Speaker
Description
The identification of digital assets and their classification (i.e. assignment to security levels) within computer security programmes at nuclear facilities has historically been a complex process. The current approaches use a system or asset-centric approach with the aim of applying cyber-security retro-actively. A example of such an approach is provided in US NRC Reg Guide 5.71 [1] whereby Licensee systems are classified as critical systems if they have meet one or more of the following criteria: (1) Performs Safety, Security or Emergency Preparedness (SSEP) functions; (2) Affects critical systems, functions or pathways; or (3) Supports critical systems.
This paper outlines a simplified approach for identification and classification of digital assets, and provides opportunities to identify strategic improvements and efficiencies in achieving the computer security goals. The paper outlines a 4-element process: (1) identify and enumerate the nuclear security goals; (2) identify the functions that provide, support, or assist in realizing the security goals; (3) identify the digital assets (or systems) that perform or support these functions; (4) assign a computer security level to the digital assets upon the potential consequence as well as thelevel of support the digital asset provides (i.e. directly performs function, supports function, or indirectly supporting function/auxiliary); and (5) evaluate the effects of compromise using an adversary profile and characterization.
The paper will provide a description of key steps stressing the importance of security by design that is encapsulated in elements (1) through (4) above. The objective of these steps is to establish a baseline using analysis of facility systems and digital assets that perform or support functions that are important to achieving security goals. This analysis can lead to highly accurate outputs that justify assigning a high degree of confidence to the identification and classification. This approach mirrors with safety analysis as the threat is not considered, simply the security goals that are achieved through the provision of functions.
No matter how capable the team performing the analysis, or how accurate the results are, compromise of digital assets can lead to indeterminate effects (ref NSS 33-T). Indeterminate effects reduce the confidence in the functional analysis that dominates elements (1) to (4) , and necessitates element (5) . The process for element (5) is to bound the potential for compromise resulting in indeterminate effects to those that are bound to an adversary profile and to a credible scenario. This process will never be as accurate as the results of analysis of (1) to (4) since both the scope bounding the adversary and the credible scenarios will not have high confidence, but when used to verify element (4) it is effective. The paper argues that (4) should only be used to confirm the assignment of a security level or raise the level, it should not be used to lower the level.
References:
[1] United States Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, January 2010.
| State | Canada |
|---|---|
| Gender | Male |
