[1].However,thoughnuclearenergyprovidescountlessbenefits,NPPsposetheriskof potential disaster if left unattended or unguarded. The United States (U.S.), Russia, UnitedKingdom (UK), South Korea, and China have raised concerns about securing their facilities fromcatastrophicincidents.TheChernobylincidentof1986[2]andFukushimaDaiichinucleardisasterof2011 [3, 46] have also shown that a disastrous situation can occur when the proper safety andsecurity protocols are not followed. These events are indications of weak security and safetycontrols, resulting in reputation damage, loss of trust, reduction in shareholder value, financialfallout,andlossofhumanlives.

The security of the digital systems used inNPPs has been studied in recent years. A surge in theincreased use of information and communication devices, integration of digital control systemdevices, and interconnectedness among systems in NPPs has made cyber threats of increasedinterest to thenuclear and cybersecurity community.A recent analysisbyChathamHouseon thesecurity of civil nuclear facilities revealed that the nuclear industry is still struggling to overcomecyberthreats[4].Thisispartlyduetothenuclearsector’slateadoptionofdigitalsystemscomparedto other sectors. There have been a number of cyber attacks and incidents that indicate thepossibility of severe risks associatedwithNPPs [9].One such example is the Stuxnetworm. Thismaliciousprogrammakesitpossibletointerferewithsoftwareandphysicalequipmentdeployedinnuclearfacilities[5].

Onepracticethatmightbehurtingthenuclearindustryisitsincreaseduseofcommercial“off-the-shelf” software. This type of software does not provide an adequate level of protection fromexternal threats and is often viewed as a directwayof penetrating a facility network. The use ofsubparsoftware,combinedwithexecutive-levelunawarenessofsecurityrisks,createsaneasyrouteforanattackertoexploitassets.Managementoftenreferstonuclearfacilitiesasbeing“air-gapped”–completelyisolatedfromtheInternet–meaningthattheindustryissafefromcyberattacks.Thisisamisrepresentation.Muchcommercialsoftwareprovidesinternetconnectivityviavirtualprivatenetworks (VPNs) or Intranet. These connections often go unreported and remain neglectedwhiledeployingsoftwareorsettinguptemporary internetconnectionsforaproject. Inaddition,nuclearindustry regulations previously focused more on physical safety and protection rather than oncybersecurity controls. Therefore, very few developments have beenmade to reduce cyber risksthroughstandardizedcontrolandmeasures[4].Hence,allofthesefactorsdemandstepstosecureanuclearfacilitythroughproperpreventionanddetectionmechanisms.

The looming threats of ionized radiation release, espionage, and sabotage have triggered thedevelopmentofavastarrayofsecuritymeasuresandguidelinesdesignedtopreventcatastrophiceffects. Specifically, those measures are intended to combat loss of lives, health effects,infrastructure collapse, sensitive information exposure, and economic instability. The ChathamHousereportstronglysuggestsgoing further throughtheestablishmentofsecurity frameworks tomaintainthemomentumofnuclearplantsandtoprepareforpossibleupcomingsecurityattacks[4].The report also recommends the enforcement of standards and best practices to measure the


2

securityrisksinthenuclearindustry,whichwilleventuallyhelpimprovenotonlysecurity,butalsounderstandingofrisksattheexecutivemanagementlevel.

IndustryhasproposedvarioussolutionsandriskanalysismethodstoimprovethesecurityofNPPs.However, cyber securityofNPPs is still considered tobe inanearlyphaseofdevelopment.WhilecontemporaryresearchhasidentifiedtheneedtoprotectNPPsfromcyberattacks,thisinformationis very limited. It does not provide a comprehensive view onmanaging security threats. The keyproblemseemstobethelackofmethodsandframeworksforidentifyingthreatsandincorporatingthelatestsecuritytrends,whichcanholisticallycombatthecyberattacksthattargetsNPPs.

The existing literature on the security of NPPs is very limited. It is largely unstructured, andabstractlycoversthesecurityissuesofSCADA(supervisorycontrolanddataacquisition)systemsandcriticalinfrastructures(railway,supply-chain,andtransportation)--withonlyafewcoveringnuclearfacilities. Moreover, the existing literature focuses on very few security features, such asconfidentiality and authorization, and does not holistically cover all security mechanisms andrequirementsofthenuclearindustry.

ThisworkfocusesonthedevelopmentofstrongsecuritymeasuresforNPPsbyexploringthecurrentchallenges, assessing state-of-the-art initiatives, and conducting threat assessments on powerplants.Thecontributionof thepaper is twofold: i)aholistic reviewof the fundamentalaspectsofnuclearsecurityalongsidehistoricalsecurityincidentswithinNPPs,andii)threatmodellingofaNPPthroughattack trees to identify securityvulnerabilities.AmenazaSecurITree [91]wasused for thecreation of attack paths and attack trees. The STRIDE (Spoofing, Tampering, Repudiation,InformationDisclosure,DenialofService,andElevationofPrivilege)threatmodelwasalsousedtoformallycategorizethepossibleattacksidentifiedusingattacktrees.ThesecurityrequirementsandthreatmodellingserveasamotivationforanimprovedsecurityframeworkforNPPs.

The remaining sections cover the following:Section2provides thebackgroundofNPPs.Section3discusses cybersecurity in relation to NPPs and offers a historical perspective on cyber incidents.The recorded efforts of industry and governments to improveNPP cybersecurity are discussed insection4. Section5coversthreatmodelling.Thepaperconcludes inSection6withasummaryofthemaincontributionsandanoutlookonthefutureofsecurityinNPPs.

2. Relevant Concepts/Background ThissectionpresentscontextualinformationaboutCriticalInfrastructureProtection(CIP)andNPPstoassistthereader’sunderstanding.

2.1 Critical Infrastructures Protection Critical infrastructure protection (CIP) is of great concern to developed and developing countriesalike.Countrieshavedeployedanumberofcriticalsystemsforinfrastructuresectorsincluding,butnot limited to oil and gas, transportation, water treatment and distribution, emergency services,dams,electricpowergeneration,andnuclearpowerplants[6].Thesecriticalinfrastructuresperformcoreoperationalfunctionsfromdecision-makingandplanning,throughmonitoringandcontrolling,to information management. An appropriately designed infrastructure should be adaptable,autonomous,efficient,reliable,safe,andusable.


3

Industrial Control Systems (ICSs) are considered to be the most critical components of anyinfrastructureastheyareresponsibleformostofthecorefunctionalityandtheyprovidesupporttoother components. Typically, these systems collect information from sensors and field devices,processanddisplay the information, transmit itover thenetwork,andsendcontrolcommands toremote equipment [7]. In the electric power generation industry, an ICSmanages, transmits, anddistributestheelectricity.Thisprocessisimplementedintheactionsofopeningandclosingcircuitbreakers and setting threshold values. Similarly, in the oil and gas industry, an ICS performsrefinementoperationsand can remotelymonitor thepressureand flowof gaspipelines. Inwatermanagement,anICSremotelymonitorsthewelllevels,waterflow,andchemicalcomposition.Thus,anICSperformsfromsimpletocomplexoperations,suchasbeingusedtomonitorthetemperatureofabuildingortomanagethecriticalfunctionsofNPPs.

ICSsaredividedintotwomaintypes:i)DistributedControlSystems(DCS),whichareusedwithinasingle plant or a small geographic area and ii) SCADA (supervisory control and data acquisition)systems,whichareusedinlargefacilitiesandaregeographicallydispersed[8,13].ThecomponentsandarchitectureofanICSvarywitheachsector.Insomecases,thecomponentsoftheICSincludeacentral repository, supervisory control station (SCADA), monitoring station, sensors, and fielddevices. In order to receive information, sensors take readings from equipment. These readingsincludewaterlevel,heatingtemperature,voltageandcurrentvalues,etc.TheSCADAsystemissuescommandsorinstructionstofielddevices,e.g.turnontheswitch,increasethetemperature,turnoffthevalve,ordispensethechemical,etc.Theymayalsobeprogrammedtogeneratealarmswhenacertain level iscrossed.Themonitoringstationconsistsof twoormorehumanmachine interfaces(HMI),whichareusedbyanoperatortoremotelyview,update,ormanagetheotherparts.Inorderto exchange information and configure commands, the station is connected to other applicationserversandengineeringworkstationsviaacommunicationnetwork (internet,wireless,orapublicswitchedtelephonenetwork).

AnumberofindustrialsectorssuchasNPPsuseadditionalcomponentsthatcommunicatewiththemonitoring station. In those sectors, SCADA systems also include control servers, long and shortrange communication devices, Remote Terminal Units (RTUs), and/or Programmable LogicControllers(PLCs)[10].TheRTUsandPLCscontrolthefielddevicesandsenddatatocontrolservers.ThecontrolservergathersandprocessesdatafromtheRTUsandPLCs,andtransmits it tocentralsiteformonitoringandcontrollingpurposes.Thecollecteddataisviewedoncomputersatacentralsite by operators or automated supervisory tools, which issue commands to field devices. Thecommunicationdevices, suchasswitchesandrouters,allowthe informationtransferbetweenthecontrolserversandRTUs/PLCs.Figure1showsthegeneralarchitectureofanICS.Thecontrolcenterconsists of the control server and the communication devices. Other components may include aHMI,engineeringworkstations,andthedatabasesystem,allconnectedthroughalocalareanetwork(LAN) [10]. The control center collects data from the field devices, displays it to the HMI, andgeneratesfurtheractionsviathecontrolserver.Thefielddevicesperformcorefunctionalities.Theymay sense sensors’ values (such as temperature, humidity, speed, etc.), run equipment, and areoften connected remotely to the LAN. The ICS supports common protocols such as TCP/IP andindustry-specificprotocolssuchasModbusandradionetworks.

Despite thenumerousadvantagesofferedby the infrastructure, itsamalgamationwithcomputersand networks has introduced vulnerabilities and cyber threats to critical assets [11]. Critical


4

infrastructuresaretemptingtargetsforenemiessuchasnation-states,activists,terrorists,andcybercriminals; these enemies can plan strategic attacks on infrastructures without being physicallypresent.Thisdisruptioninsecuritytocriticalinfrastructuresmayleadtosignificantsocio-economiccrises, thereby causing negative political, geographical, and security consequences. The U.S.President’s Commission on Critical Infrastructure Protection states that “the widespread andincreasinguseofSCADAsystemsforcontrolofenergysystemsprovides increasingabilitytocauseserious damage and disruption by cyber means” [7]. Hundreds of cyber incidents have beenreportedoverthelastfewyears,resultingineconomycosts,deaths,andthecompletedestructionofinfrastructures[4,14].

Inordertoconfrontsuchattacks,anumberofmethodologiesandtoolsondeterrence,prevention,detection,response,anddamagecontrolhavebeen introduced[11].Thesetoolsandtechnologiescan exist at both technological and nationally strategic levels. The technical level focuses onsolutions to prevent and detect cyber attacks, using tools such as firewalls, intrusion detectionsystems, anti-virus programs, back-ups, authentication, and encryption. It also includes ways toidentifyvulnerabilitiesinasystem,thenseekssecuresolutionstoeliminatethosevulnerabilities.

Figure1:ArchitectureofICS


5

However,organizationscannotcompletelyprotecttheirinfrastructureswithouttheenforcementofsoundsecuritypoliciesdevelopedbypolicymakers.Atthatpoint,thestrategiclevelcomesintoplaywiththedevelopmentofcomprehensivepoliciesonprotectingcriticalinfrastructuresbytakingintoaccount social, economic, organizational, and political aspects. This development requires jointdiscussionsbetweenrepresentativesfromallconcerneddepartments,mainlythoseresponsibleforensuring security in the critical infrastructure industry1. A report by McAfee [12] shows thatcountries such as the U.S., Russia, China, UK, and France have established various cybersecuritydepartmentswith thepurposeofprotecting theirnational infrastructureanddevelopingdomesticcybercapabilities.

2.2 Nuclear Power Plants (NPPs) ThoughNPPsareusedtoproduceelectricity,thereexistsignificantdifferencesbetweennuclearandotherelectricalgeneratingplants.Themostcommonmethodtoproduceanddistributeelectricityisthroughan“electricalgenerator”[14].Itusesdifferenttypesofmechanicalforcessuchaswindandwater, or mechanical devices such as steam turbines, diesel engines, etc. In order to produceelectricity, a turbine and a generator are attached to each other; the kinetic energy of thewind,fallingwater,orsteamispushedagainstthefan-typebladesoftheturbine,whichcausestheturbineandrotoroftheelectricalgeneratortospinandproduceelectricity.

Anothertypeofplantisahydroelectricplantinwhichwatertravelsfromhigherelevationstolowerlevels through the metal blades of a water turbine [14]. As a result, the rotor of an electricalgenerator spins toproduceelectricity. Fossil fuelledpowerplantsuseheat fromburning coal, oil,and natural gas to convert water into steam,which is then piped into a turbine. The steam in aturbine passes through the blades and spins the electrical generator, which results in a flow ofelectricity.Thistypeofplantalsofollowsthereconversionprocesswheresteamisconvertedbackintowater inthecondenserandpumpedbacktotheboilertobereheatedandconvertedbacktosteam[14].

ThecomponentsofaNPParesimilartothoseinfossilfuelledplants,exceptthatthesteamboilerisreplacedbyaNuclearSteamSupplySystem(NSSS)[14].TheNSSSconsistsofanuclearreactorandtheequipmentusedtoproducehighpressuredsteam.Thesteamthenturnsturbinesforgeneratingelectricity.Anuclearreactorhasfourmainparts:theuraniumfuelassemblies,thecontrolrods,thecoolant/moderator, and the pressure vessel. The fuel assemblies, control rods, andcoolant/moderator make up what is known as the reactor core. The core is surrounded by thepressurevessel[14].

TheenergyinNPPscomesfromthefission(splitting)offuelatoms,i.e.U-235(uranium).MostofthereactorsuseU-235 for fuelbecause it canbemoreeasily splitduringa fissionprocess thanotherformsofuranium.Thefuelcycleforpowerreactorsbeginswiththeminingoftheuraniumandendswiththedisposalofthenuclearwaste,goingthroughthreemainphases.Inthefirstphase,thefuelisprepared;thesecondphaseistheserviceperiodinwhichfuelisusedtogenerateelectricity;andinthefinalphase,fueliseitherdisposedoforreprocessed[15].

1Theserepresentativesshouldbelongtogovernment,majorgoverningbodies,informationtechnologyandinformationsecuritysectors.


