When it comes to securing a typical IT system, data confidentiality and integrity are typically the primary concerns. But for the systems that control critical infrastructure, like nuclear power plants, public health and safety come first. The personnel responsible for operating, securing and maintaining these systems must understand the important link between safety and security, because any security measure (or lack of one) that impairs safety is unacceptable.
Nuclear Power in the United States
The U.S. Department of Homeland Security breaks down critical infrastructure into 16 segments, which includes nuclear reactors, materials and waste. According to the U.S. Energy Information Administration, there are 60 commercially operating nuclear power plants with 98 nuclear reactors in 30 U.S. states.
Nuclear power facilities have among the most complex set of security requirements around. The overall control sets are similar in size, scope and complexity to national security system (NSS) programs. The automation and interconnectedness of modern critical infrastructure makes them more vulnerable to cyberattacks, increasing the need for cybersecurity professionals who have advanced skills.
But before we delve what it takes to be successful, let’s first address two elements of the Governance, Risk and Compliance (GRC) triangle.
Risk and Cybersecurity
Security at its core is a function of risk management – all the efforts contained within a greater security program are designed to limit either the impact or probability of an event. The U.S. Department of Homeland Security and the Federal Bureau of Investigation rank the threat of nuclear cyberattacks as urgent amber – the second-highest level – making cybersecurity at nuclear power plants critical.
To make the situation even more serious, threats in this space are primarily advanced persistent threats (APT) – typically nation-state actors who are sophisticated, patient and well trained in almost all aspects of not just hacking or other offensive security acts, but also in outright cyberwarfare.
Adding to the complexity is the nature and prevalence of industrial control systems (ICS) in the power sector. Within a nuclear power plant, ICS control the physical world and IT systems manage the data. ICS have many characteristics that differ from traditional IT systems, including different risks and priorities. Some of these include significant risk to the health and safety of human lives, serious damage to the environment, financial issues, such as production losses, and negative impact to the nation’s economy.
ICS also have different performance and reliability requirements and use operating systems and applications that may be considered unconventional. Therefore, security protections must be implemented in a way that maintain system integrity during normal operations as well as during times of cyber-attack.
The IT pros who manage ICS operating systems and control networks require different skill sets, experience and levels of expertise than traditional IT systems, and disregarding these differences can have disastrous consequences. To properly address security in an ICS-heavy environment, it is essential for a cross-functional cybersecurity team to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS.
Regulatory Compliance and Nuclear Power
Nuclear power plants exist under an umbrella with numerous regulatory compliance obligations, including the North American Electric Reliability Corporation (NERC) and the U.S. Nuclear Regulatory Commission (NRC).
The NERC Critical Infrastructure Protection (CIP) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system. And the NRC licenses and regulates nuclear power plants in the United States. The controls outlined in its established security requirements, including 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks, dictate what a cybersecurity professional does on a day-to-day basis.
Cybersecurity officials working on critical infrastructure such as nuclear power plants need to be aware of the associated regulatory compliance and how it relates to technology.
Cybersecurity and Industrial Control Systems (ICS)
Effectively integrating security into an ICS requires defining and executing a comprehensive program that addresses all aspects of security, ranging from identifying cybersecurity objectives to day-to-day operation and ongoing auditing for compliance and improvement. Here are just a few things that need to be considered.
Establishing Cybersecurity Policies and Procedures
Management support of security policy and procedures is the cornerstone of any security program. Vulnerabilities and predisposing conditions are often introduced into the ICS because of incomplete, inappropriate or nonexistent security policy, including its documentation, implementation guides (e.g., procedures) and enforcement.
Developing policies, procedures, training and educational material that apply specifically to the ICS can reduce vulnerabilities, by mandating and enforcing proper conduct, and inform staff and stakeholders of decisions about behavior that is beneficial to the organization.
From this perspective, policy is an educational and instructive way to reduce vulnerabilities. And enforcement is partner to policy, encouraging people to do the right thing.
Managing Change and Vulnerabilities
Unpatched software represents one of the greatest vulnerabilities to a system. Software updates on IT systems, including security patches, are typically applied in a timely fashion based on appropriate security policy and procedures, which are often automated.
But software updates on an ICS cannot always be implemented on a timely basis, making the networking controls that restrict data flow essential. The change management process, when applied to ICS, requires careful assessment by ICS experts working in conjunction with security and IT operations.
