Securing computers and computerized information at nuclear power plants is a real challenge. While the main concern is malevolent cyber-attacks that threaten the security of nuclear power plants, non-malevolent activities, including human error, can also jeopardize the security of computers and computerized information.
Since 2005, the International Atomic Energy Agency (IAEA) has promoted computer and information security awareness with specific focus on nuclear material, other radioactive material and associated facilities or associated activities. This includes the development of technical resources, guidance documents and regional training courses to support the growing need for computer security awareness to combat information loss and cyber-attacks against nuclear facilities.
The objective of the IAEA’s Computer and Information Security Programme is to provide guidance, technical expertise and outreach to support States in developing a comprehensive and resilient computer and information security programme. Further, it assists States in preventing computer acts that could directly or indirectly lead to:
- Unauthorized removal of nuclear/other radioactive material;
- Sabotage against nuclear material or of nuclear facilities; and
- Theft of nuclear sensitive information.
The good news is that advances in computer technologies, signal processing, analytical modeling, and the advent of wireless sensors have provided the nuclear industry with ample means to automate and optimize maintenance activities and improve safety, security, efficiency, and availability, while reducing costs and radiation exposure to maintenance personnel. Here is a graph which illustrates one generic categorization of nuclear power plant systems as they associate with Safety, Security and Emergency Preparedness (SSEP):
We need to take into consideration that nuclear power plant data networks (NPPDNs) and their associated safety systems are being modernized to include many information technology (IT) networks and applications. Along with the advancement of plant data networks (PDNs), instrument and control (I&C) systems are being upgraded with modern digital, microprocessor-based systems. These systems provide a high degree of automation to enhance plant operation, reduce operator burden, and improve situational awareness during normal and off-normal conditions. However, these same systems introduce challenges for the nuclear power industry.
Digital I&C systems, such as process control and safety systems, rely on the NPPDN—the essential backbone of a secure nuclear power plant (NPP) network design. Figure 1 displays a hypothetical NPP’s modern and integrated data and communications architecture. The NPPDN must be highly reliable, maintainable, and independent to ensure that all digital I&C systems will perform their particular missions. Additionally, that network must also support a necessary data bandwidth for conveying system-operational information to the user.
Many of the differences between NPPDN architectures and traditional information processing system architectures stem from the fact that logic executing on an NPPDN can have a direct effect on the physical world. These differing characteristics include the potential for significant risk to the health and safety of human lives, serious damage to the environment, and serious financial issues, such as production losses and negative impact to the nation’s economy.
Possible incidents an NPP may face include:
- Blocked or delayed flow of information through NPP networks, which could disrupt NPP operation;
- Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life;
- Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects; and
- Interference with the operation of safety systems, which could endanger human life.
The trend toward integrating nuclear power I&C networks with business processing and corporate IT networks reduces isolation for the NPPDN from the outside world. Also, unlike typical information processing systems, the NPPDN’s security objectives follow the priority of network availability and reliability—a focus on safety and efficiency that may sometimes conflict with security in the design and operation of a more modern IT-based NPP.
Cyber security assessment consists of methods and procedures used to assess the effectiveness of cyber security controls in a digital system. In particular, the assessment methods and procedures are used to determine if the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the asset owner. Cyber security assessment is one of the most reliable methods of determining whether a system is configured and continues to be configured to the correct security controls and policy.
1. CYBER SECURITY ASSESSMENT:
Here are three main objectives of an assessment which were articulated by the Sandia National Laboratories (SNL):
- To fill the gap between the state of the art in NPPDN design and actual operation of these systems.
The justification is that no matter how well an NPPDN may have been developed, the nature of complex digital I&C systems with large volumes of code, complex internal interactions, interoperability with uncertain external components, unknown interdependencies coupled with cost and schedule pressures, means that exploitable flaws are present or will surface over time;
- To help understand, calibrate, and document the operational security posture of an NPP.
The justification is that aside from development of these digital I&C systems, operational and security demands must be met in a fast changing threat and vulnerability environment. Attempting to learn and repair the state of a network’s security during a major attack is very expensive in cost and reputation and is largely ineffective; and
- To serve as an essential component of improving the security posture of a network.
The justification is that NPPs that have an organized, systematic, comprehensive, ongoing, and priority-driven security testing regimen are in a much better position to make prudent investments to enhance the security posture of their NPPDN and digital I&C systems.
Cyber security assessment is a necessary aspect of secure network design and operation at an NPP. It is important that the NRC, NPP operators, and NPPDN administrators do not only invest in risk analysis, certification and accreditation (C&A), security architectures, and policy development, but also develop a cohesive, well-thought-out operational cyber security assessment program that is integrated throughout the system lifecycle, including development, maintenance, and retirement phases.
The system lifecycle includes the following phases:
- Phase 1: Concept;
- Phase 2: Requirements;
- Phase 3: Design;
- Phase 4: Implementation; and
- Phase 5: Test.
All results from a cyber security assessment should be fed back into the system lifecycle to ensure that owners, operators, and administrators have a “big picture” view of their operating environment and how that environment may need to change to make assessment easier and to reduce exposures to vulnerabilities. The results of a cyber security assessment can be used as:
- A reference point for corrective action in defining mitigation activities to address identified vulnerabilities; and
- A benchmark for tracing an organization’s progress in meeting security requirements:
- To assess the implementation status of system security requirements;
- To conduct cost/benefit analysis for improvements to system security; and
- To enhance other lifecycle activities, such as risk assessments, C&A, and performance improvement efforts.
In short, cyber security assessments can provide value to every stage of the system lifecycle and are necessary to secure network design, operation, and maintenance.
Although modern NPPDNs are being built using IT protocols and design practices, there are important differences between the two operational environments. These differences can impact both how security controls are implemented and how security is assessed. For example:
2. ASSESSMENT TOOLS AND TECHNIQUES:
There are several different types of cyber security assessments. The following graph (Figure: 03) illustrates nine different assessment techniques:
2.1 Network Scanning:
Network scanning involves using tools to identify all hosts connected to a network and determine the operating system and network services running on those hosts. The focus of the network scan should be on systems (rather than just devices) and should include programmable logic controllers (PLC), distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, and instrument-based systems that use a monitoring device, such as a human-machine-interface (HMI), in addition to printers, firewalls, switches, and routers. Assets that use a routable protocol or are dial-up accessible should also be documented.
Network scanning is typically accomplished using port scanners that identify active hosts in a user-specified address range. Once active hosts have been identified, they are scanned for open ports; port numbers are used to identify the network services that are likely operating on that host. As the cyber security assessment team identifies NPPDN assets, the information should be recorded in a standard format, creating a comprehensive list of every device that has a network address or is accessible from any other device in the IP address space scanned by the port-scanning tool. The cyber security team should review and update the NPPDN asset list at least annually.
A number of network scanners support different scanning methods that have different strengths and weaknesses, which are usually explained in the scanner documentation. For example, certain tools are better suited for scans through firewalls and others are better suited for scans that are internal to the firewall. All basic scanners should identify active hosts and open ports, but some scanners provide additional information, such as target operating system, about the scanned hosts.
However, activities like operating system fingerprinting are not foolproof, because system administrators can configure their firewalls to block certain ports and types of traffic and configure their systems to respond in nonstandard ways that camouflage the true OS. Some network scanners will also assist in identifying the application running on a particular port by capturing banner information transmitted by remote hosts when clients connect to them. Once again, banner grabbing is not foolproof, because security-conscious system administrators will configure banners such that they transmit misleading information.
Although the scanning process itself can be highly automated, the interpretation of scanned data is not. A relatively high level of human expertise is required to interpret the results of a thorough network scan. Network scanning should be conducted to:
- Check for unauthorized hosts connected to the NPPDN;
- Identify vulnerable services;
- Identify deviations from the allowed services defined in the NPP’s security policy;
- Prepare for penetration testing;
- Assist in the configuration of an intrusion detection system (IDS); and
- Collect forensic evidence.
Network scanning results should be documented and any identified deficiencies corrected. The following corrective actions may be necessary as a result of network scanning:
- Investigate and disconnect unauthorized hosts;
- Disable or remove unnecessary and vulnerable services;
- Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts; and
- Modify NPPDN firewalls to restrict outside access to known vulnerable services.
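The first two scanning goals above (unauthorized hosts, deviations from allowed services) come down to reconciling scan output with the asset list. The following is an added example, not part of the original article: it assumes the scanner output is in Nmap's grepable (`-oG`) layout, and the addresses, host names and inventory are constructed for illustration.

```python
import re

# Constructed sample in Nmap's grepable (-oG) layout. Addresses come from the
# 192.0.2.0/24 documentation range; host names are invented for illustration.
SCAN_OUTPUT = (
    "Host: 192.0.2.10 (hmi-01)\tPorts: 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///\n"
    "Host: 192.0.2.20 (plc-07)\tPorts: 502/open/tcp//modbus///, "
    "23/open/tcp//telnet///\n"
    "Host: 192.0.2.30 (historian)\tPorts: 1433/open/tcp//ms-sql-s///, "
    "22/closed/tcp//ssh///\tIgnored State: filtered (998)\n"
    "Host: 192.0.2.99 ()\tPorts: 80/open/tcp//http///\n"
)

# Hypothetical asset list: address -> (asset name, TCP ports the policy allows).
INVENTORY = {
    "192.0.2.10": ("hmi-01", {443}),
    "192.0.2.20": ("plc-07", {502}),
    "192.0.2.30": ("historian", {1433}),
    "192.0.2.40": ("eng-ws-02", {22}),
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Return {address: set of open TCP ports} from grepable scan output."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # status lines, comments, blank lines
        addr, ports_field = match.groups()
        ports_field = ports_field.split("\t")[0]  # drop "Ignored State" etc.
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                hosts.setdefault(addr, set()).add(int(parts[0]))
        hosts.setdefault(addr, set())  # host answered even if nothing is open
    return hosts


def reconcile(scan, inventory):
    """Compare scan results with the asset list and allowed-services policy."""
    findings = {"unauthorized_hosts": [], "policy_deviations": {}, "not_seen": []}
    for addr in sorted(scan):
        if addr not in inventory:
            findings["unauthorized_hosts"].append(addr)
            continue
        extra = scan[addr] - inventory[addr][1]
        if extra:
            findings["policy_deviations"][addr] = sorted(extra)
    # Assets on the list that did not answer: powered off, moved, or filtered.
    findings["not_seen"] = sorted(a for a in inventory if a not in scan)
    return findings


if __name__ == "__main__":
    for kind, value in reconcile(parse_grepable(SCAN_OUTPUT), INVENTORY).items():
        print(kind, value)
```

Each finding maps onto a corrective action from the list above: unauthorized hosts are investigated and disconnected, and unexpected open ports are disabled or restricted.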
2.2 Vulnerability Scanning:
Vulnerability scanning involves using a vulnerability scanner to identify out-of-date software versions, to identify applicable patches or system upgrades, and to validate compliance with, or deviations from, the security policy. Like a network scanner, a vulnerability scanner identifies open ports, operating systems, and major software applications running on hosts. However, vulnerability scanners also employ large databases of vulnerabilities and exposures to identify flaws associated with the identified aspects and potential mitigations for those flaws. In cases where the operator has administrative access to the vulnerable host, a vulnerability scanner can also automatically make corrections and fix certain discovered vulnerabilities. However, changes in configuration should always be tested in off-line development systems before integration with a production NPPDN.
Vulnerabilities have been classified into the following three categories:
- Policy and Procedure Vulnerabilities;
- Platform Vulnerabilities; and
- Network Vulnerabilities.
Vulnerability scanners may be network-based or host-based. Network-based scanners are used primarily for mapping an entire network and identifying open ports and related vulnerabilities. In most cases, these scanners are not limited by the OS of targeted systems. The scanners can be installed on a single system on the network and can quickly locate and test numerous hosts.
Host-based scanners have to be installed on each host to be tested and can provide a report of the applications that are resident, provide account profiles to determine who is allowed on the machines, and provide a list of processes or services running on the host. Because host-based scanners are able to detect vulnerabilities at a higher degree of detail than network-based scanners, they usually require not only local access but also administrative access. The results of a vulnerability scan should be reviewed by the cyber security team to determine if the system’s security profile is consistent with the security policy.
The following table gives a sampling of common vulnerability scanning tools:
2.2.2 Techniques:
Vulnerability scanners provide system and network administrators with proactive tools that can be used to identify vulnerabilities before they are discovered and exploited by adversaries. The cyber security assessment team can conduct vulnerability scanning in order to:
- Identify active hosts on the network;
- Identify active and vulnerable services on hosts;
- Identify applications;
- Identify operating systems;
- Identify vulnerabilities associated with discovered operating systems and applications;
- Identify misconfigurations;
- Test compliance with host application usage and security policies; and
- Establish a foundation for penetration testing.
Cyber security teams should conduct vulnerability scanning to validate that OS and major applications are up-to-date on security patches and software versions (where possible). Vulnerability scanning is a somewhat labor-intensive activity that requires a high degree of human involvement to interpret the results.
Vulnerability scanning results should be documented and any discovered deficiencies should be corrected. The following corrective actions may be necessary as a result of vulnerability scanning:
- Upgrade or patch vulnerable systems to mitigate identified vulnerabilities as appropriate;
- Deploy mitigating measures (technical or procedural) if the system cannot be immediately patched (e.g., the system/software is safety-related or an OS upgrade will make the application running on top of the OS inoperable) to minimize the probability of this system being compromised;
- Improve the configuration management program and procedures to ensure that systems are upgraded routinely;
- Assign a staff member to monitor vulnerability alerts and mailing lists, examine their applicability to the NPPDN and its component digital I&C systems, and initiate appropriate system changes; and
- Modify security policies, system architecture records, and other documentation to ensure that security practices include timely system updates and upgrades.
Vulnerability scanning should be conducted at least quarterly. Highly critical systems, such as firewalls, edge routers, and other perimeter points of entry, should be scanned nearly continuously. It is also recommended that since no vulnerability scanner can detect all vulnerabilities, more than one should be used.
2.3 Password Cracking:
Password cracking is used to verify that users are employing passwords that are sufficiently strong and that comply with security policy. Passwords are generally stored and transmitted in an encrypted form called a hash. When a user logs on to a device or system and enters a password, a hash is generated and compared to a stored hash. If the entered and the stored hashes match, the user is authenticated.
Password hashes can be intercepted (using a network sniffer) when they are transmitted across the network or they can be retrieved from the target system, which generally requires administrative access. Once password hashes are obtained, an automated password cracker rapidly generates hashes until a match is found. If passwords are not encrypted in a hash, then brute-force and dictionary attacks can be used to attempt to guess the passwords.
The following actions should be taken if an unacceptably high number of passwords can be cracked:
- If the compromised passwords were selected according to security policy, then the policy should be modified to reduce the percentage of crackable passwords. If such policy modification would lead to passwords that hinder emergency response procedures during times of crisis or that are difficult to memorize, the organization should consider replacing password authentication with another form of authentication; and
- If the compromised passwords were not selected according to security policy, then the users should be educated on possible impacts of weak password selections. Many server platforms also allow the NPPDN administrator to set minimum password length and complexity.
As with network and vulnerability scanning, consideration should be given to the impact that active password cracking may have on operational production systems. Password cracking can be conducted off-line by first harvesting password hashes and then performing assessment activities on a system that is not critical to the NPPDN reliability and availability. Password cracking should be performed on a host that is completely stand-alone. This recommendation is based on the fact that the system, if successful in cracking hashes, will contain particularly sensitive security information, and the origin of many password cracking tools is questionable. Outsourcing password cracking to a reputable third party with specialized expertise is also an option, but to do so requires a secure password hash transfer mechanism.
2.4 Log Review and Analysis:
Log review and analysis involves auditing various system logs in order to identify deviations from the security policy. Logs that should be reviewed include firewall logs, intrusion detection/prevention system (IDS/IPS) logs, server logs, and any other logs that are collecting audit data on process control and safety systems and all NPPDN devices. Log review and analysis provides a dynamic picture of ongoing system activities that can be compared with the intent and content of the security policy.
Because manual audit log review can be extremely cumbersome and time consuming, automated audit tools can significantly reduce the required review time and generate reports that summarize the log contents to a set of specific activities. However, it is critical that any filters applied to the logs only filter out what is unwanted and pass everything else.
The following table gives a sampling of common log review and analysis tools:
Log reviews should be conducted very frequently, if not daily, on critical process control and safety systems and perimeter devices. For the specific purpose of confirming required security configurations, monthly assessments may be sufficient with the exception of on-demand reviews resulting from major system upgrades that require validation.
The following actions should be taken if a system is not configured according to organizational security policies:
- Remove vulnerable services if they are not needed. Limit access to them if they are needed;
- Reconfigure the system as required to reduce the chance of compromise;
- Change the firewall policy to limit access to the vulnerable system or service; and
- Change the firewall policy to limit accesses from the IP subnet that is the source of compromise.
Device configurations that ensure logging of events should be tested in non-production, development networks to ensure reliable log collection and storage prior to integration into the operational NPPDN. Log review and analysis should be conducted off-line to prevent degradation of NPPDN communications. Logs can be automatically harvested and stored in a central server for later analysis and correlation.
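The caution above, that a log filter should only remove what is unwanted and pass everything else, is shown in the following added example (not part of the original article). The log lines, the key=value layout and the suppression rule are constructed for illustration.

```python
# Constructed firewall log lines in a key=value style; not from a real device.
SAMPLE_LOG = [
    "2024-03-01T02:00:01Z fw1 action=allow src=192.0.2.10 dst=192.0.2.30 dport=1433 proto=tcp",
    "2024-03-01T02:00:05Z fw1 action=deny src=198.51.100.7 dst=192.0.2.20 dport=23 proto=tcp",
    "2024-03-01T02:00:09Z fw1 action=allow src=203.0.113.50 dst=192.0.2.20 dport=502 proto=tcp",
    "2024-03-01T02:00:12Z fw1 config change by admin: rule 14 modified",
    "2024-03-01T02:00:15Z fw1 action=allow src=192.0.2.10 dst=192.0.2.30 dport=1433 proto=tcp",
]

# Hypothetical suppression rules: each one describes a single, fully specified
# routine event that the reviewers have agreed they do not need to see.
SUPPRESS = [
    {"action": "allow", "src": "192.0.2.10", "dst": "192.0.2.30", "dport": "1433"},
]


def parse_fields(line):
    """Extract key=value tokens; lines in an unknown format yield {}."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def is_suppressed(fields, rules):
    """True only if every field of some non-empty rule matches exactly."""
    for rule in rules:
        # An empty rule would match every line, so it is ignored on purpose.
        if rule and all(fields.get(key) == value for key, value in rule.items()):
            return True
    return False


def review_queue(lines, rules=SUPPRESS):
    """Filter OUT known-routine events and pass everything else to review.

    Lines that cannot be parsed never match a rule, so they are passed on
    rather than silently dropped.
    """
    return [ln for ln in lines if not is_suppressed(parse_fields(ln), rules)]


def keyword_filter(lines, keyword="action=deny"):
    """The opposite design: keep only lines that match an expected pattern."""
    return [ln for ln in lines if keyword in ln]


def missed_by_keyword_filter(lines):
    """Events the suppress-only filter surfaces but the keyword filter hides."""
    kept = set(keyword_filter(lines))
    return [ln for ln in review_queue(lines) if ln not in kept]


if __name__ == "__main__":
    print("For review:")
    for line in review_queue(SAMPLE_LOG):
        print("  ", line)
    print("Hidden by a keep-only-denies filter:")
    for line in missed_by_keyword_filter(SAMPLE_LOG):
        print("  ", line)
```

On the sample, the keep-only-denies filter hides an allowed connection from an outside address to a controller and a firewall configuration change, both of which the suppress-only filter passes to the reviewer.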
2.5 File Integrity Checking:
Checking the integrity of files involves computing a checksum for every guarded file and storing that file checksum in a database for later recall. File integrity checkers are a tool for the system administrator to recognize changes to files, particularly unauthorized changes. Stored checksums should be recomputed regularly to test the current value against the stored value to identify any file modifications. A file integrity checker capability is usually included with any commercial host-based IDS.
The following table gives a sampling of common file integrity checking tools:
2.5.2 Techniques:
NIST recommends that file integrity checkers be run daily on select system files that would be most likely to be affected by a compromise. However, even if the integrity checker is run only once (when the system is first installed), it can still be a useful activity for determining which files have been modified and the extent of possible damage in the case of a suspected compromise. If an integrity checker detects unauthorized system file modifications, the possibility of a security incident should be considered and investigated according to incident response and reporting policy and procedures.
Although integrity checking tools do not require a high degree of human interaction, they must be used carefully to ensure their effectiveness. A known-good system must be used to create the initial reference database. Otherwise, cryptographic hashes of a compromised system may be stored inadvertently. Additionally, the reference database should be stored off-line so that it is not accessible to potential attackers. Finally, in order to decrease the number of false positive alarms, the checksum database must be updated following each file update and system configuration change (e.g., patch implementation).
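The baseline, recheck and update cycle described in this section is illustrated by the following added example (not part of the original article, and not how any particular commercial tool works). It assumes SHA-256 as the checksum and a JSON file as the reference database; file names and contents are constructed.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Checksum one file without loading it into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative path: checksum} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def save_baseline(digests, db_path):
    # db_path should live outside the guarded tree (ideally on off-line media).
    with open(db_path, "w", encoding="utf-8") as fh:
        json.dump(digests, fh, indent=2, sort_keys=True)


def load_baseline(db_path):
    with open(db_path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify differences between the reference database and the live tree."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def accept_changes(baseline, current, approved_paths):
    """Update the baseline ONLY for paths covered by an approved change.

    Anything else that differs stays in the report, so a patch does not
    become a way to whitewash an unrelated modification.
    """
    updated = dict(baseline)
    for path in approved_paths:
        if path in current:
            updated[path] = current[path]
        else:
            updated.pop(path, None)
    return updated


def demo():
    """Baseline a known-good tree, then apply one patch and one tamper."""
    with tempfile.TemporaryDirectory() as guarded, \
            tempfile.TemporaryDirectory() as offline:
        def write(name, data):
            with open(os.path.join(guarded, name), "wb") as fh:
                fh.write(data)

        write("setpoints.conf", b"trip_level=85\n")   # constructed contents
        write("logic.bin", b"\x01\x02\x03")
        db = os.path.join(offline, "baseline.json")
        save_baseline(snapshot(guarded), db)

        write("logic.bin", b"\x01\x02\x04")            # approved patch
        write("setpoints.conf", b"trip_level=99\n")    # unapproved change
        write("unknown.tmp", b"?")                     # unexpected new file

        baseline, current = load_baseline(db), snapshot(guarded)
        before = compare(baseline, current)
        save_baseline(accept_changes(baseline, current, ["logic.bin"]), db)
        after = compare(load_baseline(db), current)
        return before, after


if __name__ == "__main__":
    for label, report in zip(("before update", "after update"), demo()):
        print(label, report)
```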
2.6 Malware Detection:
Malware detection involves using software to detect viruses, worms, Trojan horses, back-doors, keystroke loggers, root kits, or spyware on information processing systems, no matter the source of infection. Although the overwhelming majority of malware attacks are not associated with energy production and control systems, these systems are becoming increasingly interconnected with IP networks and, therefore, are more susceptible to Internet threats.
The following table gives a sampling of common Malware Detection tools:
2.6.2 Techniques:
The most important aspect of malware detection software is frequent regular updates of malware definition files and on-demand updates when a major virus or other variant of malware is known to be spreading throughout the Internet. NIST recommends the following preliminary steps in order to minimize the chances of a major infection:
- Malware definition files should be updated at least weekly and whenever a major outbreak of a new malware variant occurs;
- The anti-malware software should be configured to run continuously in the background and use heuristics, if available, to identify malicious software; and
- After the malware definition files are updated, a full system scan should be performed.
The cyber security team must determine if malware detection software can be actively installed on NPP systems responsible for the operation, control, and status of energy production assets. This determination requires both confirmation of vendor licensing agreements and a deep understanding of the software package's interaction with the underlying system. Additionally, use case analysis must determine if adding malware detection capabilities will require a re-validation of the NPPDN after any update of the software. If there is a need for re-validation of system operations, this could severely restrict operations of the NPPDN. Finally, all malware detection tools should be tested in an off-line, development network to determine the impact of active scanning on NPPDN communications and process control and safety system performance.
2.7 War Dialing:
Historically, modems have always been part of legacy energy production and utility infrastructure. However, even in modern NPPDNs, modems are still used for engineering support to remotely access field devices (e.g., RTUs and protective relays located at substations) for remote configuration and status reporting. Equipment vendors also use modems to reach field devices for maintenance or upgrade activities covered under licensing agreements. Modems are normally unsophisticated devices that provide ingress to the secure network, have limited default security, and many times are overlooked in cyber security plans.
It is important to understand all potential insertion points into the NPPDN. Modems can be connected in two primary ways:
- Via a dedicated line configuration that allows for a preconfigured circuit switch connecting through the utility’s telecommunication network; or
- Through the public switched telephone network (PSTN) via a dial-up connection to the modem’s telephone number. In most organizations, firewalls and RASs are the main perimeter access points. However, improperly secured modems can allow a penetration of the NPPDN by bypassing the access control points.
There are several software packages available that allow attackers and network administrators to conduct a war dialing assessment. The following table gives a sampling of common war dialing tools:
2.7.2 Techniques:
NIST recommends that war dialing be conducted at least annually and performed after-hours to limit potential disruption to employees and the NPP’s phone system; however, this must be balanced with the possibility that some modems may be turned off after hours and, therefore, will not be detected. The check should include all numbers that belong to the NPP, except those that could be impacted negatively by receiving a large number of calls (e.g., 24-hour operation centers, emergency numbers, etc.). In particular, care should be taken with sensitive field devices without redundant failover. Most war dialing software allows the tester to exempt particular numbers from the calling list.
If any unauthorized modems are identified, they should be investigated and removed, if appropriate. Generally, the Private Branch Exchange (PBX) administrator can identify the user to whom the number was assigned. If removal is not possible, the PBX should be configured to block inbound calls to the modem. If inbound calls are required, strong authentication should be employed.
2.8 Wireless Testing:
Wireless technology is a rapidly growing area of networking. The use of wireless communications in energy production and utility infrastructure has traditionally been associated with the connection of distant substations through radio, microwave, or sometimes satellite to provide distant reach back. With the introduction of substation automation, the use of wireless applications is expanding. Wireless local area networks (WLANs) are rapidly replacing unauthorized modems as the most popular back door into networks, because they may provide attackers the means to bypass firewalls and IDSs if the access point is placed within the security perimeter.
The most popular wireless protocol is 802.11, which has serious flaws in its implementation of the Wired Equivalent Privacy (WEP) protocol, making it vulnerable to insertion attacks, interception and monitoring of wireless traffic, DoS attacks, and client-to-client attacks. Additional security risks in wireless networks result when access points are configured in the least secure mode out of the box. For example, wireless access points by default send out beacon frames to announce themselves so clients can find them and initiate a connection.
Because the access point service set identifier (SSID) is sent out in the clear, it is easy for unauthorized clients to attempt access to the WLAN. These default configurations make installation easier, but put the responsibility for security on the network administrator or user installing the wireless network—a particular problem when users add unauthorized wireless access points in their own work spaces.
During assessments, mobile wireless and intrusion detection prevention sensors, scanners, and other similar tools should be used to search for rogue WLANs within the security perimeter. Creating one or more portable computers with wireless network cards and testing tools for detecting WLANs will assist in this effort.
The following table gives a sampling of common wireless testing tools:
2.8.2 Techniques:
NIST recommends that WLAN security assessments be performed at least annually, but as frequently as every quarter if continuous monitoring is not collecting all of the necessary information about WLAN attacks and vulnerabilities. NPPs with high risks and threats should test for unauthorized or misconfigured WLANs on at least a monthly basis. Randomized audit schedules are also recommended for discouraging users that may consider temporarily connecting an unauthorized wireless access point to the NPPDN infrastructure.
The following are additional factors that should be considered when planning the frequency and breadth of WLAN security assessments:
- The location of the facility being scanned, because the physical proximity of a building to a public area (e.g., streets and public common areas) or its location in a busy metropolitan area may increase the risk of WLAN threats;
- The sensitivity and security level of the data to be transmitted on the WLAN;
- The threat level faced by the NPP;
- Organizational control over NPPDN resources (e.g., an organization with tight central control over the network may need to test less often than one with a very decentralized network support structure); and
- How often WLAN client devices connect to and disconnect from the environment and the typical traffic levels for these devices (e.g., occasional activity or fairly constant activity), because only active WLAN client devices are discoverable during a WLAN scan.
2.9 Penetration Testing:
Penetration testing is an assessment methodology in which evaluators (e.g., the cyber security team or approved contractors) attempt to circumvent the security features of a system based on their understanding of the system design and implementation. It is an iterative process wherein testers attempt to leverage minimal access to gain greater access. The purpose of penetration testing is to identify methods of gaining unauthorized access to a system by using tools and techniques commonly used by attackers.
Penetration testing can be overt or covert. Overt penetration testing involves performing testing with the knowledge and consent of the NPP’s IT staff. On the other hand, covert penetration testing involves testing without the knowledge of the IT staff, but with the full knowledge and permission of the NPP’s upper management. This type of penetration test is useful for testing not only NPPDN security, but also the IT staff’s response to perceived security incidents and their knowledge and implementation of the cyber security policy.
The following table gives a sampling of common penetration testing tools:
2.9.2 Techniques:
Penetration testing should only be performed after careful consideration, planning, and notification. Although penetration testing can be an invaluable asset to the cyber security program, it is a very labor-intensive activity and requires great expertise to minimize the risk to targeted systems. At a minimum, it may slow NPPDN response time due to network scanning and vulnerability scanning. Furthermore, the possibility exists for process control and safety systems to be damaged in the course of penetration testing and rendered inoperable. Although this risk is mitigated by the use of experienced penetration testers, it can never be fully eliminated.
Since penetration testing is designed to simulate an attack and use tools and techniques that may be restricted by law, it is imperative to get formal permission for conducting penetration testing prior to starting. This permission, often called the rules of engagement, should include:
- Specific IP addresses and ranges to be tested;
- Any restricted hosts (e.g., process control and safety systems) not to be tested;
- A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (e.g., password crackers, vulnerability scanners, etc.);
- Times when testing is to be conducted (i.e., during or after business hours);
- Identification of a finite period for testing;
- IP addresses of the machines from which penetration testing will be conducted (so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks);
- Points of contact for the penetration testing team, the targeted systems, and the networks;
- Measures to prevent law enforcement being called with false alarms (created by testing); and
- Handling of information collected by the penetration testing team.
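The rules of engagement only help administrators separate test traffic from real attacks if they are recorded in a form the monitoring team can check alerts against. The following sketch is an added example, not part of the original guidance; the `RulesOfEngagement` structure, the `classify_alert` function and all addresses, dates and hours are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class RulesOfEngagement:
    in_scope: tuple        # networks approved for testing
    restricted: tuple      # hosts never to be tested (e.g. safety systems)
    tester_sources: tuple  # addresses the test team works from
    start: datetime        # finite testing period
    end: datetime
    daily_from: time       # permitted hours within each day
    daily_to: time

def classify_alert(roe, src, dst, when):
    """Return 'authorized-test', 'roe-violation' or 'investigate'."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in {ip_address(a) for a in roe.tester_sources}:
        return "investigate"          # not the test team: treat as real
    in_period = roe.start <= when <= roe.end
    in_hours = roe.daily_from <= when.time() <= roe.daily_to
    in_scope = any(dst in ip_network(n) for n in roe.in_scope)
    restricted = dst in {ip_address(a) for a in roe.restricted}
    if in_period and in_hours and in_scope and not restricted:
        return "authorized-test"
    return "roe-violation"            # testers outside the agreed terms

# Constructed values (documentation address ranges), not from the page.
ROE = RulesOfEngagement(
    in_scope=("192.0.2.0/24",),
    restricted=("192.0.2.10",),
    tester_sources=("198.51.100.7",),
    start=datetime(2024, 3, 4, 0, 0),
    end=datetime(2024, 3, 8, 23, 59),
    daily_from=time(18, 0),
    daily_to=time(23, 0),
)

if __name__ == "__main__":
    alerts = [  # constructed IDS alerts: (source, destination, timestamp)
        ("198.51.100.7", "192.0.2.25", datetime(2024, 3, 5, 19, 30)),
        ("198.51.100.7", "192.0.2.10", datetime(2024, 3, 5, 19, 31)),
        ("198.51.100.7", "192.0.2.25", datetime(2024, 3, 5, 9, 0)),
        ("203.0.113.9", "192.0.2.25", datetime(2024, 3, 5, 19, 32)),
    ]
    for src, dst, when in alerts:
        print(when.isoformat(), src, dst, classify_alert(ROE, src, dst, when))
```

A source-address match is a triage hint only; an "authorized-test" result should still be confirmed with the penetration testing team's point of contact, and a "roe-violation" should stop the test until it is explained.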
Penetration testing is important for determining how vulnerable a network is and the level of damage that can occur if the network is compromised. Of the two types of penetration tests, overt penetration testing is the least expensive and most frequently used. Because of stealth requirements, covert penetration testing requires more time and expense. To operate in a stealth environment, a penetration testing team will need to slow its network and vulnerability scans to move below the threshold of the IDS, IPS, and firewalls’ capability to detect such activities. However, covert penetration testing provides a better indication of everyday security of the NPPDN since network administrators will not be on heightened awareness. Because of the high cost and potential impact, annual penetration testing may be sufficient.
NPP owners and NPPDN administrators should conduct less labor-intensive and expensive assessment activities on a regular basis to ensure that the required security posture is maintained. If other tests (e.g., network scanning and vulnerability scanning) are performed regularly between penetration testing exercises and discovered deficiencies are corrected, the NPPDN and its component systems will be well prepared for the next penetration testing exercise and for a real attack.
Sandia National Laboratories recommended that:
- The assessment tools and techniques described in this chapter be considered by nuclear power plant owners, operators, and network administrators in keeping their systems operationally secure and as resistant as possible to attack; and
- US Nuclear Regulatory Commission (NRC) staff should use the techniques to evaluate secure network designs using industry standards, regulatory guidelines, and the technical guidance and acceptance criteria.
These assessment activities, if made part of standard system and network administration and assessment, can be highly cost-effective in preventing incidents and uncovering vulnerabilities.