6

Therawuranium,minedfromoredeposits,cannotbeusedinpowerreactors;ithas99.3%ofU-238and0.7%ofU-235.However, the fissionprocess requiresU-235enriched toa levelof3–5% [15].Therefore,therawuraniummustbeprocessedthroughaseriesofstepstoproduceusablefuel.Theconcentration of U-235 is increased through the enrichment process, in which uranium gas isintroduced into fast-spinning cylinders and heavier isotopes are pushed to the cylinder.Once thefuelisenrichedwithU-235,itisfabricatedintoceramicpellets.Thepelletsareslendermetaltubes,typically8-15mm(0.314-0.59inches)indiameterand3.65meters(12feet)long.

Thepelletsarethenpressurizedwithheliumgas,afterwhichtheyarepackedinlongmetaltubestoformfuelrodsandarebundledtogetherinto“fuelassemblies”.Theassembliesarethenshippedtothepowerplant for introductiontothereactorvesselwherethecontrolledfissionprocessoccurs.FissionsplitstheU-235atomsandreleasesheatenergy,whichiseventuallyusedtoheatwaterandproducehighpressuresteam.Thefuelinthereactorisusedfor3to5years,andthenthereactorisloadedwithfreshfuel.Becausethespentfuelisveryhotandradioactive,itisstoredinwaterpoolstoprovidecoolingandshieldingfromradioactivity[15].Afterafewyears,thefuelissenttointerimstorage facilities, which have either wet storage, where spent fuel is kept in water pools, or drystorage, where it is kept in casks. If spent fuel needs to be reprocessed, it is sent back to aconversionfacilityandtheprocessisrepeated.Thespentfuelcontains1%plutonium,96%uraniumand 3%wastematerial. After the conversion and enrichment process, the spent uranium can bereusedinreactors.

2.2.1 Architecture of NPPs It is important to giveadescriptionof the typicalNPP InstrumentationandControl (I&C) systemsandtocharacterizethevariousmodules.IndigitalNPPs,I&Csystems,togetherwiththeoperationspersonnel,serveasthecentralnervoussystem.ThepurposeofanI&Csystemistosupportreliablepower generation. Ideally, a NPP should keep plant parameters such as power, power-density,temperature,pressure,andflowratebelowadesignlimit,whichisaccomplishedthroughthousandsof electromechanical components likemotors, pumps, or valves. The coordination between thesecomponentsiscontrolledbythedifferentelementsofI&Csystems;theysenseprocessparameters,calculate deviations/abruptions, monitor performance, integrate information, issue correctiveactionstofielddevices,andmakeautomaticadjustmentstoplantoperationsasnecessary[87].Theyalsosendalertsandresponsestoabnormaleventsorfailures,thusensuringgoalsofefficientpowerproductionandsafetyaremet.Moreover,anI&CsystemsendsandreceivesresponsesfromaHMIabout the status of plant parameters and their deviations. In short, an I&C system senses,communicates,monitors,displays, controls,and issuescommandsbetween theplant componentsand plant personnel. For this research, we have used the Evolutionary Pressurized Reactor (EPR)architecture (the U.S. version is called the Evolutionary Pressurized Reactor or US-EPR) [87].However,duetospacelimitations,wehavediscussedthearchitectureatanabstractlevel.TheEPRisdivided into threemain levels: i) Level 0, process interface level; ii) Level 1, systemautomationlevel;andiii)Level2,unitsupervisionandcontrollevel.Figure2displaysthesimplifiedarchitectureofagenericNPPI&Csystem.

Level 0 – Process Interface Level provides measurement and sensory capabilities to supportfunctions,suchasmonitoringorcontrollingdevicestoenableplantpersonneltoassessstatus.Thislevelconsistsof fielddevices,suchassensorsanddetectors,whicharedeployedat theplant,andsend signals through a communication system to the operators or to the decision-making


7

applications(analogorcomputer-based).Thesedeviceshelpmakeautomaticandmanualdecisions,both for control systems and operators, during normal and irregular situations. The parametersmeasured include plant temperature, pressure, flow rate, level, etc. Themeasurements are thensent to Level 1 systems (discussed below), which compare them with defined values and takecorrectiveactions,ifrequired.

Level1–SystemAutomationLevelismadeupofsystemsrelatedtotheprocessingandcontrollingofparametersandtothesafetyoftheplant.Thesesystemsautomaticallycontrolthedevicesofthemain plant and ancillary systems, based on the inputs received from sensors and detectors. Theautomation of power plant control reduces theworkload of operations staff, thus allowing themmoretimetomonitorplantbehaviourandevolvingconditions.Thislevelconsistsoftheprotectionsystem (PS), safety automation system (SAS), process automation system (PAS), priority actuationandcontrolsystem(PACS),andreactorcontrol,surveillance,andlimitation(RCSL)system.

Level2–UnitSupervisionandControlLevelbearsresponsibility for forming interactionsbetweenoperatorsandtherestoftheplantsystemsatlevels1and0.ItconsistsoftheHMIsandpanelsofthe main control room (MCR), remote shutdown station (RSS), technical support center (TSC),process information and control system (PICS), and safety information and control system (SICS).HMIs allocate and distribute tasks among workstations; select and prioritize alarms and theirintegrationwithothercomponents;displayplantstatuses,measurementsandvalues;etc.

Figure2:U.S.EvolutionaryPressurizedReactorinstrumentationandcontrolsarchitecture[87]


8

Moreover,the InternationalAtomicEnergyAgency(IAEA)hasdividedI&Csystemsintothreemainclasses:safety,safety-related,andnot-safetysystems[88].Eachlevel,discussedabove,maycontainbothsafety-relatedandnon-safety-relatedsystems.Thepurposeofsafetysystemsistoprotecttheplant and environment from natural hazardous or disastrous consequences that result from themalfunction of plant components. These systems perform automatic actions under abnormalconditions. It consistsofPACS,PS,SAS,andSICS,which further includeplantcomponents suchasreactor trip, emergency core cooling, decay heat removal, containment fission product removal,emergency power supply etc. Safety related systems do not directly protect the plant, but areotherwise importantforthesafeexecutionofplantoperationsthatcontrolreactorpower,controlpressure and temperature for heat removal, monitor radiation levels, measure and display plantstatus, etc. These systems consist of PAS, RCSL system, and PICS. Not-Safety systems are notnecessary tomaintain the plantwithin a safe environment. They are not covered in detail in thispaper.

3. Cyber Security and Cyber Warfare in the Nuclear Industry Concernsurroundingcyberwarfarehasgainedattentionintheinternationalcommunity,andnowithasbecomeamatterofconcernforthenuclearindustryaswell.Theconsequencesofacyberwararenolessthanthoseofatraditionalwarwiththelossofmoney,lives,infrastructure,andnationalstability. Thewar between Russia andGeorgia demonstrated that cyberwarfaremechanisms aremodernwarmechanisms[26].Similarly,theEstonianattackof2009provedthatunpreparednessforcyber incidentsmay leadtocatastrophicsituationsforgovernment,businesses,andmedia[27]. In2009, another large attack, “GhostNet”, was launched and able to steal confidential informationfrommore than a hundred governments and private organizations from various countries [28]. Itwasalsoreportedthatabotnetnamed“Patriot”wascreatedbyIsraelihacktivistsandlaunchedonthecomputersofnon-technicalactivists,runningasabackgroundprocessandawaitingordersfromthehacktivists’leaders[29].

Inthesamevein,thissectionfocusesoncyberchallengesandsecurityincidentsthatoccurredwithinNPPs,supportingtheassertionthatanykindofcyberincidentonanuclearinfrastructuremayleadto catastrophic results and fromwhich recoverywill not be possible. However, it is necessary tounderstand three basic cyber risk scenarios before going into the depth of security events andchallenges.

3.1 Cyber Risk Scenarios IAEAhasclearlyidentifiedthreepossibleriskscenariosinvolvingnuclearfacilities:i)“cyberattacks”,which corrupt nuclear command and control systems and remove radioactivematerial; ii) “cybersabotage”,whichaffects thenormaloperationsofanuclear facilityandcausesseriousdamage tonuclear equipment; and iii) “cyber espionage”, the collection of confidential information from anuclearfacilityanditsusageformaliciouspurposes[16].

CyberAttacks: It isdifficulttosuccessfullyexecutea“cyberattack”becauseofthe involvementofphysical as well as cyber actions. Such attacks can be executed if the facility has weak securitycontrols and policies, andwith the involvement of an insider. The sophistication of these attacksdemands identificationof vulnerabilities,expertise in ICS, and thecreationofmaliciousprograms.


9

Terroristgroupsareunlikelytohaveaccesstosuchexpertiseorresources,butmilitarynationstatesmighthavesuchcapabilitiestoexecuteattacksagainstanothercountry.

Cyber Sabotage: Cyber sabotage is another threatwhichNPPs have faced. Sabotage can come inmanyforms:itcouldcausephysicaldisruptiontonuclearequipment,introducevirusesormalwareinto a system, or even plant malware that could result in nuclear explosion. The supply chainmanagementcycleandprocurementof thirdpartysoftwarearealsoseriously threatened.Historyhas witnessed a number of incidents, in which intentional or unintentional acts of deployingmalicious software resulted in unrecoverable damage to a nation’s infrastructure [23]. Incidentswhich modified the Iranian vacuum pumps in 1990, planted explosive material in Iran’s nuclearequipment in2012,andalteredcoolingcomponents in Iran’snuclearpower reactor in2014areafewexamplesofcybersabotage[24,26].Stuxnet[5,34]isanotherexampleofcybersabotage,whichcausedsignificantdamagetoIraniancentrifugesandSCADAcontrolsystems.

CyberEspionage:Recentyearshave seena substantial increase in cyberespionageattacks.Cyberespionage is more common than sabotage since this type of attack does not require as muchtechnicalexpertise.Therearemanytools,suchaskeyloggersandspyware,freelyavailableontheinternet,which couldbe remotely installedona victim’s computer topenetrateatrustednetworkandaccess sensitive information.Thenuclear industryhasbeena targetof cyberespionage since1986; however, a new series of attacks began in 2005, when Chinese hackers penetrated U.S.militarysystemsfornuclearsecrets[17].In2006,IsraelisplantedaTrojanHorseonSyriancomputersystems and gained access to their secret nuclear program [18]. Similarly, in 2008, Russian forcescreatedamalwarenamedagent.btz tohack theU.S. classifiednetwork [21].Anumberofattackswerelaunchedfrom2011to2013onU.S.andIAEAsensitivefacilities.Duqu[21],Flame[21],Zeus[20], ShadyRAT [20] andmalwaresbyDeepPanda [22] are examplesof cyber espionage attacks,whichhavebeendesignedtogainintelligencefromcriticalinfrastructures.

3.2 History of Nuclear Cybersecurity Incidents Literature reports very few cybersecurity incidents in the nuclear industry. The reason is quiteobvious:governmentsdonotwanttopublishtheweaknessesoftheircriticalinfrastructuresorevenmakethegeneralpublicawarethatsuchvulnerabilitiesexist. However, inordertobetterprotectsystemsfromfutureattacks,oneneedstoanalysepreviouscyberincidentsonnuclearoranyothercriticalinfrastructure.TherehavebeenincidentswhicharenottheresultofcyberattacksonNPPs,but those incidentsdemonstrate similar impacts compared to thoseofa cyberattackona criticalinfrastructure.

AnumberofpoweroutagesoccurredduringAugustandSeptember2003inmajorcountriesliketheU.S.,Canada,England,Denmark,Sweden,andItaly[37].“TheNorthEastBlackout”poweroutageintheU.S.andCanadaaffectedaround55millionpeopleandresultedin11deaths[38].ThenotableChernobyl SCADA incident caused a catastrophic amount of damage [30]. This incident led to 56deathsandanestimated4000cancercases.Therecoveryprocesswasestimatedat$1.2billionandthe site will remain radioactive for an estimated 100,000 years. The 2011 incident of FukushimaDaiichiNPP,whichoccurredduetotheprecedingearthquakeandtsunami, isanothermajoreventwhich resulted indisastrous consequences. Around100,000peoplewereasked toevacuate theirhomes,anda largeagriculturalareawasdeclaredtobeuninhabitable for thousandsofyears.TheJapanesegovernmentisstillcopingwiththeeffectsofthereleasedradiation[40].Asimilarincident


10

wasreportedinJuly1999whenapipelinerupturedinWhatcomCreek,Washington,spilling237,000gallonsofgasoline.Thisignitedgasolineresultedinthreedeathsanddamageworthapproximately$45million.Analysisof thiseventshowsthat thepipelinecompanywasnotadequatelymanagingtheprotectionofitsSCADAsystem[41].

In 2003, the SQLSlammerworm breachedOhio’s Davis-Besse NPP through a contractor’s system.The worm crashed the safety parameter display system (SPDS) and monitoring systems of thenuclear plant [42]. SQLSlammer exploits a vulnerability in Microsoft SQL Server 2000 databasesoftware. The worm scans a system, and if it finds SQL Server 2000 running, then it infects thesystem and propagates to the next random IP address. The worm generated a large volume ofnetwork traffic. Fortunately,Ohio’sDavis-Besseplantwasnot inuseat the timeanddamagewasnotserious.Similarly,acomputerviruscalled“Sobig”shutdownatrainsignallingsysteminFlorida,U.S., in 2003 [43]. It shut down the signalling and dispatching of the systems deployed at CSXcorporation,whichcausedtraindelays.InAugust2006,theBrownsFerrynuclearplantinAlabama,U.S.,wasmanuallyshutdownbecauseofanoverloadofnetworktraffic,whichresultedinthefailureof reactor recirculation pumps and the condensate demineralizer controller [44]. Both of thesedevices transmitted data over an Ethernet network, which contained network vulnerabilitiesallowingirrelevanttraffictopassthroughtheplant.Thisincidentrevealstheimpactofthefailureofoneormoredevicesinaplant.

The Hatch NPP was shut down in March 2008, when an engineer’s computer connected to theplant’s business network. The computer was connected to the ICS and its system update wasdesignedtosynchronizethedatabetweentwodevices.However,whenthecomputerwasrestartedaftertheupdate,itresetallthedataofthecontrolsystemtozero.Theplantpersonnelincorrectlyinterpretedthezerovalueandthoughtthattherewasan inadequate levelofwater inthereactor[45].Thisshowsthatnuclearpersonnelhadinsufficienttrainingandknowledgeoftheincident,andthattheirunawarenesscausedmoreproblemsthantheoriginalone.Industrialespionagewasalsoreported in 2009, when Chinese and Russian spies penetrated the U.S. electrical power grid andinstalledmalicioussoftwareprograms[46].

