42nd Annual Meeting of the Spanish Nuclear Society, 28-30 September 2016

Cybersecurity During Plant Operation

Mithil Parekh (1, 2), Karl Waedt (1), Antonio Ciriello (1), Yuan Gao (1, 2)

(1) AREVA GmbH, Henri-Dunant-Str. 50, 91058 Erlangen, Germany
Phone: +49 9131 900-{91898, 92588, 95660, 97920}
E-mail: {mithil.parekh, karl.waedt, antonio.ciriello, yuan.gao}@areva.com

(2) Otto-von-Guericke-Universität Magdeburg, Universitätsplatz 2, 39106 Magdeburg, Germany
Phone: +49 391 67-58965
E-mail: {mithil.parekh, yuan.gao}@ovgu.de

Abstract – Safe operation of all types of power plants is a prerequisite for critical infrastructure, with gradually more stringent requirements as global energy demand increases. In every power plant the safety of staff, the public and the environment requires significant consideration, but in the case of Nuclear Power Plants (NPPs) cybersecurity is of utmost importance. Accordingly, operators have to demonstrate that critical systems are safe.

Beyond the safety analyses, and starting from existing security controls like access control, the complete cybersecurity part can be modeled. Physical-security-related information (e.g. access control logging) can be combined with a Domain Based Security (DBSy) model as a new perspective.

A tool is developed for abstracting new dynamic views of operational procedures and physical-security-related information. Furthermore, this tool is extended to support the relevant regulations and standards, security auditing (offline) as well as real-time monitoring (online). This ensures that safety and security requirements are fulfilled, which avoids and mitigates the future operating problems identified through safety analyses. The tool supports 3D models, which enables visualization of relevant plant operation scenarios, e.g. identifying risks during NPP operation and implementing solutions to ensure the lowest possible risk. Security policies can be validated and optimized using this concept. When a security requirement is violated, the security experts can improve the security zone model or the assignment of security controls accordingly. Therefore, reliable plant operation procedures established on a risk-based security model can be implemented to ensure increased safety, security and availability of NPPs.

1. INTRODUCTION

With analog technology in Nuclear Power Plants (NPPs), protective measures were typically performed by humans and only partially automated. Today the coverage of digital technology extends to activities involving physical and environmental protection, personnel security, system and information integrity, incident response, maintenance, attack mitigation, awareness and training. Due to the increased complexity of Instrumentation and Control (I&C) and a wider attack surface, a variety of attack paths may exploit system vulnerabilities. A number of recent publications address different security events, such as the high number of security incidents in Korean nuclear power plants during the last five years.

On the other hand, plant personnel are generally trained with considerable effort in order to effectively assume responsibilities related to nuclear safety. Therefore, a comprehensive, robust and resilient system of security management has become an essential part of every company related to critical infrastructure, including power utilities [3]. For reliable and secure plant operation, such a system encompasses several types of controls, which can be categorized into three broad classes: technical, operational and management controls.

An approach to achieving high assurance of adequate physical protection is to understand the security controls implemented within the nuclear sector and other critical infrastructure sectors. The state-of-the-art methodology is to identify critical physical and digital assets in NPPs and then to develop appropriate defense-in-depth strategies. For new NPPs, this methodology has to be part of secure development from inception. This approach introduces additional layers of defense that assign responsibilities to, and assist, plant personnel. As a result, it helps to implement and monitor cybersecurity-related activities.

2. CYBERSECURITY FOR NEW TURN-KEY NPPs

For new turn-key NPPs, the supplier, e.g. AREVA, will assure that cybersecurity is considered during all lifecycle phases.

Modern digital technology is being incorporated in NPPs to provide effective generation of energy. Therefore NPPs are becoming more and more complex in terms of Instrumentation and Control (I&C) systems. To incorporate security during development, more complex I&C systems may require more iterative development models.

For a new NPP construction project, the very first starting point with regard to cybersecurity is the establishment of an Overall Cybersecurity Management Plan. Beyond following Security by Design principles during all development lifecycles (platforms, products, systems), a key aspect is the elaboration of an appropriate Security Architecture (network security architecture, zone model, etc.), as indicated in the left part of Figure 1.

Figure 1. Initially missing cybersecurity architecture considerations for existing NPPs

As indicated in Figure 1 (by the different background colors), we need to distinguish between the security development process for new turn-key projects (including new comprehensive I&C and Electrical Systems (ES) refurbishment projects) and the security posture of existing NPPs.

For a new turn-key NPP construction project, the cybersecurity development includes different phases, and each phase includes a minimum set of security tasks needed to effectively incorporate security into the system development process.

The platform development life cycle, e.g. in line with [6], [7], is a continuous process within a supplier organization, regardless of specific new-build or refurbishment projects. Accordingly, the consideration of cybersecurity has to be integrated into this process [8] [1].

In addition to the product- and platform-specific requirements, project-specific cybersecurity requirements have to be considered. These include constraints imposed by the utility's corporate policies, the utility's NPP site policies and applicable regulation (e.g. national or by the European Union) [20]. They have to be considered for an appropriate security assignment, critical asset identification, risk assessment, cybersecurity criticality analysis, defense-in-depth strategy, security zones, etc. [9][5][14]. To sum up, in a new turn-key project it is assured that the Security Architecture and the Security by Design principles provide adequate protection against potential cyber-attacks, including Advanced Persistent Threats (APTs) [15].

3. CYBERSECURITY POSTURE OF EXISTING NPPs

During the development of an existing NPP, the current stringent security requirements were not yet in place. Accordingly, as indicated in Figure 2, it cannot be assumed that cybersecurity was addressed at the platform, product and project level.

Similarly, there cannot be any reliance on security coverage during past development life cycles. Typically, a comprehensive Security Architecture is not in place or not explicitly documented, and Security by Design principles were not yet followed.

Figure 2. Initially missing cybersecurity considerations at the components level [17]

In order to improve the security posture, the legacy components, their functions and the communication between components must be identified. For an existing NPP, as a first step the relevant assets have to be identified at the right level of detail, especially the Critical Systems and Critical Digital Assets. Then the respective platforms and products have to be analyzed and secured in line with the newly applicable regulation, as indicated in a subsequent section.

4. NUCLEAR IEC NWIP ON CYBERSECURITY CONTROLS

Safety I&C, Operational I&C and Electrical Systems (ES) are based on digital devices and communication networks [16][2]. The I&C architecture and the I&C systems meet the cybersecurity requirements through the application of preventive, detective and corrective security controls. Figure 3 illustrates the overall security process for effectively elaborating the security architecture (security degrees, security zone model, etc.) and for selecting and assigning security controls.

Figure 3. Cybersecurity Process based on IEC NWIP

IEC 62645 [1] is the top-level nuclear cybersecurity standard. It defines security controls for the nuclear-specific Security Degrees SD1 (most stringent requirements), SD2 and SD3 (less stringent requirements), as well as for the security Baseline Requirements. It covers I&C systems of Safety Classes 1, 2 and 3 and non-classified (NC) I&C systems [10], without requiring a direct mapping between Security Degrees and Safety Classes.

Figure 4. Example Plant Operation related Security Control for a Legacy System

The security controls are structured in line with ISO/IEC 27002 [4]. In order to reflect the special nuclear I&C requirements, like handling the security of legacy systems, an additional nuclear I&C security-specific New Work Item Proposal (NWIP) has been introduced to extend the IEC SC 45A series of documents addressing cybersecurity. In future, this standard can also be used as a basis for refurbishment projects.

5. MODELING OF SECURITY DETAILS OF NEW AND EXISTING NPPS

A typical NPP contains hundreds of individual systems, and in particular Critical Digital Assets (CDAs), that contribute to the overall operation, safety and security of the facility. To identify CDAs, one has to understand the overall allocation and organization of the plant systems, equipment, communication systems and networks that are associated with the security controls, as well as the support systems that are associated with security functions [18].

In order to reach conclusions regarding the resilience against cyber-attacks at the power plant unit level, the modeling has to be extended accordingly. For that, the respective artefacts at different abstraction levels and the associated CDAs must be considered in the model [19].

Figure 5. Gradually refined modeling at the right level of detail for security analyses

Plant Level: this includes plant areas, buildings, rooms, access ways and the organizational procedures which serve as security controls for conditionally granting access to the areas.

Process Engineering Level: this includes the main physical and electrical aggregates that are in the loop between sensors and actuators, e.g. pumps, valves, etc. This allows the analysis of possible manipulation paths, e.g. whether an I&C component has an impact on an aggregate.

I&C and ES (Electrical Systems) Specification Level: this includes the configuration of automation devices, embedded software, firmware, CPLDs, FPGAs and network protocols. The relations of ESs result from both of their roles: first as supporting assets for I&C, HVAC, etc., and second as the interface towards the electrical grid, e.g. transformers with their own digital protection devices.
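The plant level described above is where the physical access control logging mentioned in the abstract meets the zone model: each door passage recorded by the access control system can be replayed against the rooms, access ways and role-based admission rules of the model, and every passage that the model does not allow is a violated security requirement that the security experts can follow up. The following Python script is an added example and not code from the paper, from AREVA or from the tool it describes; the rooms, access ways, roles, badge numbers and log lines are constructed for illustration.

```python
"""Replay physical access-control log lines against a plant-level security
zone model and report violated security requirements.

Added example, not code from the paper or from AREVA.  Rooms, access ways,
roles, badge numbers and log lines are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Plant level of the model: rooms and the access ways between them.
# ACCESS_WAYS[a] is the set of rooms reachable through a door from room a.
ACCESS_WAYS: Dict[str, Set[str]] = {
    "OUTSIDE":      {"GATE"},
    "GATE":         {"OUTSIDE", "CORRIDOR_A", "TURBINE_HALL"},
    "CORRIDOR_A":   {"GATE", "IC_ROOM"},
    "IC_ROOM":      {"CORRIDOR_A"},        # cabinet room of a safety I&C division
    "TURBINE_HALL": {"GATE"},
}

# Organizational procedure acting as a security control: roles admitted per room.
AUTHORIZED_ROLES: Dict[str, Set[str]] = {
    "OUTSIDE":      {"operator", "maintenance", "visitor"},
    "GATE":         {"operator", "maintenance", "visitor"},
    "CORRIDOR_A":   {"operator", "maintenance"},
    "IC_ROOM":      {"operator"},
    "TURBINE_HALL": {"operator", "maintenance", "visitor"},
}

# Badge register (constructed).
ROLE_OF_BADGE: Dict[str, str] = {"B100": "operator", "B200": "maintenance", "B300": "visitor"}

# Constructed access-control log, one line per door passage: "<time> <badge> <room entered>".
SAMPLE_LOG: List[str] = [
    "08:00:01 B100 GATE",
    "08:00:30 B100 CORRIDOR_A",
    "08:01:10 B100 IC_ROOM",        # operator, via CORRIDOR_A: compliant
    "08:05:00 B200 GATE",
    "08:05:40 B200 IC_ROOM",        # maintenance role, and no door GATE -> IC_ROOM
    "08:06:00 B300 TURBINE_HALL",   # visitor turns up inside without a GATE record
]


@dataclass(frozen=True)
class Event:
    ts: str
    badge: str
    room: str


Violation = Tuple[str, str, str]   # (timestamp, badge, reason)


def parse_log(lines: List[str]) -> List[Event]:
    """Parse the constructed log format; a malformed line raises ValueError."""
    events = []
    for line in lines:
        ts, badge, room = line.split()
        events.append(Event(ts, badge, room))
    return events


def check_events(events: List[Event]) -> List[Violation]:
    """Replay the events in order and collect every violation.

    Two requirements are checked per door passage: the badge holder's role is
    admitted to the room, and the room is reachable by an access way from the
    holder's last known room.  A missing hop points at tailgating, a propped
    door or a dropped log record.  Every badge is assumed to start OUTSIDE.
    """
    last_room: Dict[str, str] = {}
    violations: List[Violation] = []
    for ev in events:
        role = ROLE_OF_BADGE.get(ev.badge)
        if role is None:
            violations.append((ev.ts, ev.badge, "unknown badge"))
            continue
        if ev.room not in ACCESS_WAYS:
            violations.append((ev.ts, ev.badge, f"unknown room {ev.room}"))
            continue
        prev = last_room.get(ev.badge, "OUTSIDE")
        if role not in AUTHORIZED_ROLES[ev.room]:
            violations.append((ev.ts, ev.badge, f"role {role} not admitted to {ev.room}"))
        if ev.room not in ACCESS_WAYS[prev]:
            violations.append((ev.ts, ev.badge, f"no access way from {prev} to {ev.room}"))
        last_room[ev.badge] = ev.room   # the holder is in that room now, regardless
    return violations


if __name__ == "__main__":
    for ts, badge, reason in check_events(parse_log(SAMPLE_LOG)):
        print(ts, badge, reason)
```

Run stand-alone, the script reports three violations for the constructed log: two for badge B200 (a maintenance role entering the I&C room, and entering it without a recorded passage through CORRIDOR_A) and one for B300, who appears in the turbine hall without a gate record. The same replay can run offline over an exported log (auditing) or on each event as it arrives (online monitoring); the path check is the part that a pure role-based check misses, and it is what catches a propped door or a missing log feed.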

Figure 6. Modeling based on Data Representation and Exchange Industry Standards

Plant level, process engineering and high-level I&C aspects can be described e.g. by using AutomationML, see Figure 6. The primary purpose of AutomationML is the integration of process and automation data for cost reduction [11]. However, this new and integrated description can also be used to effectively and efficiently perform security analyses.

6. IMPLEMENTATION OF APPLICATION SECURITY CONTROLS (ASCs)

An initial consequence analysis of plant aggregates, digital equipment and communication networks is needed to determine their potential for being compromised by external and internal threats. For support systems or equipment not directly associated with security controls, a dependency analysis is required to determine whether cyber-compromised components of systems or equipment could adversely impact security functions.
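The dependency analysis above, and the manipulation-path question raised at the process engineering level (whether an I&C component has an impact on an aggregate), are both reachability questions over the dependency relations captured in the model. The Python script below is an added example, not code from the paper or from AREVA: it inverts a constructed "depends on" graph of aggregates, I&C, support systems and one security function, computes everything transitively dependent on a compromised asset, and ranks assets by the consequence of their compromise. The tags, the graph and the kind labels are constructed for illustration.

```python
"""Dependency analysis: which aggregates and security functions could be
affected if a given digital component or support system is compromised.

Added example, not code from the paper or from AREVA.  The asset graph, the
tags and the kind labels are constructed for illustration.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# DEPENDS_ON[x] is the set of assets x relies on (they control, power, cool
# or connect x).  Compromise propagates along the reversed edges.
DEPENDS_ON: Dict[str, Set[str]] = {
    "PUMP_JEB10":         {"PLC_1", "SWITCHGEAR_A"},
    "VALVE_JEB20":        {"PLC_1"},
    "PLC_1":              {"ENG_WORKSTATION", "HVAC_IC_ROOM", "SWITCHGEAR_A"},
    "REACTOR_TRIP_LOGIC": {"SAFETY_IC_DIV1", "HVAC_IC_ROOM"},
    "SAFETY_IC_DIV1":     {"UPS_DIV1"},
    "HVAC_IC_ROOM":       {"HVAC_CTRL"},
    "HVAC_CTRL":          {"PLANT_NETWORK"},
    "ENG_WORKSTATION":    {"PLANT_NETWORK"},
    "SWITCHGEAR_A":       {"PROT_RELAY_A"},
    "PROT_RELAY_A":       set(),
    "UPS_DIV1":           set(),
    "PLANT_NETWORK":      set(),
}
# Kind of each asset: aggregate (process engineering level), I&C, support
# system, or a security function performed by I&C.
KIND: Dict[str, str] = {
    "PUMP_JEB10": "aggregate", "VALVE_JEB20": "aggregate",
    "REACTOR_TRIP_LOGIC": "security_function",
    "PLC_1": "ic", "SAFETY_IC_DIV1": "ic", "PROT_RELAY_A": "ic",
    "HVAC_IC_ROOM": "support", "HVAC_CTRL": "support", "ENG_WORKSTATION": "support",
    "SWITCHGEAR_A": "support", "UPS_DIV1": "support", "PLANT_NETWORK": "support",
}


def dependents_of(graph: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the graph: asset -> assets that directly depend on it."""
    inv: Dict[str, Set[str]] = {n: set() for n in graph}
    for node, deps in graph.items():
        for d in deps:
            inv.setdefault(d, set()).add(node)
    return inv


def impact(compromised: str, graph: Dict[str, Set[str]] = DEPENDS_ON) -> Set[str]:
    """Every asset transitively dependent on `compromised` (itself excluded).
    Breadth-first over the inverted graph; the seen-set also stops on cycles."""
    inv = dependents_of(graph)
    if compromised not in inv:
        raise KeyError(f"unknown asset {compromised}")
    seen: Set[str] = set()
    queue = deque([compromised])
    while queue:
        for d in inv[queue.popleft()]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen


def affected_security_functions(compromised: str, graph=DEPENDS_ON, kind=KIND) -> Set[str]:
    """Security functions reachable from a compromised asset."""
    return {a for a in impact(compromised, graph) if kind.get(a) == "security_function"}


def rank_by_consequence(graph=DEPENDS_ON, kind=KIND) -> List[Tuple[str, int, int]]:
    """Rank assets by (security functions hit, aggregates hit).  A support
    system near the top that nobody classified as critical is exactly what
    the dependency analysis is meant to surface."""
    rows = []
    for a in graph:
        hit = impact(a, graph)
        rows.append((a,
                     sum(1 for x in hit if kind.get(x) == "security_function"),
                     sum(1 for x in hit if kind.get(x) == "aggregate")))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for asset, sf, ag in rank_by_consequence():
        print(f"{asset:20s} security functions: {sf}  aggregates: {ag}")
```

In the constructed graph the HVAC controller of the I&C room is a support system with no safety classification, yet its compromise reaches the reactor trip logic (through the room cooling it depends on) as well as both aggregates, so it ranks at the top; the protection relay, by contrast, reaches the pump and the valve but no security function. That is the kind of result that feeds critical digital asset identification and the assignment of security degrees to support systems.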

Figure 7. Principle of Selection and Mapping of Application Security Controls

Security controls apply to diverse scopes during the project lifecycle and during plant operation. A major challenge is the optimal assignment of Application Security Controls (ASCs) to digital and hardware assets. The generic part can be formalized, e.g. per platform, via an Organization Normative Framework and then applied via an Application Normative Framework [12]. Figure 7 indicates how ASCs can be applied.

6.1. Mapping of Application Security Controls

Cybersecurity controls can be planned according to a general standard, e.g. ISO/IEC 27002:2013 [4], and refined according to domain-specific guidance. In a small project, e.g. with a single automation device, the representation of the mapping between security controls and the assets they apply to is rather straightforward: in a table or list of all applicable controls, the applied countermeasures are directly described, including annotations like needed security tests and further technical details. This approach (1:1 mapping) is not applicable for multiple assets, especially if they must meet different security requirements.

For more complex projects, a semi-formal description of security controls is needed. Therefore, preferably, Application Security Controls (ASCs) should be used, already starting at the modeling level. In addition to the textual descriptions, ASCs provide all needed cybersecurity details, like Security Degrees, assignments of responsibilities (RACI charts), relevant deadlines (e.g. for implementation, testing, auditing) and procedures (e.g. for validation and testing) [13].

As a general principle, in AutomationML all assets must have unique IDs. In addition, assets are identified by a sequence of BrowseNames which, concatenated, must result in a unique identifier. While the primary purpose of these identifiers is to identify resources during all lifecycle phases, they can also be used for the mapping to security controls, as indicated in Figure 8.

Figure 8. Example Mapping of Application Security Controls

The structured mapping of countermeasures at the appropriate level of detail of the assets supports an analysis of their expected effect on devices and aggregates.
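To make the mapping of Section 6.1 concrete, the Python script below is an added example, not code from the paper, from AREVA or from the AutomationML project. It reads a small constructed CAEX instance hierarchy of the kind AutomationML files carry (the element names CAEXFile, InstanceHierarchy, InternalElement, Attribute and Value and the ID attribute are those of CAEX), enforces the uniqueness of both the IDs and the concatenated name paths, assigns ASCs from a constructed catalogue by Security Degree with asset-specific additions, and runs two checks: that a hand-maintained mapping still covers every required control, and that no member of a zone carries a less stringent degree than the zone itself. The attribute names SecurityDegree and SafetyClass, the ASC identifiers and the zone rule are assumptions of this example.

```python
"""Map Application Security Controls (ASCs) onto assets of an AutomationML
(CAEX) instance hierarchy and check the result.

Added example, not code from the paper, AREVA or the AutomationML project.
The CAEX fragment, the attribute names SecurityDegree and SafetyClass, the
ASC catalogue and the zone rule are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_AML = """<CAEXFile FileName="unit1.aml" SchemaVersion="2.15">
  <InstanceHierarchy Name="Unit1">
    <InternalElement Name="Safety_IC" ID="a1b2-0001">
      <Attribute Name="SecurityDegree"><Value>SD1</Value></Attribute>
      <InternalElement Name="DIV1_CPU" ID="a1b2-0002">
        <Attribute Name="SecurityDegree"><Value>SD1</Value></Attribute>
        <Attribute Name="SafetyClass"><Value>1</Value></Attribute>
      </InternalElement>
      <InternalElement Name="DIV1_HMI" ID="a1b2-0003">
        <Attribute Name="SecurityDegree"><Value>SD2</Value></Attribute>
        <Attribute Name="SafetyClass"><Value>NC</Value></Attribute>
      </InternalElement>
    </InternalElement>
    <InternalElement Name="TurbineHall" ID="a1b2-0004">
      <Attribute Name="SecurityDegree"><Value>SD3</Value></Attribute>
      <InternalElement Name="PLC_1" ID="a1b2-0005">
        <Attribute Name="SecurityDegree"><Value>SD3</Value></Attribute>
        <Attribute Name="SafetyClass"><Value>NC</Value></Attribute>
      </InternalElement>
    </InternalElement>
  </InstanceHierarchy>
</CAEXFile>
"""

DEGREE_RANK = {"SD1": 3, "SD2": 2, "SD3": 1, "BASE": 0}   # SD1 is the most stringent

# Constructed ASC catalogue: id -> (title, security degrees that require it).
ASC_CATALOGUE = {
    "ASC-01": ("Cabinet access restricted to named operators", {"SD1", "SD2"}),
    "ASC-02": ("Removable media only via dedicated scanning kiosk", {"SD1", "SD2", "SD3"}),
    "ASC-03": ("Data diode towards any lower security degree", {"SD1"}),
    "ASC-04": ("Firmware integrity check at each maintenance", {"SD1", "SD2", "SD3", "BASE"}),
}


@dataclass
class Asset:
    path: str          # concatenated element names, unique per file
    caex_id: str       # CAEX ID attribute, unique per file
    degree: str        # SD1..SD3 or BASE; independent of safety_class (1, 2, 3, NC)
    safety_class: str


def _attribute(elem: ET.Element, name: str) -> Optional[str]:
    v = next((a.find("Value") for a in elem.findall("Attribute") if a.get("Name") == name), None)
    return v.text.strip() if v is not None and v.text else None


def load_assets(aml_text: str) -> Dict[str, Asset]:
    """Walk the instance hierarchy; reject duplicate IDs or duplicate paths."""
    root = ET.fromstring(aml_text)
    assets: Dict[str, Asset] = {}
    seen_ids = set()

    def walk(elem: ET.Element, prefix: str) -> None:
        for ie in elem.findall("InternalElement"):
            path = f"{prefix}/{ie.get('Name')}"
            cid = ie.get("ID")
            if not cid or cid in seen_ids:
                raise ValueError(f"missing or duplicate CAEX ID at {path}")
            if path in assets:
                raise ValueError(f"duplicate element path {path}")
            seen_ids.add(cid)
            assets[path] = Asset(path, cid, _attribute(ie, "SecurityDegree") or "BASE",
                                 _attribute(ie, "SafetyClass") or "NC")
            walk(ie, path)

    for ih in root.findall("InstanceHierarchy"):
        walk(ih, ih.get("Name"))
    return assets


def assign_controls(assets, catalogue=ASC_CATALOGUE, overrides=None) -> Dict[str, List[str]]:
    """Generic assignment by security degree (the normative-framework part) plus
    asset-specific additions keyed by path (the application-specific part)."""
    mapping = {}
    for path, a in assets.items():
        ids = [cid for cid, (_, degrees) in catalogue.items() if a.degree in degrees]
        ids += [cid for cid in (overrides or {}).get(path, []) if cid not in ids]
        mapping[path] = ids
    return mapping


def coverage_gaps(assets, mapping, catalogue=ASC_CATALOGUE) -> List[str]:
    """Controls required for an asset's degree that the mapping does not assign."""
    gaps = []
    for path, a in assets.items():
        required = {cid for cid, (_, degrees) in catalogue.items() if a.degree in degrees}
        for cid in sorted(required - set(mapping.get(path, []))):
            gaps.append(f"{path}: {a.degree} requires {cid}")
    return gaps


def zone_inconsistencies(assets) -> List[str]:
    """Paths whose degree is less stringent than the enclosing element's.
    Constructed rule: a member of a zone carries at least the zone's degree."""
    bad = []
    for path, a in assets.items():
        parent = assets.get(path.rsplit("/", 1)[0])
        if parent and DEGREE_RANK[a.degree] < DEGREE_RANK[parent.degree]:
            bad.append(path)
    return sorted(bad)
```

The path (Unit1/Safety_IC/DIV1_CPU) is what the mapping table is keyed on, while the CAEX ID is what survives renaming between engineering tool versions, so both are checked for uniqueness at load time rather than discovered later as a silently overwritten entry. In the constructed file the HMI inside the SD1 zone carries SD2, which zone_inconsistencies reports; whether the fix is to move the HMI into its own zone or to raise its degree is exactly the decision the paper leaves to the security experts. Note also that DIV1_CPU (Safety Class 1) and the container both carry SD1 while the HMI is NC, consistent with the absence of a direct mapping between Security Degrees and Safety Classes.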

7. CONCLUSION

For new turn-key NPPs cybersecurity is considered at all levels, from the top-level security architecture down to the security of individual platform components and products.

For existing NPPs, AREVA proposes the gradual consideration of international and national nuclear cybersecurity regulation. The presented approach is especially suited to existing NPPs. Based on modeling at the right level of detail for security analyses, Application Security Controls are assigned and adapted to achieve maximum protection. The modeling allows a balanced and overall efficient assignment of appropriate Application Security Controls prior to implementation and testing.

Timely consideration of and compliance with nuclear cybersecurity requirements has multiple benefits, including higher assurance of plant availability, maintaining a good corporate reputation and a solid basis for security incident response and training.

ACKNOWLEDGEMENTS

Some of the cybersecurity concepts described above are being elaborated as part of participation in the "SMARTEST" cybersecurity testing R&D project with three German university partners, partially funded by the German Federal Ministry for Economic Affairs and Energy (BMWi).

REFERENCES

[1] IEC 62645:2014, Nuclear power plants - Instrumentation and control systems - Requirements for security programmes for computer-based systems.

[2] IEC 62859:2016 (draft at the time of writing), Nuclear power plants - Instrumentation and control systems - Requirements for coordinating safety and cybersecurity.

[3] ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements.

[4] ISO/IEC 27002:2013, Information technology - Security techniques - Code of practice for information security controls.

[5] ISO/IEC 27005:2011, Information technology - Security techniques - Information security risk management.

[6] IEC 60880:2006, Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions.

[7] IEC 62138:2004, Nuclear power plants - Instrumentation and control important for safety - Software aspects for computer-based systems performing category B or C functions.

[8] ISO/IEC/IEEE 29119-1:2013, Software and systems engineering - Software testing - Part 1: Concepts and definitions.

[9] HMG IA Standard No. 1, Technical Risk Assessment, Issue No. 3.51, 2009.

[10] IEC 61513:2011, Nuclear power plants - Instrumentation and control important to safety - General requirements for systems.

[11] IEC 62714-1:2014, Engineering data exchange format for use in industrial automation systems engineering - Automation markup language - Part 1: Architecture and general requirements.

[12] ISO/IEC 27034-1:2011, Information technology - Security techniques - Application security - Part 1: Overview and concepts.

[13] ISO/IEC 27034-2:2015, Information technology - Security techniques - Application security - Part 2: Organization normative framework.

[14] IEC 62443-3-3:2013, Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels.

[15] P. Zavarsky, K. Waedt, A. Kuskov: High Assurance Cybersecurity Controls against Persistent and Targeted Attacks on I&C Systems in Nuclear Facilities. 9th International Conference on Nuclear Plant Instrumentation, Control & Human-Machine Interface Technologies (NPIC & HMIT 2015), Charlotte, 2015.

[16] K. Waedt, Y. Ding: Safety and Cybersecurity Aspects in the Safety I&C Design for Nuclear Power Plants. 3rd China (International) Conference on Nuclear Power I&C Technology, Shanghai, April 2015.

[17] E. Lillo, K. Waedt: Challenges in Considering National and International Cybersecurity Requirements and Performing a Criticality Analysis. IAEA Conference, Vienna, June 2015.

[18] K. Waedt, Y. Ding, Y. Gao, X. Xie: I&C Modeling for Cybersecurity Analyses. 1st TÜV Rheinland China Symposium, Shanghai, October 2015.

[19] K. Waedt, M. Parekh, X. Tong, Y. Gao, Y. Ding, X. Xie: Nuclear Safety and Risk-based Cybersecurity Testing. 47th Annual Meeting on Nuclear Technology, Hamburg, May 2016.

[20] SEWD-Richtlinie IT: Richtlinie für den Schutz von IT-Systemen in kerntechnischen Anlagen und Einrichtungen der Sicherheitskategorien I und II gegen Störmaßnahmen oder sonstige Einwirkungen Dritter (guideline for the protection of IT systems in nuclear facilities of security categories I and II against sabotage and other third-party interference), classified VS-NfD, Bundesamt für Umwelt, Naturschutz und Reaktorsicherheit, 2013.