NSS No. 17-T (Rev. 1) Computer Security Techniques for Nuclear Facilities

Organizational responsibilities, for example different computer security zones for systems that are the responsibility of different departments;

The need to maintain separation, for example different computer security zones for redundant systems at the same computer security level performing the same facility function;

Zones already defined for other purposes, for example a computer security zone defined for simplicity to be the same as a zone already established for administrative or communication purposes.

Each facility function is assigned to a single computer security level.

Each computer security level may be applied to one or more facility functions.

Each facility function is ideally assigned to one system, where possible.⁵

Each system ideally performs one facility function, where possible.⁶

Each computer security level may be applied to one or more security zones.

Each computer security zone is assigned a single computer security level.

Each system is placed within a single computer security zone, where possible.⁷

Each computer security zone may consist of one or more systems.

Identification and listing of facility functions;

Assignment of facility functions to systems;

Development of systems;

Specification of requirements for computer security for different computer security levels based on a graded approach;

Establishment of logical and/or physical boundaries for computer security zones.

The example facility is associated with severe consequences in the event of unauthorized removal of material or sabotage.

The number of computer security levels is limited to five, with level 1 having the most stringent demands for protection and level 5 having the least.

Each system is placed within a computer security zone.

Each zone (including its systems) is assigned a computer security level.

One or more zones may be assigned the same computer security level.

The higher (more stringent) computer security levels are typically required for fewer functions (and consequently applied to fewer systems) than the lower security levels. In Fig. 2, security level 1 would apply to a minimal set of critical functions each ideally assigned to a single system, whereas security level 5 would allow for a single system to have many functions assigned to it.

The higher (more stringent) computer security levels are generally simpler (i.e. less complex) than the lower levels. In Fig. 2, zone Z_1A contains a single deterministic system whose logical and physical interactions with other zones (and systems) are minimized to the greatest extent possible, whereas zone Z_5B has very little restriction on interactions with other zones (and systems).

The complexity of zones is typically correlated with their physical and logical size. For example, in zone Z_1A, the physical locations of SDAs are likely to be restricted to a vital area, whereas in zone Z_3C, any digital assets might be anywhere within the protected area. The increase in physical area from vital area (Z_1A) to protected area (Z_3C) potentially increases both the number of access points and the number of authorized personnel requiring physical access and therefore having the potential to interact with the digital assets.

The logical size of a zone may be expressed as the number of addressable, installed digital assets within a system. For example, zone Z_3A might be logically scoped to have a smaller number of assignable addresses for a limited capacity of digital assets, whereas zone Z_5A might have a broader scope with more available logical addresses for current and future digital assets.

In these examples, the number of possible addressable digital assets increases in a manner similar to the example of physical zone size in para. 2.21(c). However, the installation of additional digital assets significantly affects the logical zone size but not the physical zone size.⁸ This means that the number of potential logical interactions increases only when additional digital assets are installed within a zone, thereby increasing the number and complexity of these interactions within the zone and its boundary.

To prevent, detect, delay and respond to criminal or other intentional unauthorized acts;

To mitigate the consequences of such acts;

To recover from the consequences of such acts.

To decrease the susceptibility of digital assets to malicious acts;

To prevent non‑malicious acts from degrading nuclear security.

They can be hidden.

Their execution can be delayed, condition based or remotely initiated.

Personnel (e.g. engineers, guards, operations and maintenance staff, contractors) can be deceived into unwittingly supporting the attack.

No consequence;

Negligible consequences;

Limited consequences (including safety consequences such as an anticipated operational occurrence, and operational effects such as plant performance);

Moderate consequences (e.g. degraded capabilities to prevent, detect and respond to nuclear security events);

High consequences (e.g. unauthorized disclosure or loss of sensitive information);

Severe consequences (e.g. unacceptable radiological consequences due to sabotage, unauthorized removal of nuclear or other radioactive material).

Control of reactivity;

Removal of heat from the reactor and from the fuel store;

Confinement of radioactive material, shielding against radiation and control of planned radioactive releases, as well as limitation of accidental radioactive releases.

Intrusion detection (including assessment) at a critical detection point;

Control of access of persons and equipment to Category I material or vital areas;

Communications to coordinate response forces during a nuclear security event.

Assess and manage aggregated computer security risks to facility functions for the whole facility. This will ensure that the operator performs a complete assessment of the facility and will provide the competent authority with the primary means to assess the overall effectiveness of CSRM at the facility. Section 4 provides guidance on performing facility CSRM.

Assess and manage risks associated with each system that performs or supports those facility functions. This will ensure that the operator performs a detailed assessment of each system that performs or supports a facility function. The competent authority may require the detailed assessments as a means to review the effectiveness of specific instances of CSRM at the facility. Section 5 provides guidance on performing system CSRM.

New information or important findings emerge that could invalidate assumptions stated in the current computer security policy, CSP, DCSA, site specific threat assessment.

A vulnerability is discovered that invalidates computer security measures or assumptions made in a system risk assessment.

A computer security incident occurs at the facility.

The national threat statement or DBT is modified (and the modifications are relevant to adversaries using cyber‑attacks or blended attacks). This might reflect new threats or enhanced adversary capabilities or resources that might increase the likelihood of successful cyber‑attacks.

There is a change to a facility function, system, SDA or computer security measure. This should include the introduction of any new equipment, software or procedures or any major change in skill sets of operating personnel. The level of effort to update the risk assessment can be informed by the assigned level of protection of the SDA (e.g. computer security level).

Regulatory requirements change.

A periodic review is due according to the continual improvement process to ensure that the assessment remains valid.

Facility CSRM:

System CSRM:

Definition of the scope of CSRM;

Characterization of the facility;

Characterization of the threats;

Specification of requirements;

Verification and validation;

Acceptance by the competent authority.

Definition of system boundaries;

Identification of digital assets (including SDAs);

System computer security requirements;

Verification.

The national threat statement or DBT, and associated analysis if available.

Applicable regulatory requirements and other documents. These may include the State’s information classification requirements.

The safety analysis for the computer systems of the facility. This safety analysis may be used in defining computer security requirements, but it is not sufficient for this purpose as it does not address all mal‑operations, notably those caused by malicious acts.

The site security plan [15]. The site security plan may be used in identifying the facility functions important or related to security and their significance in meeting the operator’s objectives. The site security plan may incorporate the facility’s CSP or aspects of it.

The facility computer security policy.

Current and previous facility CSP documents, including details of the assignment of facility functions to systems and the facility specific threat assessment.

Scope definition: Defining the scope of the risk assessment while taking account of the operator’s objectives for the facility (e.g. safety, security, operations, emergency preparedness), the physical and logical boundaries, and the stage of the lifetime of the facility. The prerequisites for and inputs to the assessment should be identified in this phase.

Facility characterization: Identifying facility functions and their interactions and interdependencies, identifying sensitive information that could be useful in planning an attack against the facility, and identifying targets on the basis of the identified facility functions and sensitive information.