In1992,atechnicianat IgnalinaNPP intentionally injectedavirus intothecontrolsystem.Thoughhispurposewastohighlightthevulnerabilitiesinaplant,itdemonstratedthedangersoftheinsiderthreat [47, 48]. In 2000, a disgruntled employee gained unauthorized access to the computerizedmanagement systemofhis company, and causedmillionsof litresof raw sewage to spill out intolocal parks and rivers [49]. The attacker installed the company’s software on his laptop andinfiltratedthecompany’snetworktocontrolwastemanagement.Anotherinsiderattackoccurredin2007 inCaliforniawhenaformerelectricalsupervisor installedunauthorizedsoftwareonaSCADAsystem,causingdamagetothecompany’sassets[50].

Amajorcybersecurityincidentoccurredin2010,whenIran’sNPPwashitwiththeStuxnetcomputerworm. Cybersecurity experts claim that thisworm is the first cyberweapon thatwas targeted toexploitSCADAsystems,damaging1,000centrifugesintheprocess[5].StuxnettargetedtheSiemenscontrolsystemsandhadtheabilitytoreprogramthePLC.Thewormwashighlysophisticated,asitexploited five zero-day vulnerabilities andwas initially spread from infectedUSB flashdrives. Thisrenders the claim of NPPs “being air gapped” as an ineffective security method. Stuxnetdemonstratestheeffectsofmaintainingunpatchedsystemsandallowingvulnerabilitiestoenterthe


11

facility. Thismalwareextracted thehard codedpassword from theSiemensdatabase (CVE-2010-2772) and acquired access to the SCADA system files. It then manipulated the frequency of thefrequencydrivers,which inturn,damagedthecentrifuges.Thevirus installationwasmadehiddenthroughtheuseofdriversigningkeys,whichhadbeenstolenfromRealTekandJMicron [51].Theattackwas launched by a nation-state targeting Iran’s nuclear technologies. The Stuxnet incidentmadenationsrealizethatcyberwarfare isaseriousconcernandthatpropersecurity isneededtoprotect their critical infrastructures. Iran reported the replacementof1,000-2,000centrifuges inafewmonths [52]. According to several published reports, Stuxnet also infected a Russian nuclearpower plant around 2010. The incident was revealed by Eugene Kaspersky, founder and CEO ofKaspersky Lab. ThoughStuxnetwas a very targetedattack, its unprecedented capabilities showedthatthiswormcouldalsobeusedformoredestructivepurposes.

In2011,McAfeereportedtheattacknamed“NightDragon”,launchedonfiveglobalenergyandoilfirms which were compromised using mechanisms such as phishing, Trojan Horses, Windowsexploits and social engineering [53]. There are many attacks which targeted the corporatecompaniesattachedtotheSCADAinfrastructures.AnincidentwasreportedonSouthKorea’sstate-runoperator,KoreaHydroandNuclearPowerCo.,inDecember2014.Theattackersgainedaccesstothe system by sending phishing emails to the employees. An employee’s accidental click on themaliciouslinkgivenintheemailallowedmalwaretodownload,infectingthecompanynetwork.Theattackspecificallytargetedtheblueprintsandelectricalflowchartsofnuclearreactors[54].

AnumberofattackshavebeenreportedonSCADAsystems.ItisdifficulttoidentifywhethertheseattacksarebecauseofITnetworkorSCADAsoftwarevulnerabilities.AccordingtoEricByres,from1982 to 2000, 70% of SCADA attacks were internal, i.e. due to disgruntled employees and theirmistakes, while 30% were external attacks from hackers and cyber terrorists [55]. Byres thenexplainedthatasurveyfor theyears2001to2003showedthat70%ofattackswereexternaland30% were internal. The complete reversal of statistics shows that industry is neither usingstandardized networking protocols, nor verifying the security of third-party software. This changedidnotoccurbecausetherearefewer internalattacks, rather, thenumberofexternalattackshasrisensomuchitcausedthereversalofthesefigures.

3.3 Nuclear Cybersecurity Challenges The abovementioned incidents have made cybersecurity an ever increasing concern for nuclearfacilities, including power plants and weapons facilities. This evolution in technology has alsointroducedvulnerabilitiesinandhackingattemptsonnuclearsystems.Softwarevulnerabilitieshavemadeiteasyforhackerstostealsensitiveinformation,spoofsystems,orpotentiallydamagecriticalnuclearfacilitiesandprocesses. Suchvulnerabilitiescouldbeintroducedthroughbugs insoftwareprogramsorzerodayexploits.

The researchperformedby theChathamHouseproject identifiedmajorchallenges incivilnuclearfacilities [4]. The report highlighted that infrequentdisclosureof incidents at nuclear facilitieshasmade it difficult for security analysts to analyse the extent of theproblem inorder to implementsecuritycontrols.Governmentsandnuclearauthoritiesdonotdisclosenuclearsecurityincidentsoutofconcernforreputationandtrustamongothercountries,whichleadstotheerroneousbeliefthatitisnearlyimpossibletoattackanuclearfacility.Nuclearpersonnelofteninterpretsecurityincidents


12

asmalfunctioningofhardwarebecause there isa lackofnuclear forensicsand logging techniquesthatcandeterminethecauseofincidents.

Inaddition,thereiscurrentlynomechanisminplacetofacilitatetheexchangeofinformationandtoenhance collaborationwithother industries that aremakingprogress in this field [4]. Thenuclearindustryisreluctanttoshareitsinformationandcollaboratewithotherindustriestolearnfromtheirexperiences.Thelackofsharingmeansthatthenuclearindustrycannotidentifytheattackpatternsdiscoveredbyothersectorsnorcanitapplyfool-proofsecuritycontrols.Therearealsoinsufficientcybersecurityregulatoryguidelinesandstandardswhichnuclearfacilitiescanfollowforcompliance.A few regulators have issued best practices guidelines; however, their guidelines do not coverenforcingsecuritycontrolsandmanagingcyberrisks[4].

It has also been observed that nuclear plant personnel and cybersecurity professionals have adifficulttimecommunicatingsecurityrequirementsandsuggestionstoeachother[4].Thereasonsseemtobe theoff-site locationof cyberprofessionalsand lackof information securityawarenessamongnuclearpersonnel.Nuclearplantpersonnelarenottrainedthroughcyberdrillsandtheylackpreparednessforlarge-scalecybersecurityincidents.Theirleveloftechnicaltrainingisinsufficient,in addition to it consisting of training material that is poorly written and leads to proceduralmisunderstanding.Manyemployees leave theirpersonal computersunattendedwith theiremails,simulationsoftware,andsensitivedocumentsrunning.Manytimestheemployeesareworkingwitharound 60-70 other employees, and any mistake could lead to an incident, which might beunrecoverable[4].

In traditional attacks, the attacker is known to everyone, however cyber attacks change thedimensionsofattacks,makingitnowpossibletodisrupt,paralyze,orevenphysicallydestroycriticalsystemsthroughsophisticatedcomputertoolsandtechnology[4]. It isnoweasyforanattackertofindInternet-connectedSCADAsystemsusingspecializedsearchenginessuchasShodan[30].Onceasystemisidentified,theattackercanscanthenetworkforvulnerabilitiesandopenportsoranalysetraffic to intercept passwords.Many software programs use default passwords such as “Admin”,“12345”,“Test”etc.,whichifleftunchanged,mayenableattackerstoeasilypenetratethenetworkandsystems.

The problem also stems from the myth that nuclear facilities are “air gapped” – or completelyisolatedfromthepublicinternet–andthatthisprotectsthemfromcyberattack[4].Manynuclearfacilities now have internet connectivity primarily because legitimate third parties, such as thevendors, owner-operators, and head officers are located off-site and need access to the datageneratedat theplant.Thedata is required toupdate thedeployedsoftware,check thestatusofthe plant functions, and rapidly diagnose plant malfunctions. Internet connectivity thus allowscorporatebusinessnetworks tocreateadirect linkwith the industrialcontrolsystemnetwork [4].TheDragonFlycyberespionagecampaignprovidesanexampleofhowmalware,particularlyaTrojanHorse,caninfectNPPfacilitiesviaasoftwareupdate[35].Facilitiesmaybeusingbasicrulesintheirfirewallsandintrusiondetectionsystems(IDS),yetitisrelativelyeasytobypassthesemechanismsby resetting themordisguising themalware as legitimate traffic. Sometimesplants areprotectedthroughVPNs;however,iftheyareinadequatelyconfigured,therecanstillbeattacks,asinthecaseof the Davis-Besse power plant [31]. Often, these nuclear facilities have undocumented internet


13

connections,whicharenotknowntoplantmanagers;these,too,canprovidearouteformalwaretoinfectthefacility.

Moreover,nuclear facilities lackstrongsecuritycontrolssuchasauthentication,authorization,andencryption services in their digital systems. Their software is ‘‘insecure by design’’ and does notintegratestrongsecurityfeaturesasdefensivemeasures[4].Additionally,vulnerabilitiesintypicalITsystemsextendtoSCADAsoftware.For instance,SCADAsystemsuseTCP/IPprotocols2toperformcertain functions [32]. However, these protocols have some known vulnerabilities such as IPspoofing,maninthemiddleattacks,SQLinjection,etc.,whichmayresultinsevereconsequencesifleftunattended.[33].

The existence of Stuxnet has enabled less-skilled hackers to copy the technique and developmalwareontheirownfordestructivepurposes.Thesemalwarescouldbeusedforattackingnuclearfacilities since the Stuxnet attacking logic is publically available now [4]. On the other hand, theincreasinguseofpenetrationtestingandexploitationtoolssuchas themetasploit framework[19]allows an attacker to execute a payload to exploit a system vulnerability. The framework wasoriginally designed for penetration testing, but hackers are also using it to fulfil their maliciousintentions.Theproblembecomesmoreseriouswhencompaniesingreymarketstrytosellzero-dayvulnerabilitiestonation-statesornon-statehackerswiththepurposeofobtainingmoney[4].

BringYourOwnDevice(BYOD)isanotherchallengewhichisanemergingfocus,notonlyfornuclearfacilities, but also for other sectors [4]. People (employees, contactors, and vendors) often bringtheirpersonaldevices(mobilephonesorlaptops)intosensitiveareasandconnecttothenetwork.Iftheirdevicesarealready infectedwithsomewormormalware, then it isprettyeasyto infect thefacility network and resources. Similarly, a few vendors and employees deploy temporaryconnections within a facility in order to perform their work, but then forget to remove theconnections. If they remain unattended, these connections can be utilized by an attacker to gainillegitimateaccess.

NPPsalsosometimesdonotfollowthe‘‘fail-safe’’principle3,andthereseemstobeareductionincreating backups of systems [4]. This practice hasmadeNPPs a single point of failure.Moreover,NPPs approach security using the ‘‘Security through Obscurity’’ principle, which does not remaineffective today [4].Much of the documentation on nuclear architecture, software, and protocolsused within nuclear facilities is available online. For example, documentation of NPP protocols,DistributedComponentObjectModels (DCOM),andRemoteProcedureCalls (RPC), isavailableontheinternet,whichmakesiteasyforanattackertounderstandtheoverallworkingmechanism,andthentofind(un)knownvulnerabilitiesintheseprotocols[36].

“Offtheshelf”softwareisoftennotuptodate,andit isnotfeasiblefornuclearpersonneltotakedownsystemsregularlytoapplypatches.ThisisbecausecomponentsofNPPsneedtobefunctional24hoursperday, sevendaysperweek.Thesameapplies tosoftwareandoperatingsystems (OS)hostingnuclearplants.Therefore,anattackonunpatchedsoftwarecouldbringdownorgiveaccess

2TCP/IPprotocolsareusedtotransferinformationoverthenetwork.3Afail-safeisapracticethat,intheeventofaspecifictypeoffailure,respondsorresultsinawaythatwillcausenoharm,oratleastminimizeharm,tootherdevicesortopersonnel[98].


14

to a network of NPPs. On the other hand, patching software can also introduce unknownvulnerabilitiesintothesystemsincetestingisusuallynotperformedbeforepatching[4].

Thusly,thenuclearpastislitteredwithexamplesofnearmissesandaccidents–manyofwhichcanbe either directly or indirectly launched through computers and software – and the ratio of suchattacksmayincreasewiththeintroductionofmoresophisticatedsystemsintothenuclearindustry.Whiletheprobabilityofacatastrophiceventsuchasthereleaseofradioactivematerialisrelativelylow,theconsequencescouldbesevere.Furthermore,allofthesefactorsindicatethelackofawell-defined cybersecurity risk management strategy for nuclear facilities. The nuclear industry is notinvestingasmuchastheyshouldbeincybersecurity.Additionally,developingcountriesareatmorerisk,sincetheyhavelowerbudgetsforsecurityenforcement.Statesareimplementingstrategiesandpoliciestopreventlargescalecyberattacks,butitistooearlytotellhowimpactfulthesewillbe.

4. Industry and Government Responses on NPP Cybersecurity The above section has highlighted vulnerabilities and security challenges in NPPs that posesignificant risks to the economy and to national security. There have been a number of attemptsmade by international organizations, regulatory and research institutes, and governments toestablishcybersecurityguidelines,standards,andframeworksforthesecurityofNPPs.

A number of international regulatory bodies such as IAEA, National Institute of Standards andTechnology(NIST),WorldInstituteforNuclearSecurity(WINS),andtheInstituteofElectronicsandElectronicsEngineers(IEEE)havepublisheddocuments[56–59]onsecuringnuclearfacilities.ThesedocumentsfocusonICSandSCADAsystems.NISThaspublishedawell-establishedriskmanagementframeworkinNISTSpecialPublications(SP)800-30[60],800-37[61],and800-39[62],whichanalysedifferent threat scenarios and evaluate the possibilities of attacks that can exploit systemvulnerabilities.However,theNISTriskassessmentframeworkdoesnotdefinespecificproceduresonhowacompanyshouldassessthequantificationofrisks,i.e.howandtowhatextentanattackcanaffectsystemconfidentiality,integrity,oravailability.In2008,NISTreleasedaguidelineonsecuringIndustrialControlSystems(ICS)[63].Thisspecialpublicationcomprehensivelydiscussedthesecurityof ICS systems, mainly covering SCADA architecture, distributed control systems (DCS), securesoftwaredevelopment,anddeploymentofcontrolstosecurenetworks.NISTalsoworkedwiththeIndustrialAutomation andControl Systems Security ISA99Committee to formulate a guidelineontheSecurityforIndustrialAutomationandControlSystems[64].

