Deterring, Protective, Delaying And Detective Application .

International Conference on Physical Protectionof Nuclear Material and Nuclear Facilities13-17 November 2017, ViennaDeterring, Protective, Delaying AndDetective Application Security ControlsFor Nuclear FacilitiesMs. Deeksha GuptaAREVA GmbH, Erlangen, PhD CandidateMs. Xinxin LouBielefeld University, PhD CandidateMr. Mathias LangeMagdeburg-Stendal University of Applied Sciences,Institute of Electrical Engineering, MagdeburgDr. Karl WaedtAREVA GmbH, Erlangen

Our Main Projects.FINLANDRUSSIANovovoronesh II 1&2Leningrad II 1&2Olkiluoto 3GREAT BRITAINHinkley Point CFRANCEFlamanville 3SLOVAKIAMochovce 3&4CHINATaishan 1&2Tianwan 3&4Fuqing 5&6Incore Instrumentation forall CPR-1000 reactorsBRAZILAngra 3AREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 2All rights are reserved, see liability notice.

Our Portfolio in Security. Monitoring Equipment,e.g. SIPLUG with newestIndustry 4.0 InteroperabilityOPC Unified Architecture Optical Data Diodes Customized Nuclear & Industrial Security OffersConsulting OPANASec protection for SCADAProducts & SolutionsISMS: ISO/IEC 27000Automation SecuritySecurity SimulationsApplication NormativeFrameworksAudit SupportServicesThreat AnalysisImplementation ofCountermeasuresPhysical ProtectionSystem HardeningAwareness TrainingsForensic ReadinessSurveillance & Tests Cybersecurity R&D AREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 3All rights are reserved, see liability notice.

Outline1Introduction2Security Controls3Security Controls Model43D Modeling of Physical Components5SummaryAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 4All rights are reserved, see liability notice.

Introduction

IntroductionTypes of Security ControlsSecurity controls are applied: To meet the main focus of security: availability and integrity To minimize the risk of physical and cyberattack to the facilityMain types of security controls: Administrative e.g., risk management, personnel security, and training Technical hardware or software components Physical fencing, lightning, doors, locks and security guards etc.AREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 6All rights are reserved, see liability notice.

IntroductionScope of Security ControlsPreventive Controls can be subdivided into: Deterring harder for attacker to come close to the target Protective strong protection, e.g., unidirectional security gateway (data diode) Delaying login protected with a password delay in second attempt of passwordDetective ControlsCorrective ControlsAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 7All rights are reserved, see liability notice.

Safety Defense-in-Depth (Safety DiD) andSecurity Defense-in-Depth (Security DiD)Safety DiD Derived from Nuclear Safety Objectives Traditionally considered in line with the Safety CultureSecurity DiD Derived from Physical Security and Cybersecurity Objectives Basis for the Security Zone Model and Grading of Security ControlsAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 8All rights are reserved, see liability notice.

Safety Defense-in-DepthOverall Safety TargetAcceptanceCriteriaSevere AccidentsRisk Reduction LineMain LineReliability ClaimPreventive LineDesign Basis CategoriesDBC 1/2DBC 3/4DEC A/BSevereAccidentsDesign Basis and Design Extension ConditionsAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 9All rights are reserved, see liability notice.

Security Defense-in-DepthSecurity controls should be placed to provide a security defense-in-depth coordinated use of multiple security controls in a layered approachAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 10All rights are reserved, see liability notice.

Security defense-in-depthDomain Based Security (DBSy) GradingAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 11All rights are reserved, see liability notice.

Security Defense-in-DepthProtective: to assure the protection of an asset from an assumed specificPreventivesecurity threatDeterrence and delay: to avoid the attack or at least delay that for longenough to counter actDetection of attacks: initially those that were not deterred, but may includeDetectiveattempts at attacksAssessment of attacks: to find out the nature and severity of the attack.For e.g., the number of false passwords entryCommunication and notification: to make aware responsible authoritiesand/or computer systems from the attack in a timely mannerCorrective Network and system management play an important role in this workResponse to attacks: involves the actions by responsible authorities andcomputer systems to minimize the effect of an attack in a timely mannerAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 12All rights are reserved, see liability notice.

