Because both forensic investigation and incident response are highly knowledge-based, useful and effective ways to document and visualize this knowledge are needed. One example is application security controls (ASCs), a semi-formalized and standardized format introduced by ISO/IEC in the 27034 series of standards. We analyze the data format for forensic applicability, present extensions to the model that are required within the nuclear context, and look at other related, already existing solutions and data formats that may be incorporated into the structure of ASCs. Additionally, we present the analysis results of an operational I&C server system and develop, implement, and explain model-based examples. The examples will also incorporate information on associated assets and requirements. The result will be a set of ASCs that can detect and (optionally) prevent attacks on the considered system. Security content will be taken from existing hardening and best-practice guides and can be gradually adopted and improved to eventually cover all life-cycle phases of a critical product.
A multitude of Human Machine Interfaces (HMIs) are installed in energy infrastructures around the world. These systems provide data processing, recording and remote human monitoring of real-world processes, and in some cases they handle safety-related functions. However, as the technology of these utilities advances in a remarkable way, so does their accessibility. Vulnerabilities of these critical assets and their sensitive information are increasing as well, leaving them more exposed and susceptible to computer-related security risks. In this paper we explore some of the major security aspects of these assets as well as the procedure to evaluate and improve their cybersecurity.
Safe operation of all types of power plants is a prerequisite for critical infrastructure, with gradually more stringent requirements as global energy demand increases. In power plants, the safety of staff, the public and the environment requires significant consideration, but particularly in the case of Nuclear Power Plants (NPPs), cybersecurity has utmost importance. Accordingly, operators have to demonstrate that critical systems are safe. Beyond the safety analyses, and starting from existing security controls such as access control, the complete cybersecurity part can be modeled. Physical security related information (e.g. access control logging) can be combined with a Domain Based Security (DBSy) model as a new perspective. A tool is developed for abstracting new dynamic views of operational procedures and physical security related information. Furthermore, this tool is extended to support the relevant regulations and standards, security auditing (offline) as well as real-time monitoring (online). This ensures that safety and security requirements are fulfilled, which avoids and mitigates future operating problems through safety analyses. The tool is equipped with support for 3D models, which enables visualization of relevant plant operation scenarios, e.g. identifying risks during NPP operation and implementing solutions to ensure the lowest possible risk. Security policies can be validated and optimized using this concept. When a security requirement is violated, the security experts can improve the security zone model or the assignment of security controls accordingly. Therefore, a reliable plant operation procedure established on a risk-based security model can be implemented to ensure increased safety, security and availability of NPPs.
Smart sensors and extensively configurable devices are gradually being imposed by the automation market. Except in safety systems, they find their way into the next Instrumentation & Control (I&C) generation. The understanding and handling of these devices require extensive Knowledge Management (KM). This will be outlined for security, testing and training. For legacy systems, security often relates to vetting and access control. For digital devices, a refined asset management is needed, e.g. down to board-level support chipsets. Firmware and system/application software have their own configurations, versions and patch levels. So, here, as a first step of the KM, a user needs to know the firmware configurability. Then, training can address when to apply patches, when to perform regression tests and what to focus on, based on accumulated experience. While assets are often addressed implicitly, this document justifies an explicit and semiformal representation of primary and supporting assets (the asset portfolio) and the establishment of an asset management system as a basis for robust knowledge management. (author)
All nuclear facilities have to comply with stringent nuclear safety requirements. In this paper a part of the cybersecurity threat to nuclear safety will be analyzed. Assuring cybersecurity is usually broken down into enforcing confidentiality, integrity and availability (CIA), with a strong focus on availability and integrity. In order to meet these security targets, security controls are applied. At a high level these are typically subdivided into preventive, detective and corrective security controls, as applied e.g. by Draft IEC 63096. Corrective security controls can be broken down according to the phases of security incident management, e.g. security response (immediate procedures to be followed by on-site staff, etc.) and recovery (e.g. based on software backups). These are the last parts in the Security Defense-in-Depth (Security DiD) approach. In this paper, we will focus on the first parts of the Security DiD, which include deterring, protective, delaying and detective security controls. Safety Defense-in-Depth (Safety DiD) is traditionally considered in all Instrumentation and Control (I&C), Electrical Systems (ES) and Physical Protection architecture designs. However, the Security DiD is different from the Safety DiD. The Safety DiD is achieved by including different independent systems, each composed of redundant subsystems, into the different architectures. The Security DiD addresses a sequence of security countermeasures that complement each other. This paper will provide a comprehensive view of the first layers of a Security DiD approach, while analyzing how these can be represented and enforced to support an effective Attack Tree Analysis with regard to Nuclear Safety [IAEA NSS 13]. The primary assets (potential attack targets) must be protected while considering the coordination of safety and security [IEC 62859].
Part of this work is done in the context of the IAEA CRP J02008 project “Enhancing Computer Security Incident Analysis and Response Planning at Nuclear Facilities”. (author)
Nuclear facilities are cyber-physical systems characterized by the tight integration of Information and Communications Technology (ICT) with control systems that manage physical processes. In complex environments such as nuclear facilities, it is of utmost importance from a safety perspective to understand unsafe interactions and to constrain the system behaviour to prevent hazards. From a security perspective, it is also necessary to identify system vulnerabilities or flaws that could allow cyber-attackers to exploit them and trigger unsafe actions leading to system hazards. In this work, we apply the STPA-SafeSec method, a hazard analysis technique that accounts for cyber security concerns, and provide guidelines on how to include general nuclear facility security context information to generate attack trees based on identified system vulnerabilities and flaws. (author)
Critical industry infrastructures like nuclear power plants (NPPs) are facing a rapid increase in cyber attack threats. The deployment of real-time or “non-interruptible” systems challenges static security plans. Digital Instrumentation & Control (I&C) systems bring more features, while the increased complexity makes fully understanding the system security status more difficult. Considering the long time span from the design/deployment phase to the operation phase, low-risk threats can become critical at any time, as the attacker’s capacity could increase due to the rapid evolution of technologies. Meanwhile, the long life cycle of NPPs brings refurbishment pressure. Moreover, considering time and budget limits, commercial off-the-shelf (COTS) hardware/software might be involved. In contrast to dedicated equipment, vulnerabilities in COTS are widespread. In the face of these challenges, state-of-the-art security models and risk assessments are designed for static systems and can hardly model component changes or their effects on the system. Furthermore, security standards are applied individually without considering their inheritance relations. Risk assessments performed on a critical infrastructure are conducted by security experts with limited IT support. In previous work, we proposed a gradually refined security model covering different security measures. We extend this model in this paper by modelling security testing results as well as countermeasures to reflect system changes. Meanwhile, security controls that come from international/domestic security standards are modelled accordingly. These new extensions give security experts more relevant input for performing risk assessments and enable computer-assisted security analyses that take system improvements into account. Furthermore, attack vectors are modelled within the same context.
With the help of attack trees, cyber-attacks and associated countermeasures can be demonstrated in a newly developed simulation environment. The attack modelling defines the time/condition constraints that take effect in a cyber-attack, which is especially appropriate for modelling advanced persistent threats (APTs) like “Stuxnet”. A software prototype is developed using modern web frameworks. It can represent the hierarchical structure of security objects at different granularities. According to the design principle of Automation Markup Language (AutomationML), various features of a security object can be further modelled using concrete data formats (e.g. COLLADA and PLCopen). Furthermore, it is possible to integrate conceptual entities from standards (like security zones in IEC 62645 or the zone-conduit model in IEC 62443-3-2) as well as other attributes that can be used in quantification analyses into the same security model. (author)