The IAEAandWINSareplaying themajor roles in thenuclear cyberdomain. Theyhavebegun toaddress cybersecurity concerns on a global scale. Currently, they are: i) publishing a number ofcybersecuritydocumentsonnuclearfacilitiesprotection, ii)offeringtechnicalandstrategicsecuritytraining to nuclear concerned officials of member countries, and iii) providing expert advice andcapacitybuilding toofficials and representatives. The IAEAhaspublishedNSS-17 [65] as technicalguidance for ensuring computer security at nuclear facilities. Likewise, the IAEA NSS-13 [66]recommends that all computer-based systems in nuclear facilities must be protected againstcompromiseandthataproperthreatassessmentmustbecarriedouttopreventattacks.Theserieshasidentifiedthreatsfromdifferentadversaries’perspectivesandhasalsoaddresseddetectionandpreventionmechanismsforcompromisesofNPPinformationsystems.


15

Anumberofotherorganizationshavealsoestablishedsetsofbestpracticesorguidelinestoaddressnuclear-related cyber issues. The IEEEproduced the SCADA cryptography standard in 2008,whichprovidesadetailedexplanationonhowtoestablishsecurecommunicationbetweenSCADAserversand workstations. Organizations can also achieve certification under this IEEE standard if theycomplywiththerequirements[67].TheInternationalOrganizationforStandardization(ISO)hasalsodevelopeda standard, ISO/IEC27002:2013,whichprovidesguidelines for initiating, implementing,maintaining, and improving information security management in organizations [68]. All of theseguides and standards offer security best practices and provide generic guidelines on performingsecurityassessmentswithinNPPs.

Whilethereareanumberofguidelinesforprotectingindustrialsystems,therearefewerstandardsthatdefinecompliance.Compliance is important since itprovides a securitybaseline to industriesandensurescontinuousprotectionofsystems.EffortsputforwardbyNISTin2004helpeddevelopthe System Protection Profile (SPP). This profile was designed to cover SCADA systems [69] andbriefly discussed cyber risks. There are a number of proprietary companies, which also offercertifications suchas theAchilles certificationprogram fromWurldtech Security Technologies andthe“Music”certificationfromMuDynamics[70].ThesecertificationsinvolveauditingbyanoutsidecompanytoensurethatI&Csystemsaremeetingsecurityrequirements.

Atthesametime,governmentorganizationsalsoplayavitalroleinimprovingthesecurityofcriticalinfrastructures. The U.S. DepartmentofHomelandSecurity (DHS) [71], Nuclear RegulatoryCommission (NRC) [72], Federal Energy Regulatory Commission (FERC) [73], and North AmericanElectric Reliability Corporation (NERC) [74] offer public-private partnerships to protect criticalinfrastructureandtoprovidecross-sectorstrategiccoordinationandinformationsharing. TheU.S.issuedthePresidentialDecisionDirective (PDD) in1998,whichhighlightedrisks tonationalcriticalsystemsandsolutionstosecurethem[75].

In2007,theNRCincludedcybersecurityaspartofDesignBasisThreat4,definedin10CFR,Section73.1. Subsequently, in 2009, the NRC issued 10 CFR Section 73.54, titled “Protection of DigitalComputerandCommunicationSystemsandNetworks,”whichrequiredalllicensed5NPPstoprovidehigh assurance that their computers and communication systems are protected against cyberattacks [76]. The protection must be assured for the following functions: i) safety-related andimportant-to-safetyfunctions;ii)securityfunctions;iii)emergencypreparednessfunctions,includingoffsitecommunications;andiv)supportsystemsandequipment.InNov2009,10CFR73.54requiredNPPauthoritiestosubmittheircybersecurityimplementationplanstotheNRC,describinghowtheNPPswould complywith theabove requirements. Inorder toassist the licensees, theNRC issuedformalcybersecurityregulatoryguide(RG)1.152[78]in2010.TheNRChasalsoissuedRG5.71[77]for enforcement of cybersecurity measures at NPPs. These regulations address securityvulnerabilities ineachof the followingphasesof thedigital safety system lifecycle: i)Concepts; ii)Requirements; iii) Design; iv) Implementation; v) Test; vi) Installation, Checkout, and Acceptance

4DBTisadescriptionoftheattributesandcharacteristicsofpotentialinsidersand/orexternaladversaries,whomightattemptsabotageorunauthorizedremovalofnuclearmaterial,againstwhichaphysicalprotectionsystemisdesignedandevaluated[66].5The“licensees”referredtointheCFRarethepeoplewhohavelicensestooperatetheNPPs,andthatrequiresthemtoprovideassurancethattheirplanthasacybersecurityplan.


16

Testing;vii)Operation;viii)Maintenance;andix)Retirement.Atthe2014NuclearSecuritySummit,theU.S.announceditsplanstomonitortheactivitiesofNPPoperators,andtocheckifcybersecurityprinciplesareproperlyfollowed.

BesidestheU.S.,othercountriessuchastheUK,Germany,Australia,Netherlands,China,Belgium,France,SouthKorea,Hungary,Canada,andtheCzechRepublichavealsoimplementedcybersecuritystrategies for protecting NPPs from cyber attacks [80-82]. The UK established the NationalInfrastructureSecurityCoordinationCentre(NISCC) in1999,theroleofwhichwastominimisetherisk to critical infrastructure from cyber attacks [79]. In 2007, the Centre for the Protection ofNationalInfrastructure(CPNI)wasestablishedbytheUKtoguidecompaniesandindividualsonhowto secure SCADA systems [83]. The CNPI published nine best practice documents, which cover adiverserangeofsecurityissues-fromthird-partyriskstofirewalldeployment.

Moreover, there have been a number of agreements between countries to establish confidencebuildingmeasuresincyberspace.Nation-statesareoftenreluctanttosharetheircyberexpertiseandskillswithothercountries.Thisleadstomistrustamongcountriesandhastetoimproveone’sowncybercapabilities. Inaneffort toaddress thisproblem,theU.S.andRussiamadeanagreement in2013[96].ThistreatyinvolvedinformationsharingbetweentheU.S.computeremergencyresponseteam (CERT)anditsRussiancounterpart, creationofworkinggroups,and theuseof thededicatednuclearhotline to communicate cyber crises. Similarly, abilateral agreementwas signedbetweentheU.S.andChinain2013,however,theagreementdidnotlastandendedinMay2014[85].TheEuropeanUnion(EU)isalsodoingnotableworkinpreventingandrespondingtonuclearattacksataglobal level. EU-CERT and theEuropeanNetwork andInformationSecurityAgencyprovide supporttogovernmentsduringcrisismanagementandalsoprovidetrainingtooperators[86].

Nevertheless,alloftheseeffortsareongoingandrequireindefinitetimetomature.Theguidelines,standards, and recommendations offered by governments and regulatory authorities requirecomprehensive review to ensure that they cover the latest risk assessment developments – forexample,cyberthreatinformationsharing,riskassessmentoftacitknowledge,disseminationofriskassessment results, etc. These features are required to keep NPP risk assessment up-to-date onadvancedcyberthreatsandtomanagecyberincidentsinanappropriateway.However,atpresent,the abovementioned guidelines do not provide enough detail on enforcing security controls andpreventingcyber risks.Our findingshavealso revealed thatnoneof theproposedguidelineshaveholisticallyprovideddetailedsecurityproceduresspecific tothearchitectureandworkingofNPPs.Threat and risk assessment of NPPs is necessary since it provides realistic insights into systemssecurityandhelpsinimplementingappropriatedefense-in-depthmeasures.

5. Threat Modelling for NPPs In theprevioussection,wehavehighlightedanumberofstandardsandguidancedocuments thathave been published to evaluate the security risks of IT or Instrumentation and Control (I&C)systems. However, these documents do not describe threat and vulnerability assessment of I&Csystems of NPPs. Design basis threat (DBT) profiles determine threat levels, develop securitypostures, and provide statements about the attributes of potential adversaries of NPPs [89];nevertheless, they focus more on physical safety of the plant than they do on cyber protection.There is a significant need to perform detailed threat and vulnerability assessments of NPPs that


17

considerbothstand-aloneattacksandcoordinatedattacksagainsttheuseofcomputersystems.Acoordinated attack is a carefully planned and executed offensive action in which the variouselements,suchassystemsandpersonnelareinvolvedinamannertoutilizetheirskillsasawhole;whereasastandaloneattackisanindividualefforttolaunchanoffensiveaction.

ThissectionpresentstheSTRIDE(Spoofing,Tampering,Repudiation,InformationDisclosure,DenialofService,andElevationofPrivileges)threatmodelofagenericNPP’sI&Csystembyconsideringitscharacteristicsandarchitecture.First,securityrequirementsforaNPPareidentified,followedbytheanalyses of security vulnerabilities in I&C systems. The identification of requirements andvulnerabilitiesfurtherledustothediscoveryofthreatsthatadversariesposeontheI&CsystemofaNPP.Asanext step,adversariesareclassifiedbasedonattackerprofilesgiven in the IAEANSS-17series[65]andIAEA-CN-228-54[90]conferencepublication.Finally,STRIDEmethodologyisusedtodevelopthreatmodels,followedbytheformulationofattacktreesusingAmenazaSecurITree[91].

Scopeof ThreatModelling: The scopeofour threatmodelling is limited toLevel 2 of I&C systemarchitecture,which is common toall typesofNPPs. Thereareanumberof reasons that limit thedevelopmentofacomplete threatmodel for the ICSsofNPPs. It isdifficult toaddress the ICSsofNPPs as awhole because of the depth and breadth of the nuclear power plant discipline. Firstly,every type of NPP has a different ICS architecture that varies significantly with the purpose andscope of the plant. Secondly, an ICS system of a NPP is composed of a variety of technologicalelements,suchasmodules,elements,components,sub-componentsystems,andsub-systems,thatareconnectedtoeachotherthroughanumberofpossibleways(datalink,LAN,WAN,Intranetetc.),dependingonthearchitectureoftheICSandthefunctionsoftheseelements.Finally,anICSsystemalso relies on other influencing factors, such as human actions, information management,simulation,softwareengineering,systemintegration,prognostics,andcybersecurity.Therefore,itisdifficulttocompletelycharacterizeaNPPandperformathreatmodelling.Therelatedgovernmentdepartments and nuclear authorities are ultimately responsible for performing a complete threatmodellingoneverynuclearfacility(realworld)andusingtheresultstomitigatehigh-levelattacks.

WehavechosenLevel2because ithasthemost interactionwiththeoutsideworldandtheplant.Externalandinternalthreatsbeginpropagatingfromthislevelsinceit isconnectedtotheInternetaswellastotheinternalnetwork.Humans,theweakestlinkofthesecuritychain,alsointeractfromthis level. The systems at Level 2 are the safety information and control system (SICS) and theprocessinformationandcontrolsystem(PICS).TheSICSplaysitspartwhenthePICSisunavailable:itmonitorsandcontrolscertainsafety-relatedsystems,suchasthecomponentcoolingwatersystem(CCWS)andventilation,forashort intervalundercertainconditions. Itconsistsofhumanmachineinterfaces (HMIs) and qualified display systems (QDSs). The PICSmonitors and controls the plantunder every condition. It consists of i) computers (HMIs) – for monitoring and control at theoperatorworkstationsinthemaincontrolroom(MCR)andtechnicalsupportcenter(TSC),ii)VisualDisplayUnits (VDUs)– fordisplaying theplantoverview in theMCRon large screens, and iii) softcontrols.BothofthesesystemshaveaccesstoLevel1and2systems.Moreover,PICSalsodisplaysalarms and provides guidance to the operators for corrective actions.Other details, including the


18

communication procedure6, are available in IAEA and U.S. Nuclear Regulatory Commissionpublications[87,88].

5.1 Security Requirements of a NPP Inordertoidentifythreats,it isfirstnecessarytodiscussthesecurityrequirementsofNPPs.TheserequirementsaregenericsuchthatanyNPPcanimplementsecuritymeasuresbasedonthem.

1. MutualAuthentication:Thevariouscomponents,systems,andsub-systemsofaNPPmustbe mutually authenticated with each other during their interactions. This is required toensure that only authenticated entities can interact with and access critical or sensitiveinformationfromtherelevantcomponents.Forexample,remoteshutdownstations(RSS)orworkstations at the MCR must authenticate systems at Level 2 before exchanginginformation, and vice versa. Also, the operator sending control commands or requestingdatafordisplaymustbeauthenticatedusingtwo-factorauthenticationateveryworkstation.Inreturn,theworkstationmustbeauthenticatedbythecontrollerfromwhichitisfetchingdata.ThismutualauthenticationwillhelpinpreventingspoofingandmasqueradingattacksonNPPcomponentsaswellaspersonnel.

2. Confidentiality involves securing data at rest as well as the data being shared duringcommunications.Thedatabeingexchangedamongthesystemsoflayers0,1,and2,aswellasbetweentheplantpersonnelandlayer2systems,mustbesecuredanddisclosedonlytothesystemsthathavetoperformcertainfunctionsonthedata.Ifsystemsatdifferentlayersarehostedondifferentnetworks,thenthedataexchangebetweenthemshouldbesecure.Forexample,safetyautomationsystems(SAS)andprotectionsystems(PS)at layer1mustsend encrypted messages to workstations at MCR and RSS. Secure data communicationensuresprotectionagainstexternalattemptstoleakdataandtoexposecriticalinformationregardingplantstatusanditsparameters.Thedataatrest,suchasthatstoredindatabasesandonworkstations,alsoneedstobesecuredusingencryptionmechanismsforpreventingunauthorizedorillegalaccesstocriticalresources.

3. Authorization: Physical access control has already been implemented at NPPs. However,softwarebasedaccesscontrolisanothermajorsecurityprocesswhichmustbevalidated.Itis necessary that only authorized employees and systems are able to access relevantinformation about plant equipment and their parameters. “Least Privilege Principle” and“Separation of Duties Principle” must be present in access controls to ensure that anoperator/employee will only get data on a need-to-know basis. For example, the datadisplay at VDUs andworkstations of operatorsmust be filtered as per the access controlpolicyandthenpresented.

4. DataIntegrity:ThedatareceivedfromLevel0(i.e.sensors,actuators),Level1(PS,SAS),andLevel 2 (Workstations) must be accurate. The readings of temperature, pressure, etc.,

6ThecommunicationsystemprovidesinformationanddataexchangeamongvariouscomponentsoftheICSandplant.Itusesanumberofprotocolsandmediumstoperformitsfunctions.Themediumscouldbewires, fibreoptics,PROFIBUS,fieldbus,wirelessorwirednetwork,etc.,whileprotocolsdependontherequirementsofaplantbutmainlyincludeTCP/IP,MODBUS,etc.MostdigitalpowerplantsaroundtheworldarelimitedtoLANorintranet.


