IAEA International Atomic Energy Agency

Computer Security as a Component of Nuclear Security: Observations and Lessons Learned

11 May 2016

Donald D. Dudenhoeffer


Page 1: Computer Security as a Component of Nuclear …csnsecurityconference.org/presentations/may-11-2016/DDudenhoeffer.pdfComputer Security as a Component of Nuclear Security: ... Rate of



Computer Security in the Nuclear World

“Computers play an essential role in all aspects of the management and safe and secure operation of nuclear facilities, including maintaining physical protection. It is vitally important that all such systems are properly secured against malicious intrusions.

Staff responsible for nuclear security should know how to repel cyber-attacks and to limit the damage if systems are actually penetrated.

The IAEA is doing what it can to help governments, organizations, and individuals adapt to evolving technology-driven threats from skilled cyber adversaries.

I am confident that, by working together and sharing experience, all of us can help to ensure computer security in the nuclear world.”

Remarks at International Conference on Computer Security in a Nuclear World, Vienna, Austria, 1 June 2015, by IAEA Director General Yukiya Amano


Observation on CS in Nuclear Security

Discuss 4 observations on computer security from developing programme guidance and from working with Member States


The Threat – Adversary – Bad Guy

Observation 1: Most people have a hard time understanding the threat and thinking like the adversary.

Who is the Adversary?

Lone wolf? Dedicated group? Trusted Employee?


Observation 1: Knowing thy Enemy


Threat Profiles and Classification

External and Internal threats

• Recreational Hackers

• Hacktivist, Social Activist

• Rogue Warriors

• Disgruntled Individuals

• Employees

• Contractors

• Third Parties

• Terrorist

• Criminal Groups

• Nation States

Motivation, Capability, Intention, Tactics, Targets (People and Things)


Nuclear Facilities (publicly known attacks)

Multiple computer security incidents have impacted nuclear facilities

• Monju NPP (Japan): Compromise of control room computer and release of information (2014)

• Korea Hydro and Nuclear Power (KHNP): Computer compromise and release of NPP documents (2014)

• Gundremmingen NPP (Germany): Computer virus found on plant IT systems and media (2016)


Competent Authorities beware…

Facilities are not the only targets of attack!

• IAEA (2012): Compromise of an old server resulted in the release of email addresses and other information.

• USNRC: Victim of multiple attacks that compromised emails and email accounts.

• OPM: Victim of persistent attacks on information related to security clearances, including the theft of over 4 million fingerprint files.


Fear

Observation 2: Fears are not always aligned with the risk.

What do you fear in a cyber attack? versus What should you fear?


Fear versus Risk

Question asked during a Feb 2016 meeting on Cyber Threat:

Which of these animals do you fear the most?

A.) Sharks

B.) Bees

C.) Spiders

D.) Dogs

E.) Snakes


The animals that are most likely to kill you: Average annual animal-caused fatalities in the US, 2001 - 2013

https://www.washingtonpost.com/news/wonk/wp/2015/06/16/chart-the-animals-that-are-most-likely-to-kill-you-this-summer/

[Bar chart, horizontal axis from 0 to 70. Categories: Sharks; Alligators; Bears; Venomous Snakes and Lizards; Spiders; Non-Venomous Arthropods; Cows; Dogs; Other Mammals; Bees, Wasps, and Hornets]


Survey – What are your Cyber Fears?

Ref: 2015 Cyberthreat Defense Report: North America & Europe, CyberEdge Group


Complexity

Observation 3: Challenge of Understandability


Fog of Complexity

- Digital I&C Architectures

- The Threat

- Attack Impact


Physical World – Well defined

Service history

In service: 1949–present

Designer: Mikhail Kalashnikov

Designed: 1944–1947

Manufacturer: Izhmash

Number built: approximately 75 million AK-47; 100 million AK-type rifles

Specifications

Weight: 4.78 kg (10.5 lb) with a loaded magazine; AKM weight with unloaded magazine 3.1 kg

Length: 880 mm (35 in) fixed wooden stock; 875 mm (34.4 in) folding stock extended; 645 mm (25.4 in) stock folded

Barrel length: 415 mm (16.3 in)

Cartridge: 7.62×39mm M43/M67

Action: Gas-operated, rotating bolt

Rate of fire: Cyclic rate of fire is 600 rounds/min; semi-auto rate of fire is 40 rounds/min; full-auto burst rate of fire is 100 rounds/min

Muzzle velocity: 715 m/s (2,350 ft/s)

Effective range: 350 metres (380 yd)

Feed system: Standard magazine capacity is 30 rounds. There are also 10, 20, 40, 75, or 100-round detachable box and drum style magazines.

