A New Approach to Nuclear Computer Security
By George Chamales

The current, attack-centric approach to computer security is incapable of adequately defending nuclear facilities. This paper introduces a new approach, vulnerability-centric security, which enables nuclear facility operators to prevent successful cyber-attacks while enhancing the day-to-day operation of their systems.

Understanding the Challenge

Nuclear facilities responsible for power generation, enrichment and storage are complex computing environments comprised of hundreds to thousands of individual devices. Those devices, and the computer systems that manage them, are built from a combination of common, off-the-shelf computing technologies and custom, one-of-a-kind hardware, software and networking protocols. The only commonality between these facilities is that a large number of their critical systems tend to be built on legacy technologies.

The reliance on legacy technology is understandable: changing complex systems is a complex undertaking. When an update is necessary, facility operators must tackle a long list of challenges that include working with tight margins and small budgets, maintaining compatibility with one-of-a-kind technologies (sometimes from companies that no longer exist), meeting regulatory requirements and limiting service interruption, all while ensuring safe operation before, during and after the change is made. These challenges create significant hurdles when trying to keep pace with the fast-moving world of computer attacks, and many facilities struggle to keep up.

The difficulty of keeping up does not excuse nuclear facility operators from maintaining a strong defense; however, criticism of nuclear facility security tends to include an inaccurate assumption regarding what system operators should do to defend themselves.

The assumption is: if nuclear facility operators used standard cyber-security technologies, they would be protected from cyber-attacks.

That is not true.
The current approach to computer security is based on an ad hoc collection of tools that attempt to detect and block cyber-attacks. These tools fail when new attacks are created, and new attacks are being created at an increasingly fast pace. As a result, nuclear facilities will remain at the mercy of attackers and new attacks that bypass even the most up-to-date attack-centric defenses.

Effectively defending nuclear facilities requires approaching security from a different angle: preventing successful attacks by proactively addressing computer vulnerabilities. This vulnerability-centric security approach is based on three fundamental principles that guide how security is selected, deployed and managed:

1. Increase security by decreasing vulnerabilities.
2. Decrease vulnerabilities using deterministic systems.
3. Security should enhance operations.

Many of the technologies necessary to implement vulnerability-centric security are available today, and additional capabilities are under active development. The appendix describes several of these technologies and how they can be applied to nuclear facilities.

The following sections discuss the shortcomings of the attack-centric security approach, followed by an introduction to vulnerability-centric security, its underlying principles and strategies that can be applied to nuclear facilities.

The Shortcomings of Attack-Centric Security

Most of today's computer security technologies were originally built in the late 1980's in an attempt to stop the first waves of cyber attacks. These attacks, made possible in part by the rise of computer networking, created an attacker-driven, attack-centric pattern in computer security: new attacks bypass existing defenses, new defenses are put in place to stop those attacks, and the cycle repeats.

As a result, the evolution of modern computer security technology can be presented as a series of defender reactions:

- Computers are attacked across newly-formed global networks, so firewalls are put in place to block remote access.
- Firewalls fail to stop viruses, delivered inside email or on portable disk drives, so anti-virus programs are built and installed on computers.
- Anti-virus software fails to stop new viruses, worms and other novel exploits, so intrusion detection systems are deployed on internal networks to raise alerts when computers are compromised.
- Alerts from intrusion detection systems do not stop successful attacks, leading to a series of incremental derivations of existing technologies (e.g., host-based firewalls, host-based intrusion detection, and network-based anti-virus) along with the proliferation of penetration testing services - teams of ethical hackers who charge top dollar to point out weaknesses in organizations' cyber-defense.

The attacker-action, defender-reaction cycle has important ramifications for the security of nuclear facilities, where the constant evolution of new attacks forces defenders to constantly update their defenses. The reactionary approach is incompatible with the slow-moving upgrade cycles at nuclear facilities. Facility operators who have managed to install attack-centric security technologies are justifiably leery of the unintentional consequences of new security updates - poorly written anti-virus updates periodically incapacitate the computers they are installed on, and the security products themselves may contain exploitable vulnerabilities.

Nuclear facility operators are not the only ones who struggle with the constant need to update their defenses. By the early 2010's, deploying security technologies had become so complex that the security industry writ large developed a new class of product to help organizations make sense of the disparate configurations, updates, warnings and alerts generated by their numerous security products. The rise of these products, named Security Information Event Management systems (SIEMs), marked an important turning point: from the security industry's perspective, security incidents were no longer something to be stopped—they were something to be "managed."
The focus on incident response is justifiable in situations where the consequences of a cyber-attack are strictly monetary. In that context, the money spent on incident response technology appears to pay for itself: when attack-centric security technologies fail, incident response "saves" organizations money because they lose less of it, and the remaining losses, which regularly exceed millions of dollars, can be written off as a cost of doing business.

Nuclear facilities do not have the luxury of writing off cyber-attacks because the potential consequences of a failure are not just financial; they could be physical. Successful attacks can destroy mission-critical machinery, disrupt vital services, and cost people their lives. Attacks which result in the loss of weapons-usable nuclear material or a radiological release would be particularly dangerous. In this context, depending on ineffective security technologies and, when they fail, hoping for an efficient response is not a tenable position. When it comes to nuclear computer security - if you're responding, you're losing.

Nuclear facilities are not the only industry on the losing end of attack-centric security – all critical infrastructure facilities and corporate networks are in a similar position. The shortcomings of the current, attack-centric approach to computer security stem from tackling the problem of insecurity from the wrong angle: focusing on attacks instead of the vulnerabilities those attacks exploit.

A New Approach: Vulnerability-Centric Security

A new approach to computer security is needed, one that is based on sound principles and technologies that can be used to construct effective defenses. The vulnerability-centric security approach seeks to address the root cause of system insecurity – system vulnerabilities – and creates the opportunity for security to be more than a "necessary evil". Security can be a net positive for operations.

Vulnerability-centric security is based on three fundamental principles:

1. Increase security by decreasing vulnerabilities: Facility operators focus on addressing a limited set of exploitable vulnerabilities in their systems instead of the ever-increasing number of attacks. Eliminating a vulnerability eliminates all attacks against that vulnerability.
2. Decrease vulnerabilities using deterministic systems: Facility operators decrease vulnerabilities in their systems by applying tools and strategies that ensure their systems do only what they are supposed to do, instead of deploying expensive, hard-to-manage attack-detection technologies.

3. Security should enhance operations: Facility operators manage their own defenses using tools and techniques that increase their system's reliability on a day-to-day basis, instead of requiring dedicated security technologies that are only useful when under attack.

These principles serve as both a heuristic for evaluating the effectiveness of security controls and as a foundation on which to build more specialized defensive strategies. The following sections describe each of these principles along with strategies (derived from those principles) that can be applied to nuclear facilities.

Principle 1: Increase Security by Decreasing Vulnerabilities

Eliminating a vulnerability prevents all present and future attacks against that vulnerability. This is particularly important in a world where computer viruses and other exploits mutate in order to avoid detection. As a result, an anti-virus program may be capable of detecting permutations 1-17 of a virus, but fail to stop permutations 18-200 (all of which may already be in use by attackers). By finding and eliminating vulnerabilities, it becomes possible to successfully stop every permutation of the attacks which target those vulnerabilities.
The most common vulnerability elimination approach is computer software patching, often seen in the form of critical security updates. While patching can close exploitable vulnerabilities, the process has significant limitations. Many software updates are only created after a vulnerability has been found and exploited. Even if the vulnerability was kept quiet, attackers can reverse-engineer the security patch to identify the original vulnerability, allowing them to craft attacks against organizations with unpatched systems, such as slow-to-upgrade operational environments within nuclear facilities. In addition, program patches may have unintended side-effects that cause them to accidentally break critical system functionality. More fundamentally, reliance on the patching process assumes that the vulnerable software is still supported by the manufacturer and that the manufacturer is still in business – two assumptions that cannot always be made for legacy systems run by nuclear facility operators.

Successfully increasing security requires the ability to eliminate vulnerabilities without knowing where they are and without relying on system manufacturers. The following are three complementary strategies:

Remove Unnecessary Functionality: Identifying and disabling unnecessary application functionality eliminates the risk that vulnerabilities in that functionality can be exploited. This approach does not necessarily require any new technology. For example, removing an embedded device's unused administrative web server protects against current and future vulnerabilities in that web server. As an operational benefit, removing unnecessary functionality during design and testing makes systems easier to manage (since there's less functionality to deal with) and helps streamline the deployment process for system upgrades (since updates to the removed functionality do not need to be tested and verified).
Segment Software Components: Segmenting software limits programs to only access the computing resources they need (processor, memory, disk, network, etc.) to perform their function. Running applications in a software-defined sandbox or on virtualized hardware can prevent attackers from using a compromised application to access and attack other programs or networked devices the computer is connected to. For facility operators, application isolation enables component-by-component testing and upgrades while limiting the impact that attacks and non-malicious program crashes can have on other programs running on the same system.

Integrate Security Functionality: Facility operators can proactively integrate security into their software. These processes include security scanning tools that search through programs to identify unknown vulnerabilities and security instrumentation technologies that add security features to existing programs. The added security features may include the ability to disable unnecessary functionality, segment software components and enable advanced security monitoring and alerts. Manufacturers can use scanning and instrumentation to prevent software bugs during development, and facility operators can leverage these tools during their testing and staging processes. When the instrumented programs are placed in production, integrated security functionality can prevent successful attacks by eliminating vulnerabilities and prevent previously unknown faults from causing applications to crash.

Deploying vulnerability-centric security protections on production systems creates an opportunity to detect and address systems that were compromised prior to deploying the new security protections. This is made possible by simultaneously increasing an attacker's risk of detection while decreasing their opportunities to act.
For example, removing unnecessary functionality can eliminate hiding spots used by attackers already inside a system. Segmenting components can mitigate some of the threats from supply chain compromises, eliminate attackers' persistent access to computing resources, as well as detect and block hidden communications between compromised programs. Security instrumentation extends these benefits into the programs themselves, creating more opportunities to prevent, detect and alert on malicious manipulation of programs at both the vendor and operational level.

Increasing security by decreasing vulnerabilities does require that these new capabilities be evaluated, tested and deployed. These short-run impacts on systems and personnel are offset by the long-run benefits: the vulnerability reduction process simplifies systems (both programs and processes), making them easier to understand, use, manage and maintain. The process of reduction and simplification is essential to addressing a root cause of system insecurity: unanticipated system behavior.

Principle 2: Decrease Vulnerabilities with Deterministic Systems

A well-built deterministic system is one that does exactly what it is supposed to do and nothing else. Early control systems were built using a combination of manual processes and deterministic computing devices. These early devices, many of which were custom-built from hundreds of electrical components connected by thousands of meticulously hand-wound wires, could be verified for functional correctness using a combination of mechanical testing and mathematical analysis. The deterministic nature of these systems made them extremely reliable: they could operate continuously for years without any intervention and, even when they failed, they were designed to fail safely.
Over time, these hardwired devices have been replaced by inexpensive computers built from general-purpose microprocessors. Unlike deterministic systems, a microprocessor-based device can do exactly what it is supposed to do and many other things. This makes verifying the functional correctness and fail-safe guarantees of microprocessor programs extremely difficult, and creates the possibility that some fraction of those many other things will include vulnerabilities that give attackers the opportunity to compromise the device and subvert its operation.

The transition from hardwired to general-purpose, from determinate to indeterminate, is at the root of computer system insecurity.

That insecurity can be addressed by driving hardware and software platforms towards more deterministic behavior. Doing so does not require replacing all microprocessor systems with their hardwired equivalents or expecting software makers to write perfect, bug-free code. Instead, it means favoring opportunities that increase a system's deterministic behavior.

Opportunities to leverage deterministic strategies include:

Maintain Critical Hardwired Components: Deterministic systems used at critical points throughout a facility can reduce the potential for vulnerabilities that could impact system operation. Facilities can retain the benefits of deterministic systems by continuing to support their existing hardwired devices and by deploying verifiably deterministic hardware based on custom integrated circuits. The reliability, safety and security benefits of these deterministic components may provide operators with an additional justification for the continued deployment of hardwired and hardcoded components.
Read-Only Monitoring: Microprocessor-based capabilities that provide networking and remote observation significantly enhance operational awareness throughout a facility, but their complexity creates the potential for exploitable vulnerabilities. In situations where monitoring systems are necessary, devices that operate in read-only mode can be deployed. A read-only monitoring device collects important information (temperatures, switch position, etc.) from an existing controller without modifying the deterministic behavior of the monitored controller. As a result, operators can maintain the functional assurances of critical systems while reducing the impact of vulnerabilities in the overlaid microprocessor systems.

Use Vulnerability-Eliminating Security Strategies: As noted earlier, the security of microprocessor systems can be increased by removing unnecessary functionality, segmenting components, and integrating security protections. These strategies decrease vulnerabilities by making microprocessor devices and programs more deterministic - more likely to do exactly what they're supposed to do by eliminating some of their many other uses. These strategies can be applied to new and pre-existing microprocessor-based systems as well as to read-only devices used on existing hardwired systems.

The various opportunities for implementing more deterministic behavior allow operators to select the strategies that best suit their needs. For example, facilities can retain non-networked, deterministic hardware. Facilities that are being upgraded can deploy deterministic hardware or read-only monitoring that will have limited impact on safety-critical components. Facilities that are already using microprocessors throughout their environment can be locked down using deterministic security tools and techniques. The result is that increasing a system's deterministic behavior improves operations by making critical components more reliable and increases security by limiting unexpected vulnerabilities.
Principle 3: Security Should Enhance Operations

Historically, the incentives for deploying security technologies have been completely misaligned with the operations team, who have been expected to spend increasingly large portions of their already limited budgets on security hardware and software that are only useful when their facility is under attack. Vulnerability-centric security takes the opposite approach: building and maintaining a strong cyber-defense is accomplished by placing the responsibility for security in the hands of the organization's existing operations team and increasing their effectiveness through strategies that both increase the facility's defense and enhance day-to-day operations.

The strategies used to implement vulnerability-centric security can enhance operations in the following ways:

Increase System Reliability: Removing unnecessary system functionality, using read-only monitoring and continuing to support time-tested hardwired components reduces the potential for programming errors that can impact system operation. Segmenting system components through sandboxing and virtualization can prevent cascading failures by containing the consequences of an unexpected application crash. Integrating security functionality can alert developers and operators of malicious attacks and accidental software bugs, enabling them to identify and prevent program failures during design, development, testing and in production.

Streamline System Management: Sandboxing and virtualization technologies enable segmented applications to be configured, tested, packaged and deployed into production environments. Removing unused system functionality and deploying deterministic hardware and read-only devices reduces the need for ongoing support, testing, training and upgrades to those components. Security instrumentation can be integrated with existing application development, testing, verification and deployment processes.
Reduce the Need for Dedicated Security Technologies: The tools and techniques used to implement vulnerability-centric security can be managed and maintained by a facility's operations team. Deploying vulnerability-centric security technologies that both increase an organization's defenses and enhance the system's day-to-day operation allows facility personnel to concentrate on their top priority – ensuring the ongoing robustness and reliability of the systems they maintain.

There will never be enough security professionals to support attack-centric computer security because attack-centric security does not scale: throwing more people, time and money at ineffective security technologies will not make them effective.

The current push by academia, governments, and businesses to increase the number of security professionals will do little to benefit the nuclear security community. Conventional IT security specialists hired by nuclear system operators will arrive trained in the (incompatible) attack-centric security model, will not understand the constraints of the unique environment in which they are working, and will continue to be hired away by industries with bigger security budgets and higher salaries.

Placing the responsibility for computer security in the hands of the operations team addresses many of these concerns: the personnel are available, familiar with the unique system being defended, and have an established commitment to the success of the operation. Organizations with an existing safety team can receive a number of benefits from integrating computer security with that group. Combining safety and security allows the system-wide understanding of the safety team to be used in architecting a robust defense that utilizes existing processes for tracking safety requirements. Once those requirements are defined, their implementation can be integrated with existing safety procedures and exercises to ensure that security tools and technologies support the system's safety requirements.
Over time, increasing a facility's security and reliability should decrease the overall workload of personnel. As an added benefit, operations-enhancing security technology can be deployed using an organization's existing processes for introducing system maintenance, providing an established path for new security technologies to be selected, tested, placed into operation and maintained over time.

A Path Forward

The vulnerability-centric approach presents an opportunity for nuclear system operators to prevent successful cyber-attacks. Instead of constantly reacting to attacker innovations, operators increase their security by cutting down on their system's vulnerabilities. The mechanism by which vulnerabilities are reduced can be clearly articulated, verified and implemented using deterministic techniques that ensure system components only do what they are supposed to do - making the overall system more stable, robust and secure.

While attack-centric security degrades as new attacks are developed, the benefits of vulnerability-centric security accumulate as the number of system vulnerabilities decreases. Those benefits accumulate fastest on systems that change slowly, allowing nuclear facility operators to simultaneously drive their system's vulnerabilities towards zero while increasing its overall reliability.

In a world of complex computing environments, tight budgets and the potential for dangerous consequences, vulnerability-centric security enables nuclear facility operators to build and maintain a strong cyber-defense while enhancing the day-to-day operation of their systems.

Appendix: Vulnerability-Centric Security Technologies

Technologies to implement vulnerability-centric security strategies are available today and more are under active development. While there is no single technology that can eliminate every vulnerability on every system, the goal in developing a list of vulnerability-centric security technologies is to provide a starting point for operators to identify and build strategies that can be applied to their facilities.
Identifying opportunities to implement vulnerability-centric security does require an understanding of the available technologies in order to judge their applicability to a given facility. This knowledge may already be available to existing personnel in situations where currently-deployed technologies can be extended to provide vulnerability mitigation. Information on new technologies and approaches to identify and eliminate vulnerabilities may be obtained by personnel through ongoing skills development provided by nuclear industry and security organizations.

The following list briefly describes a selection of technologies that decrease vulnerabilities, increase deterministic behavior and enhance operations.

Hardware Virtualization

Virtualization enhances operations by providing new ways to monitor, maintain, migrate, test and deploy critical software while reducing the reliance on expensive, outdated hardware. This approach increases system security by reducing the unexpected behavior of physical computer systems, eliminating unused functionality (such as physical ports) and replacing potentially vulnerable legacy hardware and firmware with extensively tested virtual equivalents.

Hardware virtualization technology has become an established part of enterprise infrastructures and is the underlying technology behind the rise of cloud computing. Much of the work on virtualization technology has focused on virtualizing commodity hardware, such as that used to run the Windows operating system. New virtualization technology can be developed to virtualize more specialized hardware, such as that found in embedded devices.
Application Sandboxing

Sandboxing allows an application to run in a segmented software environment created specifically for that application. This can be performed by packaging the application inside its own self-contained environment (containerization) or using configurable operating system-level restrictions that use a security policy to describe the resources (disk, CPU, memory, network) the application is allowed to access. Sandbox isolation prevents unexpected application crashes (both intentional and unintentional) from impacting other applications on the computing device while providing system operators with enhanced auditing capabilities, alerting them when unexpected behavior has been contained.

Rule-based application sandboxing systems have been supported by major operating systems, such as Linux, for the past fifteen years and have been adopted by newer systems such as the Android and iOS mobile operating systems. Container-based sandboxing is a relatively newer approach, and commercial products exist that implement these capabilities on mainstream computer operating systems including Windows and Linux.

Software Scanning

Software scanning identifies bugs in a program by searching for errors in application code and monitoring programs in development and testing. Issues detected by software scanning can include exploitable security vulnerabilities as well as other programming bugs that could lead to unexpected system behavior such as program crashes.

Software scanning technology is almost as old as software itself, and in recent years there has been an increasing focus on refining these techniques to identify security issues. Vulnerability-centric scanning tools and services are available from numerous vendors, and, while the scanning process does not resolve software problems, the issues detected by the scanning process can be fed back to manufacturers for remediation or proactively resolved using security instrumentation techniques.
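The "Segment Software Components" strategy and the "Application Sandboxing" entry above both describe a security policy that states which resources (disk, CPU, memory, network) an application may use, and an isolation boundary that contains a violation without taking down its neighbours. The following is an added example written for this page, not code from the paper or from any sandboxing product: a minimal policy-driven sandbox that runs an application in a forked child process under operating-system resource limits and reports to the parent whether the application completed or was contained. It assumes a Linux host where `RLIMIT_AS`, `RLIMIT_CPU` and `RLIMIT_FSIZE` are enforced per process; the "network" rule is a simplified user-space stand-in for what a real deployment would do with a network namespace or seccomp policy. The policy values and the four sample applications are constructed for the demonstration.

```python
import errno
import os
import resource
import socket
import tempfile

# Exit codes the sandboxed child uses to report what happened to the parent.
EXIT_OK = 0
EXIT_UNEXPECTED = 1          # a failure the policy did not anticipate
EXIT_CONTAINED_MEMORY = 3    # allocation exceeded the memory rule
EXIT_CONTAINED_NETWORK = 4   # network access attempted while disallowed
EXIT_CONTAINED_DISK = 5      # file growth exceeded the disk rule

OUTCOMES = {
    EXIT_OK: "completed",
    EXIT_CONTAINED_MEMORY: "contained:memory",
    EXIT_CONTAINED_NETWORK: "contained:network",
    EXIT_CONTAINED_DISK: "contained:disk",
}

# The policy states what the application may use.  Values are constructed
# for this demonstration, not taken from any real facility.
DEFAULT_POLICY = {
    "memory_bytes": 512 * 1024 * 1024,   # address-space cap
    "cpu_seconds": 5,
    "file_size_bytes": 1024 * 1024,      # largest file the app may write
    "network": False,
}


def _deny_network(*_args, **_kwargs):
    raise PermissionError("network access is not permitted by policy")


def _apply_policy(policy):
    """Apply the policy inside the child, before the application code runs."""
    for name, limit in (("RLIMIT_AS", policy["memory_bytes"]),
                        ("RLIMIT_CPU", policy["cpu_seconds"]),
                        ("RLIMIT_FSIZE", policy["file_size_bytes"])):
        resource.setrlimit(getattr(resource, name), (limit, limit))
    if not policy["network"]:
        # User-space stand-in for a kernel network namespace or seccomp rule:
        # any attempt to create a socket in this process now fails.
        socket.socket = _deny_network


def run_sandboxed(app, policy=DEFAULT_POLICY):
    """Run app() in a forked child under policy and return an outcome label.

    The parent never executes the application, so a crash or a contained
    violation in the child cannot take down the process that launched it."""
    pid = os.fork()
    if pid == 0:                      # child
        code = EXIT_UNEXPECTED
        try:
            _apply_policy(policy)
            app()
            code = EXIT_OK
        except MemoryError:
            code = EXIT_CONTAINED_MEMORY
        except PermissionError:
            code = EXIT_CONTAINED_NETWORK
        except OSError as exc:
            if exc.errno == errno.EFBIG:
                code = EXIT_CONTAINED_DISK
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)    # parent
    if os.WIFSIGNALED(status):
        return "killed:signal%d" % os.WTERMSIG(status)
    return OUTCOMES.get(os.WEXITSTATUS(status), "unexpected")


# Constructed sample applications: one well-behaved, three that misbehave.
def well_behaved():
    return sum(range(1000))

def memory_hog():
    bytearray(2 * 1024 * 1024 * 1024)         # 2 GiB, far above the cap

def network_client():
    socket.socket(socket.AF_INET, socket.SOCK_STREAM)

def disk_hog():
    chunk = b"x" * (64 * 1024)
    with tempfile.TemporaryFile() as f:
        for _ in range(64):                   # 4 MiB, above the 1 MiB cap
            f.write(chunk)
            f.flush()


if __name__ == "__main__":
    for app in (well_behaved, memory_hog, network_client, disk_hog):
        print(f"{app.__name__:15s} -> {run_sandboxed(app)}")
```

The outcome label is the auditing hook the appendix mentions: each "contained:" result is exactly the kind of event an operator wants logged, because it means either a fault or an attempt to step outside the application's stated function was stopped at the boundary rather than spreading to other programs on the device.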
Security Instrumentation

Security instrumentation makes it possible to prevent and mitigate vulnerabilities in programs by inserting security functionality during development (e.g. capabilities programming) or after the code has been written (where the instrumentation is performed by the end user). The security-enhanced program will run exactly as its original form; however, unexpected behavior, such as an attempted compromise or a program crash, can be identified while still allowing the program to continue operating.

These technologies are relatively new and have limited availability. Capabilities programming has been researched for the past decade and has recently been deployed in commercial applications and integrated into operating systems. The process of instrumenting existing programs to include security functionality is an area of ongoing research and development, including the DARPA Cyber Grand Challenge.

Deterministic Hardware

The reliability, safety and security benefits of existing hardwired components can be recreated using custom-built integrated circuits. These integrated devices do not rely on complex operating systems and software. Instead they provide only the hardcoded functionality necessary to complete the device's task. These components can be crafted to segment critical functions from one another, designed to be easily reproducible, and can utilize numerous approaches to prove they behave as expected. Current design and manufacturing techniques make it possible for these components to be used as cost-effective replacements for internal components of legacy hardwired systems or in place of microprocessor-based devices running complex software.

Deterministic hardware such as FPGAs has been extensively used in the aerospace, automotive and medical industries. In recent years, these technologies have been the focus of increasing interest in the nuclear space, including the publication of IEC 62566, which offers guidance for the design and use of these components for safety systems in nuclear power plants.
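The "Software Scanning" entry above says that a scanner searches application code for constructs that lead to exploitable behavior or unexpected crashes and reports them so they can be fed back for remediation. As an added example (written for this page; it is not a tool the paper names and not a substitute for a commercial scanner), here is a small static scanner that walks a Python program's syntax tree and flags a handful of well-known risk patterns, each with the line it appears on. The rule set and the sample program it scans are constructed for the demonstration; the general approach, a visitor over the parsed tree, is how real source scanners are built.

```python
import ast
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    rule: str
    detail: str


def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class RiskScanner(ast.NodeVisitor):
    """Visit every call and exception handler, recording risky constructs."""

    def __init__(self):
        self.findings: List[Finding] = []

    def _add(self, node, rule, detail):
        self.findings.append(Finding(node.lineno, rule, detail))

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name in ("eval", "exec"):
            self._add(node, "dynamic-code", f"{name}() executes arbitrary code")
        elif name in ("pickle.load", "pickle.loads"):
            self._add(node, "unsafe-deserialization",
                      f"{name}() builds objects from untrusted bytes")
        elif name and name.startswith("subprocess."):
            # A string command handed to a shell is a classic injection point.
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self._add(node, "shell-injection",
                              f"{name}(shell=True) passes a string to a shell")
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        if node.type is None:
            # Swallowing every exception hides the crashes the paper wants surfaced.
            self._add(node, "fault-masking",
                      "bare except: hides crashes that should be surfaced")
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse source and return its findings ordered by line number."""
    scanner = RiskScanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings)


# Constructed sample program (not real facility code) with four risky constructs.
SAMPLE_PROGRAM = '''\
import os, pickle, subprocess

def load_setpoints(blob):
    return pickle.loads(blob)

def run_report(name):
    subprocess.run("report " + name, shell=True)

def compute(expr):
    try:
        return eval(expr)
    except:
        return None
'''


if __name__ == "__main__":
    for f in scan_source(SAMPLE_PROGRAM):
        print(f"line {f.line:3d}  {f.rule:24s} {f.detail}")
```

Each finding carries the location and the reason, which is what a remediation ticket back to the manufacturer needs; a scanner like this is also cheap enough to run on every build so that new instances of a pattern are caught during testing rather than in production.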
Cryptography

Cryptographic protections can provide mathematical guarantees that operators and system applications are only capable of performing authorized activities. This is made possible through protections at multiple points in a facility, including cryptographic authentication of users, encrypting network traffic and integrity checking of both programs and network communications.

Many of the protections made possible by cryptography are already available in the form of public algorithms, protocol specifications and functionality built into mainstream operating systems. The opportunities for cryptographic protections may be limited in some environments by the processing power and network bandwidth necessary to implement their operation.
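The entry above names two integrity protections, for programs and for network communications, and notes that the primitives for them already ship with mainstream platforms. The following is an added example written for this page, not code from the paper: it uses only the Python standard library (SHA-256 and HMAC) to build a signed manifest of approved program files and to authenticate control messages with a sequence number so that a tampered or replayed message is rejected. It assumes a symmetric key provisioned out of band to both ends; the key, the file contents and the message bodies are constructed for the demonstration, and a keyed MAC is used here in place of the public-key signatures a production deployment would more likely choose for program manifests.

```python
import hashlib
import hmac
import json
import struct

SEQ_LEN = 8    # big-endian 64-bit sequence number prefix
TAG_LEN = 32   # HMAC-SHA256 tag appended to each frame


# --- Program integrity: a signed manifest of approved files -----------------

def build_manifest(key: bytes, files: dict) -> dict:
    """Record the SHA-256 of every approved file and MAC the whole record."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_installation(key: bytes, manifest: dict, files: dict) -> list:
    """Return a list of problems; an empty list means the installation matches."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return ["manifest signature invalid"]   # do not trust its contents
    problems = []
    for name, expected in manifest["digests"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != expected:
            problems.append(f"modified: {name}")
    for name in sorted(files):
        if name not in manifest["digests"]:
            problems.append(f"unapproved: {name}")
    return problems


# --- Message integrity: authenticated, replay-resistant frames --------------

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq || payload || HMAC(key, seq || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, "sha256").digest()
    return header + payload + tag


class Receiver:
    """Receiver side: accepts frames only with a valid tag and a fresh sequence."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def open(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("frame too short")
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, "sha256").digest()
        if not hmac.compare_digest(expected, tag):   # check before parsing anything
            raise ValueError("integrity check failed")
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order frame")
        self.last_seq = seq
        return payload


def check_frame(receiver: Receiver, frame: bytes) -> str:
    """Convenience wrapper returning 'accepted' or the rejection reason."""
    try:
        receiver.open(frame)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"constructed-demo-key"                       # constructed, not a real key
    files = {"controller.bin": b"\x00\x01\x02", "hmi.cfg": b"rate=5"}
    manifest = build_manifest(key, files)
    print("clean install:", verify_installation(key, manifest, files))
    files["hmi.cfg"] = b"rate=50"
    print("after edit:   ", verify_installation(key, manifest, files))
    rx = Receiver(key)
    frame = seal(key, 1, b"setpoint=42")
    print("first delivery:", check_frame(rx, frame))
    print("replayed:      ", check_frame(rx, frame))
```

The ordering in `Receiver.open` matters: the tag is verified over the raw bytes before the sequence number or payload is interpreted, so malformed or forged input is rejected before any parsing code runs. The manifest check likewise refuses to report per-file results when its own MAC fails, since an attacker who can edit the manifest could otherwise make a modified file appear approved.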