Roadmap to Enhance Cyber Systems Security in the Nuclear Sector

Roadmap to Enhance Cyber Systems Security in the …resources.nei.org/documents/Roadmap.pdf · This Roadmap to Enhance Cyber Systems Security in the Nuclear Sector provides a vision


Acknowledgements

The development of this Roadmap to Enhance Cyber Systems Security in the Nuclear Sector was undertaken by the Nuclear Roadmap Steering Committee (RSC) in support of the Nuclear Sector Joint Cyber Council, Nuclear Sector Coordinating Council, and Nuclear Government Coordinating Council under the Critical Infrastructure Partnership Advisory Council (CIPAC) Framework and has been approved for release by these councils. The RSC would like to thank Bill Gross of the Nuclear Energy Institute, who served as Private Sector Co-Chair, and Rachel Liang from the U.S. Department of Homeland Security, who served as Public Sector Co-Chair, for their leadership in framing and driving the development process. Special thanks to the U.S. Department of Homeland Security’s Nuclear Sector-Specific Agency and the Nuclear Energy Institute, which provided the funds and meeting support needed to convene participants and facilitate the discussions necessary to develop the roadmap. Planning, facilitation, and document preparation were accomplished by David Martin, Nuclear Sector-Specific Agency/Energetics Incorporated; Katie Jereza and Melanie Seader, Energetics Incorporated; and Jack Eisenhauer of Nexight Group, LLC.


Message from the Nuclear Sector Roadmap Steering Committee

This Roadmap to Enhance Cyber Systems Security in the Nuclear Sector provides a vision and framework for mitigating cybersecurity risks to the wide variety of systems critical to commercial nuclear power plant operations. It outlines specific goals, objectives, and time-based milestones for the next 15 years that will adequately protect commercial nuclear power from cyber threat so that the current functional reliability and resilience of the commercial nuclear power subsector of the Nuclear Sector[1] are maintained despite an evolving threat landscape.

This roadmap will enhance the sector’s already strong defensive posture. Since the inception of the U.S. commercial nuclear power industry, the Nation’s nuclear power plants have integrated safety-related equipment designed to provide reasonable assurance that public health and safety are protected from operating nuclear power plants. These plants have employed comprehensive and dynamic security systems and are continually improving their ability to respond to emerging threats including cyber threats. The roadmap leverages the collective insight of industry, academia, and government cybersecurity experts, and represents their ongoing commitment to proactively address the rapidly evolving cyber risk environment. The roadmap will be used to guide and align public and private efforts toward high-priority solutions to achieve a common vision of the future.

Implementation of the strategies outlined in this roadmap hinges on the continued commitment of all members of the nuclear power reactor and cybersecurity communities. We encourage you to adopt the vision outlined in the roadmap and work collaboratively with us to achieve its goals.

All activities within this roadmap should be conducted in accordance with applicable law and policy and nothing in this roadmap restricts, supersedes, or otherwise replaces the legal authorities or regulatory responsibilities of any government agency or organization. The views expressed within this roadmap are those of the members of the Roadmap Steering Committee and do not constitute an official agency or organization position.

The Nuclear Sector Roadmap Steering Committee

• Dave Altman, Westinghouse
• Steve Batson, Invensys
• Sandra Bittner, Arizona Public Service
• Marc Brooks, U.S. Department of Homeland Security, Nuclear Sector-Specific Agency
• Steve Carr, NextEra Energy
• Mike Chandler, Southern California Edison
• Matt Gibson, Progress Energy
• Mike Glancy, Constellation Energy
• William Gross (Private Sector Co-Chair), Nuclear Energy Institute
• Wade Kirschner, Department of Homeland Security Office of Intelligence and Analysis
• Lisa Kaiser, U.S. Department of Homeland Security, National Cyber Security Division, Control System Security Program
• Rachel Liang (Public Sector Co-Chair), U.S. Department of Homeland Security, Nuclear Sector-Specific Agency
• David Martin, U.S. Department of Homeland Security, Nuclear Sector-Specific Agency/Energetics
• Perry Pederson, Nuclear Regulatory Commission
• Ernest Rakaczky, Invensys
• William H. Sanders, University of Illinois at Urbana-Champaign
• Graham Speake, Yokogawa IA Global Marketing Center (USMK)
• Daniel Thanos, GE Digital Energy Services
• Zach Tudor, SRI International

1. The Department of Homeland Security identifies 18 critical infrastructure sectors, including the Nuclear Sector (see the National Infrastructure Protection Plan at www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf). The Nuclear Sector generally comprises three subsectors: commercial nuclear power reactors, non-power or research and test reactors, and radioactive materials licensed for use in the United States.


Table of Contents

Acknowledgements
Message from the Nuclear Sector Roadmap Steering Committee
Executive Summary
1. Introduction
    National Context
    Roadmap Purpose
    Roadmap Scope
    The Path Forward
2. Cyber Systems in the Nuclear Sector
    Commercial Nuclear Power Reactors
    Role of Cyber Systems
    Drivers and Trends
3. Framework for Enhancing Cyber Systems Security in the Nuclear Sector
    Vision
    Guiding Principles
    Goals
    Strategies
4. Roadmap Implementation
    Next Steps
    Industry Activities
    For More Information
Appendix A. Cyber Systems Landscape in the Nuclear Sector
Appendix B. National Context
Appendix C. Roadmap Development Process
Appendix D. Acronyms and Abbreviations


Executive Summary

The Nation’s nuclear power plants are among the safest and most secure industrial facilities in the United States. Multiple layers of physical security and cybersecurity, together with high levels of operational performance, protect plant workers, the public, and the environment. As U.S. commercial nuclear power plants become more advanced, they must meet and address evolving cybersecurity challenges.

Cybersecurity Challenges

Cyber system risks are dynamic and multidimensional. Power plant owner-operators must not only understand the current risks to cyber systems, but also consider a constantly evolving field of potential adversaries and technologies. The growing number of nodes and access points also makes identifying vulnerabilities more complex.

To address these challenges, systems analysis capabilities must keep up with the increasing volume, complexity, speed, and connectedness of nuclear cyber systems. System designs must become more flexible as technology life cycles become shorter. As collaboration among public and private sector stakeholders increases, commonly understood terms, language, and frameworks are needed for baselining efforts and measuring progress. Highly skilled personnel with cybersecurity expertise are needed to ensure security technologies and practices continue to be effectively implemented across the sector.

The Vision

This Roadmap to Enhance Cyber Systems Security in the Nuclear Sector builds upon an already strong foundation of cybersecurity practices across the sector and provides a strategic framework for public and private partners to further their efforts to achieve a common vision:

In 15 years, systems critical to plant operations will adequately protect commercial nuclear power from cyber threat so that the current functional reliability and resilience are maintained despite cyber attacks or incidents.

Two crosscutting principles underlie this vision and are inherently supportive of its realization:

A culture of security, in which functional reliability, security, and resilience become an integral part of the industry’s safety culture, supported by information sharing, training, and collaborative partnerships

A security-life-cycle approach, supported across the supply chain, in which security measures are integrated into the full life cycle of cyber system architectures and components as next-generation systems evolve

Implementation of these two principles will help to ensure that security practices, including security management and continuous security state monitoring, are reflexive, expected, and widely deployed, and that capabilities are optimized for minimizing, neutralizing, and eliminating system vulnerabilities and risks. These practices must include network monitoring and assessment capabilities to capture any anomalies or changes in baseline function and/or configuration not only during operation, but also when they are restored to service following an interruption. In addition, security states must be preserved, despite plant manipulation for forensic, diagnostic, and tracking purposes.

Nuclear cyber systems: The facilities, systems, equipment, services, and diagnostics that provide the functional control and/or monitoring capabilities necessary for the effective and reliable operation of Nuclear Sector infrastructure.


The continued implementation and maintenance of effective cybersecurity programs at nuclear power plants will help to ensure that newly discovered applicable vulnerabilities or root causes are quickly and effectively addressed. An increasingly secure cyber future for nuclear power facilities will also include advanced critical systems that are capable of reporting changes in baseline function, both during operation and after restoration. Increasingly resilient architectures, components, and practices will ensure that operating systems are preserved during unavoidable interventions, such as plant diagnostic, forensic, or tracking procedures.

Roadmap Strategies

The path forward, outlined in the strategic framework shown in Table ES.1, is broad-based and comprehensive, and follows a timetable over the short (0–4 years), medium (5–9 years), and long (10–14 years) terms. It affirms the critical need to protect cyber systems from cyber attack, and recognizes that protecting against every potential intrusion is impossible. The focus is on building and implementing cyber systems with security built-in, enabling continued effective cybersecurity programs at nuclear power plants, and supporting the ability of nuclear power plant operators to provide high assurance that critical systems are (1) adequately protected from the cyber threats and (2) able to return to normal operations as quickly as possible in the face of a cyber incident or event.

Four strategies lend themselves to partnering in realizing this vision:

I. Measure and Assess Security Posture

It is crucially important for an organization to have a thorough understanding of its cyber systems’ security posture at any given time. To gain this understanding, nuclear cyber systems personnel need effective security tools and practices that will continuously measure and assess the risks to both new and old systems. The near-term goal of this strategy is to begin development of agreed-upon methods, measures, and framework for characterizing risk, recognizing that there are different approaches to solving cybersecurity challenges, some of which are not risk based in a traditional sense. In the mid-term, these methods, measures, and frameworks must be refined, socialized, and broadly adopted in order to enable industry to develop tools for continuous security state monitoring and risk assessment. The long-term goal of this strategy is to provide owner-operators with automated, dynamic tools that adapt the security posture to changing threats.

II. Develop and Implement Protective Capabilities

As security problems are identified or anticipated, nuclear cyber system personnel should incorporate proven practices and security tools to address risks. Defensive measures will offer a threshold of protection based upon known threats and vulnerabilities. A performance-based approach to protective capabilities is needed to proactively neutralize classes of threats and eliminate vulnerabilities. The near-term goal of this strategy is to develop measures to benchmark and compare protective capabilities. Once a protective capability approach is defined, mid-term goals are to establish a life-cycle framework that provides the structure for developing, implementing, and validating security solutions. For legacy systems, protective measures will incorporate proven best practices, security tools, and retrofit security technologies that do not degrade system performance. In the long-term, the goal of this strategy is centered on implementing critical infrastructure access controls for cyber devices and updating communication protocols with integrated security capabilities, such as secure links, device-to-device authentication, and effective protocols.

Roadmap Scope: This roadmap focuses on mitigating cyber system risks at the Nation’s 65 commercial nuclear power plant sites. Systems utilized in nuclear power plant operations that may be digitized include process monitoring and control, communication networks, safety, emergency preparedness and response systems, security systems, communication networks, and business enterprise systems.

III. Manage Incidents

Cybersecurity incident response methods may not be fast enough to respond to advanced persistent threats. As there is limited accommodation for automated response and isolation in existing response approaches, the near-term goal of this strategy is to develop capabilities to support and implement cyber attack response decisionmaking for control room operators. These operators would benefit from automated response and isolation capabilities, based on predictive measures, so personnel can effectively contain vulnerabilities and get affected systems back online. To improve post-incident analysis, a mid-term goal is to create and share lessons learned, develop forensics to implement short-term lessons learned, and develop systems that can simultaneously obtain forensic data and conduct post-incident analyses. Forensic capabilities should also be expanded so the sector can recognize cyber incidents by differentiating cyber problems from other hazards and identify periodic anomalies that may be cyber issues but manifest in a mechanical way. Long-term goals include new, unified capabilities for automated response to a cyber incident; rapidly returning to normal operations; and sharing incident response experience and lessons learned within the sector and across interdependent sectors. Achieving these goals will require the development and implementation of commercially available, regularly updated tools and capabilities that support enhanced decisionmaking. In addition, enhanced capabilities are needed to continue safe operations despite system faults.

IV. Sustain Security Improvements

Responsibilities must be coordinated among stakeholders in several key areas, including sharing cybersecurity information across sectors, leveraging existing government and industry roadmap efforts, educating the industry about technology requirements, and establishing a proactive security capability that provides a core set of technologies and 24 x 7 monitoring. Collaborative partnerships are necessary to support a robust pipeline of research and development, ensure a well-trained and prepared workforce that can address current and future threats, and standardize and communicate best practices industry-wide. Achieving this goal will require that this roadmap be widely adopted in the near term by key stakeholder groups. To address the evolving risk environment, the roadmap will be updated regularly. The mid-term goals for this strategy are to create a framework of information-sharing and dialogue, create a common language of cybersecurity that every sector group can use and understand, and integrate cybersecurity training into periodic employee training programs. In the long term, best practices will be widely documented and shared.

Implementing the Roadmap

Through these strategies, the Nuclear Sector will assess and implement practices that foster an enduring security culture that embodies the highest levels of organizational commitment to nuclear safety. However, the nuclear industry and government cannot do this alone. Implementing these strategies will require the collective commitment, collaboration, and resources of all relevant Nuclear Sector stakeholders, including industry and policymakers as well as researchers and digital equipment vendors. As Nuclear Sector partners align resources to pursue the strategies contained in the roadmap, they will continue to review, assess, and adjust the mix of activities that will continually enable Nuclear Sector cyber systems to achieve higher levels of performance in both operations and plant safety and security.


Table ES.1. Roadmap to Enhance Cyber Systems Security in the Nuclear Sector

Vision

In 15 years, systems critical to plant operations will adequately protect commercial nuclear power from cyber threat so that the current functional reliability and resilience are maintained despite cyber attacks or incidents.

• The operators of these plants must have a strong cybersecurity program to ensure that implemented security measures are continuously effective and newly discovered applicable vulnerabilities or root causes are effectively addressed.

• The program must include monitoring and assessment of networks to capture any anomalies or changes in baseline function/configuration while operating or when they are restored to service.

• Security states must be preserved despite plant manipulation for forensic, diagnostic, and tracking purposes.

This vision is accomplished using a defense-in-depth approach that integrates resilient and trustworthy architectures, components, and practices with security features that are built-in, transparent, and validated throughout the life cycle.

Principles

A Culture Of Security, in which functional reliability, security, and resilience become an integral part of the industry’s safety culture, supported by information sharing, training, and collaborative partnerships

A Security-Life-Cycle approach, supported across the supply chain, in which security measures are increasingly integrated into the full life cycle of cyber system architectures and components as next-generation systems evolve

Major Barriers

• Risk profile is multidimensional and has a short window of relevancy
• Changing technologies are incompatible with a deterministic approach
• Complexity, volume, and speed of cyber systems hinder analysis
• Lack of commonly understood terms, language, and frameworks
• Attracting and retaining a ready workforce

Strategies

1. Measure and Assess Security Posture
2. Develop and Implement Protective Capabilities
3. Manage Incidents
4. Sustain Security Improvements

Near-term Milestones (0–4 years)

1.1 Cybersecurity methods and framework for cyber systems initiated

2.1 Measures to benchmark and compare protective capabilities initiated

3.1 Capabilities to support and implement cyber attack response decisionmaking for control room operators commercially available

4.1 Field-proven best practices for cybersecurity integrated into new cyber system designs

4.2 Common language of cybersecurity culture understood by all stakeholders

4.3 Cybersecurity training and qualifications integrated into accredited training programs

Mid-term Milestones (5–9 years)

1.2 Capabilities for continuous security state monitoring and cyber security assessment of cyber systems commercially available

2.2 Lifecycle framework for developing, implementing, and validating security solutions established

2.3 Capabilities to evaluate protective capabilities of cyber components and systems commercially available

3.2 Lessons learned from cyber incidents documented and shared throughout the Nuclear Sector

3.3 Capabilities to identify cyber incidents and conduct real-time forensics commercially available

4.4 Roadmap refreshed to address evolving risk environment

Long-term Milestones (10–14 years)

1.3 Dynamic tools that adapt cybersecurity assessment capabilities to changing threats commercially available

2.4 Scalable access control for cyber devices implemented and kept up to date

2.5 Communication protocols with integrated security capabilities implemented and kept up to date

3.4 Capabilities for automated response to cyber incidents, including best practices for implementing these capabilities, available

3.5 Enhanced capabilities to continue safe operations despite system faults, implemented and kept up to date

4.5 Roadmap widely adopted by owner-operators, executives, researchers, vendors, educators, and regulators

Goals (15 years)

Capabilities for continuous security state monitoring and cybersecurity assessment of cyber systems widely employed and optimized within the context of each organization

Capabilities for neutralizing classes of threats and eliminating vulnerabilities widely employed and optimized within the context of each organization

Unified capabilities for mitigating a cyber incident, returning quickly to normal operations, and effective information sharing widely employed among all sector and interdependent sector stakeholders

Collaboration between industry, academia, and government maintains a robust research and development pipeline, ready workforce, and widely employed best practices


1. Introduction

Nuclear power is a vital part of the Nation’s energy landscape. One-hundred and four operating power reactors at 65 sites currently generate 20 percent of the Nation’s electricity. Furthermore, as the primary energy source that does not emit greenhouse gases, nuclear power is expected to be a key pillar of U.S. energy policy for the foreseeable future.

For nearly 60 years, the nuclear power industry, as regulated by the NRC, has maintained the safety and security of U.S. power reactor facilities. Both industry and government have been proactive in identifying and mitigating emergent safety and security concerns since the industry’s inception.

Due to a variety of factors, cyber systems at nuclear power plants are often hybrid systems incorporating both analog and digital technologies. However, these systems are likely to become increasingly digitized as legacy systems are upgraded and as new reactors come online. Although the trend toward increased digitization will yield many benefits in terms of the safety, security, and performance of the reactors and reactor facilities, it may also create new vulnerabilities that must be mitigated.

The Roadmap to Enhance Cyber Systems Security in the Nuclear Sector provides a strategic framework for public and private partners to further their efforts to improve the functional reliability and resilience of cyber systems employed at U.S. commercial nuclear power plants. It is intended to inform the broad landscape of Nuclear Sector stakeholders, including industry, policymakers, regulators, government, academic, and private sector researchers, and digital equipment vendors.

National Context

Leaders from the Nation’s critical infrastructure sectors and associated Sector-Specific Agencies (SSAs)[2] recognize the need to plan, coordinate, and focus ongoing efforts to improve cyber and control systems security. In 2007, the National Infrastructure Advisory Council recommended that the U.S. Department of Homeland Security (DHS) and the SSAs “collaborate with their respective owner-operator sector partners to develop sector-specific roadmaps using the 2006 Energy Sector Roadmap as a model.”[3] Several critical infrastructure sectors, including the Energy (2006/2011), Water (2008), Chemical (2009), and Dams Sectors (2010), have already developed cyber systems security roadmaps.[4]

Activities outlined in these roadmaps help to facilitate effective public-private collaboration to create a national critical infrastructure protection and resilience strategy that reflects the needs and expectations of both government and industry. This roadmap builds on these earlier roadmap efforts and the regulatory and best practices already in place across the Nuclear Sector.

Roadmap Benefits

• Align industry-government cybersecurity efforts
• Focus resources on priority needs of the Nuclear Sector
• Position the nuclear industry for the widespread adoption of secure digital technologies
• Highlight potential enhancements in technology and practices
• Outline a process for extensive public-private collaboration

2. DHS identifies 18 critical infrastructure sectors, including the Nuclear Sector. Each CI sector has a partnership agency within the Federal government called a Sector-Specific Agency (SSA), with which it is jointly responsible for developing critical infrastructure protection policy and practices in the sector. The SSA for the Nuclear Sector is DHS. See the National Infrastructure Protection Plan at www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.

3. National Infrastructure Advisory Council, Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group: Final Report and Recommendations by the Council, Washington, D.C.: DHS, 2007, www.dhs.gov/xlibrary/assets/niac/niac_physicalcyberreport-011607.pdf.

4. Energetics Incorporated, Roadmap to Secure Control Systems in the Energy Sector, Washington, D.C.: DHS and the U.S. Department of Energy, 2006; Water Sector Coordinating Council Cyber Security Working Group, Roadmap to Secure Control Systems in the Water Sector, Washington, D.C.: DHS and the American Water Works Association, 2008.

Roadmap Purpose

This roadmap has four purposes:

1. To present a common vision and a supporting framework of goals and milestones to improve the functional reliability and resilience of cyber systems at commercial nuclear power reactors over the near (0–4 years), medium (5–9 years), and long term (10–15 years)

2. To present barriers and potential solutions for improving cyber incident preparedness, detection, response, and recovery in case of a cyber incident at a commercial nuclear power plant

3. To guide efforts by industry, academia, and government to plan, develop, and implement cybersecurity solutions for commercial power reactors

4. To identify existing efforts and enhance collaboration among stakeholders to accelerate cybersecurity advances in the Nuclear Sector and interdependent critical infrastructure sectors

Roadmap Scope

This roadmap focuses on mitigating cyber system risks at the Nation’s commercial nuclear power plants. Although it does not directly address research and test reactors, fuel cycle facilities, or facilities that use radioactive materials for medical, research, or industrial purposes, the potential solutions found within this roadmap may be used as a basis for these other Nuclear Sector facilities to enhance their cybersecurity posture, or to embark upon a roadmap process in the future.

Nuclear power plants use cyber systems throughout their facilities to varying degrees. Systems utilized in nuclear power plant operations that may be digitized include process monitoring and control, communication networks, safety, emergency preparedness and response systems, security systems, and business enterprise systems.

The Path Forward

Cybersecurity regulations for power reactors were published by the U.S. Nuclear Regulatory Commission in March 2009. Efforts are currently underway to implement those requirements. These efforts build upon an already strong foundation of cybersecurity practices across the sector. Dynamic and increasingly persistent cyber threats will require the sector to stay vigilant and to adapt quickly to new developments, because cyber events occur in seconds or minutes, whereas traditional nuclear issues can span months or years. The intent of this roadmap is to provide a long-term and overarching strategic perspective and plan for strengthening the reliability and resilience of cyber systems. The ability to continuously monitor and adjust to an evolving cyber threat and cyber system landscape is essential.

The path forward is clear. Success depends upon securing the necessary resources, leadership, and commitment from a wide variety of stakeholders and interdependent organizations to implement the vision articulated herein. Without this collaboration, Roadmap priorities and milestones will not translate into real-world projects, activities, products, and outcomes.


2. Cyber Systems in the Nuclear Sector

For the purposes of this roadmap, cyber systems are defined as the facilities, systems, equipment, services, and diagnostics that provide the functional control and/or monitoring capabilities necessary for the effective and reliable operation of commercial power reactor infrastructure. Many of the cyber systems used in power reactors today were designed for availability and reliability during an era when cybersecurity received low priority. In contrast, newer cyber systems are highly network-based and use common standards for communication such as the Internet, public-switched telephone networks, and cable and wireless networks designed for availability and reliability during an era when cyber threats are rising.

Commercial nuclear power plants are unusual among the Nation’s critical infrastructure because they have not integrated advanced digital technologies to the extent that many other sectors have. This is due to a variety of factors, including the highly regulated commercial nuclear landscape and the amount of time since the last commercial nuclear power reactor plant came online.5

Commercial Nuclear Power Reactors

Cyber systems at nuclear power plants are often hybrid systems incorporating both analog and digital technologies.

Because the Nation’s nuclear power plants were built at different times by numerous vendors using different plant designs, each reactor facility is unique. However, the following are some major components common to all current U.S. nuclear power plants and their functions:

• Nuclear reactor cores use enriched uranium in the nuclear fission process to produce thermal energy to heat water.
• Heat transfer/working fluid loops transfer thermal energy from the reactor to electricity-generating components.
• Steam-driven turbines operate generators to produce electrical power.
• Generating transformers convert electricity into suitable voltage for transmission and consumption.
• Reactor vessels house and provide for proper control of the reactor core.
• Containment structures and systems prevent release of radioactivity to the environment if the reactor coolant system and reactor core are damaged.
• Cooling pools store spent nuclear fuel near the reactor until the spent fuel is cool enough to move to dry storage.
• Heat sinks (e.g., cooling tower, river, lake, ocean) and associated normal cooling water systems condense steam and cool plant equipment during normal operation.
• Plant control room and reactor control systems allow for proper control of the reactor under normal and emergency conditions.

Role of Cyber Systems

Cyber systems in nuclear power facilities are designed to accomplish repeatable actions in sometimes extreme/harsh environments within fractions of seconds, often without direct human intervention. Their components include the following:

• Sensors
• Control, regulation, and safety systems
• Communication systems
• Human-system interfaces
• Surveillance and diagnostic systems
• Actuators (e.g., valves and motors)
• Status indicators of actuators (indicating whether valves are open or closed, and whether motors are on or off)

5. Dudenhoeffer, Donald, et al., Instrumentation, Control, and Human-Machine Interface to Support DOE Advanced Nuclear Energy Programs, Idaho Falls, ID: Idaho National Laboratory, 1997.

Nuclear cyber systems: The facilities, systems, equipment, services, and diagnostics that provide the functional control and/or monitoring capabilities necessary for the effective and reliable operation of Nuclear Sector infrastructure.

Drivers and Trends

Protecting nuclear cyber systems requires a comprehensive programmatic approach that addresses the security concerns of today’s systems while allowing the program to evolve to address the needs of tomorrow. As cyber systems integrate more digital capabilities, they will rely more on the comprehensive cybersecurity program to address malevolent acts against the system so that challenges associated with use of such systems can be addressed with minimum attention to security to maintain the reliability of those systems. Asset owner-operators must understand the difference between reliability and security and how security is relied upon to protect reliable operation of the systems. They must also understand that cybersecurity must be flexible enough to address cyber threats to their legacy systems, apply security tools and practices, and consider new control system architectures.

Drivers

In 2009, the Nuclear Regulatory Commission (NRC) published a cybersecurity rule under 10 CFR 73.54 that requires commercial nuclear power plants to protect digital computer and communications systems and networks associated with safety, security, important to safety and emergency preparedness (SSEP) functions. Implementation of the cybersecurity plans required by the rule will take place over the next several years. These changes will afford both industry and government significant opportunities to plan and execute a wide range of activities to more efficiently and effectively achieve cyber system security and preparedness at the Nation’s nuclear power facilities.

In addition, government policy changes since the late 1990s are helping to pave the way for significant growth in nuclear capacity. Government and industry are working closely on approval for new plant designs and construction. Following a 30-year period in which no new commercial power reactors were built, it is expected that new units may come online in the future, the first of these resulting from 16 license applications to build 24 new nuclear reactors made since mid-2007. These new plants will be built with the latest digital instrumentation and control technologies, and will apply these technologies to a broader range of functions than has been the case in the Nation’s legacy plants. These new and more digitally sophisticated plants will present their owner-operators with both increased security challenges and opportunities.

Finally, cyber threats to critical infrastructure continue to become more common and sophisticated. Industrial control systems, similar to traditional business information systems, are targets for a variety of malicious cyber actors. Threat actors who target these systems may be intent on damaging equipment and facilities, disrupting services, stealing proprietary information, or accomplishing other malicious plans. With knowledge of and access to a control system’s network, malicious actors can seize control of the system or send corrupt information to plant operators, causing damage to plant systems and equipment. Furthermore, any individual with access to a plant’s control systems could unwittingly introduce malware into a system through the use of infected portable media or by falling victim to socially engineered communications, such as e-mail.


Security threats, whether physical or cyber, will always evolve along with the means to defend against them. However, many cybersecurity professionals believe that the Stuxnet malware discovered in June 2010 is a “game changer.” As one cybersecurity expert testified before Congress:

Stuxnet is a wake-up call to critical infrastructure systems around the world. This is the first publicly known threat to target industrial control systems and grants hackers vital control of critical infrastructure such as power plants, dams and chemical facilities. Stuxnet also represents the first of many milestones in malicious code history – it is the first to: exploit four zero-day vulnerabilities, compromise two digital certificates, and inject code into industrial control systems and hide the code from the operator – all in one threat.6

Stuxnet, and its subsequent spread, demonstrates that industrial control systems in particular are more vulnerable to cyber attacks than in the past for several reasons, including the increased sophistication of the attack methods used against them, as well as trends such as the increased connectivity of these systems to other systems and to the Internet. The path forward to mitigating these vulnerabilities must be broad-based, comprehensive, and support defense in depth, addressing the short, medium, and long terms. Therefore, this roadmap focuses on a comprehensive approach to cybersecurity.

Trends

The following trends present increasing challenges in securing cyber systems in industrial control environments:

Increasing connectivity. Businesses increasingly require information exchange between control systems and business systems. Therefore, technologies offered by cyber system vendors, which usually supply a wide range of markets beyond nuclear, often emphasize connectedness over security.

Changing supply chain. Specialized equipment is giving way to an increased use of off-the-shelf technology, which increases system vulnerabilities. Also, more systems are being produced internationally, creating technical challenges, such as systems testing, verification, and component interoperability.

Changing workforce. There is a need to cultivate a workforce with cybersecurity expertise to prevent the adoption of unsecure/inappropriate technologies and to promote the importance of each worker’s role in safeguarding cyber systems. Multiple types of training are needed, including university education, technical degree training, and onsite training. Nuclear cyber system operators need to be multidisciplinary and highly skilled.

Shorter technology life cycles. System designs need to be more flexible because security components become obsolete quickly.

Automated system functionalities. Nuclear sector SSEP functions are becoming increasingly automated as digital replacements do not always allow manual control. To be approved by regulators, new, automated functions must be reliable and resilient to cyber attack.

6. Securing Critical Infrastructure in the Age of Stuxnet: Hearing Before the United States Senate Committee on Homeland Security and Governmental Affairs, 111th Cong. (November 17, 2010) (statement of Dean Turner, Director, Global Intelligence Network, Symantec Security Response, Symantec Corporation).


Characteristics of a More Secure Cyber Future

An increasingly secure cyber future for nuclear power facilities will employ increasingly resilient cyber systems with the ability to maintain control, self-heal, and perform their intended functions despite cyber attacks at the cyber-physical interface. Integrated, reliable, and transparent, these systems will not limit function or operation. The design of new systems must consider plant cybersecurity programs and their approach so that the system has the ability to rely on plants’ cybersecurity programs to address baseline vulnerabilities. This will ensure that reliability of the new system is not reduced by the increase in complexity of the design. In addition, this will allow owners of these plants to efficiently and effectively maintain a comprehensive cybersecurity program.

An increasingly secure cyber component supply chain is also a characteristic of a more secure cyber future for the Nuclear Sector. One challenge is that the small number of nuclear power facilities relative to other types of facilities that purchase cyber systems may not provide sufficient market strength to encourage vendors to build nuclear power plant-specific security requirements into their systems. Industry must work closely with the vendor community in order to ensure that they understand how nuclear cyber systems are deployed and to illuminate those areas where nuclear power plant requirements cross-cut with the larger market. Another element of improving supply chain security is the verification by vendors of system hardware and software through counterfeit and origin testing. Vendors must be aware of and responsible for insecurities that may be embedded in their products or systems, just as owner-operators must be responsible for developing strategies and methods to secure their systems once installed.

Why We Need this Roadmap

To meet the NRC’s 2009 cybersecurity requirements, nuclear power plant owner-operators must establish, implement, and maintain a cybersecurity plan that meets the criteria set forth in regulation. However, a focus on meeting the regulation alone will not produce long-term increases in cyber system resilience in the Nuclear Sector. Although regulations or standards can be used to raise security baselines, further elements such as technological innovation, cybersecurity education, and integrating a culture of security are also essential. Roadmaps can play an essential role in supporting such a strategy by articulating the sector-specific vision, guiding principles, and goals for cybersecurity improvements and by providing a framework for the integration of industry and government efforts to achieve the vision and goals.


3. Framework for Enhancing Cyber Systems Security in the Nuclear Sector

As U.S. energy policy confronts challenges such as increasing demand for electricity and clean sources of electrical energy, securing the supply of safe, clean nuclear power is a priority not only for the Nuclear Sector, but also for the Nation. Advances in securing cyber systems used in nuclear power plants must go far beyond the pressing security concerns of today by taking a comprehensive approach that prepares for the needs of tomorrow. Nuclear power facilities will need to continue to understand and manage cyber system risks, secure their legacy systems, conduct vulnerability assessments, apply security tools and practices, and consider next-generation systems. As in all businesses, cyber systems security improvements beyond the level required by regulation must compete with other investment priorities, such as repairs, equipment upgrades, other safety or security needs, and workforce investments. Government also has a large stake in the process because nuclear power is an essential part of the Nation’s clean energy mix. A coordinated strategy that links and integrates the efforts of industry and government is needed to achieve mission-critical goals. This concept manifests itself in the Nuclear Sector’s vision statement, guiding principles, and goals.

Vision

In 15 years, systems critical to plant operations will adequately protect commercial nuclear power from cyber threat so that the current functional reliability and resilience are maintained despite cyber attacks or incidents.

• The operators of these plants must have a strong cybersecurity program to ensure that implemented security measures are continuously effective and newly discovered applicable vulnerabilities or root cause are effectively addressed.

• The program must include monitoring and assessment of networks to capture any anomalies or changes in baseline function/configuration while operating or when they are restored to service.

• Security states must be preserved despite plant manipulation for forensic, diagnostic, and tracking purposes.

This vision is accomplished using a defense-in-depth approach that integrates resilient and trustworthy architectures, components, and practices with security features that are built-in, transparent, and validated throughout the life cycle.

Guiding Principles

Two crosscutting principles underlie the vision:

• A culture of security, in which functional reliability, security, and resilience become an integral part of the industry’s safety culture, supported by information sharing, training, and collaborative partnerships

• A security-life-cycle approach, supported across the supply chain, in which security measures are increasingly integrated into the full life cycle of cyber system architectures and components as next-generation systems evolve

A culture of security is one in which security has parity with safety in daily, mid-term, and long-term operations. Security training is coupled to annual staff performance reviews, and all sector stakeholders, managers, and employees understand and contribute to the success of security initiatives, embracing concepts such as creating and protecting stronger passwords. Likewise, visitors are briefed on security requirements as well as safety requirements before they are allowed entrance into operational areas of the plant.

A culture of security is also supported by information sharing and collaborative partnerships that enhance knowledge and solutions development within the sector and across dependent and interdependent sectors. The commercial power reactors and other appropriate sector representatives exchange information and ideas with, and also receive cyber threat reporting from, the DHS Office of Intelligence and Analysis (I&A) and the NRC’s Intelligence Liaison and Threat Assessment Branch (ILTAB). The sector also receives advisories, alerts, warnings, and best practices from DHS’s U.S. Computer Emergency Readiness Team (US-CERT) and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), as well as the DHS Control Systems Security Program (CSSP), which help the sector better understand and prepare for ongoing and emerging control systems cybersecurity issues, vulnerabilities, and mitigation strategies.

A security-life-cycle approach recognizes that, from the very start, security needs to be considered across the full life cycle of cyber system components. This means that the design of new systems needs to consider the plant cybersecurity program and its approach so that the system has capabilities to rely on the plants’ cybersecurity program to address baseline vulnerabilities. This will ensure that reliability of the new system is not reduced by the increase in complexity of the design. In addition, this will allow owner-operators of these plants to efficiently and effectively maintain a comprehensive cybersecurity program. As a result, the procurement requirements of these systems need to consider how the acquired systems will be integrated into the cybersecurity program. These security considerations may affect procurement decisions. Certifications may help vendors demonstrate understanding and conformance with certain security principles and standards, but the certification requirements are not so arduous as to discourage companies from participating in the power reactor cyber component market. With security by design, a fundamental understanding of security occurs across the entire supply chain—from the universities that train students to write secure code, to the organizations that practice secure development life-cycles—ensuring that formal verification and traceability are maintained throughout the design and operating process.

Goals

Achieving secure cyber systems for critical applications within 15 years is a daunting challenge for any sector, but particularly so for Nuclear. Because some cyber system improvements will require NRC review and approval, change may take time. Many cyber system improvements will require the power reactor to be shut down for maintenance or refueling in order to be implemented. Planned shutdowns of these types occur only once per 18–24 months, potentially extending further the timeframe for implementation of cyber system security improvements. Taking these constraints into account, nuclear power reactor stakeholders must still pursue an aggressive timetable of milestones and deliverables for Roadmap implementation. Fixing current security problems is not enough. New cyber threats are emerging at an accelerating pace, requiring an integrated strategy for securing systems into the future. The industry will realize its vision through the pursuit of four key goals:

Measuring and assessing security posture. Capabilities for continuous security state monitoring and risk assessment of cyber systems will be widely employed and optimized within the context of each organization.


Developing and implementing protective capabilities. Capabilities for neutralizing classes of threats and eliminating vulnerabilities will be widely employed and optimized within the context of each organization.

Managing incidents. Unified capabilities for mitigating a cyber incident, returning quickly to normal operations, and effective information sharing will be widely employed among all sector and interdependent sector stakeholders.

Sustaining security improvements. Collaboration between industry, academia, and government will maintain a robust research and development (R&D) pipeline, ready workforce, and widely employed best practices.

Strategies

These four goals provide a framework and strategies for organizing the collective efforts of industry, government, and other key stakeholders to realize the roadmap vision. These strategies include developing tools for better measuring and assessing cyber system security, integrating protective measures, detecting and responding to intrusions, and continuously improving systems to sustain security as new threats surface. To be successful, however, projects, activities, and initiatives that result from the roadmap should be tied to the milestones shown in Table 3.1.


Table 3.1 Roadmap to Enhance Cyber Systems Security in the Nuclear Sector

Vision

In 15 years, systems critical to plant operations adequately protect commercial nuclear power from cyber threat so that the current functional reliability and resilience are maintained despite cyber attacks or incidents.

• The operators of these plants must have a strong cybersecurity program to ensure that implemented security measures are continuously effective and newly discovered applicable vulnerabilities or root cause are effectively addressed.

• The program must include monitoring and assessment of networks to capture any anomalies or changes in baseline function/configuration while operating or when they are restored to service.

• Security states must be preserved despite plant manipulation for forensic, diagnostic, and tracking purposes.

This vision is accomplished using a defense-in-depth approach that integrates resilient and trustworthy architectures, components, and practices with security features that are built-in, transparent, and validated throughout the life cycle.

Principles

A Culture Of Security, in which functional reliability, security, and resilience become an integral part of the industry’s safety culture, supported by information sharing, training, and collaborative partnerships

A Security-Life-Cycle Approach, supported across the supply chain, in which security measures are increasingly integrated into the full life cycle of cyber system architectures and components as next-generation systems evolve

Major Barriers

• Risk profile is multidimensional and has a short window of relevancy
• Changing technologies are incompatible with a deterministic approach
• Complexity, volume, and speed of cyber systems hinders analysis
• Lack of commonly understood terms, language, and frameworks presents challenges
• Attracting and retaining a ready workforce is difficult

Strategies

1. Measure and Assess Security Posture

2. Develop and Implement Protective Capabilities

3. Manage Incidents

4. Sustain Security Improvements

Near-term Milestones (0–4 years)

1.1 Cybersecurity methods and framework for cyber systems initiated

2.1 Measures to benchmark and compare protective capabilities initiated

3.1 Capabilities to support and implement cyber attack response decisionmaking for control room operators commercially available

4.1 Field-proven best practices for cybersecurity integrated into new cyber system designs

4.2 Common language of cybersecurity culture understood by all stakeholders

4.3 Cybersecurity training and qualifications integrated into accredited training programs

Mid-term Milestones (5–9 years)

1.2 Capabilities for continuous security state monitoring and risk assessment of cyber systems commercially available

2.2 Lifecycle framework for developing, implementing, and validating security solutions established

2.3 Capabilities to evaluate protective capabilities of cyber components and systems commercially available

3.2 Lessons learned from cyber incidents documented and shared throughout the Nuclear Sector

3.3 Capabilities to identify cyber incidents and conduct real-time forensics commercially available

4.4 Roadmap refreshed to address evolving risk environment

Long-term Milestones (10–14 years)

1.3 Dynamic tools that adapt risk assessment capabilities to changing threats commercially available

2.4 Scalable access control for cyber devices implemented and kept up to date

2.5 Communication protocols with integrated security capabilities implemented and kept up to date

3.4 Capabilities for automated response to cyber incidents, including best practices for implementing these capabilities available

3.5 Enhanced capabilities to continue safe operations despite system faults, implemented and kept up to date

4.5 Roadmap widely adopted by owner-operators, executives, researchers, vendors, educators, and regulators

Goals (15 years)

Capabilities for continuous security state monitoring and risk assessment of cyber systems widely employed and optimized within the context of each organization

Capabilities for neutralizing classes of threats and eliminating vulnerabilities widely employed and optimized within the context of each organization

Unified capabilities for mitigating a cyber incident, returning quickly to normal operations, and effective information sharing widely employed among all sector and interdependent sector stakeholders

Collaboration between industry, academia, and government maintains a robust research and development pipeline, ready workforce, and widely employed best practices


Measure and Assess Security Posture

Protecting nuclear cyber systems begins with a thorough understanding of the sector’s current security posture. To gain this understanding, reliable and widely implemented tools, techniques, and methodologies are needed for measuring and assessing cyber system vulnerabilities and consequences. Because of the unique configurations of cyber systems, owner-operators need a cybersecurity framework and, eventually, automated, continuous security state monitoring tools that adapt risk assessment capabilities to changing threats. Measurement and assessment of the emerging threat environment is also necessary to characterize a risk profile that is multidimensional and rapidly changing. Nuclear cyber system personnel need security tools and practices that will continuously address risks to both new and old systems. These systems will benefit from the use of best practices, risk-informed security procedures for plant personnel and contractors, secure communications protocols, intrusion detection tools, and security event management, all of which will help baseline cyber systems security for measurement and assessment over time. It is also important for the measures and criteria applied for measuring and assessing cyber security postures to be consistent with and complementary to cyber systems and other nuclear power reactor regulatory requirements. These goals can best be addressed throughout the commercial power industry. In addition to laying the groundwork for this framework, the ultimate goal of this first key strategy is to ensure that nuclear infrastructure asset owner-operators have established and maintain a comprehensive cybersecurity program that includes the capabilities for continuous security state monitoring. An overview of the barriers, milestones, and needs for measuring and assessing security posture is shown in Table 3.2.

Barriers

Currently, it is difficult for Nuclear Sector asset owner-operators to have adequate understanding of the risks of a cyber attack due to rapid change, uncertainty, and ambiguity. The growing number of nodes and access points has made identifying vulnerabilities more complex. Widely implemented industry standards, consistent measures, and reliable measuring tools are essential to assessing the security/risk of these increasingly complex cyber systems and all of their components and links; however, these tools are not readily available.

Needs

The Nuclear Sector needs a cybersecurity framework that will be broadly adopted and reflects consensus on how to define critical challenges and match them with appropriate solutions. Methods must withstand scientific scrutiny and evaluation for appropriateness in a nuclear context. Owner-operators also need the tools to perform self-assessments of their security postures, which should be accompanied by the development of risk assessment tools that assess vulnerabilities, help prioritize protective measures, and justify the costs of remediation in the mid-term. Also, in the mid-term, clear and consistent cyber systems security measures are needed. These capabilities will help the industry shift from meeting current baselines for complying with existing standards in the near- and mid-term, to addressing the need for continuous security state monitoring in the long term. In addition, the sector needs systems that automate security-state monitoring and remediation, similar to the way in which the energy sector currently automates and manages energy operations.


Table 3.2. Strategy: Measure and Assess Security Posture

15-YEAR GOAL: Capabilities for continuous security state monitoring and risk assessment of cyber systems widely employed and optimized within the context of each organization

Milestones (Near Term: 0–4 years; Mid Term: 5–9 years; Long Term: 10–14 years)

1.1. Cybersecurity methods and framework for cyber systems initiated
1.2. Capabilities for continuous security state monitoring and risk assessment of cyber systems commercially available
1.3. Dynamic tools that adapt risk assessment capabilities to changing threats commercially available

Barriers

• Risk profile is multidimensional and has a short window of relevancy due to the rapid pace of change in threat vectors and vulnerabilities
• Cyber attack risk is often not adequately known or understood as threats, vulnerabilities, and consequences are uncertain and ambiguous
• Interdependencies are not well understood
• Physical impacts are not well understood
• Difficult to provide actionable and timely information of security posture from vast quantities of disparate data from a variety of sources and levels of granularity
• Lack of quantifiable, repeatable methods and framework for measuring and assessing overall security risk
• Lack of agreed measures and criteria for measuring and assessing security posture
• Interpreting requirements and activities to measure and assess security posture is difficult and variable
• Existing standards lack meaningful and measurable specifications relating to cybersecurity
• Insufficient numbers of technically trained assessors

Needs

Cybersecurity Framework

• Develop, make commercially available, and widely adopt cybersecurity methods and framework for cyber systems that:
  o have broad support
  o can be enhanced over time to incorporate changes in threat and vulnerability landscape
  o measure security capability and effectiveness, with the ability to use quantitative analysis, such as regression analysis, or forward looking analysis
  o cover a continuous domain
  o can be used to identify areas of needed improvement, make decisions, evaluate the quality of options, evaluate susceptibility, and justify actions
  o can withstand scrutiny
  o are measurable to enable comparison of different organizations
  o consider organizational context and are scalable to their capacity
• Take into account the relevant sector environment in order to establish security framework that goes beyond NRC regulations
• Determine threshold of reasonableness and set boundaries for analysis according to the unique capabilities and requirements of the organization
• Create and scientifically vet assessment methods that establish measurable comprehensive cybersecurity postures
• Create and scientifically vet for repeatability, methods that clearly weigh, compare and map cybersecurity measures to the threshold of defensive capability they provide

Security Monitoring

• Incorporate continuous monitoring with help from outside the sector in addition to compliance requirements through:
• The development and integration of consistent methods into practical and cost-efficient assessment tools for repeatable results that can be compared over time
• Development of a dynamic capability to adapt to changing cyber threats
• Development of solutions to better converge cyber-physical model to enhance understanding of physical impacts
• Consideration of information assurance capability models that assist in measuring progress
• Traceable access to security postures to enable timely identification of supply chain threats
• The statement and recognition of scope of control
• Development of requirements and expectations for audit teams

Bolded text indicates the top priority activities identified by participants at the January 2011 Roadmap Workshop


Develop and Implement Protective Capabilities

This key strategy focuses on developing and implementing the security tools and practices that personnel need to address risks as security problems are identified or anticipated. Defensive measures will offer a threshold of protection based upon known threats and vulnerabilities. A performance-based approach to protective capabilities supports a security-life-cycle approach to proactively neutralize classes of threats and eliminate vulnerabilities. For legacy systems, protective measures will incorporate the application of proven best practices and security tools, procedures and patches for fixing known security flaws, training programs for staff at all levels, and retrofit security technologies that do not degrade system performance.

This strategy also focuses on critical infrastructure access controls and communications. Communication between remote devices and control centers and between business systems and control systems is a common security concern that requires secure links, device-to-device authentication, and effective protocols. However, the most comprehensive security improvements are realized with the development and adoption of next-generation cyber system architectures. Nuclear cyber system architectures are widely distributed within the plant, and are complex. Complexity increases exponentially with an increase in the number of nodes, widespread and continuous connectivity, and remote access by multiple parties and devices. Scalable access control for cyber devices and communications protocols with integrated security capabilities must be widely employed and kept current. An overview of the barriers, milestones, and needs for developing and implementing protective capabilities is shown in Table 3.3.

Barriers

The current Nuclear Sector infrastructure is characterized by aging, legacy, and hybrid systems that may not include effective security measures and are difficult to integrate with new technologies. Older operating platforms may have limited or no vendor service support, thus limiting their ability to secure the systems. Today’s cyber systems are increasingly interconnected and operate on open software platforms that increase vulnerabilities and risks when improperly implemented. Open protocols subject to peer reviews can find and eliminate more errors than proprietary efforts. Poorly designed connections between cyber systems and enterprise networks may also increase risks. Security improvements for legacy systems are limited by the existing equipment and architectures that may not be able to accept security upgrades without degrading performance. New architectures must be designed to address potential threats that have not yet surfaced and to accommodate the exceptionally large number of nodes and access points that increase security concerns.

Needs

Once a protective capability approach is defined, a life-cycle framework can be developed using basic security principles drawn from best practices common across many industries. This framework should be used to develop consistent security requirements that cover all life-cycle aspects (e.g., system development, operations management), be implemented internationally (using a common lexicon), and build upon fundamentals already established. This framework should provide the structure for developing, implementing, and validating security solutions. In addition, next-generation access control for digital systems and components needs to be validated, communications could be improved by creating a critical infrastructure domain that limits access to appropriate stakeholders, and a “travelers list” of common threats can be developed to help identify potential issues when visiting a new environment.


Table 3.3. Strategy: Develop and Implement Protective Capabilities

15-YEAR GOAL: Capabilities for neutralizing classes of threats and eliminating vulnerabilities widely employed and optimized within the context of each organization

Milestones (Near Term: 0–4 years; Mid Term: 5–9 years; Long Term: 10–14 years)

2.1 Measures to benchmark and compare protective capabilities initiated
2.2 Life-cycle framework for developing, implementing, and validating security solutions established
2.3 Capabilities to evaluate protective capabilities of cyber components and systems commercially available
2.4 Scalable access control for cyber devices implemented and kept up to date
2.5 Communication protocols with integrated security capabilities implemented and kept up to date

Barriers

• Solution Validation and Acceptance Testing
  o Limited vetting of existing security solutions
  o Lack of non-biased validation testing capability
  o Lack of repeatable, quantifiable vendor framework on protective capabilities
  o Lack of consensus on protective/defensive capabilities
  o Difficulty in avoiding disruptions when testing or implementing new solutions on real-time operations
• Managing Change
  o Lack of awareness of available security products
  o Knowing the most effective solution
  o Keeping basic security principles from getting lost
  o Developing easy-to-use risk-mitigation products
  o Burden of implementing and maintaining password protected devices
• Evolving Landscape
  o Aging systems; older operating systems may have limited or no support
  o Uncertainty in threats makes anticipating problems difficult
  o Changing technology (e.g., cloud-based computing) incompatible with deterministic approach
  o Lack of efficiency in cyber programs to date
  o National laboratories are not funded and authorized to address unique needs of the Nuclear Sector
  o System architectures are increasingly more distributed and complex, increasing potential cyber attack opportunities
• Lack of capabilities to identify and reduce unknown threats and vulnerabilities
  o Limited knowledge of operations can make implementing existing cybersecurity solutions more challenging
  o Hardwiring security solutions may ruin component warranties
  o Commercial off-the-shelf products may not be configured properly, and basic security features may not be enabled

Needs

Protective Framework

• Widely implement cybersecurity methods and framework for cyber systems that:
• Enumerate basic security principles drawn from best practices common across every industry and describe how to implement them; these principles should:
  o have an appropriate lexicon (terms and language) and framework for security assurance
  o be implemented internationally
  o cover all lifecycle aspects, such as system development and operations management
  o build upon established fundamentals
• Embrace and adopt common criteria for protective capability
• In some cases, slow down implementation of security solutions; faster is not always better

Access Control/Secure Communications

• Develop “travelers list” of common threats to help identify potential issues when visiting a new environment
• Develop approach to authenticate more devices to enhance understanding of what is on the network
• Develop tools, techniques, and capabilities to validate next-generation components and systems
• Develop scalable security solutions that consider current security capabilities
• Design out old technologies to make interoperability issues irrelevant
• Keep software up to date
• Engage with vendors on advancing large data set analytics for security event management, such as application whitelisting
• Develop light-weight encryption
• Clean strip environment when developing code
• Create a critical infrastructure domain (e.g., supernet) that is anonymous and limits access to appropriate stakeholders

Bolded text indicates the top priority activities identified by participants at the January 2011 Roadmap Workshop


Manage Incidents

Because protective measures, no matter how proactive, may fail to prevent a cyber incident, agile detection, remediation, recovery, and restoration capabilities are needed to minimize the impact of incidents when they occur. Increasingly complex cyber systems offer the sector a pathway toward better incident management, but the complexity of the systems also presents new challenges that must be overcome to ensure timely response, recovery, and forensic analysis. To fully leverage the potential offered by these systems, the sector needs new, unified capabilities for mitigating cyber incidents that enable rapid return to normal operations, and sharing incident response experience and lessons learned, both within the sector and across interdependent sectors.

Achieving this goal will require the development and implementation of commercially available, regularly updated tools and capabilities that support enhanced decisionmaking, incident detection, automated incident response, threat isolation, and real-time forensics. The development and implementation of these capabilities must be supported by widespread documentation and sharing of lessons learned from cyber incidents. An overview of the barriers, milestones, and needs for managing incidents is shown in Table 3.4.

Barriers

Traditional cybersecurity incident response methods may be slow, hampered by rigid cybersecurity measures and the improper application of traditional information technology solutions. There is little accommodation for automated response and isolation in existing response approaches. Post-incident analysis is inhibited by the lack of clear cybersecurity incident response methods for industrial control systems. Routine security log analyses (and resulting changes) are of limited value because of an inability to tie log analysis to industrial control system threats. Cyber systems operate faster than humans can manually analyze them. In addition, industrial control systems often include limited logging and analysis capabilities, making it possible for attack evidence to be lost.

Needs

The sector would benefit from the development of automated response and isolation systems based on predictive measures in order to improve response and isolation capabilities. This would allow personnel to effectively contain vulnerabilities and get affected systems back online. To improve post-incident analysis and the creation and sharing of lessons learned, the sector should work to draw actionable information from security log analysis, maintain records to assist with discovering incidents after the fact, develop just-in-time forensics to implement short-term lessons learned, and develop systems that can simultaneously obtain forensic data and conduct post-incident analyses. Forensic capabilities should be expanded so the sector can differentiate cyber problems from other hazards, and identify instances in which a physical process anomaly is reflective of an underlying cyber system incident. A value proposition for the application of forensic data in the decisionmaking process should also be established, and the industry should evaluate the feasibility of using backup systems that can be swapped in for corrupted systems after an incident so that the corrupted systems can be subjected to forensic analysis (presuming that real-time forensics is limited or unavailable).


Table 3.4. Strategy: Manage Incidents

15-YEAR GOAL: Unified capabilities for mitigating a cyber incident, returning quickly to normal operations, and effective information sharing widely employed among all sector and interdependent sector stakeholders

Milestones (Near Term: 0–4 years; Mid Term: 5–9 years; Long Term: 10–14 years)

3.1 Capabilities to support and implement cyber attack response decisionmaking for control room operators commercially available
3.2 Lessons learned from cyber incidents documented and shared throughout the Nuclear Sector
3.3 Capabilities to identify cyber incidents and conduct real-time forensics commercially available
3.4 Capabilities for automated response to cyber incidents, including best practices for implementing these capabilities available
3.5 Enhanced capabilities to continue safe operations despite system faults implemented and kept up to date

Barriers

• Roles and responsibilities vary, and rate and speed among stakeholders differ, when under attack
• Complexity is a challenge to safety and security
• Cybersecurity measures may negatively impact rapid response to emergencies
• Lack of accommodation for automated response and isolation
• Traditional response methods may be too slow
• Complexity, volume, and speed of cyber systems hinder manual analysis by humans
• Forensic systems are not as fast as attack systems
• Improper application of traditional information technology solutions can disable or shut down operation
• Periodic and appropriate reviews of security logs and resulting change management often receive limited attention
• Short shelf life of existing detection methods (e.g., virus signatures); old data is replaced by new, which can result in forensic data being lost in memory

Needs

Response and Recovery

• Develop capability to prevent an exploited vulnerability from affecting operations and becoming an incident
• Develop automated response and isolation capability to quickly get affected system back online
• Develop solution that simultaneously obtains sufficient forensic data and conducts post-incident analysis
• Develop lessons-learned by drawing actionable information from security log analysis
• Establish predictive measures
• Develop automated isolation mechanisms based on predictive measures

Forensics

• Develop the capability to recognize a cyber incident by differentiating cyber problems from other hazards
• Develop the capability to identify periodic anomalies that might be cyber-related, but manifest themselves in a mechanical way
• Develop a value proposition for (and time function of) forensic data as it relates to decisionmaking processes
• Develop just-in-time forensics to implement short-term lessons learned
• Develop the processes and technologies to facilitate replacement of corrupted systems with backup systems, in order to use corrupted systems for forensic analysis (mirror drive as security log)


Sustain Security Improvements

A rapidly evolving risk environment requires owner-operators to implement long-term strategies characterized by vigilance and the ability to proactively and dynamically respond to changes in the risk landscape. This roadmap, in laying out a framework and key strategies, is intended to play an integral part in achieving this goal. To do so, it must be widely embraced across the relevant stakeholder groups, including industry, vendors, government, and research and development organizations, and regularly updated to address the evolving risk environment.

As cyber systems become increasingly complex, these stakeholder groups must coordinate and collaborate. Collaborative partnerships are necessary to support a robust pipeline of research and development, ensure a well-trained and prepared workforce that can address current and future threats, and standardize and communicate best practices industry wide. In addition, a common language of cybersecurity for the sector must be created and promoted among all stakeholder groups, cybersecurity training must be integrated into periodic employee training programs, and best practices must be widely documented and shared. An overview of the barriers, milestones, and needs for sustaining security improvements is shown in Table 3.5.

Barriers

Competitive and intellectual property concerns sometimes limit the amount of vulnerability and vulnerability mitigation information that stakeholders share. Furthermore, information not shared in a timely manner quickly loses its usefulness. In addition, the industry is facing a major human resource crisis characterized by a high rate of retirements, lack of information transfer from more experienced workers to newer industry recruits, and the potential stagnation of the critical skills required to respond to cyber system incidents. Although part of this challenge is inherent in demographic trends, it is partially caused by the lack of economic or other hard data to convince executives of the importance of investing in cyber systems and cyber training over the long term. These human resource trends become even more worrisome as the trend toward increasing attack sophistication continues. All of these challenges must be met to ensure the nuclear workforce continues to be prepared to deal with increasingly complex and harmful threats. Nuclear cyber system personnel also lack a way to assess risk of technical innovation in such products prior to implementation.

Needs

Responsibilities must be coordinated among stakeholders in several key areas, including sharing cybersecurity information across sectors, leveraging existing government and industry roadmap efforts, educating the industry about technology requirements, and establishing a proactive security capability that provides a core set of technologies and 24 x 7 monitoring.

To ensure a ready workforce, employee training programs should be updated to incorporate cybersecurity training and qualifications, and undergraduate and technical/training school curricula should be updated to teach cybersecurity principles and techniques. Changes in the industry cultural environment can also help reshape the industry to appeal to younger workers.

To create a framework of information sharing and dialogue, a common language that every sector group can use and understand must be generated. Sector-specific messages should be developed that motivate awareness of and attention to cyber systems, much like organizations have successfully created safety messaging and a safety culture in the workplace. Finally, there is a need for improved revenue models for vendors to encourage the creation of products tailored to specific industry security needs or to create a range of products to address a particular industry issue.


Table 3.5. Strategy: Sustain Security Improvements

15-YEAR GOAL: Collaboration between industry, academia, and government maintains a robust R&D pipeline, ready workforce, and widely employed best practices

Milestones (Near Term: 0–4 years; Mid Term: 5–9 years; Long Term: 10–14 years)

4.1 Field-proven best practices for cybersecurity integrated into new cyber system designs
4.2 Common language of cybersecurity culture understood by all stakeholders
4.3 Cybersecurity training and qualifications integrated into accredited programs
4.4 Roadmap updated to address evolving risk environment
4.5 Roadmap widely adopted by operators, executives, researchers, vendors, educators, and regulators

Barriers

• Information sharing is hampered or slowed by institutional concerns over the disclosure of security-related or intellectual property information; older threat information is less useful for developing today’s security solutions

• The industry lacks an integrated strategy for enhancing cyber systems and achieving a global understanding of incidents

• There is no entity or individual responsible for finding synergies among the various sector roadmaps and driving the Nuclear Sector’s cyber strategy

• Revenue pressures lead to “one-size-fits-all” solutions

• Maintaining a skilled, robust workforce is difficult in the face of retirements, public perception of the industry, and stagnation of skills

• Executives lack a clear, compelling business case that could drive change and create an ongoing culture of cyber systems investment and accountability

• There are no technical models that can help businesses understand the security risks of operational innovations

• An appropriate reinforcing regulatory framework that aligns with roadmap priorities is lacking; existing regulations slow solution development and limit asset owners’ actions

Needs

Collaboration-Driven R&D Pipeline

• Create mechanisms to ensure roadmap information is shared across sectors
• Leverage existing government and roadmap efforts
• Develop appropriate incentives or disincentives for all stakeholder groups to share information

Ready Workforce

• Integrate cybersecurity training and qualifications into periodic employee training programs
• Create industry specific teams who know nuclear and target sets that can be affected:
  o Experienced in other sectors
  o Possibly the Nuclear Energy Institute
• Integrate cybersecurity training into undergraduate programs (e.g., utility specific) and develop technical training programs
  o Community college
  o DHS cybersecurity programs, industry, and NRC feed the content
• Change industry cultural environment to be more compatible with next-generation workforce

Best Practices

• Institute a change management plan and organizational accountability for cybersecurity
  o Evaluated, good practices, etc.
• Proactive security capability through core technologies and 24 x 7 monitoring
• Common language that every sector and stakeholder group uses and understands
• Ensure that the sector has consistent message on what it needs
• Implement the security in the same way as the safety culture
• Bring together cybersecurity vendors and other IT vendors (Microsoft, CISCO) to educate the sector on technology requirements, thereby encouraging vendors to own the problem
• Develop sector-specific training for managers and operators on cybersecurity—function-specific, refreshed
• Develop strategy for “mass knowledge transfer”
• Recruit DOE partner to help with a public relations effort on behalf of cybersecurity in nuclear power
• Bring in expertise to help and be ready to endure disagreements

Bolded text indicates the top priority activities identified by participants at the January 2011 Roadmap Workshop


4. Roadmap Implementation

This roadmap contains a structured set of priorities that address specific cybersecurity needs over the next 15 years. The Nuclear Sector will pursue a focused, coordinated approach that aligns current activities to roadmap goals and milestones; initiates specific projects to address critical challenges; and provides a mechanism for collaboration, project management, oversight, and information sharing among sector stakeholders. The objective of this coordinated approach is to accomplish clearly defined activities, projects, and initiatives that contain time-based deliverables tied to roadmap goals and milestones.

Cyber systems security is a shared responsibility among asset owners and operators, government, vendors, and other stakeholders who contribute to the safe and secure use of cyber systems to control processes and manage and govern critical infrastructure. The cyber systems stakeholder community also includes government agencies, industry organizations, commercial entities, R&D organizations, and universities, each of which brings specialized skills and capabilities for improving cyber systems security and protecting critical infrastructure. Over the long term, each of these groups can make significant contributions toward achieving enhanced cyber systems security in the Nuclear Sector:

• Asset owner-operators will continue to improve the reliability and resilience of cyber systems by making the appropriate investments, reporting threat information to the government and industry partners, and implementing protective practices and procedures

• Federal, State, local, tribal, and territorial agencies will continue to appropriately share threat information and collaborate with industry to identify and fund challenges in cyber systems security research, development, and testing efforts

• Industry organizations will provide ongoing coordination and leadership to help address important barriers, form partnerships, and help to develop standards and guidelines specific to the needs of the commercial power reactor community

• Vendors such as system and software developers and system integrators will increase their collaboration with industry in the development and delivery of cyber systems products and services to meet the security needs of asset owner-operators

• R&D organizations, funded by government and industry, will increase their collaboration with industry stakeholders, explore long-term security solutions, develop new tools, and address solutions for cyber system vulnerabilities, hardware, and software

• Universities and colleges, chartered to provide education for future generations, will expand the number of courses and degrees that satisfy the needs and requests of industry

This roadmap encourages this broad range of stakeholder organizations to participate in ways that will best capitalize on their distinct skills, capabilities, and resources for improving the security of cyber systems in the Nuclear Sector. This affords them the flexibility to pursue projects that correspond with their special interests. Near-term action is required to achieve the roadmap’s goals and realize the outcomes listed above. The rest of this section outlines the minimum efforts needed to effectively implement this roadmap, with an emphasis on near-term actions.

Next Steps

Immediate action will be required to publicize the roadmap, gather feedback, and begin identifying and tracking key projects that will help realize its goals and milestones. The following are potential next steps for roadmap implementation:

• Establish a working group to obtain roadmap feedback and coordinate, develop a roadmap implementation plan, and identify, track, and resolve roadmap implementation issues. Implementing the roadmap will require the commitment and resources of multiple organizations with diverse missions, business objectives, and assets. A Nuclear Sector Roadmap Implementation Working Group or similar entity, with similar composition to that of the Roadmap Steering Committee, will be established to provide the necessary leadership and management to sustain the Nuclear Sector’s momentum. The working group will solicit and respond to feedback on the roadmap and coordinate, develop a roadmap implementation plan, and identify, track, and resolve roadmap implementation challenges. The group will engage stakeholders to resolve technical concerns, provide transition guidance, assist organizations that have program management challenges, and act as a monitor and central clearinghouse for the actions and milestones discussed in this roadmap. It may also assist with subject matter review of research and development proposals and develop future implementation strategies, as requested.

• Create and maintain a central repository on an online portal for the roadmap. The security landscape is constantly evolving, and new products, best practices, and events will be launched to address the evolving threat. A forum, portal, or other interactive, online repository will be of primary importance in providing a single source of current information about progress toward roadmap goals. Such a Web site or other repository can also play a key role in a roadmap communications strategy, helping to promote the roadmap, and monitor, survey, and track progress toward its goals.

• Provide regular communications with sector members about roadmap progress. Diverse sector stakeholders will need to stay abreast of new developments, be able to engage in meaningful dialogue about best practices and notable challenges, and uncover potential gaps or cross-cutting problems that must be addressed. Periodic regional roadmap implementation workshops or similar events can be used to inform the sector about the roadmap’s goals and milestones, provide awareness training, and solicit new ideas for activities directed toward meeting the milestones.

• Encourage alignment of government and industry resources to support roadmap goals. Stakeholders have numerous, varied, and often competing priorities. To focus the sector’s efforts to meet roadmap goals, it will be necessary to eliminate potentially overlapping or redundant efforts and identify opportunities for organizations to work together on joint areas of concern. This includes an active industry role in encouraging government agencies to align R&D resources and establish funding priorities based on the elements outlined within this roadmap and improving technology transfer by providing operational sites for field testing and validation of new technologies. Government funding plays a key role in supporting necessary, long-term R&D that offers incentive for business investment. On a periodic basis, the alignment of government and industry resources should be reviewed, assessed, and realigned as necessary to support the achievement of roadmap goals.

Industry Activities

Activities undertaken in support of the roadmap can build on existing efforts to enhance cyber systems security in the Nuclear Sector. Prior to the publication of the Nuclear Regulatory Commission’s (NRC’s) cybersecurity rule in 10 CFR 73.54, two security-related NRC orders issued in the wake of the September 11, 2001, attacks required that nuclear power plant owner-operators enhance the cybersecurity of their digital systems. To facilitate the implementation of these orders, the NRC developed and issued a technical report in the NUREG-series on methods for performing a cybersecurity self-assessment at U.S. nuclear power plants. The report provided guidance on how to systematically identify cyber vulnerabilities at their facilities; assess their relative (security) risk significance; and institute cost-effective mitigating measures. Using this NRC report as a foundation, an industry task force organized by the Nuclear Energy Institute (NEI) developed comprehensive guidance (NEI 04-04) that nuclear power plant owner-operators could use to develop and manage an effective cybersecurity program. In December 2005, the NRC staff endorsed this NEI guidance as an acceptable method for establishing and maintaining a cybersecurity program at nuclear power plants pending issuance of the 2009 cybersecurity requirements under 10 CFR 73.54 discussed above.

Nuclear Information Technology Strategic Leadership

The Nuclear Information Technology Strategic Leadership (NITSL) is an organization that brings together the leaders in the nuclear utility industry and regulatory agencies to address the issues involved with information technology used in nuclear-powered utilities. NITSL maintains an awareness of industry information-technology-related initiatives and events, and communicates those events to the membership.

Exhibit 4.1. Roadmap Implementation Process

American Society of Mechanical Engineers

The American Society of Mechanical Engineers (ASME) is a not-for-profit membership organization that enables collaboration, knowledge sharing, career enrichment, and skills development across all engineering disciplines. ASME provides quality programs in continuing education, training and professional development, codes and standards, research, conferences and publications, government relations and other forms of outreach. The ASME Systems, Structures and Components Design and Analysis Technical Committee strives to institute an environment conducive to promoting excellence in areas of design, structural integrity, engineering, reliability, instrumentation & control, and materials analysis for nuclear reactor facilities. Among other objectives, the Committee works to facilitate the dissemination of knowledge in the fields related to instrumentation & control systems, which include analog & digital instrumentation and control systems, cyber security, integrated control rooms, human machine interface technologies, and online monitoring. ASME moderates/leads all technical professional societies with respect to Nuclear Sector cyber security.

Association for Computing Machinery

The Association for Computing Machinery (ACM) is widely recognized as the premier membership organization for computing professionals, delivering resources that advance computing as a science and a profession; enable professional development; and promote policies and research that benefit society. ACM hosts the computing industry's leading Digital Library and serves its global members and the computing profession with journals and magazines, conferences, workshops, electronic forums, and the Learning Center. ACM’s Special Interest Group on Security, Audit and Control (SIGSAC) sponsors research conferences and workshops on information, computer, and communications security that address all aspects of information and system security, encompassing security technologies, secure systems, security applications, and security policies.

Institute of Electrical and Electronics Engineers

The Institute of Electrical and Electronics Engineers (IEEE) is the world’s largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity. IEEE and its members inspire a global community through IEEE's highly cited publications, conferences, technology standards, and professional and educational activities. IEEE has authored hundreds of standards relating to the efficient operation and design of utility equipment, including several control system cyber security standards for power systems. IEEE is also working to develop standards in emerging areas such as wireless communication.

International Society of Automation

The International Society of Automation (ISA) is a leading, global, nonprofit organization that is setting the standard for automation by helping more than 30,000 worldwide members and other professionals solve difficult technical problems while enhancing their leadership and personal career capabilities. ISA has been working to develop cybersecurity standards via the ISA-99 committee on industrial automation and cyber systems security. This committee has produced several technical reports and standards. Members of the Nuclear Sector are encouraged to participate in ISA cybersecurity activities.

For More Information

For more information about the Roadmap to Enhance Cyber Systems Security in the Nuclear Sector, please contact:

Nuclear Sector-Specific Agency: [email protected]
Nuclear Energy Institute: [email protected]

Appendix A. Cyber Systems Landscape in the Nuclear Sector

For the purposes of this roadmap, cyber systems are defined as the facilities, systems, equipment, services, and diagnostics that provide the functional control or monitoring capabilities necessary for the effective and reliable operation of Nuclear Sector infrastructure. Cyber systems perform various functions and exist at different stages of evolution throughout the Nation’s critical infrastructure. Many of the cyber systems used today were designed for availability and reliability during an era when cybersecurity received low priority. These systems operated in fairly isolated environments and typically relied on proprietary software, hardware, and communications technologies. Infiltrating and compromising these systems often required specific knowledge of individual system architectures and physical access to system components.

In contrast, newer cyber systems are highly network-based and use common standards for communication protocols. Many controllers are Internet Protocol addressable. Asset owners and operators have gained immediate benefits by extending the connectivity of their cyber systems. They have increasingly adopted commercial off-the-shelf (COTS) technologies that provide the greater levels of interoperability required among today’s modern infrastructure. The systems necessary to safely operate the plant are isolated from external networks and other systems. However, standard operating systems such as Windows or UNIX are increasingly used in other areas of plant operations. These may be connected to remote systems via private networks provided by telecommunications companies. Common telecommunications technologies such as the Internet, public-switched telephone networks, or cable or wireless networks may be used.

Commercial Nuclear Power Reactors

Commercial nuclear power plants are unusual among the Nation’s critical infrastructure in that they currently have not integrated advanced digital cyber technologies to the extent that many other sectors have. This is due to a variety of factors, including the highly regulated power reactor landscape and the amount of time since the last commercial nuclear power reactor plant came online.7 Instead, control systems at nuclear power plants are often hybrid systems incorporating both analog and digital cyber technologies.

Industrial control systems (ICS) in nuclear power plants affect every aspect of plant operation. Their components and functions include the following:

• Sensors interfacing with the physical processes within a plant and continuously taking measurements of plant variables such as neutron flux, temperature, pressure, and flow.

• Control, regulation, and safety systems that process measurement data to manage plant operations, optimize plant performance, and keep the plant in a safe operating envelope.

• Communication systems for data and information transfer through wires, fiber optics, wireless networks, or digital data protocols.

• Human-system interfaces to provide information and allow interaction with plant operating personnel.

• Surveillance and diagnostic systems that monitor sensor signals for abnormalities.

• Actuators (e.g., valves and motors) operated by the control and safety systems to adjust the plant’s physical processes.

• Status indicators of actuators (e.g., whether valves are open or closed, and whether motors are on or off) providing signals for automatic and manual control.

7. Dudenhoeffer, Donald, et al., Instrumentation, Control, and Human-Machine Interface to Support DOE Advanced Nuclear Energy Programs, Idaho Falls, ID: Idaho National Laboratory, 1997.

In the control room, ICS and plant operators meet at the human-system interface. Although no two configurations will be identical, Figure 1 illustrates how these systems fit together within the context of reactor system operations.

Figure 1. Components of Typical Industrial Control Systems in Commercial Nuclear Power Plants8

Successful integration of digital ICS into the U.S. commercial nuclear power fleet faces a number of technical and regulatory challenges. Although the transition to digital systems may increase the potential for future vulnerabilities, digital systems also have the potential to enhance other elements of plant security, including material accountability and access control, such as intrusion detection, and anomaly and change detection. Furthermore, there is the potential for next-generation ICS architectures to include a security-life-cycle approach, which will increasingly address pre-existing potential vulnerabilities.

8. Adapted from National Resource Council, Digital Instrumentation and Control Systems in Nuclear Power Plants, Washington, D.C.: National Academy Press, 1997.

Cybersecurity Requirements for Commercial Nuclear Power Reactors

In 2009, the Nuclear Regulatory Commission (NRC) published a cybersecurity rule under 10 CFR 73.54 that requires commercial nuclear power plants to protect digital computer and communications systems and networks associated with the following safety, security, and emergency preparedness functions:

• Safety-related and important-to-safety functions;

• Security functions;

• Emergency preparedness functions, including offsite communications; and

• Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.

U.S. commercial power reactor owners/operators must provide high assurance that these digital computer and communication systems and networks are adequately protected against cyber attacks that aim to:

• Modify, destroy, or compromise the integrity or confidentiality of data or software;

• Deny access to systems, services, or data; or

• Impact the operation of systems, networks, and equipment.

To meet the requirement, these owners/operators must establish, implement, and maintain a cybersecurity plan. In accordance with the new requirements, all 65 nuclear power plant owners/operators submitted their cybersecurity plans to the NRC for review and approval by November 23, 2009.

The NRC has approved a guidance document, Regulatory Guide 5.71, “Cyber Security for Nuclear Facilities,” in order to assist in implementing the requirements. These documents provide assistance to new power reactor license applicants and current owners/operators on satisfying the requirements of the cybersecurity rule. They describe methods acceptable for establishing, implementing, and maintaining a cybersecurity program to comply with these regulations. The information contained within the guide represents the results of research and experience gained concerning cybersecurity program development and embodies findings by standards organizations and agencies, such as the International Society of Automation, the Institute of Electrical and Electronics Engineers, and the National Institute of Standards and Technology, as well as guidance from DHS. The NRC also found industry’s NEI-08-09, Revision 6 acceptable for use pending formal NRC endorsement.

The cyber security programs are centered on a defensive architecture that establishes security levels for critical digital assets (CDAs) separated by security boundaries such as firewalls and deterministic isolation devices, at which digital communications are monitored and restricted. CDAs are defined as those assets associated with safety or important to safety and security functions, as well as support systems and equipment that, if compromised, would adversely impact safety, security, or emergency preparedness functions.

CDAs associated with safety-related functions are allocated to the highest defensive level and are protected from all lower levels. Defensive boundaries between levels focus on eliminating or severely restricting data communications from lower levels to higher levels. This is accomplished through the use of deterministic isolation devices, or through devices that enforce security policy.

In order to create and maintain a defensive architecture, owners/operators implement technical, operational, and management controls in order to protect CDAs against cyber attacks. They must also create a cybersecurity team.

Technical Controls

Technical controls are safeguards or protective measures that are executed through nonhuman mechanisms contained within the hardware, firmware, operating systems, or application software. The attributes within this class include access controls, audit and accountability, system and communications protection, and identification and authentication. With technical controls, actions are preplanned or preprogrammed and automatically execute in response to a triggering event or are configured to provide electronic enforcement of policy. These actions generally do not require human intervention.

Operational Controls

Operational controls are protective measures typically performed by humans rather than by automated means. The attributes within this class include activities involving media protection, physical and environmental protection, personnel security, system and information integrity, contingency planning, incident response, maintenance, attack mitigation, continuity of functions, awareness and training, and configuration management. Operational controls are documented in procedures to ensure accountability of actions by plant personnel and contractors.

Management Controls

Management controls are those that concentrate on the management of risk and the security policy environment. The attributes within this class cover activities involving system or service acquisitions, security assessments and risk management, and the addition and modification of digital assets.

Cybersecurity Team – Roles and Responsibilities

The cybersecurity program is created and maintained by a cybersecurity team with defined and documented roles, responsibilities, authorities, and functional relationships. The team might include several categories of individuals:

• A cybersecurity program sponsor who is a member of senior site management (executive or officer level) and has overall responsibility and accountability for the cybersecurity program and provides the necessary resources for its development, implementation, or maintenance

• A cybersecurity program manager who is responsible for the following:
  o Overseeing cybersecurity operations
  o Functioning as the single point of contact for all issues related to cybersecurity
  o Providing oversight and direction on issues regarding cybersecurity
  o Initiating and coordinating cybersecurity incident response team (CSIRT) functions, as required
  o Coordinating with the NRC, DHS, U.S. Department of Energy, and Federal Bureau of Investigation, as required, during and after cybersecurity incidents and events
  o Overseeing and approving the development and implementation of a cybersecurity plan, policies, and procedures
  o Ensuring and approving cybersecurity education, awareness, and training activities

• Cybersecurity specialists who are responsible for the following:
  o Protecting CDAs from cyber threats
  o Understanding the cybersecurity aspects of the overall architecture of plant networks, operating systems, hardware platforms, software platforms, and applications; plant-specific applications; and the services and protocols upon which those applications rely
  o Performing cybersecurity evaluations of digital systems
  o Conducting security audits, vulnerability assessments, network scans, and penetration tests against CDAs
  o Conducting cybersecurity investigations following the compromise of CDAs
  o Preserving forensic evidence collected during cybersecurity investigations to prevent loss of evidentiary value
  o Maintaining expert skill and knowledge in the area of cybersecurity

• A CSIRT composed of individuals from organizations including security, operations, engineering, emergency preparedness, and other support organizations, as required, which is responsible for the following:
  o Initiating appropriate response and actions to protect CDAs from compromise during a known or suspected security incident and assisting with recovery of compromised systems
  o Containing and mitigating security incidents involving CDAs and ensuring that compromised systems are properly restored following an incident

• Auxiliary staff, including operations personnel, engineers, technicians, user contractors, and vendor representatives, who operate, maintain, or design digital systems.

The basic elements of the cybersecurity program are:

1. Creating and defining roles and responsibilities for a site cyber security team

2. Analyzing digital computer and communications systems to determine which components are CDAs

3. Reviewing and confirming the direct and indirect connectivity of each CDA, and identifying pathways to CDAs

4. Creating a “Defense-in-Depth” architecture through system configuration and the implementation of security controls
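
The defensive-level model described earlier in this appendix and element 3 above (confirming direct and indirect connectivity and identifying pathways to CDAs) lend themselves to a mechanical check. The Python code below is an added example, not part of the roadmap or of NRC or NEI guidance; the asset names, numeric levels, boundary labels, and the rule that an upward link without a policy-enforcing device is a finding are assumptions made for illustration.

```python
"""Added example: audit a defensive-level model for pathways to CDAs.

All asset names, level numbers and links are constructed for illustration;
a higher number means a higher defensive level (an assumption).
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    src: str       # data flows from src ...
    dst: str       # ... to dst
    boundary: str  # "none", "firewall" (policy-enforcing) or "diode" (one-way)


LEVELS = {"corp_lan": 1, "plant_historian": 2, "engineering_ws": 3,
          "turbine_ctrl": 3, "safety_plc": 4}
CDAS = {"turbine_ctrl", "safety_plc"}
LINKS = [
    Link("safety_plc", "engineering_ws", "diode"),      # high -> low only
    Link("engineering_ws", "plant_historian", "firewall"),
    Link("plant_historian", "corp_lan", "firewall"),
    Link("corp_lan", "plant_historian", "firewall"),    # upward, restricted
    Link("plant_historian", "turbine_ctrl", "none"),    # upward, no boundary
    Link("engineering_ws", "turbine_ctrl", "none"),     # same level
]


def classify_upward_links(levels, links):
    """Return (src, dst, status) for every link carrying data to a higher level.

    "restricted": a policy-enforcing device sits on the link (review its rules).
    "violation":  no boundary device, or a one-way device pointing upward.
    """
    findings = []
    for link in links:
        if levels[link.src] >= levels[link.dst]:
            continue  # same-level or downward flow is not an upward crossing
        status = "restricted" if link.boundary == "firewall" else "violation"
        findings.append((link.src, link.dst, status))
    return findings


def pathways_to_cdas(start, links, cdas):
    """Breadth-first search along data-flow direction; shortest path per CDA."""
    adjacency = {}
    for link in links:
        adjacency.setdefault(link.src, []).append(link.dst)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for cda in cdas:
        if cda in parent and cda != start:
            path, node = [], cda
            while node is not None:  # walk back to the start node
                path.append(node)
                node = parent[node]
            paths[cda] = path[::-1]
    return paths


def audit(levels, links, cdas):
    """List (start, cda, shortest_path, crosses_violation) for every asset on
    a lower level that has a direct or indirect data pathway to a CDA."""
    bad = {(s, d) for s, d, status in classify_upward_links(levels, links)
           if status == "violation"}
    report = []
    for start in sorted(levels):
        for cda, path in sorted(pathways_to_cdas(start, links, cdas).items()):
            if levels[start] >= levels[cda]:
                continue  # only pathways that climb toward the CDA matter here
            hops = zip(path, path[1:])
            report.append((start, cda, path, any(h in bad for h in hops)))
    return report


if __name__ == "__main__":
    for start, cda, path, flagged in audit(LEVELS, LINKS, CDAS):
        marker = "VIOLATION" if flagged else "restricted"
        print(f"{marker:10} {' -> '.join(path)}")
```

In the constructed model the audit reports an indirect pathway from the lowest level to a CDA through an intermediate asset, which a review of direct connections alone would miss.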

The cyber security program maintains the “security lifecycle” depicted in Figure 4.

Figure 4: The Security Lifecycle

Research and Test Reactors

Research and test reactors (RTRs) are typically licensed by the NRC according to the total thermal (heat) energy produced by the reactor. These facilities range in size from 0.10 watt to 20 megawatts-thermal. In contrast, a typical commercial nuclear power reactor is rated at 3,000 megawatts-thermal. Because of this large difference in thermal power, the consequence of an accident at a research and test reactor is limited when compared to a commercial power reactor. For this reason, emergency planning and security requirements at RTRs are less extensive than the requirements placed on commercial nuclear power reactors.

Despite these differences, the cyber systems in the typical RTR are similar to those in commercial nuclear power reactors in the context to which they control reactor operations. They also include similar human-machine control room interfaces. However, with the lower thermal output and the absence of transmission and distribution systems, RTR control systems are somewhat simpler than those in commercial power plants.

There are currently no regulations governing cybersecurity at RTRs. However, because most RTRs are at universities or other research institutions, they may fall under the cybersecurity rules of their host institution. Figure 5 shows a simplified research reactor control system block diagram for a type of research reactor common in the United States.

Figure 5. Simplified Research Reactor Control System Block Diagram9

9. General Atomics Electronic Systems Web page, “Instrumentation and Control Systems,” www.ga-esi.com/triga/products/control_systems.php.

Fuel Cycle Facilities

Fuel cycle facilities are those facilities involved in the production cycle of fuel for U.S. commercial power reactors. They include facilities that mill uranium, convert, enrich, and fabricate it into fuel, and process the depleted uranium hexafluoride for disposal. The NRC regulates fuel cycle facilities through a combination of regulatory requirements, licensing, safety oversight (including inspection, assessment of performance, and enforcement), evaluation of operational experience, and regulatory support activities. Although their production processes depend on cyber systems, fuel cycle facilities are not required to adhere to the cybersecurity requirements imposed upon commercial nuclear reactors. However, fuel cycle facilities do need to meet certain DOE requirements.

Other Nuclear Sector Assets

Radioactive materials are used thousands of times daily in medical and industrial settings. Many of the devices that use the materials, such as blood irradiators and medical diagnostic equipment, rely on software for system functioning. Although these systems generally include built-in security protocols, such as passwords and keys, a cybersecurity vulnerability exists whenever the software provides the opportunity for unauthorized access. The failure to properly address these vulnerabilities could result in an adverse effect on patient care. Although many of these machines could simply be disconnected from the network to mitigate a primary attack vector, this could prevent the efficient transfer of information, which also could negatively impact patient care.

In response to some of these concerns, the Federal Drug Administration (FDA) released guidance in 2005 for medical device manufacturers to reduce cyber vulnerabilities. Although not specific to devices which use radioactive materials, the guidance is applicable to many of these devices. The guidance outlines general principles the FDA considers to be applicable to software maintenance actions required to address cybersecurity vulnerabilities for networked medical devices—specifically, those that incorporate COTS software. The FDA recommends that device manufacturers maintain formal business relationships with their COTS software vendors to ensure timely receipt of information concerning quality problems and recommended corrective and preventive actions. Due to the frequency of cybersecurity patches, the FDA recommends that manufacturers develop a single cybersecurity maintenance plan to address compliance with the FDA quality system regulations and the concerns discussed in the guidance document.

Appendix B. National Context

In 1988, Presidential Decision Directive NSC-63 (PDD-63), “Critical Infrastructure Protection,” was issued recognizing the need for enhanced security of the cyber aspects of the Nation’s critical infrastructure. Although directed specifically at information systems, it recognized the interdependencies within the critical infrastructure sectors and the reliance of that infrastructure on automated cyber systems. The directive called for voluntary private-public partnerships of the type later formalized in the National Infrastructure Protection Plan (NIPP) and included the assignment of government agencies as lead sector agencies.

The Homeland Security Act of 2002 and the National Strategy for Homeland Security created the policy and institutional framework for homeland security following the attacks of 9/11, including the creation of DHS. In early 2003, the National Strategy to Secure Cyberspace outlined priorities for protecting against cyber threats and the damage they can cause. It called for DHS and the Department of Energy to work in partnership with industry to develop best practices and new technology to increase the security of cyber systems, to determine the most critical cyber systems-related sites, and to develop a prioritized plan for short-term cybersecurity improvements at those sites. The Cyber Security Research and Development Act of 2002 allocated funding to the National Institute of Standards and Technology and the National Science Foundation for the purpose of facilitating increased research and development (R&D) for computer network security and supporting research fellowships and training. The act establishes a means of enhancing basic R&D related to improving the cybersecurity of critical infrastructure.

The NIPP and Homeland Security Presidential Directive-7 establish a partnership model for collaboration on critical infrastructure protection and resilience that consists of a Sector Coordinating Council (SCC), a Government Coordinating Council, and an assigned Federal Sector-Specific Agency (SSA) for each sector. The SSA, among its other roles, collaborates with Federal, State, local, tribal, territorial and private sector partners to encourage the development of information sharing and analysis mechanisms. It also facilitates the sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and accepted industry practices. SCCs are self-organized, self-run, and self-governed industry organizations that represent a spectrum of key stakeholders within a sector. SCCs serve as the government’s principal point of entry into each sector for developing and coordinating a wide range of critical infrastructure protection and resilience activities.

In the Nuclear Reactors, Materials and Waste Sector, the Nuclear Government Coordinating Council (NGCC) and Nuclear Sector Coordinating Council (NSCC) have established a joint Cyber Subcouncil as a means to coordinate and collaborate on cyber matters in the Nuclear Sector. This roadmap was sponsored and facilitated by the DHS Office of Infrastructure Protection as the SSA for the Nuclear Sector. The content was developed as a collaborative effort of NGCC and NSCC members of the joint Cyber Subcouncil in the Nuclear Sector, including representatives from the DHS National Cyber Security Division Control Systems Security Program. Roadmap development also included the collaboration of subject matter experts from relevant public and private agencies and organizations not part of the NSCC or NGCC.


Appendix C. Roadmap Development Process

Strategic Imperative

The 2009 U.S. Nuclear Regulatory Commission rule 10 CFR 73.54 provided a solid foundation for the necessity of this roadmap. The nuclear industry independently recognized the need to develop a long-term, collaborative approach to stay ahead of potential cyber threats. The Nuclear Sector determined that development of this roadmap was key to streamlining planning among its members and developing its ability to respond to increasingly sophisticated cyber attacks.

Strategic Partners

The roadmap was sponsored and facilitated by the DHS Office of Infrastructure Protection as the Sector-Specific Agency for the Nuclear Sector. The content was developed as a collaborative effort of the joint Cyber Subcouncil of the Nuclear Government Coordinating Council (NGCC) and Nuclear Sector Coordinating Council (NSCC), including representatives from the DHS National Cyber Security Division Control Systems Security Program. Roadmap development also included the collaboration of subject matter experts from relevant public and private agencies and organizations not part of the NSCC or NGCC.

Step 1. Planning the Roadmap

The initial planning meeting for the roadmap was held on November 5, 2010, at the Nuclear Energy Institute in Washington, D.C.

Step 2. Establishing the Roadmap Steering Committee

The Roadmap Steering Committee (RSC) held its first teleconference on November 10, 2010. The RSC discussed the purpose and scope of the roadmap and the progress made to date. The team then discussed the process for developing the roadmap, reviewed the proposed charter, and previewed the next steps in the roadmap advancement. The RSC held a series of teleconferences over the following months to develop the vision, key principles, and strategies for the roadmap in preparation for the formal roadmap workshop.

Step 3. Conducting the Roadmap Workshop

The RSC sponsored a facilitated workshop at the Constellation Energy offices in Baltimore on January 27, 2011. This workshop brought together a diverse cross-section of public- and private-sector nuclear and cybersecurity experts to accomplish the following:

• Further the development of roadmap milestones and goals
• Identify and prioritize challenges
• Identify and prioritize needs and potential solutions to challenges
• Brainstorm measures of roadmap progress and success
• Recognize major existing government and industry cybersecurity programs


Step 4. Preparing, Reviewing, and Publishing the Roadmap

The workshop results were synthesized and crafted into the foundation of the roadmap. The draft roadmap was distributed to experts in the nuclear and cybersecurity communities for comments. These comments have been integrated into the final draft of the roadmap.


Appendix D. Acronyms and Abbreviations

CDA critical digital assets

COTS commercial off-the-shelf

CSIRT cybersecurity incident response team

CSSP Control Systems Security Program

CST cybersecurity team

DHS U.S. Department of Homeland Security

FDA Food and Drug Administration

I&A DHS Office of Intelligence and Analysis

ICS industrial control systems

ICS-CERT Industrial Control Systems Cyber Emergency Response Team

ISA International Society of Automation

NEI Nuclear Energy Institute

NGCC Nuclear Government Coordinating Council

NIPP National Infrastructure Protection Plan

NITSL Nuclear Information Technology Strategic Leadership

NRC Nuclear Regulatory Commission

NSCC Nuclear Sector Coordinating Council

PR public relations

R&D research and development

RSC Roadmap Steering Committee

RTR research and test reactors

SCC Sector Coordinating Council

SSA Sector-Specific Agency

SSEP safety, security, and emergency preparedness

US-CERT U.S. Computer Emergency Readiness Team