Threat characterization: Analysing the national threat statement or DBT and any other relevant information or analysis of threats to identify specific tactics, techniques and procedures, along with adversaries’ skills, that could be used in cyber‑attacks (including blended attacks) on targets at the nuclear facility. The threat characterization is a model, developed through analysis of applicable aspects of the threat information, to generate a representation of adversaries who pose the greatest risk. This threat characterization phase bounds the range of credible attack scenarios.

Specification of computer security requirements: Generating facility level computer security requirements. The specification phase includes the following:

System CSRM: The CSP and the DCSA are applied to each system. System CSRM is described more fully in Section 5. Changes might be needed to the CSP and the DCSA in the light of the experience of implementing the CSP and the DCSA on each system.

Implementation of systems and their integration into the facility: This phase is not covered further in this publication. Changes may be needed to the DCSA and the CSP in the light of the practical engineering experience of implementation and systems integration.

Assurance activities: These are not strictly a phase of facility CSRM but rather a set of continuous activities that are also performed in each system CSRM process. Three types of assurance activity are used:

Facility CSRM outputs: These outputs comprise the (revised) CSP, the DCSA, the site specific threat assessment and the facility CSRM compliance report.Some or all of these documents will be subject to review for acceptance by the competent authority. The output from CSRM may be an input to the further development by the State of its regulatory requirements.

Developing and documenting a CSP;

Recommending any necessary amendments to the computer security policy;

Assigning the identified facility functions to computer security levels;

Creating or amending requirements for the DCSA.

This phase may include applying analysis techniques (e.g. vulnerability assessment, threat assessment) and evaluation methods (see para. 4.98) to develop requirements from the facility characterization and threat characterization phases, and from regulatory requirements.

Evaluation of compliance with computer security requirements;

Verification of each phase of CSRM;

Validation of the computer security of the facility.

Scenarios are a vital part of evaluation, verification and validation activities.

Intrinsic significance: The importance of the facility function to nuclear security and nuclear safety and the potential consequences for the facility if the function is not performed correctly.²³ This is the primary characteristic.

Potential effects of compromise: The manners in which the facility function could fail to be performed correctly.

Interdependencies between functions: The significance of a facility function might arise from other functions that depend on it.

The timeliness and accuracy with which the facility function needs to be performed.

The performance of the facility function is indeterminate. This means that the function might be altered in any manner without the initial compromise being detected.

The performance of the facility function changes in unexpected ways (and other actions can be performed), but these anomalies are observable to the operator.

The performance of the facility function fails.

The performance of the facility function is as expected, meaning the compromise does not adversely affect the facility function (i.e. the system is fault tolerant).

Information dependency: A facility function provides information to another facility function. Examples of mal‑operation include the following:

Engineering or physical resource dependency: A facility function provides a physical resource to another facility function. This includes resources needed to sustain the other facility function directly and resources needed to sustain those resources. Examples of mal‑operation include the following:

Policy or procedural dependency: A change to one facility function necessitates a change to another facility function. For example, if policy demands that primary and secondary heat sink functions be provided when a reactor is critical, then if one of those heat sinks becomes unavailable, the reactor has to be put into a subcritical state.

Proximity effects: The effects on a facility function of mal‑operation or physical failure of other systems physically near to those that perform the facility function.

Interruption of the automated control instructions for a facility process;

Compromise of alarms provided to security officers;

Display of incorrect plant monitoring information to operating personnel;

Failure to provide information for emergency responders or nuclear security officers;

Loss or manipulation of procedures or instructions, or of records that document the results of these procedures.

Interruption of the provision of water or power;

Unanticipated ambient environmental conditions;

Failure to schedule preventive maintenance tasks;

Failure of physical protection systems (e.g. access controls, intrusion detection).

Availability of information implies that, for example, alerts provided by one facility function are provided promptly to allow other facility functions such as assessing the alert and responding to the alert to be performed.

Integrity of information implies that, for example, a facility function provides accurate data on environmental variables (e.g. temperature, pressure, frequency, level) on which other facility functions depend.

The State’s assessment of threats and the development and maintenance of the national threat statement or DBT using intelligence sources;

The facility specific threat assessment, taking account of analysis of facility specific information and information on specific adversaries.

The operator performs a facility computer security risk assessment. This may sometimes be a less intensive analysis to check the previous analysis and assumptions.

The competent authority issues a new DBT or national threat statement.

The operator receives information that potentially invalidates assumptions made in the current analysis.

Passive insider: An insider with the motivation to enable but not initiate malicious acts. The computer security measures to counter a passive insider might rely on preventive measures, including having a strong security culture. Typically, a passive insider will not be deterred by detection measures, because their access to information and systems is legitimate, but will seek to avoid being identified as acting maliciously.

Active insider: An insider with the motivation to initiate malicious acts. There are likely to be fewer active insiders than passive insiders. The computer security controls to counter an active insider need to be more comprehensive than those to counter a passive insider and should include protective measures such as separation of duties and compartmentalization of information, physical access or system privileges.

Unwitting insider: An insider without the motivation to commit a malicious act and who is unaware of their exploitation by an adversary. For example, in a cyber‑attack, an unwitting insider might not be aware that certain actions can provide information or authenticated access to an adversary, such as by clicking a malicious link in an email disguised as being from a trusted source.

Organizational roles and responsibilities;

Risk, vulnerability and compliance assessment;

Organizational security procedures;

System security design and management;

Asset and configuration management;

Personnel management.

A statement that indicates the level of computer security protection to be provided for each computer security level. This statement could be qualitative or quantitative, but should be verifiable.

A requirement to perform and document periodic computer security reviews and risk assessments in each stage of the lifetime of the facility.

A definition of the roles and responsibilities needed to support computer security.

A specification for the DCSA, combining the computer security requirements derived from the operator’s application of a risk informed approach and any such requirements imposed on the facility by national law or regulations. The DCSA specifications should include the following:

A record of the functional scenarios or other evaluation methods used in the analysis to develop requirements. It is important that other scenarios be developed independently to provide greater assurance in the requirements (i.e. increased confidence). Use of scenarios for raising confidence in the output of the specification phase is described in more detail in paras 4.116‑4.122.

The requirements for applying a graded approach (e.g. the number of computer security levels);

The requirements for defence in depth;

Any additional requirements (e.g. for authenticity, non‑repudiation and traceability) necessary to meet the necessary level of protection for each computer security level;

Requirements that will provide and maintain the capability to prevent, detect, delay, mitigate the effects of and recover from cyber‑attacks;

The specific requirements for computer security measures for each computer security level to be applied to the respective computer security zones.

The number of computer security levels and the requirements for their associated computer security measures;

The ordered list of facility functions, indicating how the functions have been assigned to computer security levels.

