computer security as a component of nuclear...
TRANSCRIPT
![Page 1: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/1.jpg)
IAEA International Atomic Energy Agency
Computer Security as a Component of
Nuclear Security: Observations and Lessons Learned
11 May 2016
Donald D. Dudenhoeffer
![Page 2: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/2.jpg)
IAEA
Computer Security in the Nuclear World
“Computers play an essential role in all aspects
of the management and safe and secure
operation of nuclear facilities, including
maintaining physical protection. It is vitally
important that all such systems are properly
secured against malicious intrusions.
Staff responsible for nuclear security should know how to repel cyber-
attacks and to limit the damage if systems are actually penetrated.
The IAEA is doing what it can to help governments, organizations, and
individuals adapt to evolving technology-driven threats from skilled cyber
adversaries.
I am confident that, by working together and sharing experience, all of us
can help to ensure computer security in the nuclear world.”
Remarks at International Conference on Computer
Security in a Nuclear World, Vienna Austria, 1 June 1 2015
by IAEA Director General Yukiya Amano 2
![Page 3: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/3.jpg)
IAEA
Observation on CS in Nuclear Security
Discuss 4 observations on computer security
from developing programme guidance and
from working with Member States
3
![Page 4: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/4.jpg)
IAEA
The Threat – Adversary – Bad Guy
4
Lone wolf? Dedicated group?
Trusted Employee?
Observation 1: Most people have a hard time
understanding the threat and thinking like the
adversary.
Who is the Adversary?
![Page 5: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/5.jpg)
IAEA
Observation 1: Knowing thy Enemy
5
![Page 6: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/6.jpg)
IAEA
Threat Profiles and Classification
Recreational Hackers
Hacktivist Social Activist
Rogue Warriors
Disgruntled Individuals
Employees
Contractors
Third Parties
Terrorist
Criminal Groups
Nation States
Motivation
Capability
Intention
Tactics
6
Targets
(People and Things)
External and Internal threats
![Page 7: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/7.jpg)
IAEA
Nuclear Facilities (publically known attacks)
Multiple computer security incidents have impacted nuclear facilities
Monju NPP
(Japan) Compromise of
control room
computer and release
of information
(2014)
Korea Hydro and
Nuclear Power
(KHNP) Computer compromise
and release of NPP
documents
(2014)
7
Gundremmingen
NPP
(Germany) Computer virus found
on plant IT systems
and media.
(2016)
![Page 8: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/8.jpg)
IAEA
Competent Authorities beware….
Facilities are not just the only targets of attack!
IAEA 2012 Compromise of an old
server resulted in the
release of email addresses
and other information
USNRC Victim of multiple
attacks that
compromised emails
and email accounts.
OPM Victim of persistent
attacks information
related to security
clearances including the
theft of over 4 million
fingerprint files.
8
![Page 9: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/9.jpg)
IAEA
Fear
Observation 2: Fears are not always aligned
with the risk.
What do you fear in a cyber attack?
versus
What should you fear?
9
![Page 10: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/10.jpg)
IAEA
Fear versus Risk
10
Which of these animals do you fear the most?
A.) Sharks
B.) Bees
C.) Spiders
D.) Dogs
E.) Snakes
Question asked during a Feb 2016 meeting on Cyber Threat:
![Page 11: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/11.jpg)
The animals that are most likely to kill you Average annual animal-caused fatalities in the US 2001 - 2013
https://www.washingtonpost.com/news/wonk/wp/2015/06/16/chart-the-animals-that-are-most-likely-to-kill-you-this-summer/
0 10 20 30 40 50 60 70
Sharks
Alligators
Bears
Venomous Snakes and Lizards
Spiders
Non-Venomous Arthropods
Cows
Dogs
Other Mammals
Bees, Wasp, and Hornets
11
![Page 12: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/12.jpg)
IAEA
Survey – What are your Cyber Fears?
12
Ref: 2015 Cyberthreat Defense Report:
North America & Europe
CyberEdge Group
![Page 13: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/13.jpg)
IAEA
Complexity
Observation 3: Challenge of Understandability
13
Fog of Complexity
- Digital I&C Architectures
- The Threat
- Attack Impact
![Page 14: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/14.jpg)
IAEA 14
Physical World – Well defined
Service history
In service 1949–present
Designer Mikhail Kalashnikov
Designed 1944–1947
Manufacturer Izhmash
Number built approximately 75 million AK-47
100 million AK-type rifles[
Specifications
Weight 4.78 kg (10.5 lb) with a loaded magazine
AKM weight with unloaded magazine 3.1 Kg.
