A New Approach to Nuclear Computer Security

By George Chamales

The current, attack-centric approach to computer security is incapable of adequately defending nuclear facilities. This paper introduces a new approach, vulnerability-centric security, which enables nuclear facility operators to prevent successful cyber-attacks while enhancing the day-to-day operation of their systems.
Understanding the Challenge

Nuclear facilities responsible for power generation, enrichment and storage are complex computing environments comprised of hundreds to thousands of individual devices. Those devices, and the computer systems that manage them, are built from a combination of common, off-the-shelf computing technologies and custom, one-of-a-kind hardware, software and networking protocols. The only commonality between these facilities is that a large number of their critical systems tend to be built on legacy technologies.

The reliance on legacy technology is understandable: changing complex systems is a complex undertaking. When an update is necessary, facility operators must tackle a long list of challenges that include working with tight margins and small budgets, maintaining compatibility with one-of-a-kind technologies (sometimes from companies that no longer exist), meeting regulatory requirements and limiting service interruption, all while ensuring safe operation before, during and after the change is made. These challenges create significant hurdles when trying to keep pace with the fast-moving world of computer attacks, and many facilities struggle to keep up.

The difficulty of keeping up does not excuse nuclear facility operators from maintaining a strong defense; however, criticism of nuclear facility security tends to include an inaccurate assumption regarding what system operators should do to defend themselves.

The assumption is: if nuclear facility operators used standard cyber-security technologies, they would be protected from cyber-attacks.

That is not true.

The current approach to computer security is based on an ad hoc collection of tools that attempt to detect and block cyber-attacks. These tools fail when new attacks are created, and new attacks are being created at an increasingly fast pace. As a result, nuclear facilities will remain at the mercy of attackers and new attacks that bypass even the most up-to-date attack-centric defenses.

Effectively defending nuclear facilities requires approaching security from a different angle: preventing successful attacks by proactively addressing computer vulnerabilities. This vulnerability-centric security approach is based on three fundamental principles that guide how security is selected, deployed and managed:

1. Increase security by decreasing vulnerabilities.
2. Decrease vulnerabilities using deterministic systems.
3. Security should enhance operations.

Many of the technologies necessary to implement vulnerability-centric security are available today, and additional capabilities are under active development. The appendix describes several of these technologies and how they can be applied to nuclear facilities.

The following sections discuss the shortcomings of the attack-centric security approach, followed by an introduction to vulnerability-centric security, its underlying principles and strategies that can be applied to nuclear facilities.
The Shortcomings of Attack-Centric Security

Most of today's computer security technologies were originally built in the late 1980s in an attempt to stop the first waves of cyber attacks. These attacks, made possible in part by the rise of computer networking, created an attacker-driven, attack-centric pattern in computer security: new attacks bypass existing defenses, new defenses are put in place to stop those attacks, and the cycle repeats.

As a result, the evolution of modern computer security technology can be presented as a series of defender reactions:

- Computers are attacked across newly-formed global networks, so firewalls are put in place to block remote access.
- Firewalls fail to stop viruses, delivered inside email or on portable disk drives, so anti-virus programs are built and installed on computers.
- Anti-virus software fails to stop new viruses, worms and other novel exploits, so intrusion detection systems are deployed on internal networks to raise alerts when computers are compromised.
- Alerts from intrusion detection systems do not stop successful attacks, leading to a series of incremental derivations of existing technologies (e.g., host-based firewalls, host-based intrusion detection, and network-based anti-virus) along with the proliferation of penetration testing services – teams of ethical hackers who charge top dollar to point out weaknesses in organizations' cyber-defense.

The attacker-action, defender-reaction cycle has important ramifications for the security of nuclear facilities, where the constant evolution of new attacks forces defenders to constantly update their defenses. The reactionary approach is incompatible with the slow-moving upgrade cycles at nuclear facilities. Facility operators who have managed to install attack-centric security technologies are justifiably leery of the unintentional consequences of new security updates – poorly written anti-virus updates periodically incapacitate the computers they are installed on, and the security products themselves may contain exploitable vulnerabilities.

Nuclear facility operators are not the only ones who struggle with the constant need to update their defenses. By the early 2010s, deploying security technologies had become so complex that the security industry writ large developed a new class of product to help organizations make sense of the disparate configurations, updates, warnings and alerts generated by their numerous security products. The rise of these products, named Security Information and Event Management systems (SIEMs), marked an important turning point: from the security industry's perspective, security incidents were no longer something to be stopped—they were something to be "managed."

The focus on incident response is justifiable in situations where the consequences of a cyber-attack are strictly monetary. In that context, the money spent on incident response technology appears to pay for itself: when attack-centric security technologies fail, incident response "saves" organizations money because they lose less of it, and the remaining losses, which regularly exceed millions of dollars, can be written off as a cost of doing business.

Nuclear facilities do not have the luxury of writing off cyber-attacks because the potential consequences of a failure are not just financial; they could be physical. Successful attacks can destroy mission-critical machinery, disrupt vital services, and cost people their lives. Attacks which result in the loss of weapons-usable nuclear material or a radiological release would be particularly dangerous. In this context, depending on ineffective security technologies and, when they fail, hoping for an efficient response is not a tenable position. When it comes to nuclear computer security – if you're responding, you're losing.

Nuclear facilities are not the only industry on the losing end of attack-centric security – all critical infrastructure facilities and corporate networks are in a similar position. The shortcomings of the current, attack-centric approach to computer security stem from tackling the problem of insecurity from the wrong angle: focusing on attacks instead of the vulnerabilities those attacks exploit.
A New Approach: Vulnerability-Centric Security

A new approach to computer security is needed, one that is based on sound principles and technologies that can be used to construct effective defenses. The vulnerability-centric security approach seeks to address the root cause of system insecurity – system vulnerabilities – and creates the opportunity for security to be more than a "necessary evil". Security can be a net positive for operations.

Vulnerability-centric security is based on three fundamental principles:

1. Increase security by decreasing vulnerabilities: Facility operators focus on addressing a limited set of exploitable vulnerabilities in their systems instead of the ever-increasing number of attacks. Eliminating a vulnerability eliminates all attacks against that vulnerability.
2. Decrease vulnerabilities using deterministic systems: Facility operators decrease vulnerabilities in their systems by applying tools and strategies that ensure their systems do only what they are supposed to do, instead of deploying expensive, hard-to-manage attack-detection technologies.
3. Security should enhance operations: Facility operators manage their own defenses using tools and techniques that increase their system's reliability on a day-to-day basis, instead of requiring dedicated security technologies that are only useful when under attack.

These principles serve as both a heuristic for evaluating the effectiveness of security controls and as a foundation on which to build more specialized defensive strategies. The following sections describe each of these principles along with strategies (derived from those principles) that can be applied to nuclear facilities.
Principle 1: Increase Security by Decreasing Vulnerabilities

Eliminating a vulnerability prevents all present and future attacks against that vulnerability. This is particularly important in a world where computer viruses and other exploits mutate in order to avoid detection. As a result, an anti-virus program may be capable of detecting permutations 1-17 of a virus, but fail to stop permutations 18-200 (all of which may already be in use by attackers). By finding and eliminating vulnerabilities, it becomes possible to successfully stop every permutation of the attacks which target those vulnerabilities.

The most common vulnerability elimination approach is computer software patching, often seen in the form of critical security updates. While patching can close exploitable vulnerabilities, the process has significant limitations. Many software updates are only created after a vulnerability has been found and exploited. Even if the vulnerability was kept quiet, attackers can reverse-engineer the security patch to identify the original vulnerability, allowing them to craft attacks against organizations with unpatched systems, such as slow-to-upgrade operational environments within nuclear facilities. In addition, program patches may have unintended side-effects that cause them to accidentally break critical system functionality. More fundamentally, reliance on the patching process assumes that the vulnerable software is still supported by the manufacturer and that the manufacturer is still in business – two assumptions that cannot always be made for legacy systems run by nuclear facility operators.

Successfully increasing security requires the ability to eliminate vulnerabilities without knowing where they are and without relying on system manufacturers. The following are three complementary strategies:

- Remove Unnecessary Functionality: Identifying and disabling unnecessary application functionality eliminates the risk that vulnerabilities in that functionality can be exploited. This approach does not necessarily require any new technology. For example, removing an embedded device's unused administrative web server protects against current and future vulnerabilities in that web server. As an operational benefit, removing unnecessary functionality during design and testing makes systems easier to manage (since there's less functionality to deal with) and helps streamline the deployment process for system upgrades (since updates to the removed functionality do not need to be tested and verified).
- Segment Software Components: Segmenting software limits programs to only access the computing resources they need (processor, memory, disk, network, etc.) to perform their function. Running applications in a software-defined sandbox or on virtualized hardware can prevent attackers from using a compromised application to access and attack other programs or networked devices the computer is connected to. For facility operators, application isolation enables component-by-component testing and upgrades while limiting the impact that attacks and non-malicious program crashes can have on other programs running on the same system.
- Integrate Security Functionality: Facility operators can proactively integrate security into their software. These processes include security scanning tools that search through programs to identify unknown vulnerabilities and security instrumentation technologies that add security features to existing programs. The added security features may include the ability to disable unnecessary functionality, segment software components and enable advanced security monitoring and alerts. Manufacturers can use scanning and instrumentation to prevent software bugs during development, and facility operators can leverage these tools during their testing and staging processes. When the instrumented programs are placed in production, integrated security functionality can prevent successful attacks by eliminating vulnerabilities and prevent previously unknown faults from causing applications to crash.

Deploying vulnerability-centric security protections on production systems creates an opportunity to detect and address systems that were compromised prior to deploying the new security protections. This is made possible by simultaneously increasing an attacker's risk of detection while decreasing their opportunities to act. For example, removing unnecessary functionality can eliminate hiding spots used by attackers already inside a system. Segmenting components can mitigate some of the threats from supply chain compromises, eliminate attackers' persistent access to computing resources, as well as detect and block hidden communications between compromised programs. Security instrumentation extends these benefits into the programs themselves, creating more opportunities to prevent, detect and alert on malicious manipulation of programs at both the vendor and operational level.

Increasing security by decreasing vulnerabilities does require that these new capabilities be evaluated, tested and deployed. These short-run impacts on systems and personnel are offset by the long-run benefits: the vulnerability reduction process simplifies systems (both programs and processes), making them easier to understand, use, manage and maintain. The process of reduction and simplification is essential to addressing a root cause of system insecurity: unanticipated system behavior.
Principle 2: Decrease Vulnerabilities with Deterministic Systems

A well-built deterministic system is one that does exactly what it is supposed to do and nothing else. Early control systems were built using a combination of manual processes and deterministic computing devices. These early devices, many of which were custom-built from hundreds of electrical components connected by thousands of meticulously hand-wound wires, could be verified for functional correctness using a combination of mechanical testing and mathematical analysis. The deterministic nature of these systems made them extremely reliable: they could operate continuously for years without any intervention and, even when they failed, they were designed to fail safely.

Over time, these hardwired devices have been replaced by inexpensive computers built from general-purpose microprocessors. Unlike deterministic systems, a microprocessor-based device can do exactly what it is supposed to do and many other things. This makes verifying the functional correctness and fail-safe guarantees of microprocessor programs extremely difficult, and creates the possibility that some fraction of those many other things will include vulnerabilities that give attackers the opportunity to compromise the device and subvert its operation.

The transition from hardwired to general-purpose, from determinate to indeterminate, is at the root of computer system insecurity.

That insecurity can be addressed by driving hardware and software platforms towards more deterministic behavior. Doing so does not require replacing all microprocessor systems with their hardwired equivalents or expecting software makers to write perfect, bug-free code. Instead, it means favoring opportunities that increase a system's deterministic behavior.

Opportunities to leverage deterministic strategies include:

- Maintain Critical Hardwired Components: Deterministic systems used at critical points throughout a facility can reduce the potential for vulnerabilities that could impact system operation. Facilities can retain the benefits of deterministic systems by continuing to support their existing hardwired devices and by deploying verifiably deterministic hardware based on custom integrated circuits. The reliability, safety and security benefits of these deterministic components may provide operators with an additional justification for the continued deployment of hardwired and hardcoded components.
- Read-Only Monitoring: Microprocessor-based capabilities that provide networking and remote observation significantly enhance operational awareness throughout a facility, but their complexity creates the potential for exploitable vulnerabilities. In situations where monitoring systems are necessary, devices that operate in read-only mode can be deployed. A read-only monitoring device collects important information (temperatures, switch position, etc.) from an existing controller without modifying the deterministic behavior of the monitored controller. As a result, operators can maintain the functional assurances of critical systems while reducing the impact of vulnerabilities in the overlaid microprocessor systems.
- Use Vulnerability-Eliminating Security Strategies: As noted earlier, the security of microprocessor systems can be increased by removing unnecessary functionality, segmenting components, and integrating security protections. These strategies decrease vulnerabilities by making microprocessor devices and programs more deterministic – more likely to do exactly what they're supposed to do by eliminating some of their many other uses. These strategies can be applied to new and pre-existing microprocessor-based systems as well as to read-only devices used on existing hardwired systems.

The various opportunities for implementing more deterministic behavior allow operators to select the strategies that best suit their needs. For example, facilities can retain non-networked, deterministic hardware. Facilities that are being upgraded can deploy deterministic hardware or read-only monitoring that will have limited impact on safety-critical components. Facilities that are already using microprocessors throughout their environment can be locked down using deterministic security tools and techniques. The result is that increasing a system's deterministic behavior improves operations by making critical components more reliable and increases security by limiting unexpected vulnerabilities.
Principle 3: Security Should Enhance Operations

Historically, the incentives for deploying security technologies have been completely misaligned with the operations team, who have been expected to spend increasingly large portions of their already limited budgets on security hardware and software that are only useful when their facility is under attack. Vulnerability-centric security takes the opposite approach: building and maintaining a strong cyber-defense is accomplished by placing the responsibility for security in the hands of the organization's existing operations team and increasing their effectiveness through strategies that both increase the facility's defense and enhance day-to-day operations.

The strategies used to implement vulnerability-centric security can enhance operations in the following ways:

- Increase System Reliability: Removing unnecessary system functionality, using read-only monitoring and continuing to support time-tested hardwired components reduces the potential for programming errors that can impact system operation. Segmenting system components through sandboxing and virtualization can prevent cascading failures by containing the consequences of an unexpected application crash. Integrating security functionality can alert developers and operators of malicious attacks and accidental software bugs, enabling them to identify and prevent program failures during design, development, testing and in production.
- Streamline System Management: Sandboxing and virtualization technologies enable segmented applications to be configured, tested, packaged and deployed into production environments. Removing unused system functionality and deploying deterministic hardware and read-only devices reduces the need for ongoing support, testing, training and upgrades to those components. Security instrumentation can be integrated with existing application development, testing, verification and deployment processes.
- Reduce the Need for Dedicated Security Technologies: The tools and techniques used to implement vulnerability-centric security can be managed and maintained by a facility's operations team. Deploying vulnerability-centric security technologies that both increase an organization's defenses and enhance the system's day-to-day operation allows facility personnel to concentrate on their top priority – ensuring the ongoing robustness and reliability of the systems they maintain.

There will never be enough security professionals to support attack-centric computer security because attack-centric security does not scale: throwing more people, time and money at ineffective security technologies will not make them effective.

The current push by academia, governments, and businesses to increase the number of security professionals will do little to benefit the nuclear security community. Conventional IT security specialists hired by nuclear system operators will arrive trained in the (incompatible) attack-centric security model, will not understand the constraints of the unique environment in which they are working, and will continue to be hired away by industries with bigger security budgets and higher salaries.

Placing the responsibility for computer security in the hands of the operations team addresses many of these concerns: the personnel are available, familiar with the unique system being defended, and have an established commitment to the success of the operation. Organizations with an existing safety team can receive a number of benefits from integrating computer security with that group. Combining safety and security allows the system-wide understanding of the safety team to be used in architecting a robust defense that utilizes existing processes for tracking safety requirements. Once those requirements are defined, their implementation can be integrated with existing safety procedures and exercises to ensure that security tools and technologies support the system's safety requirements.

Over time, increasing a facility's security and reliability should decrease the overall workload of personnel. As an added benefit, operations-enhancing security technology can be deployed using an organization's existing processes for introducing system maintenance, providing an established path for new security technologies to be selected, tested, placed into operation and maintained over time.
A Path Forward

The vulnerability-centric approach presents an opportunity for nuclear system operators to prevent successful cyber-attacks. Instead of constantly reacting to attacker innovations, operators increase their security by cutting down on their system's vulnerabilities. The mechanism by which vulnerabilities are reduced can be clearly articulated, verified and implemented using deterministic techniques that ensure system components only do what they are supposed to do – making the overall system more stable, robust and secure.

While attack-centric security degrades as new attacks are developed, the benefits of vulnerability-centric security accumulate as the number of system vulnerabilities decreases. Those benefits accumulate fastest on systems that change slowly, allowing nuclear facility operators to simultaneously drive their system's vulnerabilities towards zero while increasing its overall reliability.

In a world of complex computing environments, tight budgets and the potential for dangerous consequences, vulnerability-centric security enables nuclear facility operators to build and maintain a strong cyber-defense while enhancing the day-to-day operation of their systems.
Appendix: Vulnerability-Centric Security Technologies

Technologies to implement vulnerability-centric security strategies are available today and more are under active development. While there is no single technology that can eliminate every vulnerability on every system, the goal in developing a list of vulnerability-centric security technologies is to provide a starting point for operators to identify and build strategies that can be applied to their facilities.

Identifying opportunities to implement vulnerability-centric security does require an understanding of the available technologies in order to judge their applicability to a given facility. This knowledge may already be available to existing personnel in situations where currently-deployed technologies can be extended to provide vulnerability mitigation. Information on new technologies and approaches to identify and eliminate vulnerabilities may be obtained by personnel through ongoing skills development provided by nuclear industry and security organizations.

The following list briefly describes a selection of technologies that decrease vulnerabilities, increase deterministic behavior and enhance operations.

Hardware Virtualization

Virtualization enhances operations by providing new ways to monitor, maintain, migrate, test and deploy critical software while reducing the reliance on expensive, outdated hardware. This approach increases system security by reducing the unexpected behavior of physical computer systems, eliminating unused functionality (such as physical ports) and replacing potentially vulnerable legacy hardware and firmware with extensively tested virtual equivalents.

Hardware virtualization technology has become an established part of enterprise infrastructures and is the underlying technology behind the rise of cloud computing. Much of the work on virtualization technology has focused on virtualizing commodity hardware, such as that used to run the Windows operating system. New virtualization technology can be developed to virtualize more specialized hardware, such as that found in embedded devices.
Application Sandboxing

Sandboxing allows an application to run in a segmented software environment created specifically for that application. This can be performed by packaging the application inside its own self-contained environment (containerization) or using configurable operating system-level restrictions that use a security policy to describe the resources (disk, CPU, memory, network) the application is allowed to access. Sandbox isolation prevents unexpected application crashes (both intentional and unintentional) from impacting other applications on the computing device while providing system operators with enhanced auditing capabilities, alerting them when unexpected behavior has been contained.

Rule-based application sandboxing systems have been supported by major operating systems, such as Linux, for the past fifteen years and have been adopted by newer systems such as the Android and iOS mobile operating systems. Container-based sandboxing is a relatively newer approach, and commercial products exist that implement these capabilities on mainstream computer operating systems including Windows and Linux.
Software Scanning

Software scanning identifies bugs in a program by searching for errors in application code and monitoring programs in development and testing. Issues detected by software scanning can include exploitable security vulnerabilities as well as other programming bugs that could lead to unexpected system behavior such as program crashes.

Software scanning technology is almost as old as software itself, and in recent years there has been an increasing focus on refining these techniques to identify security issues. Vulnerability-centric scanning tools and services are available from numerous vendors, and, while the scanning process does not resolve software problems, the issues detected by the scanning process can be fed back to manufacturers for remediation or proactively resolved using security instrumentation techniques.

Security Instrumentation

Security instrumentation makes it possible to prevent and mitigate vulnerabilities in programs by inserting security functionality during development (e.g. capabilities programming) or after the code has been written (where the instrumentation is performed by the end user). The security-enhanced program will run exactly as its original form; however, unexpected behavior, such as an attempted compromise or a program crash, can be identified while still allowing the program to continue operating.

These technologies are relatively new and have limited availability. Capabilities programming has been researched for the past decade and has recently been deployed in commercial applications and integrated into operating systems. The process of instrumenting existing programs to include security functionality is an area of ongoing research and development, including the DARPA Cyber Grand Challenge.

Deterministic Hardware

The reliability, safety and security benefits of existing hardwired components can be recreated using custom-built integrated circuits. These integrated devices do not rely on complex operating systems and software. Instead they provide only the hardcoded functionality necessary to complete the device's task. These components can be crafted to segment critical functions from one another, designed to be easily reproducible, and can utilize numerous approaches to prove they behave as expected. Current design and manufacturing techniques make it possible for these components to be used as cost-effective replacements for internal components of legacy hardwired systems or in place of microprocessor-based devices running complex software.

Deterministic hardware such as FPGAs has been extensively used in the aerospace, automotive and medical industries. In recent years, these technologies have been the focus of increasing interest in the nuclear space, including the publication of IEC 62566, which offers guidance for the design and use of these components for safety systems in nuclear power plants.
Cryptography

Cryptographic protections can provide mathematical guarantees that operators and system applications are only capable of performing authorized activities. This is made possible through protections at multiple points in a facility including cryptographic authentication of users, encrypting network traffic and integrity checking of both programs and network communications.

Many of the protections made possible by cryptography are already available in the form of public algorithms, protocol specifications and functionality built into mainstream operating systems. The opportunities for cryptographic protections may be limited in some environments by the processing power and network bandwidth necessary to implement their operation.
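The integrity checking of network communications mentioned here, applied to the read-only monitoring device described under Principle 2, can be shown with a short Python example that is added here and is not the paper's code: the monitor tags each readings frame with HMAC-SHA256 under a key shared with the receiver, and the receiver accepts a frame only if the tag verifies and the sequence number moves forward, so tampered and replayed frames are rejected. The frame layout, device id, key and readings are all constructed for the example; a real deployment would provision the key per device and protect it in hardware where available.

```python
"""Integrity-checked telemetry from a read-only monitor, constructed for this
example (not the paper's code). Frame = 8-byte big-endian sequence number ||
UTF-8 JSON body || 32-byte HMAC-SHA256 tag over sequence and body."""
import hashlib
import hmac
import json
import struct

TAG_LEN = 32  # bytes of HMAC-SHA256 output appended to every frame


def build_frame(key, device_id, seq, readings):
    """Monitor side: serialise the readings and append the authentication tag."""
    body = json.dumps({"device": device_id, "readings": readings}, sort_keys=True).encode()
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    """Receiver side: verify the tag, then enforce strictly increasing sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # device id -> highest sequence number accepted

    def accept(self, frame):
        """Return (True, readings) for a genuine new frame, else (False, reason)."""
        if len(frame) < 8 + TAG_LEN:
            return False, "truncated frame"
        header, body, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison: a forged tag must not leak how close it was.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        seq = struct.unpack(">Q", header)[0]
        msg = json.loads(body)  # body is trusted only after the tag verified
        device = msg["device"]
        if seq <= self.last_seq.get(device, -1):
            return False, "replayed or stale frame"
        self.last_seq[device] = seq
        return True, msg["readings"]


def demo():
    """Genuine, tampered and replayed frames, in the order a receiver would see them."""
    key = b"constructed-demo-key-do-not-reuse"  # placeholder, not a real key
    rx = Receiver(key)
    readings = {"coolant_temp_c": 287.4, "pump_switch": "closed"}  # constructed sample
    frame1 = build_frame(key, "rtu-07", 1, readings)
    frame2 = build_frame(key, "rtu-07", 2, readings)
    tampered = bytearray(frame2)
    tampered[8 + 5] ^= 0x01  # flip one bit inside the JSON body in transit
    return [
        rx.accept(frame1),          # genuine first frame: accepted
        rx.accept(bytes(tampered)), # modified body: tag no longer verifies
        rx.accept(frame2),          # genuine second frame: accepted
        rx.accept(frame1),          # replay of the first frame: sequence went backwards
    ]


if __name__ == "__main__":
    for ok, detail in demo():
        print("accepted" if ok else "rejected", detail)
```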