19

received from sensorsmust be correct; similarly, commands received from the controllermust be verified as being the same commands the operator issued. This requirement isensuredthroughdataintegrity,usingeitherencryptionorhashingtechniques,suchasSHAorMD5, to verify data was not corrupted in transit. Misleading or erroneous data couldresultindisastrouseffectsfortheplantandtheenvironment.

5. Non-repudiationisanimportantrequirementforeverysystemwithintheplantarchitectureinordertoensurethatthedataorcommandreceivedisactuallyfromtheauthorizedsystemorpersonitclaims.Forexample,thecommandissuedbyanoperatortoincreasethespeedof centrifuges or to send information about water level must be sent with the digitalsignatureofthatoperator.Similarly,thecommandsissuedbycontrollersatLevel2needtobetrackedforauditingpurposestotrackfailuresormalfunctioningofspecificcomponents.

6. SystemsSecurityCapabilityMonitoring:Thecomponentsandsystemsateverylayershouldbecertifiedbyatrustedthirdpartytoensurereliableandsecurebehaviour.Inthecaseofreplacement for any system or component, the systemmust be recertified to guaranteerobustness.

7. Auditing: All operations (such as modify temperature, increase speed, display data, etc.)beingperformedbythesystemsandcomponentsmustbeloggedforfuturereference.Thisrequirementwill also help forensics investigations by providing evidence of anymaliciousattempt by an adversary. For example, if any system or component is compromised orspoofed,leadingtosomemaliciousactivitywithinaplant,thenauditingwillhelptracethemaliciouscomponentthatbreachessecurityandviolatesrules.Ifproperlylogged,activitiesand taskscanhelpgatherevidenceagainst theenemy,aswellaskeepacheckonsystemactivitiesinreal-time,preventingseriousdamagetotheplant.

8. Availability:ThisisthemostimportantrequirementforanNPP.TheI&CsystemofanNPPhas a dependent architecture, where components require inputs from other componentsdeployedat different layers. Theunavailability of one componentwithout abackupcouldresultindisastrouseffects.Componentssuchassensors,detectors,PS,SAS,etc.,shouldbeavailableaspertheirrequirements.

5.2 Security Vulnerabilities of a NPP Having identified the security requirements for a NPP, we now thoroughly analyse the securityvulnerabilities of the I&C system components which may result in system breakdowns or plantshutdown.Thisfurtherhelpsustoidentifythreatsthatresultfromtheexploitationofoneormorevulnerabilities.Table1displaysthecategoriesofvulnerabilitiesthatcouldoccurintheI&CsystemsofaNPP,alongwiththelistsofthreatsandvulnerablecomponents.ThesevulnerabilitycategoriesarebasedonaU.S.ICS-CERTdocumentforIndustrialControlSystems[92].Inthissub-section,onlymajorvulnerabilitiesofaNPPareexplained.


20

Table1:VulnerabilityCategoriesandAssociatedThreatsinNPPs

VulnerabilityCategory Attacks VulnerableModulesNoorIncorrectInputValidation

Bufferoverflow;cross-sitescripting;SQLinjection;commandinjection.

WorkstationsatMCR,RSS;PICS;SICS;HMIs.

ImproperAuthorization Datatampering;Escalationofprivileges.

WorkstationsatMCR,RSS;PICS;SICS;HMIs,SAS,PS,PAS.

ImproperAuthentication Networkeavesdropping;Bruteforceattacks;Dictionaryattacks;Credentialtheft;Cookiereplay;IdentitySpoofing.

AllI&Csystems,sub-systemsandcomponents

UnencryptedSensitiveData

Dataexposure;Datatampering;NetworkEavesdropping;Credentialtheft;Man-in-the-Middle.


ImproperSoftwareConfigurationsandManagement

Accesstodefaultaccounts;Exploitunpatchedflaws,unprotectedfilesanddirectories,etc.;InstallMalware/Botnets

WorkstationsatMCR,RSS;PICS;SICS;HMIs,SAS,PS,PAS.

LackofBackupFacilities Interruptplantoperations;Shutdownplant;destroyplantequipment.

SAS,PS,PAS,Sensors,Actuators,PICS,SICS.

LackofAuditandAccountability

Repudiation;Notracesofnetworkattackpatterns;Notracesofinstallationofmalicioussoftware.


1. Noor Incorrect InputValidation: Services and scriptswrittenby I&Cvendorsoften sufferfrombadcodingpracticesthatallowattackerstosendmaliciousrequestsandthuslymodifyprogramexecution.Similarly,theuseofinsecureprotocolsfornetworkingisalsovulnerableto malformed packets. Vulnerabilities in these protocols and services make an attackercapable ofmanipulating plant components, i.e. viewing andmodifying values, usingwell-knownattacks. In the architecturediscussed above, sensors receive all requests fromSASandPS,whichinturnreceiverequestsfromworkstationsattheMCR,whichmightbevictimtosuchattemptsbyanattacker.Theattacksthatcouldoccurthroughthisvulnerabilityarebufferoverflows,commandinjections,SQLinjections,crosssitescripting,etc.

2. Improper Authorization: Access control mechanisms are implemented in the system orwithinanumberofintegratedsystemstoallowonlyauthorizedentitiestoaccessresourcesanddata. Lackoforweakmechanismscanbeexploitedbyattackers togain illegalaccessandtotamperwithI&Csystemcomponents.Ifsoftwareinstalledatoperatorworkstations,PAS,SAS,sensors,etc.,doesnotperformorincorrectlyperformsaccesscontrolchecks,thenattackersareabletoperformunauthorizedactions.EverycomponentofanI&Csystemmustfirstcheckwhethertherequestingmoduleisauthorizedtoaccesstheresource.Escalationofprivilegeisoneoftheattacksthatcouldbeexecutedusingauthorizationvulnerabilities.


21

3. ImproperAuthentication: Improperauthenticationcreatesvulnerabilities in I&Cprotocols,

networkpackets,products,anddatabases.ThenetworkprotocolsdeployedwithintheI&Csystemarchitectureforcommunicationoftenhaveweakauthenticationtoverifytheidentityof the packet as well as the user. The weak authentication security enables attackers toeavesdroponnetworkcommunicationsandcapture the identitycredentialsof legalusers,resulting in unauthorized privilege. The components of I&C also do not perform mutualauthenticationbeforesendingorreceivingdata.IfI&Cprotocolsandsoftwaredonotverifythe origin or authenticity of data, it may result in the allowing of malicious data intocomponents,credentialtheft,authenticationbypass,etc.Moreover,thecredentialsstored

in databases can also be exploited if not properly protected using an encryptionmechanism7. Many times, I&Cvendors forget to removeauthenticationdetails fromtheirproductcodeordocumentation,whichcanbeeasilyaccessed.Weakpasswordsareanotherimportantvulnerabilityforwhichtomonitor.

4. UnencryptedSensitiveData:Dataatrestandintransit isoftenunencrypted,whichmakesthissensitive informationvulnerabletodisclosure. Inaddition,networkpacketsexchangedbetweenvariouscomponentsofI&Careinplaintextform,whichcanalsoleadtoexposureofproductsourcecode,topology,legitimateusercredentials,etc.

5. ImproperSoftwareConfigurationsandManagement:MisconfigurationsorvulnerabilitiesinI&C software lead to security breaches and exploitations of plant operations. Thesevulnerabilities occur because of poor patchmanagement, poormaintenance, and built-inflaws in I&C products. Moreover, incorrect installations of applications also provideattackersadoorofopportunity. Administratorsoftenoverlookavailable security featuresandusethedefaultsecurityoptionsthroughouttheI&Csystemarchitecture.

6. Lack of Backup Facilities:Anumber ofNPP I&C systems do not have backup and restorefacilitiesfordatabasesandsoftware.TheNPPsthathavebackupfacilitiesstorethemoffsite,andtheyarerarelyexercisedandtested.ANPPneedstobeoperated24/7;therefore,intheeventofanincident,thelackofabackupfeaturecanresultindisastrouseffects.

7. LackofAuditandAccountability:Mostattacksarelaunchedinastealthymannerandthusare difficult to detect. The absence of auditing and logging features enables attackers tocovertheirtracksafterattacks.ItisverynecessarytostoreactivitylogsofI&CcomponentsandoperatoractionstotraceattackpatternsandalsotopreventrepudiationthreatsfromplantpersonnelaswellasI&Ccomponentsandsystems.

5.3 Classification of Adversaries TheIAEANSS-17serieshascategorizedadversariesintoeightclassesthatcanposeseriousthreattoNPPs.Thecategoriesareas follows: covertagents,disgruntledcurrentemployees,disgruntledex-

7Here,weassumethateveryuserisproperlyauthenticatedbeforeaccessingtheHMI.


22

employees,recreationalhackers/hobbyists/scriptkiddies,militantopponentstonuclearpower,non-state hackers (cyber criminals/organized crime), nation-state hackers (governments & militaries),andterrorists(non-statearmedgroups).AnattackerprofilematrixhasalreadybeenprovidedintheNSS-17series;therefore,thissub-sectionbrieflypresentsmotivationsandpotentialobjectivesoftheattackers.Thedescriptioncouldthenhelpidentifythreatsfromeachattacker(threatmodelling).

a. Covert Agent

Acovertagent isan individualwho iseitherretiredfromorapresentemployeeofan intelligenceagency,andwhoseidentityishiddenfromrestoftheworld.Thepurposeoftheagent’shiringistosteal sensitivebusiness information,nuclear secrets, andpersonal informationofopponents.At apersonal level, a covert agent can blackmail nuclear and government agencies formoney or anyother incentive. In order to gain information, a covert agent may need system access anddocumentation, or use a social engineering technique. Moreover, a covert agent must have aknowledgeof programmingand systemarchitecture, for example, insertionof backdoors/Trojans,password extraction, etc. The time to compromise a target varies depending on the type ofmotivation,butitcouldtakeonlyhours.

b. Disgruntled Current Employees

Adisgruntledemployeeisonewhoisnotsatisfiedwithhisorherjobandwantstocompromiseabigtarget through illegal methods. The reasons for being disgruntled vary, but the most commonmotivationsaretotakerevenge,createchaos,embarrassone’semployer,degradenuclearsecurity’simage, or steal information for economic gain. This type of attacker needsmedium to high levelresources to execute an attack (e.g. systems access, documentation access, expertise of specificoperations).Inaddition,anemployeemusthavesomelevelofprivilegesonprocessesandsystems,knowledgeofprogrammingandsystemarchitecture,possibleknowledgeofexistingpasswords,andanabilitytoinsert“kiddie”toolsorscripts.Thetimetoperformanattackvariesdependingonthetargettoachieve.

c. Disgruntled Ex-Employee

Themotivationforthistypeofattackeristhesameasthatofadisgruntledemployeestillathisorherjob.Heorshemaywanttotakerevengeontheemployer,sellsensitivenuclearinformationtoenemies for economic gain, or disclose confidential information to the public to embarrass theemployeror todegrade itspublic image. This typeof attacker is sometimesassociatedwith largegroupofpeopleattemptingtogetresources.Beingaformeremployee,heorshemaystillpossesssensitivedocumentation,access to facility resources, andpossible ties toworkingemployees.Thetimetoprepareandlaunchanattackdependsontheassociatedgroupofpeople.Inordertolaunchan effective attack, a disgruntled employee should have information about systems passwords,accesstosystems,andbackdoorscreatedthroughsocialengineeringtechniques.

d. Recreational Hackers/Hobbyists/Script Kiddies

Hobbyistsorscriptkiddiesoftenhacksystemsforfunorforachallenge.Theywantto learnaboutnew vulnerabilities and exploits by trying themhands-on in the realworld. These attackers oftendownloadandusefreescriptsandtoolsfromtheInternet.Theirintentionsareharmless;however,their mechanisms to learn things are dangerous. Their inquisitive natures could prove to be


23

destructivetoNPPsifdeployedsafeguardsarenotsufficient.FrameworkssuchasMetasploitofferSCADA-specific exploits,which couldbeusedby script kiddies to launch an attackwithout havingadvanced knowledge and hacking skills. However, hobbyists do not have the funding to buyexpensivetoolsandexploitationcodesthataresoldunderground.Theyalsohavelimitedknowledgeofcomputingandprogramming.Suchattackerscouldeasilybeblockedbyenforcingbestpracticessuchaspatchmanagement,policyenforcement,andadequateuseofantivirus,intrusiondetectionsystems(IDS),andfirewallswithintheorganization.

e. Militant Opponent to Nuclear Power

This type of attacker considers himself a saviour of the world. He has strong public opinions onspecific nuclear issues, and often impedes nuclear business operations. These attackers arefinanciallysupportedthroughsecretchannelsoragencies[65].However,theyhavelittleknowledgeof the system outside of public information. They are patient, but determined in achieving theiraims. Moreover, they have plenty of time to launch an attack and usually target during certainknowneventssuchaselections.Militantopponentsmayormaynothavecomputerskills;however,theycangetsupportfromthehackercommunitytolaunchacyberattack.

f. Non-State Hackers (Cyber Criminals/Organized Crime)

Non-statehackersaregroupsorindividualswiththemainintentionofobtainingmoneybystealingnuclearmaterialorconfidentialinformationbelongingtoanuclearfacilityandthenblackmailingthefacility intopayinga ransom.Theyholda facilityorgovernmenthostageby threatening toexploitvulnerabilities in their SCADA systems. Therefore, their main purpose is financial gain. Thesecriminals do have funds and canhire skilled hackers or purchase hacking tools to attack systems.ThereareanumberofSCADA-targetedautomatedattack tools in the formofMetasploitadd-onsthat can help launch attacks on industrial control systems. Sometimes, these actors also hireformer/current employees of a facility or perform social engineering to extract information. Thetimetoprepareanattackvaries,butisusuallyshort-term.

g. Nation-State Hackers (Governments & Militaries)

Nation-state hackers are individuals hired by a government to perform cyber operations(inter)nationally. Currently, the frequency of state attacks is low, but if properly planned andconducted on SCADA systems, an attack’s impact would be disastrous. State hackers deface andblock websites, and perform industrial espionage to steal a country’s sensitive information.Furthermore,statehackersarethemostdangerousthreatstoSCADAsystems,asthesehackersgetalloftheirresourcesandfundsfromthegovernment.Thegovernmentcanhirethebesthackersandprovidethemthemoney,infrastructure,andfacilitiestocreatezero-dayexploits,whichcanbeusedagainstanenemycountryfortheftofnucleartechnology,intelligencecollection,etc.Thoughzero-day attacks are single-useweapons, they can cause terrible damage to a country’s infrastructure,economy,andsystems,evenwhenusedsingly.

h. Terrorist (Non-state Armed Groups)

Aterroristisawidely-knowntypeofattacker.Lookingintothehistoryofcyberattacks,noevidencecanbe foundofa terroristattackonSCADAsystems;however, thesituationwillnot remain so infuture.According to formerU.S.PresidentGeorgeW.Bush, terroristscanget intoanetworkwith


24

the intent to attackanuclear facility, and the consequencesof getting into thenetwork couldbeunbearable [97]. The motivations of terrorists vary: sometimes they want to collect intelligence,build access points in facility for later use, spread fear among the public, or take revenge on thegovernment. Theymay use scripts and home-grown tools to execute an attack, andmay employformer/currentemployeestogetinsideinformation.Moreover,someterroristgroupshaveacquiredsignificantcapabilitiestousesocialmediaasameansofhiringpeopleforhacking.