Sights: Adjustable iron sights with a 378 mm (14.9 in) sight radius; AK-47 has 100–800 meter adjustments; AKM has 100–1000 meter adjustments


Impacts well understood

7.62×39mm

Specifications

Case type: Rimless, bottleneck

Bullet diameter: 7.92 mm (0.312 in)

Neck diameter: 8.60 mm (0.339 in)

Shoulder diameter: 10.07 mm (0.396 in)

Base diameter: 11.35 mm (0.447 in)

Rim diameter: 11.35 mm (0.447 in)

Rim thickness: 1.50 mm (0.059 in)

Case length: 38.70 mm (1.524 in)

Overall length: 56.00 mm (2.205 in)

Case capacity: 2.31 cm³ (0.0356 gr H2O)

Rifling twist: 240 mm (1 in 9.45 in)

Primer type: Boxer Large Rifle

Maximum pressure: 355.00 MPa (51,488 psi)

Filling: SSNF 50 powder

Filling weight: 18.21 gr

Ballistic performance (bullet weight/type: velocity, energy)

123 gr (8 g) Full metal jacket: 731.5 m/s (2,400 ft/s), 2,073.6 J (1,529.4 ft·lbf)

154 gr (10 g) Spitzer SP: 641.3 m/s (2,104 ft/s), 2,056.3 J (1,516.6 ft·lbf)

123.5 gr (8 g) Full metal jacket: 804.7 m/s (2,640 ft/s), 2,460 J (1,810 ft·lbf)

123 gr (8 g) Full metal jacket: 738 m/s (2,420 ft/s), 2,179 J (1,607 ft·lbf)

Test barrel length: 415 mm

Source(s): Wolf Ammo, Omar, Sellier & Bellot


The Cyber Threat

How does one characterize the threat?

Processor: Intel® Core™ i7-2640M Dual Core (2.80GHz, 4M cache)

Operating System: Windows 7 Professional, No Media, 64-bit

Display: 17.3" UltraSharp™ FHD (1920x1080) Wide View Anti-Glare LED-backlit

Memory: 4GB DDR3 SDRAM at 1333MHz

Hard Drive: 750GB 7200rpm Hard Drive

Video Card: AMD® FirePro® M8900 Mobility Pro Graphics with 2GB GDDR5

Optical Drive: 8X DVD+/-RW

System Weight: 7.77 lbs

We can talk about Operational Characteristics of computers


The Cyber Threat

How does one characterize the threat?

But how does one characterize the range of attack vectors – targets and methods, impacts?


Culture

Observation 4: Culture is key.

Security is a people issue, not just a technical issue

• Without good training, technology cannot be effective

• Attacks against organizational staff, including directed attacks, are a common tactic by adversaries

• Over half of all computer security compromises result from or are complicated by human error

• People can be your strongest asset or your weakest link in security


Infection Vectors

ICS-CERT responded to 295 reported incidents involving critical infrastructure (CI) in the US (Oct 2014 - Sept 2015).

“Unknown” – insufficient forensic data available to identify the initial intrusion vector.

Ref: ICS-CERT Monitor, Nov/Dec 2015


Placing a Man on the Moon

President John F. Kennedy was visiting NASA headquarters for the first time, in 1961. While touring the facility, he introduced himself to a janitor who was mopping the floor and asked him what he did at NASA.

The janitor replied, “I’m helping put a man on the moon!”

Obviously, the janitor understood the importance of his contribution. He truly felt he was a valuable part of something bigger than himself, and his attitude created a feeling of self-confidence in his mission. He wasn’t merely a janitor; he was a member of the 1962 NASA Space Team!