Personnel trustworthiness (i.e. protection against insider threats) [6];

Sensitive (i.e. classified) information protection (e.g. Bell–LaPadula³¹);

Integrity protection (e.g. Biba, Clark–Wilson³²).

The facility CSRM or facility safety analysis is revised.

The system cannot fully comply with requirements identified in the facility CSRM output.

System modifications are made that have the potential to affect facility CSRM.

Relevant security events or incidents occur.

New or changed threats or vulnerabilities are identified.

A risk showing a clear pattern of increasing towards or beyond the unacceptable risk threshold. In this case, consideration should be given to ways to prevent the risk threshold being exceeded.

A risk reaching or exceeding the threshold. In this case, appropriate actions will need to be taken (e.g. reporting to the competent authority, implementing compensatory measures consistent with the urgency identified from risk trend data).

Evaluation, which provides confidence in the outputs of phases where verification is not possible (e.g. the threat characterization and computer security requirement specification phases). Owing to the nature of the information on which the computer security requirements are developed (e.g. estimations of the threat, assumptions about facility function failure modes due to compromise of systems), the operator cannot be certain that the requirements are correct. Therefore, evaluation is needed to give the operator confidence in the outputs of the computer security requirement specification phase, namely the CSP and the DCSA.

Verification, which provides confirmation that the results of a phase meet the objectives and requirements defined for that phase. Where possible, verification activities occur between successive phases of facility and system CSRM. This may involve a number of performance based methods or analyses to verify the outputs of each phase prior to their use as input in a subsequent phase.

Validation, which is the process of determining whether the computer security of the facility provides appropriate protection against the threat (as defined in the threat characterization) and complies with regulatory requirements.

Identification and assignment of functions to computer security levels;

Assignment of computer security measures to those levels;

Specifications for computer security measures.

Attack tree analysis (also referred to as ‘attack vector analysis’ and ‘attack graph analysis’). This involves postulating a set of different possible adversary paths to determine whether there is high assurance that each attack will fail (i.e. that the adversary can be prevented from following the path) or be detected and responded to before the adversary reaches the objective. Attack tree analysis can be used, with the threat characterization, to assess whether the measures based on the CSP and the DCSA are effective in eliminating or minimizing the potential for an adversary to make the postulated attacks successfully.

Simulation. This includes computer based simulations of elements of the CSP (including the DCSA) and tabletop exercises that allow consideration of security and contingency plans as well as decision making by the adversary and computer security incident responders. These tools are used to judge the overall performance of the CSP, taking all measures into account. For example, tabletop exercises might assist in determining the opportunities available to an adversary on the basis of their capabilities and characteristics (e.g. whether they are insiders), or the vulnerabilities of the function.

Exercises. These can include both facility level and system level performance testing (e.g. penetration tests) as well as force‑on‑force exercises (e.g. for blended attacks) in either field conditions or test conditions. These exercises can address the effectiveness of the CSP in providing protection to the entire facility, parts of the facility, specific sets of systems or sets of measures against a simulated adversary attack. In this evaluation activity, data concerning the performance of computer security measures are collected and used to evaluate the overall effectiveness of the CSP.

Addressing any deficiencies in design or implementation of computer security measures to meet the requirements;

Identifying, analysing and implementing upgrades that might be necessary to address identified deficiencies and improve performance.

Functional scenarios, which are scenarios based on the threat assessments and which reflect the potential effects on facility functions of the compromise of systems performing those functions. These scenarios include those involving sabotage resulting in unacceptable radiological consequences and unauthorized removal of nuclear material. Functional scenarios can also be used to identify critical dependencies between functions or systems.

Technical scenarios, which are scenarios based on the specific technical implementation of computer security measures and which involve detailed information about the actual or potential implementation of digital assets. These scenarios can be assessed through performance based or tabletop exercises, typically as part of the verification and validation of both the facility and the system CSRM outputs.

When the national threat statement or DBT is updated;

When significant modification of the facility is undertaken;

When changes are made to security processes, critical countermeasures and architectures;

When new credible attack routes are identified;

When new regulatory requirements are introduced;

When new critical vulnerabilities³⁴ become known, especially those involving important computer security measures;

When the threat characterization changes.

Assessing each facility function, the systems assigned to perform the function and the computer security level applied to those systems — taking account of other facility functions that have interactions and interdependencies identified in the facility characterization phase of facility CSRM — to define the functional boundaries of the systems.

Identifying the scope of each system, including those systems that support other facility functions that interact with and depend on the function performed by the system. This can include analysis of the overall system architecture to identify the locations, boundaries, interfaces and communication paths of systems containing digital assets, including SDAs.

Identifying (and creating an inventory of) digital assets within those systems.

Defining and establishing computer security zones on the basis of the requirements identified in the facility CSP and the DCSA.

Identifying SDAs and other digital assets within the zone boundaries by asset analysis, which is an assessment of the digital assets to determine whether they are vital to the performance of the facility function.

Assigning digital assets, including SDAs, to the computer security level assigned in the facility CSRM output to their facility security or safety function.

Applying to the whole zone the most stringent computer security level assigned to any of the functions provided by digital assets within the zone, and assigning all of the digital assets within the zone to that level.

Applying baseline computer security measures (see paras 4.58 and 4.68) and additional computer security measures to the SDAs and other digital assets (including at the zone boundaries), taking into account the specificities of the identified systems to meet the requirements of the assigned computer security levels.

Providing a process to determine the technical control measures, administrative control measures or physical control measures that can be applied to meet the baseline computer security measures.

Analysing specific attack routes, scenarios and vulnerabilities to verify the effectiveness of the applied computer security measures.

If the analysis shows that a system is not sufficiently protected by the baseline computer security measures, applying additional or compensatory measures to reduce the risk to an acceptable level.

Developing a system CSRM report for the identified system.

When a facility is first constructed (for every system);

When a facility is modified (for every system);

When a new system or digital asset is deployed (for every affected system);

When a system or digital asset is modified (for every affected system);

When the facility CSRM process is revised (for every system).

Facility CSRM outputs (e.g. the CSP and DCSA specifications);

The safety analysis report;

The site security plan;

The computer security policy.

Identify all the interfaces of the system.

Identify all the points at which data enter and leave the system (points at which an adversary might be likely to attempt to inject malicious code). Any means of injecting malicious code into the system should be considered in the system security risk assessment. For example, malicious code could be injected via communication connections, supplied products and services, or portable devices that are temporarily connected to target equipment.

Identify the procedures that involve interaction with the system in normal operation and in specific circumstances (e.g. patching).

Identify which data pathways (if any) are not used by any procedures during system operation and maintenance. Unused data pathways represent a significant vulnerability.

Identify the assigned computer security level of the system (from the facility CSRM output).

List the computer security measures applied to the system or its environment.

Systems belonging to the same zone form a trusted area for internal communications between those systems, and the computer security level applied throughout a zone that has such a trusted area is the most stringent level of those assigned to the systems involved.

