Verifying Operational Effectiveness For Physical Protection Systems
Charlie Nickerson, Nuclear Cyber Programs, Idaho National Laboratory
Janice Leach, Physical Security Analysis, Sandia National Laboratories (www.sandia.gov)
November 2017
Let’s Set The Stage: What Are We Facing?
Managing Expectations & Security Concerns
[Chart: Robustness Of Security (vertical axis) against Time Without Incident (horizontal axis). Curves shown: User's Security Expectation, Designer's Security Expectation, and Security Implementation Reality. Regions labelled EXPECTATION GAP and EXPLOITATION GAP. Callouts along the curves: "I'll let the developer have access", "You're a senior executive, of course you can.", "We'll patch that later.", "We'll allow contractors thru the air gap.", "No means no…right?"]
Understanding Systemic Vulnerabilities
1. Errors
2. Vulnerabilities
3. Discovered Vulnerabilities
4. Disclosed Vulnerabilities
5. Patched Vulnerabilities
Analyzing The Vulnerability Life Cycle
[Diagram of the vulnerability life cycle, with these stages:]
Design Errors: systems level errors and weaknesses (architecture)
Coding Errors: application level errors and weaknesses (routines)
Discovery Of Error: the error is discovered by a white, black, or grey hat
Release / Disclosure: the vulnerability is known
Weaponize
Patch / Fix
Applying Cyber Security Principles To PPS
[Network diagram of a physical protection system, layered by level:]
Level 5: External facing network; Corporate WAN
Level 4: Site LAN; infrastructure
Level 3: Servers; plant processes & control
Level 2: Head End System (AC&D); client workstations
Level 1: Field devices: lighting, edge devices, access control, cameras, interior sensors, exterior sensors; field distribution boxes (FDB); power
Process Oriented Risk Reduction
[Diagram: the PPS life cycle (Design, Supply Chain, FAT, Deployment & Configuration Management, SAT, Performance Analysis, Analytics) governed by computer security policies. Risk inputs: Assets & Consequences, Threat, Vulnerabilities. Risk outputs: Risks, Mitigated Risk, Accepted Risk, Performance.]
Process Oriented Risk Reduction

Requirements Document
• Cybersecurity and operational performance requirements should be integrated and clearly stated
• This document can be used to define vendor expectations
• This includes clearly defined METRICS!!!!
• These requirements become FAT Metrics

Factory Acceptance Testing
• Verify that product meets contract defined security requirements
• Functionality & Resiliency
• Verify functionality of human-machine interactions & external interfaces
• Software integration with other systems, etc.

Functional/Pre-Testing At Site
• Random sample of delivered equipment and repeat of FAT
• Quality Assurance
• Not integrated into the overall network

Site Acceptance Testing
• Systems level testing of the new components/sub-system(s) within the overall existing network
• This also includes user acceptance testing to ensure the personnel operating the systems agree with performance and that the delivered system meets the design requirements
• Visual checks on installation

Black Box Testing
• Test simple actions a cyber threat would do to impact digital devices along the critical path
• Focuses on functional security specifications of the specific device and/or subsystem
• Create a set of exercises that encompasses inputs and outputs based on potential adversary actions
Applying Security Controls
[Diagram: People, Tech, and Process as the three sides of security.]
1. Treat cybersecurity as a human issue, not a technology problem
2. Share as much information about lessons learned as permitted
3. Deliberate security: not security by accident and/or DIY security
4. Make security references easier to understand
5. Create regulations that support implementation of cybersecurity; not just compliance