
Page 1: 27 Information Security.pptx [Read-Only] - sandia.gov

27 - Information Security

The Twenty-Seventh International Training Course, Page 1

27. Information Security

April 29 – May 18, 2018, Albuquerque, New Mexico, USA

SAND2016-8421 TR

Sandia National Laboratories is a multimission laboratory managed and operated by National Technology and Engineering Solutions of Sandia LLC, a wholly owned subsidiary of Honeywell International Inc. for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525.

Information Security

Learning Objectives

After completing this module, you should be able to:

• Identify information systems associated with nuclear materials, nuclear facilities, and physical protection systems

• Recognize threats against information systems including adversary goals and potential attack points

• State the process and guidelines for establishing computer and information security


IAEA Nuclear Security Series 13 (NSS-13)

• 4.10 Computer based systems used for physical protection, nuclear safety and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment or Design Basis Threat

Motivation

• Information “insecurity”: Boeing, Lockheed Martin Corporation, Amazon, Yahoo, Target, Ashley Madison, JP Morgan, HBO, Hilton Hotel, etc.

“There are two types of companies: those that have been hacked, and those who don't know they have been hacked.” - John Chambers


Types of Information Systems

Systems where information is stored, used, or transmitted

Mode: People
  Types: Knowledge; Skills
  Examples: Where are materials located; How to handle nuclear materials

Mode: Physical
  Types: Paper; Equipment
  Examples: Policies; Procedures; Entry control lists; Security plans; System design; Schedules (i.e., material movements)

Mode: Cyber
  Types: Networks; Communications; Stored Data; Digital Control Systems
  Examples: Sensor network systems; Entry control system; Material inventories; Safety control systems; Plant configuration; Smart cameras / motion sensors

Information Age

(Figure slide: Information Age)


What could go wrong?

(Figure: Information Age, Cyber-Physical System, Cyber-Physical Age, Cyber-Security Problems)

Threat Trend

• Cyber threat actors are increasingly expanding capabilities to impact the physical world with high-consequence results

• Examples
  • 2010 – Stuxnet, example of weaponized cyberwarfare
  • 2012 – Shamoon, destructive malware that wiped 30,000 to 55,000 workstations of Saudi Aramco
  • 2014 – Korea Hydro & Nuclear Power attacked, stole blueprints of nuclear reactor, employee information
  • 2015 and 2016 – Ukrainian Power Grid cyber attack, first known examples of shutting down civil infrastructure

• State-sponsored Advanced Persistent Threat (APT)

• Cyberterrorism – Cyber-Physical System (CPS) enabled kinetic attacks


How Is Cyber-Physical Threat Different?

Information Age:
• Propaganda
• Disruption to information, theft of intellectual property (i.e., Sony) and money
• Terrorism enabled by moving “electrons”

Cyber-Physical Age:
• Critical Infrastructure
• Disruption to critical infrastructure service, can result in significant loss of lives and physical assets
• Terrorism enabled by moving physical masses - “cyber jihad” with airplanes, cars, and robots

Computer Systems in Nuclear Facilities

Safety Systems
• Protection systems for automatically initiated reactor and plant protection actions
• Safety actuation systems (initiated by protection systems)
• Emergency power

Safety-related Systems
• Process control
• Control room - controls and alarms
• Fuel handling and storage
• Fire protection systems

Non-Plant Equipment
• Office automation
• External connectivity

Security-related Systems
• Access control systems
• Voice and data communication
• Clearance database
• Alarm monitoring and control
• Computer and network security
• Nuclear accountancy
• Heating, ventilation, and air conditioning (HVAC)
• Industrial control systems (ICS)


Cybersecurity and Physical Security Risks

• Central servers and workstations: usually run Windows operating systems current as of installation, rarely receive security updates, and are not always in protected zones

• Field panels: usually run an embedded operating system, rarely receive security updates, and may be physically accessible

• Communications network: moving almost exclusively to Ethernet and IP (Internet Protocol)

• Wide variety of attack tools already exist

• Require little knowledge

How are these located and protected?

An attacker that gains access at any point can use well-known tools to manipulate or deny monitoring

Potential Adversary Goals

• Information gathering for planning further malicious acts (reconnaissance)

• Attack disabling or compromising computers or security / safety control systems
  • For example, adding an identity

• Compromise of computers or digital control systems combined with other modes of attack, such as physical intrusion
  • For example, degrading a sensor sensitivity
  • Remotely deny or enable access to physical assets


Controls for Electric Power Distribution

A local electrical power supply is typically protected but it is only as reliable as the control signals

A distribution utility may not control or fully understand its telecommunications infrastructure

(Figure labels: Remote, Protected; Local, Protected; telecommunications path marked “?????????”)

Supply Chain Attack Model

(Figure: a generic supply chain with the stages component designers; foundries; suppliers; contracted manufacturers; designers; assemblers; physical product; integration & testing; firmware and software developers; warehousing (vendor or contract); shipping & cross docking; customer installation; contractors; administrators; manufacturer upgrades & maintenance (hardware or via network); firmware/software storage & manufacturer installation network; existing installation. Stages are marked as “attractive, targeted attacks”, “specific attacks possible”, or “untargeted attacks possible”.)

A generic supply chain is shown. Although an operating facility is the goal, supply chain attacks are possible during subcomponent design, integration, testing, and installation


Computer Attack Phases

• Goal identification
• Reconnaissance
• System access / compromise
• Attack execution
• Covering of tracks to maintain deniability

Goal identification and reconnaissance are not within the awareness or control of the defender, so active defense must anticipate the adversary and limit information

Increasingly, control system attacks and tools are becoming more sophisticated

Attack Sophistication Graph from NSS-17

(Figure: attack sophistication graph from NSS-17)


Energy Companies Compromised

• Dragonfly / Energetic Bear
  • Windows-based but targeted energy companies
  • Successfully exploited thousands of power plants
  • Install malware, steal data, run executable files

• Blackenergy
  • In development since 2007!
  • Trojan malware and root kit (gain foothold and download other malware, such as KillDisk)
  • Linked to wide-scale power outages in the Ukraine

• Nuclear Power Plant Target
  • December 14, South Korea’s Korea Hydro and Nuclear Power (KHNP) successfully hacked. Nuclear power plant design information stolen

• Not New, Not Hypothetical!

Attacker Tools

• Attack tools can be purchased openly

• Malware targets control systems

• Agora Software – Offers “unpatched” vulnerabilities, not detectable by existing virus scanning or malware protection


Stuxnet – Advanced Attack Sophistication

• Successful attack against the “closed” network of a nuclear facility

• Targeted specific machinery, so it was informed by insider reconnaissance

• Software used encrypted network traffic for external command and control

• Software passed standard trust policies (used driver signing keys of two companies)

• Self-propagation - infects additional hosts via 3 alternate paths

A Process for Improving Computer Security

• Requirements
  • Follow national legal and regulatory requirements
  • Apply relevant IAEA and other international guidance
  • Use graded approach

• Ensure senior management support / adequate resources
  • Identify interactions between computer security and facility operation, nuclear safety, and other aspects of site security
  • Perform risk assessment
  • Create a computer security policy

• Define a computer security perimeter

• Integrate computer security within the facility’s management system (regularly audit, review and improve the system)

• Select, design, implement protective computer security measures

• Anticipate threat (DBT)


Defense in Depth

• Protection requirements should reflect the concept of multiple layers and methods of protection (physical, technical, and administrative)

• Graded approach

Architecture and Design Principles

• Prevent loss of integrity
• Maintain availability
• Ensure confidentiality

Design Considerations
• Protection levels
• Access levels
• External connectivity
• System interfaces

• Zone borders enforced with decoupling mechanisms

• Prevents unauthorized access and error propagation

• Technical and administrative measures ensure decoupling


Protection Measure Options

• Administrative Controls
  • Training
  • Policies and procedures (example, password management)
  • Principle of Least Privilege

• Physical Protection of Information System Assets
  • Lock rooms or cabinets where computer systems or digital control systems are located
  • Limit access to areas where computer systems or network components, particularly servers, are located, such as outdoor wiring cabinets

• Mitigation / Recovery
  • Periodic backups made, protected at same level as original
  • Recovery from backups is tested

Technical Controls

• Network design and configuration management

• Detection and logging

• Firewalls and routers

• Zone enforcement with firewalls, data diodes, or air gap

Virus Protection – For analyzing data for malicious signature

Encryption – For data in storage and during transport

Authentication – For knowing who is doing what and attribution

State of Health – Validating technical controls are functioning as expected
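The zone-border principle from the Architecture and Design Principles slide and the zone-enforcement control above can be checked mechanically. The Python below is an added example, not course material: it assumes four graded zone levels, the rule that a data diode carries data outward from the more protected zone only, and the rule that the most protected (level-1) zone is connected only through a diode; all three are assumptions constructed for the example. It flags border crossings that lack a decoupling mechanism and shows which zones an actor on the external network could reach over the links as drawn.

```python
from collections import deque, namedtuple

# Graded approach, constructed for this example: lower number = more protected zone.
LEVELS = {"safety": 1, "security": 2, "plant-office": 3, "external": 4}
# A drawn link between zones and the mechanism on the border: "data_diode", "firewall", "air_gap", "direct".
Link = namedtuple("Link", "src dst mechanism")

def check_link(link):
    """Return a violation message for one zone-border crossing, or None if allowed."""
    s, d = LEVELS[link.src], LEVELS[link.dst]
    if s == d:
        return None  # no border crossed
    if link.mechanism == "direct":
        return f"{link.src}->{link.dst}: border crossed without a decoupling mechanism"
    if link.mechanism == "air_gap":
        return f"{link.src}->{link.dst}: declared air gap, yet a link is drawn"
    if link.mechanism == "data_diode":  # assumed rule: a diode carries data outward only
        return None if s < d else f"{link.src}->{link.dst}: diode points into the more protected zone"
    # remaining mechanism is a firewall
    if min(s, d) == 1:  # assumed rule: the level-1 zone is connected only through a diode
        return f"{link.src}->{link.dst}: level-1 zone may only be connected through a data diode"
    if abs(s - d) > 1:  # skipping a level removes a layer of defense in depth
        return f"{link.src}->{link.dst}: firewall bridges non-adjacent levels"
    return None

def reachable_from(links, start):
    """Zones an actor in `start` can reach as drawn: firewalls and direct cables pass
    traffic both ways, a diode only src->dst, an air gap never."""
    adj = {z: set() for z in LEVELS}
    for l in links:
        if l.mechanism != "air_gap":
            adj[l.src].add(l.dst)
            if l.mechanism != "data_diode":
                adj[l.dst].add(l.src)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {start}

# Constructed design: a compliant outbound diode plus two common mistakes.
DESIGN = [
    Link("safety", "security", "data_diode"),      # plant data flows out, nothing flows in
    Link("security", "plant-office", "firewall"),
    Link("plant-office", "external", "firewall"),
    Link("security", "safety", "firewall"),        # mistake: inbound path into the safety zone
    Link("external", "security", "direct"),        # mistake: unmanaged cable bypassing a border
]
```

Running check_link over DESIGN reports the two mistakes, and reachable_from(DESIGN, "external") contains "safety"; with only the first three links it does not.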


Key Takeaways

• Various types of information systems and cyber-physical systems exist and all of them need to be protected

• Adversaries can use a number of different cyber tools to attack a system

• Access to any part of the system can cause systems to not function as intended

• Create and use a graded approach to require different sets of protection measures to satisfy security requirements for information systems at a given level

• Use DBT model to anticipate threat actors