Safety architecture requirements (e.g. redundancy, diversity, physical and electrical separation, single failure criterion) are maintained.

Defence in depth is applied both within each computer security zone (by using diverse, independent and overlapping administrative, physical and technical control measures) and between computer security zones.

Technical control measures to provide continuous or automatic preventive or protective actions (i.e. requiring no human intervention) complement physical or administrative control measures (i.e. requiring human intervention) where appropriate.

All connections between zones have decoupling mechanisms for data flow, operating according to zone dependent rules to prevent unauthorized access and undesired interactions between the zones. This includes continuous network connections and intermittent connections, for example using removable media.

The level of decoupling between zones is dependent on the computer security levels of the two zones. Decoupling measures include technical control measures, such as packet filters, firewalls and data diodes, at zone boundaries to restrict data flow and communication between different zones.

Permitted communications between zones at different security levels follow requirements specified for the levels involved in the CSP. The development of requirements for permitted communications may include consideration of trust models (see para. 4.83).

If the requirements in the CSP permit SDAs from zones assigned to different security levels to communicate, the connection is allowed to be initiated only by the SDA assigned to the higher (more stringent) computer security level. SDAs performing sensitive information management functions typically do not allow for communication from higher to lower levels (i.e. information flows in the opposite direction), in accordance with the Bell–LaPadula trust model (see para. 4.83).

If communication initiated by the SDA subject to the lower computer security level³⁷ is unavoidable and in violation of its trust model, exceptionally stringent decoupling mechanisms are used.

Logical or physical access to digital assets in a zone by permitted mobile devices or other temporary equipment is treated as a form of intermittent connection to that zone and is subject to computer security measures for both the established zone and the temporarily connected devices. Such devices are subject to additional computer security measures if they connect to more than one zone.

Zones can be partitioned into subzones to improve the configuration and to prevent undesired interactions with other systems.

The digital assets belong to systems that perform different facility functions.

Systems contributing to the same facility function are assigned different computer security levels.

Systems contributing to the same facility function and assigned the same computer security level are managed by different organizational units.

Servers communicate with multiple clients (e.g. those used with distributed control systems and programmable logic controllers). The zone requiring the most stringent protection should contain the minimum possible number of unique assets.

Systems need to communicate with common infrastructure components used by multiple systems (e.g. directory services, time servers, security log collectors) but not with one another. Communication between zones containing these types of system and zones containing the common infrastructure components needs to be monitored and controlled.

The systems are administration systems (especially when the same systems are used to administer several functional systems).

Regulations require distinct zones.

The digital assets are in systems performing different facility functions. In such cases, assignment of digital assets to different zones may improve the separation of the zones and systems that contribute to a facility function.

Different organizational units are responsible for different digital assets.

There are isolated digital assets, or several digital assets of the same functional system are hosted on an isolated network.

Separate redundant systems performing the same facility function need to be assigned to individual zones.

Regulations require separation of the digital assets.

System asset database (of all digital components);

Software and firmware inventory;

Lists of sensitive information relevant to the system [5];

System network and architecture diagrams;

Facility design documents such as the safety analysis report or test reports;

Data flow diagrams;

List of user and system accounts and privileges;

Procedures related to the identified system.

Trusted internal communications: This category would include communications within and between systems or within a zone or between digital assets within a system, including internal pathways to devices at the zone boundary (e.g. firewalls, data diodes). There are no computer security measures that can effectively monitor or protect internal trusted communication pathways against cyber‑attack.

Authorized external communications: This category would include connections between zones via authorized permitted pathways and boundary devices. Such communications are normally between separate systems performing different facility functions. Computer security measures in the form of boundary devices ensure that all communication pathways, whether digital or analogue, are continually monitored and only those that are authorized can be used.

Potential unauthorized communications: This category would include the capability to make unauthorized connections between zones, for example using network cables, wireless connections or removable media. Such unauthorized communication pathways could be made between systems or digital assets that are in different zones but in physical or logical proximity, for example systems that are physically located in the same area with no physical barriers controlling access between them.

Analysing or testing the effectiveness of the security measures;

Documenting the status of the measures, including defining possible improvement points;

For identified systems, ensuring that the software has been subject to a vulnerability assessment.

Social engineering, including phishing attacks;

Malicious emails;

Malicious web sites;

Infected mobile media devices;

Compromised maintenance and inspection equipment;

Remote access;

Insiders (witting and unwitting);

Compromise of the supply chain.

To determine the highest consequence scenarios involving SDAs;

To determine the most likely scenarios involving digital assets, including SDAs.

Identification of all SDAs, including (as far as possible) all hardware and software components of each SDA.

Identification of digital assets that are components of, interface with, support or have the potential to access communication pathways connected to SDAs. These might include components of systems assigned a computer security level.

Identification of known vulnerabilities, deficiencies or weaknesses in the systems or components, for example potential procurement issues (e.g. supply of counterfeit or substandard parts), or human actions or omissions that might affect security.

Identification of technical, administrative and physical control measures.

Recommendations for implementation of countermeasures.

Recommendations for improvements to countermeasures (i.e. additional technical, administrative or physical control measures).

Identification of deficiencies in facility documentation or records.

Classification of sensitive information.

Access control lists for personnel and services.

Corrective actions, when adverse conditions appear.

Assessment of the residual system level risk.

Identification and description of other indicators that will assist in the evaluation of computer security (e.g. mean time between failures, mean time to repair, mean time to detect, mean time to recover, security quality metrics).

Appropriate computer security requirements are included.

Design changes improve and do not degrade computer security.

The changes, as implemented, meet the defined computer security requirements.

The effectiveness review includes computer security.

Assurance activities (i.e. testing, assessments, audits);

Use of staging areas, with process and security controls to verify that SDAs have not been tampered with;

Management of staff and verification of products of vendors, contractors and suppliers (both on the site and working remotely), from fabrication to installation;

Supply chain evaluation and management, ensuring that the verified procurement process is followed consistently and is not tampered with.

Passwords and secondary authentication methods for digital assets should be changed according to approved procedures.

Development and construction accounts for digital assets should be removed, and technical control measures should be enabled.

System support tools (software and hardware) should be submitted for testing and evaluation using appropriate computer security measures.

Access restrictions, access control and monitoring may be different for equipment assigned to different computer security levels.

Different levels of trustworthiness check may be required for personnel working on different systems, depending on their assigned computer security level.

Duties may be segregated.

The permitted maintenance activities should be specified.

The necessary access for maintenance should be identified and controlled.

Maintenance equipment may be restricted for use only within a specific computer security zone (or for a specific system or digital asset) or only for systems at a specific computer security level.

Secure maintenance environments may be required for some systems or digital assets.

Compensatory measures should provide physical protection when equipment is unlocked.

The need for remote interfaces for maintenance should be identified (and justified) in advance and appropriate computer security measures should be applied to such interfaces in accordance with the CSP.