5.4 STRIDE Threat Modelling Thissub-sectionperformsthreatmodellingontheI&CsystemsofaNPPbasedonthevulnerabilitiesdiscussed above. Microsoft's STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure,Denial of Service, and Elevation of Privilege) methodology, which describes an adversary'sobjectives, is used for threat modelling [93]. Table 2 explains threat categories, along with thecorrespondingvulnerabilitiesand the typesofadversaries thatcan transformtheparticular threatintoanattack.

Table2:Threatcategorieswithcorrespondingattackertypesandvulnerabilitycategories

ThreatCategory Definition AttackerType VulnerabilityCategorySpoofing

The attacker gets illegal access to the I&Csystems or any specific module, with thepurpose to misuse or disrupt them, either byspoofing identityorauthentication informationoftheoperatorsorthesystems.Ifspoofed,thesystems performing critical functions, such asSAS, PACS, and PS, which control the plantequipment,cancausetheworstdamage.

• CovertAgent• Disgruntled

Ex-Employee• Non-State

Hacker• Terrorist

• NoorIncorrectInputvalidation

• ImproperAuthentication

• ImproperAuthorization

Tampering(Integritythreat)

This refers to theunauthorizedmodificationofdata, i.e.databeingexchanged (authenticationcredentials, status or parameter values, issuedcommands, sensor values, etc.), data stored indatabases (operator information, plantequipment status, operation status, etc.), ordata being processed or generated at variouspoints by the equipment (temperature,feedback,waterlevel,speed,etc.)

• MilitantOpponent

• RecreationalHacker

• Terrorist



• ImproperSoftwareConfiguration&Management

Repudiation An operator or a spoofed system may denyperforming certain actions or operations onplantsystems,e.g.aplantoperatorchangesthevaluesoftemperatureandwaterlevelofaplantbutlaterdeniesit.

• DisgruntledCurrentEmployee

• Auditingandlogging

InformationDisclosure

Critical plant information may be maliciouslyreleased,suchassystemlogindetailsandplantworkflow or documentation, through theexploitationofcertainvulnerabilities.

• CovertAgent• DisgruntledCurrentEmployee

• Non-StateHacker• DisgruntledEx-Employee

• SensitiveData• ImproperAuthentication


• ImproperSoftwareConfiguration&


25

• MilitantOpponent

Management

DenialofService(DoS)

Theattackermayoverwhelm I&Csystemswithrepetitive similar requests, resulting in a DoSattack due to the unavailability of requiredcomponents,e.g.targetsensorsoractuatorsatLevel 0, by sending them many requests toprovidesenseddata.Therequestcanbesentbymaliciously installed malware or by a systemconnected through a hidden internetconnection. This could result in serviceunavailability.

• RecreationalHacker

• Terrorist

• ImproperSoftwareConfiguration&Management

• NoorIncorrectInputValidation

• LackofBackupFacilities

ElevationofPrivilege

A malicious insider (disgruntled employee)obtains illegalaccesstooperationsthatcontrolcore plant equipment by exploitingvulnerabilities that exist in the plant systems.An attackermay stop core functions or deleteormodifyparameter valuesusing theelevatedprivileges of a higher security level useraccount.

• DisgruntledCurrentEmployee



Figure4 shows thehierarchyof threats thatexists in I&Csystems,and that couldbe transformedinto attacks if vulnerabilities are exploited. NPP threats are broken down into the followingcategoriesusingSTRIDEmethodology:

• ‘Spoofing’isathreatinwhichanattackeroramaliciousprogramdisguisesitselfasalegitimateentity, therebygainingan illegitimateadvantage. In the caseof aNPP,this illegal access can result in disruption or misuse of I&C systems. Spoofing isfurther sub-categorized into ‘system’ and ‘personnel’ spoofing. While the formerfocusesonspoofing thecredentialsofan I&Csystem, the latter is concernedwithgaining access to personnel credentials such as passwords and tokens, and thenmasquerading as a known person. There are a number of ways to achieve thesetypes of spoofing. Session hijacking is common for personnel spoofing, where anattacker intercepts an on-going session and tries to connect to the receiver as alegitimateentity.Injectingmaliciouscodeintheformofscriptsintoawebbrowserisawell-knownmethodofsystemspoofing.Otherwaystospoofcredentialsincludesocial engineering (observing and/or manipulating user or system behaviour andactivities)andincorrectinput(SQLinjection).

• ‘Tampering’ involves changing legitimate data, thus compromising the integrity ofthesystem.Thedatacanbetamperedwithonline(intransit)oroffline(atrest).Anattackercaneasilycompromisedataintegrityifhefindsanyimproperconfigurationtogetherwithalackofintegritycheckingwithinasystem.

• ‘Repudiation’ is caused when a system lacks proper auditing and loggingmechanisms. An attacker can bypass logging mechanisms, steal keys via social


26

engineering,orcreatefakedigitalsignaturestodenytheillegitimateactions.Asanexample, an operator or a spoofed system at a NPP can deny performing certainactionsoroperationsonplantsystems,e.g.aplantoperatorchangesthevaluesoftemperatureandwaterlevelofaplant,butlaterdeniesdoingso.

• ‘Information disclosure’ occurs when information is not properly protected. Theinformation can be of any form – for example, system/user credentials, networkpackets, source code, files, or a database. Through this threat, critical plantinformation can bemaliciously released through the exploitation of vulnerabilitiessuch as improper software configurations, authorization mechanisms, orauthenticationmechanisms.

• In a ‘Denial of Service (DoS)’, an attacker can overwhelm I&C systems withthousands of repetitive requests, resulting in the unavailability of requiredcomponents. The requests can be sent by maliciously installed malware or by asystem connected through a hidden internet connection. DoS commonly occurswhenasystemlacksabackupfacilityandhasnoinputvalidationmethods.

• An ‘elevationofprivileges’ isathreatwhichcouldresult in theabuseof legitimateaccess. A malicious insider (disgruntled employee) having legitimate access toresourcesoroperationsmaymodifyhisaccountpermissionstoallowhimadditionalaccesses to systems to which he might not normally have access. He could thenabusehisprivilegesbystoppingcore functionsordeletingormodifyingparametervalues.Thehierarchyisfurtherexplainedviaattacktreesmentionedbelow.

Figure3:NPPI&CSystemsThreatsHierarchy

5.4.1 Attack Trees Thereareanumberofattackgraphingtoolsthatcanbeusedtomodelattacks[94-96].Attacktreesaresuitableforseveralreasons:i)theydescribethestepsofasuccessfulattackinamorestructuredwaythannaturallanguage;ii)themodelofanattacktreeiseasytounderstand,evenforbeginners;and iii) attack trees follow a hierarchical representation, in which higher-level attack goals arebrokendownintosub-goals,untilthedesiredrefinementlevelisachieved.


27

InordertoperformathreatmodellingonI&CsystemsofaNPP,AmenazaSecurITree[91]isusedforcreatingattackpathsand trees,usingSTRIDE.TheSecurITreeapplicationprovidesa tool toassessthreats fromanadversary'sperspective. Itusesanattack treemethod forassessinghowanassetcanbeattackedbyanattacker,whatharmheorshedoeswithanattack,andwhatmeasuresneedtobetakentobecomeimmunetothatattack.Theattacktrees(Figures5-10)givenbelow,illustratehowanattackcanpossiblybelaunchedthroughaseriesofsteps,beginningwithasmallattackgoalorvulnerability.Thusly,eachcategoryofthreatsidentifiedintheabovesectioncanbeexecutedasattacksthroughanumberofsteps,i.e.exploitinganumberofpossiblevulnerabilities.InFigures5-10,thegreenshape(widecurve)represents“OR”,blue(flat-bottomedcurve)represents“AND”,andgrey(rectangular)representstheleafnodes.

1. Spoofing: Figure 5 shows the ways an attacker can spoof a NPP personnel identity toperform malicious activities, such as issuing commands to decrease the water level ortemperature, to increase thespeedofcentrifuges, to shutdowntheplant, to turnoff theprotectionandalarmsystems,etc.Similarly,sensorsoractuatorscouldalsobespoofedtosend incorrect parameter values to PACS and RCSL about temperature, water level, andspeedof theplant. The spoofing couldbeperformedby stealingpersonnel credentials. Inaddition, anattacker canexploit thevulnerabilityof incorrect inputvalidation to steal theunique request IDs assigned to operators and I&C systems, using brute force or networkeavesdropping techniques and then reusing the eavesdropped parameters to issue fakerequests.

Figure4:AttackTreeofSpoofingThreatinNPPI&CSystems

2. Tampering: Tampering is the unauthorizedmodification of data, which could be done byalteringdataflow,parameters,datasentandreceivedfromoperatorsorsystems,ordataatrest. Data flowing between different I&C systems is vulnerable to manipulation byadversaries. The adversaries could capture the parameters being exchanged betweenvarious I&C systems, which are critical for plant operations. These parameters, such asspeed, water level, and temperature, are provided by sensors or actuators to the PACS,


28

whichinturnsendsthemtotheHMIswheretheycouldbemodifiedbytheattackerwhenintransit.Similarly,commands issuedbycontrollersoroperatorscouldbetamperedwithbyinsertingincorrectvaluesintothenetworkpacket.TheseactionscouldbedoneiftheHMIs,PACS, or sensors havemisconfigured software installations or improper authentication orauthorization. An attacker can perform man-in-the-middle attacks to exploit thesevulnerabilities.Thedatastoredinthesystemdatabasecouldalsobemodifiedthroughthesame vulnerabilities, or additionally, by insertingmalware to corrupt the data. The attacktreeisillustratedinFigure6.

Figure5:AttackTreeofTamperingThreatinNPPI&CSystems

3. Repudiation:Asalreadymentioned,repudiationreferstotheabilityofusers, legitimateorotherwise, to deny that they performed specific actions. An adversary can easily denyperformingmaliciousactionsonaNPPduetotheabsenceofaudit informationanddigitalsignatures. Thus, it becomes difficult to counter the repudiation attack. As a result, anattackercouldinsertfalseinformationintoanetworkpacket,suchasanincorrectparametervalue,orsenda fakecommandtostartorcancelaspecificplantservice.Anattacktree isgiveninFigure7.VulnerabilitiesininternetprotocolssuchasHTTPorTCP/IPmightallowanattacker to inject a malicious script within I&C system module or components. Thevulnerability could be lack of input validation,which an attacker could exploitwith a SQLinjectionattack.Successfulexecutionofthisattackwillallowanattackertohijacksensitivesystem credentials such as passwords or tokens. Once an attacker has access to thesecredentials, he or she can easily bypass deployed authentication and authorization


29

mechanisms8. Illegitimate access to I&C systems via legitimate credentials means that anattacker can send any kind or type of commands to NPP components such as sensors ortemperaturemodulesatLevel0.Thereisnowaytocheckifthecommandordataisreallysentbyaspoofedorarealperson.Similarly,thereisnomethodtodetectrepudiationwhenadisgruntledemployeesendsarequesttochangethevaluesofNPPequipment.

Figure6:AttackTreeofRepudiationThreatinNPPI&CSystems

4. Information Disclosure: Information disclosure is the undesired exposure of the sensitivedataofanyapplication,service,orsoftware.Apersonwithnoorlowprivilegescanviewthesensitive information or analyse the data flowing over the network. Figure 8 shows theattack tree for informationdisclosure. Informationwithin the system is generally exposedthrough various ways; for example, the data is usually added by programmers in hiddenfieldsofforms,whichcaneasilybeviewedandmanipulatedbyanattacker.Commentsareusuallyaddedwithinthewebpagecode,whichrevealinformationaboutthesystemandthefunctionsitisperforming.Thesecommentscouldleadtotherevealingofcriticalinformationregardingmodules,systemexceptionhandlingmechanisms,etc.,whichcouldbeveryusefulfortheattacker.Moreover,cookiescouldalsobeaccessedthroughtheinspectionofURLsaswellasmonitoringofdataflowbetweenwebpagesthroughnetworkeavesdropping.Hiddenparameters in web pages could be viewed by inspecting the web page code. Also, usercredentials could be accessed by eavesdropping. Similarly, data request or commandparameters could be viewed as well, since URLs as proper filtering mechanisms are not

8Themostdeployedauthenticationandauthorizationmethodssuchasrole-basedaccesscontrols,attribute-based access controls (ABAC), password-based authentication, etc., have no way of detecting the spoofedcredentials.


30

implemented in I&C systems. The software used by I&C systems has no suchmechanismthatcouldguaranteethepreventionofsuchaninvoluntaryexposureofinformation.

Figure7:AttackTreeofInformationDisclosureThreatinNPPI&CSystems

5. Denial of Service (DoS): The most important security feature for a NPP is constantavailabilityofall servicesrunningwithinandbetweensystems.This featurehelpsthecoreoperations of a NPP to smoothly produce electricity. Therefore, DoS attacks can have adisastrouseffectonNPPoperationsaswellastheNPPsurroundings.Figure9illustratestheattack tree for a DoS attack. Such attacks could be launched on a NPP by flooding I&Csystemswithrequestsusingbots thatgenerateautomatedrequests.Anattackermayalsoinsertmaliciouscodethattakescontrolofallsystems.Similarly,PSorSAScouldbespoofedtosendalargenumberofrequests,whichwouldoverwhelmthesensorsandactuators.Thiscouldagainbeaccomplishedbyinstallingbotswithinthenetwork.TheDoSattackcouldalsobedonebytamperingwithparameters,suchasincreasingthewaterlevel,temperature,orspeed of the centrifuges. This tampering might exhaust the equipment and eventuallyshutdown the plant. An attacker could also perform SQL injection attacks and cross sitescriptingattackstoinsertmaliciousdataanddisrupttheplant’soperation.