Length 880 mm (35 in) fixed wooden stock
875 mm (34.4 in) folding stock extended
645 mm (25.4 in) stock folded
Barrel length 415 mm (16.3 in)
Cartridge 7.62×39mm M43/M67[
Action Gas-operated, rotating bolt
Rate of fire Cyclic rate of fire is 600 rounds/min[
Semi-auto rate of fire is 40 rounds/min[
Full-auto burst rate of fire is 100 rounds/min[
Muzzle velocity 715 m/s (2,350 ft/s)[
Effective range 350 metres (380 yd)
Feed system Standard magazine capacity is 30 rounds. There
are also 10, 20, 40, 75, or 100-round detachable
box and drum style magazines.
Sights Adjustable iron sights with a 378 mm (14.9 in) sight
radius:
AK-47 has 100–800 meter adjustments
AKM has 100–1000 meter adjustments
![Page 15: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/15.jpg)
IAEA 15
Impacts well understood
7.62×39mm
Specifications
Case type Rimless, bottleneck
Bullet diameter 7.92 mm (0.312 in)
Neck diameter 8.60 mm (0.339 in)
Shoulder diameter 10.07 mm (0.396 in)
Base diameter 11.35 mm (0.447 in)
Rim diameter 11.35 mm (0.447 in)
Rim thickness 1.50 mm (0.059 in)
Case length 38.70 mm (1.524 in)
Overall length 56.00 mm (2.205 in)
Case capacity 2.31 cm3 (0.0356 gr H2O)
Rifling twist 240 mm (1 in 9.45 in)
Primer type Boxer Large Rifle
Maximum pressure 355.00 MPa (51,488 psi)
Filling SSNF 50 powder
Filling weight 18.21 gr
Ballistic performance
Bullet weight/type Velocity Energy
123 gr (8 g) Full metal jacket 731.5 m/s (2,400 ft/s) 2,073.6 J (1,529.4 ft·lbf)
154 gr (10 g) Spitzer SP 641.3 m/s (2,104 ft/s) 2,056.3 J (1,516.6 ft·lbf)
123.5 gr (8 g) Full metal jacket 804.7 m/s (2,640 ft/s) 2,460 J (1,810 ft·lbf)
123 gr (8 g) Full metal jacket 738 m/s (2,420 ft/s) 2,179 J (1,607 ft·lbf)
Test barrel length: 415 mm
Source(s): Wolf Ammo[1] Omar [2] Sellier & Bellot [3]
![Page 16: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/16.jpg)
IAEA 16
The Cyber Threat
How does one characterize the threat?
Processor
Intel® Core™ i7-2640M Dual Core (2.80GHz,4M
cache,)
Operating System
Windows 7 Professional, No Media, 64-bit
Display
17.3" UltraSharp™ FHD(1920x1080) Wide View
Anti-Glare LED-backlit
Memory
4GB3 DDR3 SDRAM at 1333MHz
Hard Drive
750GB 7200rpm Hard Drive
Video Card
AMD® FirePro® M8900 Mobility Pro Graphics
with 2GB GDDR5
Optical Drive
8X DVD+/-RW
System Weight
7.77 lbs
We can talk about Operational
Characteristics of computers
![Page 17: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/17.jpg)
IAEA 17
The Cyber Threat
How does one characterize the threat?
But how does one characterize the range of attack vectors – targets
and methods, impacts?
![Page 18: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/18.jpg)
IAEA
Culture
Observation 4: Culture is key.
Security is a people issue, not just a technical issue
• Without good training, technology cannot be effective
• Attacks against organizational staff including directed
attacks are a common tactic by adversaries
• Over half of all computer security compromise results
from or are complicated by human error
• People can be the strongest asset or your weakest link in
security
18
![Page 19: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/19.jpg)
IAEA
Infection Vectors
19 Ref: ICS-CERT Monitor, Nov/Dec 2015
ICS-CERT responded to
295 reported incidents
involving critical
infrastructure (CI) in the
US. (Oct 2014 - Sept
2015).
“Unknown” – insufficient
forensic data available to
identify the initial intrusion
vector.
![Page 20: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/20.jpg)
IAEA
Placing a Man on the Moon
President John F. Kennedy was visiting NASA headquarters for the first
time, in 1961. While touring the facility, he introduced himself to a janitor
who was mopping the floor and asked him what he did at NASA.
The janitor replied, “I’m helping put a man on the moon!”
Obviously, the janitor understood the importance
of his contribution. He truly felt he was a valuable
part of something bigger than himself, and his
attitude created a feeling of self-confidence in
his mission. He wasn’t merely a janitor;
he was a member of the 1962 NASA Space Team!
How to we empower and motivate each
employee to be part of the Security Team.
