India-United States Cooperation on Global Security Summary of a Workshop on Technical Aspects of Civilian Nuclear Materials Security (2013) / Chapter Skim
Currently Skimming:
4 Cybersecurity at Civilian Nuclear Facilities
4 Cybersecurity at Civilian Nuclear Facilities
Pages 71-88
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 71... ...
Cybersecurity for a nuclear facility can be divided into two parts: instru ment and control security (ICS) , and facility network security (FNS)
|
From page 72... ...
An Indian Perspective on Cybersecurity R.M. Suresh Babu began by indicating that he would speak about cybersecurity in nuclear facilities in general, which is a broader area, a bigger picture, than speaking specifically about cybersecurity in civilian nuclear facilities.
|
From page 73... ...
Also, during the system development process, system verification should address security vulnerabilities, including insider threats such as an attempt to modify software in the development stages. Such scenarios should be considered during the development process.
|
From page 74... ...
Finally, the security controls have to be formally defined in a security plan document. This is absolutely necessary, Babu said, because only a plan document, reviewed by all parties involved, can ensure that all appropriate controls are put into place, including the management operational technique of controls (security assessment certification, training, physical protection, access control, audits, authentication, etc.)
|
From page 75... ...
As shown in Figuure 4-1, thee critical safetty system will most likely haave very few cconnections w with outsidee systems, and where there arre connectionss they can onlyy be in one direection. Two-way comm munications aree absolutely reemoved from tthis particular in on through tecchnical means.
|
From page 76... ...
SOURCE: S Babu,, 2012. The security controlss could be diffferent at differrent points durring the develoopment phase p and durin ng the operatio on phase.
|
From page 77... ...
The communication channels should be secured with the use of encryption methods or other methods to make sure that no one spoofs the system and no one attempts to take the data out of this particular network for malicious use. It should enforce established security policies.
|
From page 78... ...
SN NAS dynamicaally changes tthe rules off the firewalls, depending on the end-system m security stagge. As long as tthe systemm behaves propeerly, the firewaall will allow ccommunicationn with other syystems.
|
From page 79... ...
Now the NRC is training its inspectors to start inspecting the plants to ensure that they are in compliance with the appropriate rules and regulations. The NRC rule is only two pages long and requires the power plants to implement security controls to protect their assets from cyber attacks.
|
From page 80... ...
. Defense-in-dep D pth is multiple layers of defennse of a vital aarea for essenttial safety and security equipment, a protected areea for other ssystems that aare importaant to operatio ons.
|
From page 81... ...
If one is planning an attack against a fortified facility, what better way to defeat the digital physical security controls than through a cyber attack, rather than just a purely physical attack? This just illustrates that there are many attack vectors to get to assets that an attacker might want to reach.
|
From page 82... ...
Pack Rat stands for "physical and cyber risk assessment tool." It uses some of the quantative tools widely used for physical security risk assessments and adds a cyber component. Instead of just looking at the physical security pathways and the time delay provided to the defense force to counteract a physical attack, it also looks at the cyber pathway as well, of entering and attacking physical security systems, the time delay that those cybersecurity measures provide and integrates that with the physical security for a more coherent picture.
|
From page 83... ...
Would it not be subject to the same common requirement as a digital system for the most critical safety functions? In one sense, Indian regulatory guidelines and designs ensure that nothing catastrophic will happen in case of a cyber attack.
|
From page 84... ...
We are really just beginning to formulate some of the questions having to do with cyber attacks. The point about attribution cannot be overemphasized, and quite frankly, a standard mode of operation is for an attack to be perpetrated through another computer system, stated a workshop participant.
|
From page 85... ...
A participant asked Glantz to clarify the implementation of the NRC cybersecurity rule at U.S. power plants.
|
From page 86... ...
There is always that possiblity. A workshop participant asked Babu about a system as it is being developed.
|
From page 87... ...
All of the cybersecurity controls tend to have their draw backs. One of the controls is conducting intrusion detection, which is valuable, but then one has to think about communicating that intrustion detection information back to security specialists, which opens up potential new lines for security.
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.