Security Controls

Preventive ControlsTo block an intruder from successful penetration of a physical securitycontrol of the facilityExample:security guard, security awareness training, video surveillance, firewall, Biometric accesscontrol, antivirus software, etc. Example of protective Control:(a) Data Diode (High Security to Low Security Zone)(b) Data Diode (Low Security to Higher Security Zone)AREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 14All rights are reserved, see liability notice.

Detective ControlsTo increase the protection from any malicious act by monitoring theactivitiesDo not stop any malicious act to happenDetective Controls identify and log themEarly detection of a malicious act enables a quick responseEffectiveness of the security controls defined by probability of detectionExamples: Logging, e.g. card reader indication, video surveillance (assuming appropriate lighting), alarms, intrusion detection systems identifications, etc.AREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 15All rights are reserved, see liability notice.

Security ControlsModel

Security Controls ModelSecurity Controlsreduces likelihoodof success ofDeterrent ControlThreat AgentInstalls &triggersDelaying ControlExploitpromptsmakesuse ofDetective ControldeterminesExposuresCritical AssethasValuehasVulnerabilityeliminatesProtective ControlmitigatesCorrective Controlresults inImpactsAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 17All rights are reserved, see liability notice.

3D Modeling of PhysicalComponents

Principle of 3D Modeling3D models represent virtual images with a internal hierarchical structureTo develop a 3D model, a modeling tool with a 3D engine is requiredThe 3D engine can manage multiple scenesA scene consists of one camera, a certain number of lights and severalmeshesThe meshes represent a 3D model3DEnginecan be hierarchical structuredScenesCameraLightsMeshesAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 19All rights are reserved, see liability notice.

Principle of 3D ModelingThe hierarchical structure helps to organize the 3D objects/ meshesAnd should base on a graph with parent-child relationships:Parent Each node has: one parent array of childrenChildChildChild Each child can be: a single 3D Object another node This structure is going to help us to identify security zones and to place thesecurity controls. (Later more)AREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 20All rights are reserved, see liability notice.

1. Physical asset modeling: CabinetexampleRoot node with 2 childrengroups alldoor nodesCabinetcorpusRear doorLegend:NodeAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 21All rights are reserved, see liability notice.3DObject

2. Room modeling:I&C room exampleNew root nodewith 5 childrenRoomcorpus Cabinet structurewas modeledin the first stepAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 22All rights are reserved, see liability notice.

3. Floor - 4. Building - 5. Site/IslandModelingSite/Island level Building level Floor levelRoom levelSafeguardbuilding 1I&C Room(2. Floor)Safeguardbuilding 2FuelbuildingSafeguardbuilding 3Safeguardbuilding 4AREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 23All rights are reserved, see liability notice.

AutomationMLThe 3D Model with the hierarchical structure must also be stored persistentlyAutomationML (IEC 62714-x) is a exchange format for plant engineeringinformation and allows to store:Data FormatStandardGeometry/ 3D dataCOLLADAcoming soonKinematic dataCOLLADAcoming soonLogic dataPLCopenIEC 61131-xCAEXIEC 62424Topology/ Hierarchicalstructureof single components or of a complete site.AutomationML supports the combination of physical models with logicalmodels(For example: To combine the physical zones with the logical zones)AREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 24All rights are reserved, see liability notice.

Linking SecurityControlsThe security relevant assets should be protected by security controlsBy developing a 3D Model with a hierarchical structure, the securitycontrols can be placed at their effective position I&C roomAREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 25All rights are reserved, see liability notice.

Linking SecurityControlsThe security relevant assets should be protected by security controlsBy developing a 3D Model with a hierarchical structure, the securitycontrols can be placed at their effective positionTo assure the correct implementation, the security controls are linked to thedescription and implementation guidance from IEC 62443-x-x and ISO/IEC27002:2013 I&C roomISO/IEC 27002:201311.1.2 Physical Entry Controlsb) Access to areas where confidential information is processed or stored should berestricted to authorized individuals only by implementing appropriate accesscontrols, e.g. by implementing a two-factor authentication mechanism such as anaccess card and secret PIN.AREVA NPDeterring, Protective, Delaying and Detective Application SecurityControls for Nuclear Facilities– Deeksha Gupta– 2017-11-16 AREVAp. 26All rights are reserved, see liability notice.