The use of computer based tools (e.g. measurement, testing and calibration equipment) should be controlled and monitored to ensure that the tools are not compromised by cyber‑attack or provide a route to compromise the systems on which they are used. Computer equipment that may be temporarily connected to the system — such as testing or configuring equipment — should be protected against malicious software and unauthorized data transfer. The use of external equipment for such purposes should be minimized. Any such equipment should be inspected before it is brought into the facility.

Software should be checked to confirm that it is free from malicious software before it is loaded on to the system. This may include verifying that the software has not been tampered with and is authentic, for example through software signing with cryptographic hashes.

Safety measures (e.g. concurrent verification by a second party) can also be used for security purposes.

Computer security architectures and measures being modified or disabled to allow modification work to take place.

Fluctuations in staffing levels, possibly including new personnel being brought on‑site to perform activities involving digital assets, including SDAs. This may require that additional trustworthiness checks or other measures be put in place to address the insider threat.

Significant replacement of components, which need the creation of a secure installation environment, secure storage, and additional measures for handling and secure sanitization of replaced SDAs.

Organization and responsibilities:

Risk, vulnerability and compliance management:

Security design and management:

Digital asset management:

Security procedures:

Personnel management:

Organizational charts;

Responsible persons and reporting responsibilities (see paras A.3–A.13 of the Appendix);

Periodic review and approval process; (iv) Interfaces with other programmes, such as human resources, personnel related security, physical protection and training (see paras A.15–A.38 of the Appendix).

Facility CSRM process and outputs (see Section 4);

System CSRM process and outputs (see Section 5), including the process for the classification and identification of digital assets⁴⁰, including SDAs;

Frequency of security plan review and reassessment;

Self‑assessment practices;

Audit procedures and deficiency tracking and correction;

Method for and occasions to start or repeat risk and vulnerability assessment;

Regulatory and legislative compliance.

Fundamental security architecture (i.e. DCSA);

Fundamental security design approaches (i.e. computer security levels and zones);

Assignment of baseline computer security measures to each computer security level;

Formalization of computer security requirements for contractors, vendors and suppliers, including maintenance contracts;

Security considerations for the applicable stages in the facility lifetime (see Section 6).

Attributes of digital assets (identification, computer security level, zone, location, associated consequences);

Configuration management (hardware, operating systems, firmware, software applications, equipment status, associated configurations);

Data flow and network diagrams identifying all external connections to other systems;

Supplier information for assets.

Security incident handling;

Business continuity;

System backup, restoration and recovery;

Supply chain;

Access control;

Information and communications management;

Platform and application security (e.g. system hardening);

System monitoring, including logging.

Trustworthiness checks;

Awareness and training;

Qualification of personnel;

Reporting of security issues, including protection of staff reporting these issues;

Termination or transfer.

Routine interfaces between the facility operator and relevant competent authorities (e.g. regulatory bodies, law enforcement, intelligence agencies, security services);

Reporting to competent authorities and interface with external response forces in the event of a security incident;

Internal interface with on‑site response team;

Public relations;

Relations with vendors, contractors and suppliers, including the supply chain.

Functional requirements;

Interface requirements;

Operational requirements;

Location of equipment;

Environmental considerations;

Codes and standards to be used;

Contractual considerations;

Supply chain considerations;

Logistics (e.g. coordination of complex operations involving many people, facilities or supplies);

Past operating experience;

Introduction of new technologies;

Human factor considerations;

Design requirements for each engineering discipline (including computer security);

Fabrication considerations;

Installation;

Commissioning;

Decommissioning;

Financial considerations.

Asset identifier and location;

Asset configuration;

Functions and operational modes;

Interconnections, including power supplies;

Data flow, including internal and external connections;

Procedures that initiate communication, frequency of communication and protocols for such communication;

Analysis of user groups;

Ownership (for data and computerized systems);

Computer security level and zone, and assessed consequences of failure.

Identifying the need for computer security measures;

Verifying that the computer security measures are implemented and configured correctly;

Managing changes throughout the life cycle of the systems;

Supporting computer security assessments;

Understanding the reasons for changes to the computer security measures.

Environmental monitoring systems;

Building automation systems;

Fire protection systems;

Communications with emergency centres;

Remote vendor access (where permitted);

Field devices located outside the physical security perimeter;

Visitor control.

Restricted or proscribed equipment, where restrictions placed on the operator mean that the security of the digital assets cannot be assessed. This could be due to licence conditions, or to contractual, regulatory or legal requirements that prohibit the operator from inspecting and modifying the equipment (e.g. safeguards related equipment).

Unannounced equipment, which might be brought to the facility without being requested by or without the prior agreement of the operator. Such equipment is considered to be ‘contraband’ until a computer security risk assessment can be completed.

All technical, physical, personnel and organizational security measures for systems and networks are designed and implemented in a systematic manner and according to approved processes and procedures.

Policies and practices are defined for each computer security level.

Users are obliged to comply with security policies and security operating procedures.

Staff permitted access to the system are suitably qualified and experienced and determined to be trustworthy where necessary.

Users and administrators have access only to those functions on those systems that they need for performing their jobs. Accumulation of access rights by an individual person is avoided.

The system’s functionality and interfaces are limited to the extent possible, with the objective of reducing overall system vulnerability.

Appropriate access control and user authentication are in place.

Protection against infection and spreading of malware is in place.

Security logging and monitoring, including procedures for adequate response, are in place.

Application and system vulnerabilities are monitored, and appropriate measures are taken.

The adequacy and effectiveness of measures is reviewed periodically.

System vulnerability assessments are undertaken periodically.

Removable media are controlled in accordance with security operating procedures. Privately owned devices are not allowed to be connected to systems and networks.

Digital assets and associated computer security measures are strictly maintained using the applicable change management procedures.

Appropriate backup and recovery procedures are in place.

A service device is assigned to exactly one computer security level.

Physical access to components and systems, including service devices, is restricted according to their functions.

Measures to prevent the unauthorized introduction of systems into computer security zones are in place.

Only approved and qualified users are allowed to make modifications to the systems.

Systems are designed and implemented to be verifiable and testable against a potential attack by an adversary.

No networked data flow of any kind from systems assigned less stringent computer security levels can enter level 1 systems when integrity and availability are priorities. Only outward communication is possible. Exceptions are strongly discouraged and may only be considered on a strict case by case basis and if supported by a complete justification and security risk analysis.⁴⁴

No remote maintenance access is allowed.

Physical and logical access to systems is strictly controlled, monitored and recorded.

The number of staff given access to the systems is limited to an absolute minimum.

The two person rule is applied to prevent unauthorized actions by an insider threat.

All activities and potential security events are logged and monitored.

Connection of external storage devices is approved and verified on a case by case basis.

Strict organizational and administrative procedures apply to any modifications, including hardware maintenance, software updates and software modifications.