How do we empower and motivate each employee to be part of the Security Team?

Ref: http://www.tlnt.com/2012/06/07/company-goals-do-your-employees-have-a-line-of-sight-to-them/


Trends for 2015 and Beyond

• Increase in the number of adversaries (state and cyber criminals) with cyber capability.

• Cybercrime-as-a-service is likely to increase, reducing the barriers for entry for cybercriminals.

• Sophistication of the current cyber adversaries will increase, making detection and response more difficult.

• Spear phishing will continue to be popular with adversaries, and the use of watering-hole techniques will increase.

• Ransomware will continue to be prominent.

• Increase in the number of cyber adversaries with a destructive capability and, possibly, the number of incidents with a destructive element.

• Increase in electronic graffiti, such as web defacements and social media hijacking, which is designed to grab a headline.

Ref: Australian Cyber Security Centre 2015 Threat Report


Survey – Inhibitors to Effective CS

Ref: 2015 Cyberthreat Defense Report: North America & Europe, CyberEdge Group


NSNS Computer Security Programme Plan

Directs

Informs

Implements

Member States

• NSGC

• INSSPS

• Expert Meetings


NSNS Computer Security Programme Plan

2016 Priority Action Items

• NSS guidance development

• Coordinated research in computer security incident response

• Development of hands-on training curriculums to support specialized computer security training for the protection of ICS

• Investigation of information sharing for computer security incident information, security notices on system vulnerabilities and threats relevant for nuclear security.

• Expert meetings to support global information exchange and training.


2016 Priority Action Items

1. Revision and development of NSS guidance.

2. Coordinated Research Project on technologies and processes that support computer security incident response at nuclear facilities.

3. Investigation of information sharing for computer security incidents and notices relevant for nuclear security.

4. Expert meetings to support global information exchange.

5. Development of hands-on training to support specialized computer security training for the protection of systems used for nuclear safety, nuclear security, and NMAC.


2016 IAEA Security Conference

• Submission of Synopsis by 13 May 2016

• Grant Applications by 13 May 2016

• Notification of authors – July 2016

• Submission of full papers – October 2016

• Full Programme available – November 2016

• Ministerial Segment – 5 December 2016

• Conference – 5-9 December 2016

Planned Technical Sessions:

• National legislative and regulatory framework for nuclear security;

• Regulatory oversight for nuclear security;

• Threat and risk assessment;

• Information security and computer security;

• Physical protection of nuclear material and nuclear facilities.

Conference website:

http://www-pub.iaea.org/iaeameetings/50809/International-Conference-on-Nuclear-Security-Commitments-and-Actions


Conclusions

Greater awareness and understanding of computer security is needed at all levels

• Cyber adversaries continue to advance at a rapid pace

• Attack methods may be sophisticated, but they also often take advantage of human failure

• Competent Authorities, Facilities, and Third Parties are all targets of attack

• Security, including computer security, is a process that must continue to evolve and improve


Questions

Donald D. Dudenhoeffer

Nuclear Security Information Officer

International Atomic Energy Agency

Vienna International Centre

A-1400 Wien

Austria

Tel: +43 (1) 2600-26424

Fax: +43 (1) 2600-29299



Computer Security in the Nuclear Security Series

Fundamentals:

• NSS No. 20 - Objective and Essential Elements of a State’s Nuclear Security Regime

Recommendations:

• NSS No. 13 - Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5)

• NSS No. 14 - Radioactive Material and Associated Facilities

• NSS No. 15 - Nuclear and Other Radioactive Material out of Regulatory Control

Implementing Guides:

• NSS No. 10 Development, Use and Maintenance of the Design Basis Threat (Update pending)

• NSS No. 23-G Security of Nuclear Information

• NST045 Computer Security for Nuclear Security

Technical Guidance:

• NSS No. 17 Computer Security for Nuclear Facilities

• NST036 Computer Security of Nuclear I&C Systems

• NST047 Computer Security Methods for Nuclear Facilities

Non-serial publications:

• NST037 Conducting Computer Security Assessments

• NST038 Computer Security Incident Response Planning