Ref: http://www.tlnt.com/2012/06/07/company-goals-do-your-employees-have-a-line-of-sight-to-them/ 20
![Page 21: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/21.jpg)
IAEA
Trends for 2015 and Beyond
• Increase in the number of adversaries (state and cyber criminals)
with cyber capability.
• Cybercrime-as-a-service is likely to increase reducing the barriers
for entry for cybercriminals.
• Sophistication of the current cyber adversaries will increase, making
detection and response more difficult.
• Spear phishing will continue to be popular with adversaries, and the
use of watering-hole techniques will increase.
• Ransomware will continue to be prominent.
• Increase in the number of cyber adversaries with a destructive
capability and, possibly, the number of incidents with a destructive
element.
• Increase in electronic graffiti, such as web defacements and social
media hijacking, which is designed to grab a headline.
21
Ref: Australian Cyber Security Centre
2015 Threat Report
![Page 22: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/22.jpg)
IAEA
Survey – Inhibitors to Effective CS
22
Ref: 2015 Cyberthreat Defense Report:
North America & Europe
CyberEdge Group
![Page 23: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/23.jpg)
IAEA
NSNS Computer Security Programme Plan
Directs
Informs
Implements
Member States
• NSGC
• INSSPS
• Expert
Meetings
23
![Page 24: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/24.jpg)
IAEA
NSNS Computer Security Programme Plan
2016 Priority Action Items
• NSS guidance development
• Coordinated research in computer security
incident response
• Development of hands-on training curriculums
to support specialized computer security
training for the protection ICS
• Investigation of an information sharing for
computer security incident information, security
notices on system vulnerabilities and threats
relevant for nuclear security.
• Expert meetings to support global information
exchange and training.
24
![Page 25: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/25.jpg)
IAEA
2016 Priority Action Items
1. Revision and development of NSS guidance.
2. Coordinated Research Project to technologies and
processes that support computer security incident
response at nuclear facilities.
3. Investigation of information sharing for sharing computer
security incident and notices relevant for nuclear security.
4. Expert meetings to support global information exchange.
5. Development of hands-on training to support specialized
computer security training for the protection of systems
used for nuclear safety, nuclear security, NMAC.
25
![Page 26: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/26.jpg)
IAEA
2016 IAEA Security Conference
• Submission of Synopsis by 13 May 2016
• Grant Applications by 13 May 2016
• Notification of authors – July 2016
• Submission of full papers – October 2016
• Full Programme available – November 2016
• Ministerial Segment – 5 December 2016
• Conference – 5-9 December 2016
Planned Technical Sessions:
• National legislative and regulatory framework for
nuclear security;
• Regulatory oversight for nuclear security;
• Threat and risk assessment;
Information security and computer security;
• Physical protection of nuclear material and
nuclear facilities.
Conference website:
http://www-pub.iaea.org/iaeameetings/50809/International-Conference-on-
Nuclear-Security-Commitments-and-Actions 26
![Page 27: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/27.jpg)
IAEA
Conclusions
Greater awareness and understanding of computer
security is needed at all levels
• Cyber adversaries continue to advance at a rapid pace
• Attack methods may be sophisticated, but also they often
take advantage of human failure
• Competent Authorities, Facilities, and Third Parties are all
targets of attack
• Security, including computer security, is a processes that
must continue to evolve and improve
27
![Page 28: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/28.jpg)
IAEA
Questions
Donald D. Dudenhoeffer
Nuclear Security Information Officer
International Atomic Energy Agency
Vienna International Centre
A-1400 Wien
Austria
Tel: +43 (1) 2600-26424
Fax: +43 (1) 2600-29299
28
![Page 29: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of](https://reader031.vdocument.in/reader031/viewer/2022030619/5ae4c72e7f8b9a29048b5a2b/html5/thumbnails/29.jpg)
IAEA
Fundamentals: • NSS No. 20 - Objective and Essential Elements of a State’s Nuclear Security Regime
Recommendations: • NSS No. 13 - Physical Protection of Nuclear Material and Nuclear Facilities
(INFCIRC/225/Revision 5)
• NSS No. 14 - Radioactive Material and Associated Facilities
• NSS No. 15 - Nuclear and Other Radioactive Material out of Regulatory Control
Implementing Guides: • NSS No. 10 Development, Use and Maintenance of the Design
Basis Threat (Update pending)
• NSS No. 23-G Security of Nuclear Information
• NST045 Computer Security for Nuclear Security
Technical Guidance: • NSS No. 17 Computer Security for Nuclear Facilities
• NST036 Computer Security of Nuclear I&C Systems
• NST047 Computer Security Methods for Nuclear Facilities
Computer Security in the Nuclear Security Series
29
Non-serial publications: • NST037 Conducting Computer Security Assessments
• NST038Computer Security Incident Response Planning