31

Figure8:AttackTreeofDenialofServiceThreatinNPPI&CSystems

6. ElevationofPrivileges:Elevationofprivilegeoccurswhenauserwithlimitedprivilegesgainsunauthorizedaccesstoasystemorresourcesviaillegalmethods.AnattacktreeisshowninFigure10,whichillustratesthatanattackercanmaliciouslyaccesshigherprivilegestotakecontrol of a highly sensitive component or amodule by inserting amalicious script or byspoofingthesystemalreadydeployed.Brute-forceisawell-knownattackwhereapowerfulsoftwarecouldbeusedtogeneratealargenumberofconsecutiveguessestogainaccesstothesystemortothesystemcredentials.Man-in-the-Middle(MitM)isanothertypeofattackwhichcaninterceptnetworktraffictostealsensitiveinformation,foruselaterinbypassingauthenticationandauthorizationmechanisms.Thesuccesschancesofthistypeofattackaregoodwhentrafficisnotencryptedandissentinplaintextform.

Figure9:AttackTreeofElevationofPrivilegeThreatinNPPI&CSystems


32

6. Conclusion Nuclear regulatory authorities are still trying to understand cyber risks and are looking formechanisms to adequately prevent attacks on security. This research work has initially exploredmany unanswered questionswhile demystifying cybersecurity challenges forNPPs, i.e. how cyberevolutionhascreatedvulnerabilitiesinnuclearfacilities,whichhavebeenasubjectofcyber-nuclearsabotage. Following this, threatmodellingwas performedon a generic I&C architecture of aNPPusing STRIDE methodology to analyse possible threats and vulnerabilities from the adversary'sperspective.Thepresentedthreatmethodology isalsoenhancedthroughthe identificationofNPPsecurityrequirementsandvulnerabilities,alongwiththediscussiononNPPattackers’profiles.

Thework presented in this paper can go in various future research directions. The threatmodeldiscussedinsection5doesnotreflectarealNPPscenario.Therefore,thereisaneedtoformulatethreatmodelsthroughSTRIDEorarelatedthreatmethodologyinarealNPPscenario.Moreover,weplan to propose a holistic Information Security RiskManagement (ISRM) taxonomy for NPPs andthentoevaluateexistingNPPISRMmethodsusingthattaxonomy.ThepurposeoffocusingonISRMis tohelp theNPP industry select themost suitable ISRMmethod for their security requirements,and also to identify areas that have not been addressed but may still be important for NPPs.Therefore,ISRMisoneofthewaysthroughwhichNPPscandetectandfixsecurityloopholespriortoanycyberattacksonafacility.

7. Acknowledgments Iam incrediblygrateful forall thefundingandfinancialassistanceprovidedbyCivilianResearch&DevelopmentFoundation(CRDF)GlobalundertheNonproliferationStudiesScholarshipProgram.AspecialthankstomysupervisoratTheGeorgeWashingtonUniversity,ProfessorLanceHoffman,forhis continuous support in the researchwork. Dr. Hoffmanwas always there to listen and to giveadvice.He taughtmehowtoexpressmy ideasandalsoshowedmedifferentways toapproacharesearchproblem. I also thankmyother twosupervisors fromSandiaNational Laboratories (SNL),EricAndrewWallaceandAdrianeC.Littlefieldwithwhom Iexplored the ideas, requirements,anddevelopment of threat models. I would also like to pay my gratitude to National University ofSciences & Technology (NUST) and NUST School of Electrical Engineering & Computer Science(SEECS)tograntfivemonthsleaveandallowmetoworkwithGWUandSNLasavisitingscholar.

I thank GeorgeWashington University (GWU) and its School of Engineering and Applied Science(SEAS)forhostingandfacilitatingmeintheadministrationprocess.MyspecialthanksisextendedtoGWU’s Cyber Security Policy and Research Institute (CSPRI) for providing technical guidance,valuablefeedback,andconstantencouragementduringthecourseofthisresearch.Lastbutnottheleast,IwouldliketothankMs.JaniceRosadoforherinvaluablesuggestionsonpaperstructuringandalsoproofreadingthepaperineveryiteration.

8. References [1]Holt,Mark,andAnthonyAndrews.NuclearPowerPlantSecurityandVulnerabilities(CRSReportNo.RL34331).Washington,DC:CongressionalResearchService,2014.LastaccessedJuly31,2016.https://www.fas.org/sgp/crs/homesec/RL34331.pdf


33

[2] Berger, Eva M. “The Chernobyl Disaster, Concern about the Environment, and LifeSatisfaction.”Kyklos63,no.1(February2010):1-8.doi:10.1111/j.1467-6435.2010.00457.x.

[3]Ohnishi,Takeo.“TheDisasteratJapan'sFukushima-DaiichiNuclearPowerPlantaftertheMarch11, 2011 Earthquake and Tsunami, and the Resulting Spread of Radioisotope Contamination.”RadiationResearch177,no.1(January2012):1-14.doi:10.1667/RR2830.1

[4] Baylon, Caroline, Roger Brunt, andDavid Livingstone.Cyber Security at Civil Nuclear Facilities:UnderstandingtheRisks.London:TheRoyalInstituteofInternationalAffairs,ChathamHouse,2015.LastaccessedJuly31,2016.https://www.chathamhouse.org/sites/files/chathamhouse/field/field_document/20151005CyberSecurityNuclearBaylonBruntLivingstone.pdf

[5] Falliere, Nicolas, Liam O Murchu, and Eric Chien. “W32. stuxnet dossier.” Symantec Corp.February11,2011.LastaccessedJuly31,2016.https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.

[6] Ellefsen, Ian, and Sebastiaan Von Solms. “Critical Information Infrastructure Protection in theDevelopingWorld.”InCriticalInfrastructureProtectionIV,editedbyTylerMooreandSujeetShenoi,29-40.Berlin,Germany:SpringerBerlinHeidelberg,2010.doi:10.1007/978-3-642-16806-2_3.

[7] Dacey, Robert F. Critical Infrastructure Protection: Challenges and Efforts to Secure ControlSystems. (GAO-04-628T). Washington, DC: U.S. Government Accountability Office, 2004. LastaccessedJuly31,2016.http://www.gao.gov/products/GAO-04-628T

[8] Control Systems Security Program, National Cyber Security Division. Recommended Practice:Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.Washington,DC: Department of Homeland Security, 2009. Last accessed July 31, 2016. https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf

[9]Miller,BillandDaleRowe.“AsurveySCADAofandcritical infrastructure incidents.” InRIIT ’12Proceedingsofthe1stAnnualconferenceonResearchin informationtechnology,51-56.NewYork:ACM,2012.doi:10.1145/2380790.2380805.

[10] Nicholson, Andrew, Stuart Webber, Shaun Dyer, Tanuja Patel, and Helge Janicke. “ SCADAsecurity in the lightofCyber-Warfare.”Computers&Security 31,no. 4 (June2012): 418-436.doi:10.1016/j.cose.2012.02.009.[11]Tabansky,Lior.“CriticalInfrastructureProtectionagainstCyberThreats.”MilitaryandStrategicAffairs3,no.2(November2011):61-78.LastaccessedJanuary3,2016.http://www.inss.org.il/uploadimages/Import/(FILE)1326273687.pdf

[12]Baker,Stewart,ShaunWaterman,andGeorgeIvanov.“IntheCrossfire:CriticalInfrastructureintheAgeofCyberWar.”McAfee.2010.LastaccessedJanuary3,2016.https://resources2.secureforms.mcafee.com/LP=2733


34

[13]Stouffer,Keith,JoeFalco,andKarenScarfone.GuidetoIndustrialControlSystems(ICS)Security(NIST800-82).Washington,DC:NationalInstituteofStandardsandTechnology,2011.LastaccessedJanuary3,2016.http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

[14]USNRCTechnicalTrainingCenter.“NuclearPowerforElectricalGeneration.”ReactorConceptsManual.Washington,DC:U.S.NuclearRegulatoryCommission,2012.LastaccessedJanuary3,2016.http://www.nrc.gov/reading-rm/basic-ref/students/for-educators/01.pdf

[15] Nuclear Fuel Cycle Information System: A Directory of Nuclear Fuel Cycle Facilities (IAEA-TECDOC-1613).Vienna,Austria:InternationalAtomicEnergyAgency,2009.LastaccessedJanuary3,2016.http://www-pub.iaea.org/mtcd/publications/pdf/te_1613_web.pdf

[16] Dudenhoeffer, Donald.“IAEA Information and Computer Security.” OfficeofNuclearCyberSecurityProgramme, International Atomic Energy Agency. May 21,2013. Last accessedJanuary 3, 2016. https://www.iaea.org/NuclearPower/Downloadable/Meetings/2013/2013-05-22-05-24-TWG-NPE/day-2/4.cyber_security_introduction.pdf

[17]Hagestad II,William.21stCenturyChineseCyberwarfare. Cambridgeshire,UnitedKingdom: ITGovernanceLtd.2012.LastaccessedJanuary25,2016.http://www.itgovernance.co.uk/shop/p-319-21st-century-chinese-cyberwarfare.aspx

[18]Follarth,ErichandHolgerStark.“TheStoryofOperationOrchard:HowIsraelDestroyedSyria’sAl Kibar Nuclear Reactor.” Spiegel Online 11, November 2, 2009. Last accessed January 3, 2016.http://www.spiegel.de/international/world/the-storyof-operation-orchard-how-israel-destroyed-syria-s-al-kibar-nuclear-reactor-a-658663.html

[19]O'Gorman, Jim,DevonKearns, andMati Aharoni.Metasploit: The Penetration Tester'sGuide.SanFrancisco,USA:NoStarchPress.pp.328July25,2011.https://www.nostarch.com/metasploit

[20] Nortan-Taylor, Richard and Julian Borger. “Chinese Cyber-Spies Penetrate Foreign OfficeComputers.” The Guardian 4, February 5, 2011. Last accessed January 3, 2016.http://www.theguardian.com/world/2011/feb/04/chinese-super-spies-foreign-officecomputers

[21]Morton,Chris. “Stuxnet,FlameandDuqu– theOlympicGames.”AFierceDomain:Conflict inCyberspace 1986 to 2012. Edited by Jason Healey, 219-221. Arlington, VA: Cyber Conflict StudiesAssociation,2013.

[22]RussiaToday.“U.S.NuclearWeaponsResearchersTargetedwithInternetExplorerVirus.”May7,2013.LastaccessedJanuary3,2016.http://rt.com/usa/attack-department-nuclear-internet-955/

[23]Farnsworth,Timothy.“StudyseescyberriskforU.S.arsenal.”ArmsControlAssociation,April2,2013. Last accessed January 3, 2016. http://www.armscontrol.org/act/2013_04/Study-Sees-Cyber-Risk-for-US-Arsenal

[24] Sanger,DavidE.ConfrontandConceal:Obama’s SecretWarsandSurprisingUseofAmericanPower.RandomHouse,NewYork:BroadwayBooks,2013.

[25] The Associated Press. “Iran says nuclear equipment was sabotaged.” New York Times,September22,2012,LastaccessedJanuary3,2016.


35

http://www.nytimes.com/2012/09/23/world/middleeast/iran-says-siemens-tried-to-sabotage-its-nuclear-program.html?_r=0

[26] Futter, Andrew. “Hacking the Bomb: Nuclear Weapons in the Cyber Age.” In InternationalStudies Annual Conference, New Orleans: ISA February 2015. Last accessed January 3, 2016.http://www2.le.ac.uk/departments/politics/people/afutter/copy_of_AFutterHackingtheBombISAPaper2015.pdf

[27]VirtualCriminologyReport2009.VirtuallyHere:TheAgeofCyberWarfare.SantaCarla,UnitedStates of America: McAfee. 2009. Last accessed January 3, 2016.http://img.en25.com/Web/McAfee/VCR_2009_EN_VIRTUAL_CRIMINOLOGY_RPT_NOREG.pdf[28]BBCNews.“MajorCyberSpyNetworkUncovered.”March29,2009. LastaccessedJanuary3,2016.http://news.bbc.co.uk/1/hi/7970471.stm[29]Barlow,Jeffery.InsideCyberWarfare:MappingtheCyberUnderworld.UnitedStatesofAmerica:O'ReillyMedia,2ndEdition,2011.http://shop.oreilly.com/product/0636920021490.do[30]Shodan.LastaccessedJan4,2016.https://www.shodan.io/[31]Kesler,Bent.“TheVulnerabilityofNuclearFacilitiestoCyberAttack.”StrategicInsights10,no.1,(2011),15–25.http://calhoun.nps.edu/handle/10945/25465[32]MottaPires,PauloSandLuizAffonsoH.G.Oliveira.“SecurityAspectsofSCADAandCorporateNetworkInterconnection:AnOverview.”In:InternationalConferenceonDependabilityofComputerSystems,SzklarskaPoreba:IEEE,May2006.p.127-134.doi:10.1109/DEPCOS-RELCOMEX.2006.46[33] Myers, Robbie. “Attacks on TCP/IP Protocols.” Last accessed Jan 4, 2016.http://www.utc.edu/center-information-security-assurance/pdfs/course-paper-5620-attacktcpip.pdf[34]Shubert,Atika. “Cyberwarfare:ADifferentWay toAttack Iran’sReactors.”CNN,November8,2011.LastaccessedJuly30,2016.http://edition.cnn.com/2011/11/08/tech/iran-stuxnet/[35] Symantec. “Dragonfly: Cyber Espionage Attacks Against Energy Suppliers.” Symantec Corp.version 1.21. Mountain View, California. July 7, 2014. Last accessed July 31, 2016.https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf[36] O’Shea, Kevin. “Examining the RPC DCOM Vulnerability: Developing a Vulnerability-ExploitCycle.” SANS Institute. September 3, 2003. https://www.sans.org/reading-room/whitepapers/threats/examining-rpc-dcom-vulnerability-developing-vulnerability-exploit-cycle-1220[37] Fernandez, John D. and Andres E. Fernandez. “SCADA Systems: Vulnerabilities andRemediation.” Journal of Computing Sciences 20, no. 4 (April 2005): 160-168.http://dl.acm.org/citation.cfm?id=1047872[38]Abraham. “Final reporton theAugust14thblackout in theUnitedStatesandCanada.”2003.LastaccessedJuly30,2016.https://reports.energy.gov/BlackoutFinalWeb.pdf