Only an outward, unidirectional networked flow of data is allowed from level 2 to level 3 systems. Only necessary acknowledgement messages or controlled signal messages can be accepted in the opposite (inward) direction (e.g. for TCP/IP (Transmission Control Protocol/Internet Protocol)).

Remote maintenance is not allowed.

The number of staff given access to the systems is kept to a minimum, with a clear distinction between users and administrative staff.

Physical and logical access to systems is strictly controlled and documented.

Administrative access from other computer security levels is avoided. If this is not possible, such access is strictly controlled (e.g. by adopting the two person rule and two factor authentication).

All reasonable measures are taken to ensure the integrity and availability of the systems.

Access to the Internet from level 3 systems is not allowed.

Logging and audit trails for key resources are monitored.

Security gateways are applied to protect this level from uncontrolled data connections from level 4 systems and to allow only specific and limited activity.

Physical connections to systems are controlled.

Physical and logical access to systems is controlled and documented.

Remote maintenance access is allowed on a case by case basis provided that it is robustly controlled; the remote computer and user follow a defined security policy, specified in the contract.

System functions available to users are controlled by access control mechanisms and based on the ‘need to know’ rule. Any exception to this rule is carefully considered and protection is ensured by other means (e.g. physical access).

Administrative access from other computer security levels is avoided wherever possible. If this is not possible, such access is strictly controlled (e.g. through two factor authentication).

Access to the Internet from level 4 systems is not allowed.

Security gateways are implemented to protect this level from unauthorized data communications through trusted and approved external company or facility networks and to allow specific activities that are authorized.

Physical connections to systems are controlled.

Remote maintenance access is allowed but controlled; the remote computer and user follow a defined security policy, specified in the contract.

System functions available to users are controlled by access control mechanisms. Any exception to this rule is carefully considered and protection is ensured by other means.

Remote external access is allowed to selected services and for approved users, provided that appropriate access control mechanisms are in place.

The computer security level does not fall below a baseline protection level, defined according to the latest state of the art.

Only approved and qualified users are allowed to make modifications to the systems.

Access to the Internet from level 5 systems is allowed, provided that adequate preventive and protective measures are applied.

Remote external access is allowed for authorized users, provided that appropriate measures are in place.

Physical connection of third party devices to systems and networks is technically controlled. Those interfaces to higher level systems are characterized and evaluated independently to ensure compliance with the computer security architecture.

Assume overall responsibility for all aspects of computer security.

Define security objectives for the facility.

Ensure compliance with relevant laws and regulations.

Maintain awareness of the current nuclear security threat and associatedtrends.

Set the risk acceptance level for the facility.

Assign organizational responsibilities for computer security.

Ensure adequate communication between personnel responsible for different aspects of nuclear security.

Ensure compliance with the computer security policy.

Provide adequate resources to implement a sustainable CSP.

Ensure periodic reviews and updates of the computer security policy and procedures.

Ensure support for training and awareness programmes.

Advising senior management on computer security.

Leading the computer security team.

Advocating computer security within the organization, including improvements when necessary.

Coordinating and controlling the development of computer security activities (e.g. implementing computer security policy, specific directives and guidelines, procedures and, ultimately, computer security measures).

Coordinating with physical protection personnel and other security and safety personnel to plan and specify computer security measures, including those to respond to computer security incidents.

Identifying systems critical to computer security within the facility (i.e. those providing baseline computer security measures). Asset owners should be informed of their equipment’s role in computer security.

Conducting periodic computer security risk assessments, independently from operational staff.

Conducting periodic inspections, audits and reviews of the baseline computer security measures and providing status reports to senior management.

Developing and arranging computer security training and qualification of relevant personnel.

Preparing for and leading the response to computer security incidents, including coordination with relevant internal and external personnel involved in the response.

Investigating computer security incidents and developing post‑incident corrective actions.

Participating in assessment of overall facility security.

Participating in analysis of requirements for new computer based systems.

Understanding the significance and the role of computer security in nuclear security;

Operating within the requirements and processes defined by the CSP;

Providing operational requirements and feedback to senior management relevant to computer security, and resolving any conflicts between operational, security and safety requirements;

Alerting senior management to any conditions that might lead to changes in the level of computer security, such as changes in personnel, equipment or processes;

Ensuring that staff are sufficiently trained and briefed on computer security issues relevant to their roles;

Ensuring that vendors, contractors and suppliers working for them operate within the requirements and processes defined by the CSP;

Tracking, monitoring, responding to and reporting on computer security incidents;

Enforcing computer security measures.

Understanding the significance and the role of computer security in nuclear security;

Understanding the organization’s policy for computer security;

Having knowledge of computer security procedures relevant to their job;

Operating within the constraints implied by the computer security policy;

Notifying managers of any changes that might adversely affect computer security;

Notifying relevant points of contact and managers of any incidents or possible incidents involving a compromise of computer security;

Attending initial training on computer security and refresher training on a regular basis.

Ensuring that only authorized access is permitted to SDAs;

Identifying unauthorized removable media and mobile devices entering the facility;

Identifying unauthorized removal of information or information assets from the facility;

Ensuring that policies applicable to any removable media and mobile devices permitted in the facility are applied (e.g. scanning for malicious software before entry into the facility);

Reporting computer security incidents (e.g. detection of malicious software, unauthorized removal of information assets) according to the incident response procedure;

Assessing information security practices (e.g. desk checks, checking of locked rooms and cabinets, provision of standards for devices providing physical protection of information assets, access control and monitoring);

Supporting incident response for computer security incidents related to the physical protection system.

Review of documents and records (e.g. legislation, regulations, facility records);

Interviews with personnel from the relevant organizations, such as competent authority personnel, operating personnel of the facility and representatives of other organizations;

Direct observation of the organization, its practices and systems, and the implementation of computer security measures.

Assign relevant roles and responsibilities, and define configuration management processes and procedures.

Detail the configuration of the SDAs and their interactions.

Identify when in the system development life cycle the SDAs are placed under configuration management.

Establish the means for identifying SDAs and a process for managing computer security measures to protect them.

Unused network interfaces or protocols (including disabling of driver software);

Unused peripherals (including disabling of driver software);

Support for removable media;

Unauthorized wired and wireless communications;

Messaging services not related to the facility functions performed by the system;

Social media services and applications;

Servers or clients for unused services;

Software compilers in user workstations and servers, except for those used for system development;

Software compilers for languages that are not used in the control system;

Unused networking and communications protocols;

Unused administrative utilities, diagnostics, network management and system management functions;

Backups of files, databases and programs used during system development;

Unused data and configuration files;

Sample programs and scripts;

Unused document processing utilities;

Unnecessary add‑ins for applications (e.g. browsers);

Games.

Exercises of security procedures to test the effectiveness of the procedures in meeting the objectives of the CSP;

Drills to train personnel in carrying out the security procedures and thereby improve awareness of the procedures, the rationale for the tasks in the procedure and the response to computer security incidents.