The following tasks should also be performed to protect against exploits:
- Disabling all unused ports and services
- Tracking and monitoring audit metrics
- Using security controls, such as antivirus software and file integrity checking software, to mitigate malware
Detecting Security Events
Early detection can help defenders break the attack chain before attackers attain their objectives. This includes the capability to detect failed ICS components, unavailable services and exhausted resources that are important to provide proper and safe functioning of the ICS.
Disaster Recovery and Business Continuity
The ICS should be designed so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks or does not cause another problem elsewhere, such as a cascading event.
The ICS should also allow for graceful degradation, such as decreasing the amount of automation and increasing manual control during an emergency.
A major characteristic of a good security program is how quickly the system can be recovered after an incident has occurred. Tests should be conducted annually and formally documented as part of the disaster recovery and business continuity program.
Network segmentation is one of the most effective architectural concepts that an organization can implement to protect its ICS. The aim is to minimize access to sensitive information for those systems and people who don’t need it while ensuring that the organization can continue to operate. Appropriate segmentation can make it significantly more difficult for malicious adversaries to penetrate the system and also contain the effects of (non-malicious) errors and accidents.
Partitioning may be based on the following factors, but teams should analyze what makes the most sense for their networks:
- Management authority
- Uniform policy and level of trust
- Functional criticality
- Amount of communications traffic that crosses the domain boundary
The ICS network should, at a minimum, be logically and physically separated from the corporate network, and the network topology should have multiple layers, with the most critical communications occurring in the most secure and reliable layer.
Access to the ICS must be restricted, both logically and physically. Not all users with corporate network access need access to the ICS, so cybersecurity teams should establish roles-based access control, where the role is configured based on the principle of least privilege.
The following techniques can be used to restrict network access:
- Unidirectional gateways
- Demilitarized zone (DMZ) with firewalls to prevent network traffic from passing directly between the corporate and ICS networks
- Separate authentication mechanisms and credentials for users of the corporate and ICS networks
Lastly, a combination of physical access controls should also be used, such as locks, card readers and/or guards.
4 Keys to Defense in Depth
When it comes to defense in depth, four common themes can provide for good network segmentation and segregation:
- Apply technologies at more than just the network layer. Each system and network should be segmented and segregated, where possible, from the data link layer up to and including the application layer.
- Use the principles of least privilege and need‐to‐know. If a system doesn’t need to communicate with another system, it should not be allowed to. If systems need to talk, only use a specific port or protocol and nothing else.
- Separate information and infrastructure based on security requirements. This may include using different hardware or platforms based on different threat and risk environments in which each system or network segment operates. The most critical components require more strict isolation. This could be accomplished through network separation or virtualization.
- Implement whitelisting instead of blacklisting. That is, grant access to the known good, rather than denying access to the known bad. The set of applications that run in ICS is essentially static, making whitelisting more practical. This will also improve an organization’s capacity to analyze log files.
How to Get This Cool Cybersecurity Job
Developing and maintaining a security program that meets these objectives takes highly specialized security personnel. They need the education, experience and certifications specifically tailored to the job at hand. If you aspire to do cybersecurity in a critical infrastructure environment, start by truly understanding the fundamentals of IT infrastructure and network, and build a solid foundation of cybersecurity knowledge as you advance in your career.
The certifications along the CompTIA Cybersecurity Career Pathway build upon each other and cover the skills needed in cybersecurity jobs. CompTIA Advanced Security Professional (CASP) covers not just the theory, but the practical application of these skills. Combining CASP with other certifications, advanced education and years of experience, builds the foundation to be successful in even the most rigorous security environments – and it doesn’t get more rigorous then the critical infrastructure found in nuclear power plants.
If you have at least five years of hands-on security experience and want to advance your cybersecurity career, download the exam objectives for CASP or check out the Official CASP Study Guide to begin preparing to get certified.
Steve Slawson has been a security professional since 2004 and currently manages a small boutique security firm – Stonewatch Security, based in the greater Austin, Texas, area. He has been a cybersecurity professional since 2004 and in IT since 1996. When not working with clients to develop robust security operations, he spends his time participating in CompTIA Subject Matter Expert (SME) workshops and writing about the challenges in the greater field.
Patrick Lane also contributed to this article. He is a director of product management for CompTIA. He manages IT workforce skills certifications, including CompTIA Cybersecurity Analyst (CySA+), CompTIA PenTest+ and CompTIA Advanced Security Professional (CASP).