36

[39]TheHitchhiker'sGuidetotheGalaxy.“TheChernobylDisaster.”January25,2006.LastaccessedJuly30,2016.http://h2g2.com/edited_entry/A2922103[40]Breidthardt,Annika,AndreasRinkeandHans-EdzardBusemann. “GermanGovernmentwantsNuclear Exit by 2022 at latest.” Reuters, May 29, 2011. Last accessed July 30, 2016.http://www.reuters.com/article/germany-nuclear-idUSLDE74T00A20110530[41] National Transportation Safety Board. Pipeline Rupture and Subsequent Fire in Bellingham,Washington(NTSB/PAR-02/02).WashingtonDC:PipelineIncidentReport. 1999.LastaccessedJuly30,2016.http://www.ntsb.gov/investigations/AccidentReports/Reports/PAR0202.pdf[42]Poulsen,Kevin.“SlammerWormCrashedOhioNukePlantNet.”TheRegister,August20,2003.LastaccessedJuly30,2016.http://www.theregister.co.uk/2003/08/20/slammer_worm_crashed_ohio_nuke[43]Niland,M.“ComputerVirusbringsdownTrainSignals.”InformationWeek,August20,2003.Lastaccessed July 30, 2016. http://www.informationweek.com/computer-virus-brings-down-train-signals/d/d-id/1020446?[44]NuclearRegulatoryCommission.NRC InformationNotice: 2007e15: Effects of Ethernet-based,Non-Safety related Controls on the Safe and Continued Operation of Nuclear Power Stations.Washington DC: Office of Nuclear Reactor Regulation, 2007. Last accessed July 30, 2016.http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-notices/2007/in200715.pdf[45]Krebs,Brian.“CyberIncidentBlamedforNuclearPowerPlantShutdown.”TheWashingtonPost,June 5, 2008. Last accessed July 30, 2016. http://www.washingtonpost.com/wp-dyn/content/article/2008/06/05/AR2008060501958.html[46]Gorman,Siobhan.“ElectricityGridinU.S.PenetratedbySpies.”TheWallStreetJournal,April8,2009.LastaccessedJuly30,2016.http://online.wsj.com/article/SB123914805204099085.html[47]Bukharin,Oleg.“UpgradingSecurityatNuclearPowerPlantsintheNewlyIndependentStates.”TheNonproliferationReview4,no.2,(1997):Taylor&Francis,28-39.doi:10.1080/10736709708436663[48]NuclearThreat Initiative.“RussianWarnsofCyberTerrorAgainstNuclearSites.”November9,2006. Last accessed July 30, 2016. http://www.nti.org/gsn/article/russian-warns-of-cyber-terror-against-nuclear-sites/[49]Smith,Tony.“HackerJailedforRevengeSewageAttacks.”TheRegister,October21,2001.LastaccessedJuly30,2016.http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/[50] Goodin, Dan. “Elecrical Supe Chargedwith Damaging California Canal System.” The Register,November30,2007.LastaccessedJuly30,2016.http://www.theregister.co.uk/2007/11/30/canal_system_hack/[51]Matrosov, Aleksandr, Eugene Rodionov, David Harley, and JurajMalcho. “Stuxnet under theMicroscope.”ESETLLC.September2010.LastaccessedJuly30,2016.http://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf


37

[52] Zetter, Kim. “How Digital Detectives Deciphered Stuxnet, The Most Menacing Malware inHistory.”WIRED,November7,2011.LastaccessedJuly30,2016.http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1[53]Leyden,John.“ChineseCyberspies’TargetEnergyGiants.”TheRegister,February10,2011.LastaccessedJuly30,2016.http://www.theregister.co.uk/2011/02/10/night_dragon_cyberespionage/[54] Kim, Sohee andMeeyoung Cho. “South Korea Prosecutors Investigate Data Leak at NuclearPower Plants.” Reuters, December 21, 2014. Last accessed July 30, 2016.http://www.reuters.com/article/us-southkorea-nuclear-idUSKBN0JZ05120141221[55] Iversen,Wes. “Hackers Step Up Scada Attacks.” AutomationWorld. October 12, 2004. LastaccessedJuly30,2016.http://www.automationworld.com/webonly-898[56]InternationalAtomicEnergyAgency(IAEA).LastaccessedJuly30,2016.https://www.iaea.org/[57] National Institute of Standards and Technology (NIST). Last accessed July 30, 2016.www.nist.gov[58]WorldInstituteforNuclearSecurity(WINS).LastaccessedJuly30,2016.https://www.wins.org/[59] “Radiation Effects.” IEEE Nuclear & Plasma Sciences Society. Last accessed July 30, 2016.http://ieee-npss.org/technical-committees/radiation-effects/[60]Stoneburner,Gary.,AliceY.Goguen,andAlexisFeringa.SP800-30.RiskManagementGuideforInformation Technology Systems. Technical Report. Gaithersburg, MD, United States: NationalInstituteofStandards&Technology.2002.http://dl.acm.org/citation.cfm?id=2206240[61]Ross,Ron.GuidefortheSecurityCertificationandAccreditationofFederalInformationSystems.DianePubCo,2004.http://dl.acm.org/citation.cfm?id=1204602[62] Aroms, Emmanuel. NIST Special Publication 800-39 Managing Information Security Risk.Paramount, California: National Institute of Standards and Technology (NIST), 2012.http://dl.acm.org/citation.cfm?id=2331278[63]Stouffer,Keith,SuzanneLightman,VictoriaPillitteri,MarshallAbrams,andAdamHahn.“Guideto IndustrialControl Systems (ICS)Security.”NISTSpecialPublication 800,no.82,Revision2Draft(May2014).http://www.gocs.com.de/pages/fachberichte/archiv/164-sp800_82_r2_draft.pdf[64] NIST Cybersecurity Framework: ISA99 Response to Request for Information. North Carolina:International Society of Automation (ISA), April 5, 2013. Last accessed July 30, 2016.http://csrc.nist.gov/cyberframework/rfi_comments/040513_international_society_automation.pdf[65] IAEANuclear Security Series No. 17.Computer Security at Nuclear Facilities.Vienna, Austria:International Atomic Energy Agency (IAEA). 2011. Last accessed July 30, 2016. http://www-pub.iaea.org/MTCD/Publications/PDF/Pub1527_web.pdf

[66]IAEANuclearSecuritySeriesNo.13.NuclearSecurityRecommendationsonPhysicalProtectionofNuclearMaterial andNuclear Facilities (INFCIRC/225/Revision 5).Vienna, Austria: InternationalAtomic Energy Agency (IAEA), 2011. Last accessed July 30, 2016. http://www-pub.iaea.org/MTCD/publications/PDF/Pub1481_web.pdf


38

[67]“IEEETrialUseStandardforScadaSerialLinkCryptographicModulesandProtocol.”IEEE.March21,2011.LastaccessedJuly30,2016.http://grouper.ieee.org/groups/sub/wgc6/documents/drafts/P1711%20Draft%203%202008-08-16.pdf[68] ISO/IEC 27002:2013. Information Technology - Security Techniques - Code of Practice forInformationSecurityControls.InternationalOrganizationforStandardization(ISO)andInternationalElectrotechnicalCommission(IEC).LastaccessedJuly30,2016.https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:ed-2:v1:en

[69] Melton, Ron, Terry Fletcher, and Matt Earley. System Protection Profile: Industrial ControlSystems (NISTIR 7176). Gaithersburg, MD: U.S. Department of Commerce. October 2004.https://scadahacker.com/library/Documents/Standards/NIST%20-%20System%20Protection%20Profile%20Industrial%20Control%20Systems.pdf[70]Gold,S.“LookafteryourSCADAHeart.”January1,2009.LastaccessedJuly30,2016.http://www.infosecurity-us.com/view/659/look-after-yourscada-heart/[71]U.S.DepartmentofHomelandSecurity(DHS).LastaccessedJuly30,2016.www.dhs.gov

[72]NuclearRegulatoryCommission(NRC).LastaccessedJuly30,2016.www.nrc.gov

[73]FederalEnergyRegulatoryCommission(FERC).LastaccessedJuly30,2016.www.ferc.gov

[74]NorthAmericanElectricReliabilityCorporation(NERC).LastaccessedJuly30,2016.www.nerc.com

[75]“CriticalInfrastructureProtection.”TheWhiteHouse.Washington:May22,1998.LastaccessedJuly30,2016.http://www.fas.org/irp/offdocs/pdd/pdd-63.htm[76]UnitedStatesNuclearRegulatoryCommission(NRC).73.54ProtectionofDigitalComputerandCommunicationSystemsandNetworks.OfficeofNuclearRegulatoryResearch.December02,2015.Last accessed July 30, 2016. http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html

[77] United States Nuclear Regulatory Commission (NRC). Cyber Security Programs for NuclearFacilities.RegulatoryGuide5.71.OfficeofNuclearRegulatoryResearch.January2010.LastaccessedJuly30,2016.http://www.nrc.gov/docs/ML0903/ML090340159.pdf

[78] United States Nuclear Regulatory Commission (NRC).Criteria for Use of Digital Computers inSafety Systems of Nuclear Power Plants. Regulatory Guide 1.152. Office of Nuclear RegulatoryResearch.July2011.LastaccessedJuly30,2016.http://www.nrc.gov/docs/ML0903/ML090340159.pdf

[79] “Supervisory Control and Data Acquisition (SCADA).” Centre for the Protection of NationalInfrastructure(CNPI).2008.LastaccessedJuly30,2016.https://www.cpni.gov.uk/scada/

[80] Cann, Michelle, Kelsey Davenport and Sarah Williams. “An Arms Control Association andPartnership for Global Security Report.” The Nuclear Security Summit: Assessment of JointStatements.March2015.LastaccessedJuly30,2016.


39

http://www.fmwg.org/acapgs/ACA_NSS_Report_2015.pdf

[81] Abreu, David and David Slungaard. “Highlights from National Progress Reports.”2014NuclearSecuritySummit. Partnership forGlobal Security.March 24, 2015. Last accessed July30,2016.https://pgstest.files.wordpress.com/2015/03/2014-progress-reports-highlights.pdf

[82] Ogilvie-White, TanyaandDavid Santoro. Preventing Nuclear Terrorism: Australia’s LeadershipRole.SpecialReport.Canberra:AustralianStrategicPolicyInstitute,January2014.LastaccessedJuly30, 2016. https://www.aspi.org.au/publications/preventing-nuclear-terrorism-australias-leadership-role/SR63_prevent_nuclear_terrorism.pdf

[83]ProcessControlandSCADASecurity:AGoodPracticeGuide.Centre forProtectionofNationalInfrastructure (CNPI), 2008. Last accessed July 30, 2016.http://www.cpni.gov.uk/Documents/Publications/2008/2008031-GPG_SCADA_Security_Good_Practice.pdf

[84]Nakashima, Ellen. “U.S.andRussiaSignPacttoCreateCommunicationLinkonCyberSecurity.”TheWashingtonPost.June17,2013.LastaccessedJuly30,2016.https://www.washingtonpost.com/world/national-security/us-and-russia-sign-pact-to-create-communication-link-on-cyber-security/2013/06/17/ca57ea04-d788-11e2-9df4-895344c13c30_story.html

[85]Pennington,Matthew.“U.S.SeeksResumptionofCyberSecurityGroupSuspendedbyChina.”Washington:TheAssociatedPress,June27,2014.LastaccessedJuly30,2016.http://www.theglobeandmail.com/news/world/us-seeks-resumption-of-cyber-working-group-suspended-by-china/article19357546/

[86]Abousahl, S., S. Klement,W.Rudischhauser, S. Tsalas, andE.Maier. EUEfforts to StrengthenNuclear Security. In International Conference on Nuclear Security: Enhancing Global Efforts.Proceedings of the Interational Conference. Vienna, Austria: International Atomic Energy Agency(IAEA).2014.ReferenceNo.IAEA-CN--203/149

[87] Korsah, K. et al. Instrumentation and Controls in Nuclear Power Plants: An EmergingTechnologiesUpdate(NUREG/CR-6992).WashingtonDC:U.S.NuclearRegulatoryCommission,OfficeofNuclearRegulatoryResearch.October2009.LastaccessedJuly30,2016.http://www.nrc.gov/docs/ML0929/ML092950511.pdf

[88] IAEA Nuclear Energy Series No. NP-T-3.12. Core Knowledge on Instrumentation and ControlSystems in Nuclear Power Plants. Technical Report. Vienna, Austria: International Atomic EnergyAgency(IAEA).2011.LastaccessedJuly30,2016.http://www.pub.iaea.org/mtcd/publications/pdf/pub1495_web.pdf

[89] IAEANuclear Security SeriesNo. 10. Development,Use andMaintenance of theDesign BasisThreat.ImplementingGuide.Vienna,Austria:InternationalAtomicEnergyAgency(IAEA).2009.LastaccessedJuly30,2016.http://www-pub.iaea.org/MTCD/publications/PDF/Pub1386_web.pdf

[90]McCrory,MitchF,RaymondC.Parks,andRobertL.Hutchinson.“AnAdversary’sViewofYourDigital System (IAEA-CN-228-54)”, In IAEA International Conference on Computer Security in a


40

NuclearWorld:ExpertDiscussionandExchange.Vienna,Austria:InternationalAtomicEnergyAgency(IAEA).June2015.LastaccessedJuly30,2016.https://conferences.iaea.org/indico/event/65/session/6/contribution/54/material/paper/0.pdf

[91] “SecurITree - Attack Tree-based ThreatModeling Software”, Amenaza Technologies Limited,LastaccessedJuly30,2016.http://www.amenaza.com/

[92] Nelso, Trent and M Chaffin. “Common Cybersecurity Vulnerabilities in Industrial ControlSystems.” Control Systems Security Program. Washington DC: Department of Homeland Security(DHS),NationalCyberSecurityDivision.May2011. Lastaccessed July30,2016.https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf

[93] “The STRIDE Threat Model.” Microsoft Developer Network. Last accessed July 30, 2016.http://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

[94]Ou,Xinming,SudhakarGovindavajhala,andAndrewW.Appel. “MulVAL:ALogic-based,Data-Driven Enterprise Security Analyser.” In 14th UNSENIX Security Symposium. Baltimore, Maryland,U.S.A:August2005.http://people.cs.ksu.edu/~xou/publications/mulval_sec05.pdf

[95]WinGraphviz.LastaccessedJanuary4,2016.http://wingraphviz.sourceforge.net/wingraphviz/.

[96] “TANAT - Threat And Attack TreeModeling plus Simulation.” Last accessed January 4, 2016.http://www13.informatik.tu-muenchen.de:8080/tanat/

[97]CFR.orgEditorialStaff.“TargetsforTerrorism:NuclearFacilities.”CouncilonForeignRelations.January 1, 2006. Last accessed January 4, 2016. http://www.cfr.org/homeland-security/targets-terrorism-nuclear-facilities/p10213

[98] Gilb, Tom, and Susannah Finzi. Principles of Software Engineering Management. Vol. 11.Reading,MA:Addison-Wesley,1988.