‘Fingerprinting’, which involves identifying and quantifying all communications within and between components in a system and analysing the effects of these communications on the SDAs to which the tests relate. Fingerprinting a network provides the following:

‘Fuzzing’, which aims to find bugs or vulnerabilities in a component or system by injecting a wide variety of data in an automated fashion to identify types of data and injection points that might be used for malicious purposes. This can identify weaknesses in software coding and provide an indication of system hardness.

A network baseline;

An accurate network diagram;

Identification of any rogue devices or malicious data communications;

Verification that boundary protection devices are working as designed;

Identification of opportunities to improve zoning and perimeter protection.

Determining the potential effects of the computer security incident on nuclear security, safety and emergency preparedness and response, and identifying actions to place the facility in a safe condition;

Identifying the extent of the incident to determine an adequate response;

Determining the potential damage from the computer security incident in terms of information loss, physical damage to the facility and public perception;

Determining the nature of the computer security incident with regard to the adversary’s immediate intent and possible future threats, including the possibility of a future attack exploiting effects from this incident;

Identifying the root cause of the computer security incident and the measures needed to prevent or mitigate the effects of future incidents of a similar nature;

Identifying the adversary and developing a profile of the adversary, including the techniques and tools used and the vulnerabilities exploited by the adversary.

Removal of computer security measures (to allow for maintenance);

Provision of alternate or compensatory measures (while normal measures are unavailable);

Reapplication of computer security measures (following maintenance);

Confirming that computer security measures have been correctly re‑established.

By promoting understanding that computer security supports not only the nuclear security of the facility but also the safety of the facility;

By ensuring a common understanding of the key aspects of computer security within the organization;

By encouraging observation and coaching of colleagues, reporting of potential computer and information security incidents, and situational awareness;

By promoting understanding that cyber‑attacks can affect multiple security and/or safety measures simultaneously, reducing defence in depth;

By providing a means by which conflicts between safety and security objectives can be resolved;

By recognizing and promoting good practices in computer security;

By raising awareness of how humans can inadvertently contribute to computer security incidents.

Computer security requirements are clearly documented and well understood by staff.

Clear and effective protocols and procedures exist for operating computer systems both inside and outside the organization.

Staff members understand and are aware of the importance of the computer security measures set out in the CSP.

Computer systems are kept secure and operated in accordance with the computer security baseline and approved procedures.

Breaches of computer security procedures are regarded by all as serious and undesirable.

Results of observations, evaluations, tests and exercises are positive (e.g. testing indicates that staff do not respond to phishing emails).

Managers are fully committed to and supportive of security initiatives, whether related to cyber or to physical systems.

A computer security training programme, successful completion of which is a precondition for access to computer systems. Individuals’ training should be commensurate with the computer security levels of systems to which they will have access.

Specialized training and qualification for individuals with key security responsibilities (e.g. computer security specialist, computer security team, other security officers, project managers, IT administrators, system engineers, designers, technicians, document management personnel, project personnel, procurement personnel, contractors, senior management).

Training materials that are updated on a regular basis to include new procedures and measures to address emerging threats.

Training that is repeated on a regular basis to ensure that staff are familiar with the latest procedures and threats.

A requirement for staff to acknowledge that they understand their computer security responsibilities.

Practical evaluations of staff’s understanding of their computer security responsibilities.

INTERNATIONAL ATOMIC ENERGY AGENCY, Objective and Essential Elements of a State’s Nuclear Security Regime, IAEA Nuclear Security Series No. 20, IAEA, Vienna (2013).

INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5), IAEA Nuclear Security Series No. 13, IAEA, Vienna (2011).

INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Security Recommendations on Radioactive Material and Associated Facilities, IAEA Nuclear Security Series No. 14, IAEA, Vienna (2011).

EUROPEAN POLICE OFFICE, INTERNATIONAL ATOMIC ENERGY AGENCY, INTERNATIONAL CIVIL AVIATION ORGANIZATION, INTERNATIONAL CRIMINAL POLICE ORGANIZATION–INTERPOL, UNITED NATIONS INTERREGIONAL CRIME AND JUSTICE RESEARCH INSTITUTE, UNITED NATIONS OFFICE ON DRUGS AND CRIME, WORLD CUSTOMS ORGANIZATION, Nuclear Security Recommendations on Nuclear and Other Radioactive Material out of Regulatory Control, IAEA Nuclear Security Series No. 15, IAEA, Vienna (2011).

INTERNATIONAL ATOMIC ENERGY AGENCY, Security of Nuclear Information, IAEA Nuclear Security Series No. 23‑G, IAEA, Vienna (2015).

INTERNATIONAL ATOMIC ENERGY AGENCY, Preventive and Protective Measures against Insider Threats, IAEA Nuclear Security Series No. 8‑G (Rev. 1), IAEA, Vienna (2020).

INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Security for Nuclear Security, IAEA Nuclear Security Series No. 42‑G, IAEA, Vienna (2021).

INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Security of Instrumentation and Control Systems at Nuclear Facilities, IAEA Nuclear Security Series No. 33‑T, IAEA, Vienna (2018).

INTERNATIONAL ATOMIC ENERGY AGENCY, National Nuclear Security Threat Assessment, Design Basis Threats and Representative Threat Statements, IAEA Nuclear Security Series No. 10‑G (Rev. 1), IAEA, Vienna (2021).

INTERNATIONAL ATOMIC ENERGY AGENCY, Security during the Lifetime of a Nuclear Facility, IAEA Nuclear Security Series No. 35‑G, IAEA, Vienna (2019).

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION, INTERNATIONAL ELECTROTECHNICAL COMMISSION, Information Technology — Security Techniques — Information Security Management Systems — Overview and Vocabulary, ISO/IEC 27000:2018, ISO, Geneva (2018).

INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary, Terminology Used in Nuclear Safety and Radiation Protection, 2018 Edition, IAEA, Vienna (2019).

INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. SSR‑2/1 (Rev. 1), IAEA, Vienna (2016).

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION, INTERNATIONAL ELECTROTECHNICAL COMMISSION, Information Technology — Security Techniques — Information Security Risk Management, ISO/IEC 27005:2018, ISO, Geneva (2018).

INTERNATIONAL ATOMIC ENERGY AGENCY, Physical Protection of Nuclear Material and Nuclear Facilities (Implementation of INFCIRC/225/Revision 5), IAEA Nuclear Security Series No. 27‑G, IAEA, Vienna (2018).

INTERNATIONAL ATOMIC ENERGY AGENCY, Identification of Vital Areas at Nuclear Facilities, IAEA Nuclear Security Series No. 16, IAEA, Vienna (2013).

INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Classification of Structures, Systems and Components in Nuclear Power Plants, IAEA Safety Standards Series No. SSG‑30, IAEA, Vienna (2014).

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION, INTERNATIONAL ELECTROTECHNICAL COMMISSION, Information Technology — Security Techniques — Evaluation Criteria for IT Security, ISO/IEC 15408:2009, ISO, Geneva (2009).

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION, INTERNATIONAL ELECTROTECHNICAL COMMISSION, Information Technology — Security Techniques — Information Security Management Systems — Requirements, ISO/IEC 27001:2013, ISO, Geneva (2013).

INTERNATIONAL ELECTROTECHNICAL COMMISSION, Nuclear Power Plants — Instrumentation and Control Systems — Requirements for Security Programmes for Computer‑Based Systems, IEC 62645:2014, IEC, Geneva (2014).

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION, INTERNATIONAL ELECTROTECHNICAL COMMISSION, Information Technology — Security Techniques — Code of Practice for Information Security Controls, ISO/IEC 27002:2013, ISO, Geneva (2013).

INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Nuclear Installations, IAEA Safety Standards Series No. GS‑G‑3.5, IAEA, Vienna (2009).

INTERNATIONAL ATOMIC ENERGY AGENCY, Conducting Computer Security Assessments at Nuclear Facilities, IAEA, Vienna (2016).

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, Computer Security Incident Handling Guide, NIST SP 800‑61, Rev. 2, NIST, Gaithersburg (2012).

INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Security Incident Response Planning at Nuclear Facilities, IAEA, Vienna (2016).

Identifying a target or targets;

Performing reconnaissance;

Obtaining access to or otherwise compromising relevant systems;

Carrying out the attack;

Concealing evidence about the attack and the adversary.

Using open source tools and search engines, the adversary locates the perimeter network¹ server used to report production information related to nuclear isotopes from trusted internal systems to the Internet. This server resides on the perimeter network but is populated by a master database server on the same network as the control system for a facility that produces nuclear isotopes. The master database server collects information from the internal manufacturing production environment and sends this information to the database located on the perimeter network. The perimeter network is separated from the production network by a firewall, which is configured with an access control list to ensure that only the database on the perimeter network server can communicate to the master database.

The adversary exploits a vulnerability to obtain administrative access to the server on the perimeter network and takes control of the communication channel between that server and the master database server on the control system network. The firewall is configured to allow communications between the perimeter network and the master database (i.e. it establishes ‘transitive trust’ between the networks), so the adversary, who has control of the server on the perimeter network, can connect directly to the master database on the control system network.

The adversary uses the connection to the master database to perform reconnaissance and enumeration of the control system assets that are on the same network. Since there are no security measures on the control system network, the adversary is able to take control of SDAs and compromise the technology controlling isotope development, management, transport, storage and inventory.

An engineer at a nuclear power plant works at home on a laptop computer that is used to support plant engineering and optimization, update performance programmes and ‘tune’ software for safety monitoring.

While at home, the engineer uses the computer to access a vendor’s web site and obtain a software update for the plant I&C systems that are instrumental in supporting plant operations. While the update is downloading, the engineer uses an on‑line bank, visits the corporate web site and uses social media, during which malicious software is downloaded to the computer. This malware is new and is not detected by the antivirus software on the computer.

Since corporate policy prohibits taking the computer into the plant, the engineer copies the downloaded control system update to a USB storage device, intending to use this to apply the software updates to the I&C assets. However, the malware has also copied itself to the USB device, and when the engineer uses it to install the update through an engineering workstation in the plant, the malware copies itself onto the plant system. The plant operator has assumed that the physical protection measures in place will prevent an unauthorized computer from connecting to the plant control system network, and the possibility of infection via removable media has not been considered.

After the malware infects the engineering workstation, it replicates and moves to other networked components within the plant. Since the operator has not deployed computer security measures at the plant level and there is no antivirus software on critical plant systems, the malware infects critical digital assets on the network, causing failures and forcing the plant to shut down.

An adversary collects information from social media and observation indicating that a nuclear facility will be procuring a control system in the form of a system upgrade. In addition, the facility operator intends to sell old operational equipment to help pay for the new control system.

Since the facility has no formal decommissioning procedure related to information security, a system that was used to run critical I&C operations is sold without reviewing or removing information stored in it. The adversary buys the system and discovers up to date project files, network diagrams, username and password information, and other data that provide a comprehensive understanding of the nuclear facility operations.

The adversary uses this information to develop a plan to attack specific SDAs used at the facility and to create convincing emails for use in a phishing campaign. Ultimately, the adversary uses both the information obtained from the purchased system and that unwittingly provided by victims of the phishing campaign to launch a blended attack on the facility.

An adversary conducts a focused social engineering campaign against a facility security officer using phishing, physical reconnaissance and publicly available information, including that from the officer’s social media presence.

The adversary, with a false identity, uses this information to begin communicating directly with the security officer, who gradually comes to trust the adversary, believing that it is someone else. As the correspondence continues, the adversary starts to add credible email attachments that are actually malicious software that, when activated, covertly opens a communication path back to the adversary’s computer and sends specific files from the security officer’s computer to the adversary. With this information, the adversary is able to create accurate and detailed plans to attack the plant’s physical protection systems and intercept nuclear material in transit.

Computer security level 1 is assigned to plant digital systems for which compromise of their integrity or availability could lead to radiological consequences to the population off the site. This corresponds to the criterion for 1E/F1A safety classified systems (corresponding to systems supporting category A functions in the International Electrotechnical Commission safety scheme [II–1]).

Computer security level 2 is assigned to plant digital systems for which compromise of their integrity or availability could degrade one or more of the following:

(i)The management of an emergency;

(ii) Plant safety in normal operation;

(iii) The main nuclear process operation;

(iv) The physical protection of the plant.

Computer security level 3 is assigned to plant digital systems for which compromise of their integrity or availability has no radiological consequences, nor an adverse effect on safety or physical protection, but could have other major effects. Such systems might include, in particular, digital assets assisting plant operation or maintenance, or systems that could have an effect on power generation.

Computer security level 4 is assigned to plant digital systems for which compromise of their integrity or availability has no short term effect on plant performance but can have such an effect in the longer term.

Computer security level 5 is assigned to plant digital systems for which compromise of their integrity or availability has no effect on safety, on plant availability or on the performance of the facility.

Older human–machine interface consoles typically include controls for multiple systems, especially for balance of plant and auxiliary systems. This aggregation can increase the difficulty in providing for isolation and separation of these systems. In some cases, facility functions performed by systems assigned to different computer security levels may be combined into one human–machine interface console, to which the most stringent security level needs to be applied.

The digital assets located within the physical area of the main control room and its equipment rooms would, using the approach of computer security levels and zones, be assigned different computer security levels. For example, a reactor protection system may be assigned the most stringent level (e.g. security level 1), while a personal computer providing the operator with access to email may be assigned the least stringent level (e.g. security level 5).

Personnel performing authorized activities on a system within the main control room may have access to other equipment within the main control room.