Tuesday, April 1, 2014
The consequences of a cyber-attack on a commercial nuclear power plant are very real. Examples of what can happen are visible in the disasters at the US’s Three Mile Island, Russia’s Chernobyl, and Japan’s Fukushima Daiichi nuclear plants. Although none of the disasters was the result of a cyber-attack, they all provide an example of the potential results of such an attack. Although no cyber-attacks are known to have been successful, two examples of unintentional but similar occurrences highlight the potential for such an attack.
Exporting the HMI (Human-Machine Interface) screen is a form of spoofing that allows the hacker to access the input/output device that provides the control panel for the computer system. Plant engineers working at the Browns Ferry Nuclear Plant in Athens, Alabama, intentionally accomplished this form of spoofing, although not intending to hack the system. The exported HMI screen allowed the Reactor Recirculation pump vendor technician to control the reactor recirculation pumps through control of the variable frequency drive (VFD) that controls the pumps’ speed. Ultimately, the technician gained control of reactor power, something only a United States Nuclear Regulatory Control (NRC) licensed individual is authorized to do.
Data storming is similar to a denial-of-service attack, but instead of originating externally to the computer system, it originates from within the system. Many digital control systems function using a variety of operating systems and, therefore, communicate differently. In such systems, a translator converts all such communications into a form that is common to the primary computer. Again, the Browns Ferry Nuclear Plant pumps suffered such a data storm, causing them to trip and then causing the reactor to trip. However, the engineers realized that a data storm could have a more adverse effect on the nuclear plant, for example, by causing the pumps to operate in such a way as to exceed reactor thermal limits, causing a meltdown.
In addition to the inadvertent cyber configuration control issues occurring at Browns Ferry Nuclear Plant, at least one “worm” infection has occurred at a US nuclear plant. In January 2003, the Davis-Besse nuclear plant was infected by this worm, which caused increased data traffic in the site’s network, resulting in the plant’s Safety Parameter Display System (SPDS) and plant process computer being unavailable for several hours. The investigation determined that this was a failure by a contractor to clear his computer of malware and was not a malicious cyber-attack. In addition, plant personnel were not aware of a patch that could have protected the network.
Saturday, March 29, 2014
Commercial Nuclear Power Plant Cyber Security Policy
The birth of the current security posture for commercial nuclear power plants is linked to the security imposed on the Manhattan Project, which ultimately resulted in the creation of the atomic bomb. Following World War II, the United States Congress passed the McMahon Act, which determined how the US government would control and manage nuclear technology. The legislation also created the Atomic Energy Commission (AEC). Congress amended the McMahon Act as the Atomic Energy Act of 1954, and included provisions for the security of nuclear material. The US Executive Branch promulgated the Act into Title 10 of the Code of Federal Regulations (CFRs). 10CFR73, Physical Protection of Plants and Materials, prescribes the requirements and maintenance of physical protection systems that have capabilities for the protection of special nuclear material. Further, regulations pertinent to cyber security are located in 10CFR73.54, Protection of Digital Computer and Communications Systems and Networks, which requires that nuclear plant operators provide high assurance that digital computer and communications systems and networks are adequately protected against cyber-attacks, up to and including the design basis threats. The commercial nuclear industry’s lobbying group, the Nuclear Energy Institute (NEI), collaborated with the federal regulator, the Nuclear Regulatory Commission (USNRC), to develop NEI 08-09, Cyber Security Plan for Nuclear Power Reactors. When implemented, this document serves as a template or prototype for nuclear plant operators to develop a cyber-security plan that satisfies 10CFR73.54.
Nuclear plant operators are required to protect those digital assets subject to cyber-attack that would act to modify, destroy, or compromise the integrity or confidentiality of data and/or software; deny access to systems, services, and/or data; and impact the operation of systems, networks, and associated equipment, as they pertain to:
• Nuclear safety-related and important-to-safety functions;
• Security functions;
• Emergency preparedness functions, including offsite communications; and
• Support systems and equipment that, if compromised, would adversely affect safety, security, or emergency preparedness functions.
Nuclear plant operators have until December 31, 2015, to implement the requirements of 10CFR73.54. However, due to costs and other implementation coordination issues, some nuclear plant operators are requesting an extension of the deadline by a year or two.
Monday, March 24, 2014
Most legitimate cyber security news publishers, such as Security Magazine (http://www.securitymagazine.com) and Government Security News (http://www.gsnmagazine.com/), can be considered credible sources of information. Other sources of information are found with computer industry trade groups like the Software Engineering Institute (http://www.sei.cmu.edu/), and the Verizon data breach investigations reports (http://www.verizonenterprise.com/DBIR/2013/). Another excellent source of cyber security news is the SANS Institute (http://www.sans.org/newsletters/). However, the source most recognized for threat, vulnerability, update and security news is the Mitre Corporation (http://www.mitre.org/). This organization is responsible for maintaining the Common Vulnerability Exposure (CVE) listing, a listing of the vulnerabilities associated with products and services. Actually, there are many others out there, just too numerous to list. These are by far the most credible sources of information. The respective organizations are not promoting a product to the everyday commercial consumer. Also, these organizations are staffed and supported by industry professionals and, as such, are subject to peer scrutiny. They are not likely to publish bad information. Commercial computer security suppliers, like Norton (http://us.norton.com/) and McAfee (http://www.mcafeeoffers.com/), are also good sources of information. I secure my home computer using Norton 360 and periodically (about once per month) I get a pop-up notifying me of the latest news. McAfee antivirus software may do this also. A Google search for the term “data breach reports” returns a link to the identity theft vendor Lifelock (http://www.lifelock.com/). Although the services provided by this supplier may be satisfactory, the web site does not provide any useful information. Other similar products may also provide dubious information.
If I find conflicting information, I consider the information source and any possible motivations behind their respective pronouncements. I prefer those organizations/sources who are not attempting to promote a product.
Wednesday, March 12, 2014
CYBR 650 Introductory Blog -- Hello, my name is Robert Nilsson. I am a student in Bellevue University’s Cyber Security Master’s degree (MS) program. I am in my final semester and am taking two courses: CYBR 650, Current Trends in Cyber Security, and PS 639, Cyberwar and Cyber Deterrence. The CYBR 650 is a capstone course and we are currently engaged in process modeling. Based upon the subjects listed by the Discussion Board (where we post our assignments), it appears that we will be discussing processes and systems analysis, amongst other things. We will also be delving into current trends in cyber security. This blog will focus on the CYBR 650 course and will most likely be updated weekly (depending on the weekly assignment requirements) on my progress and what I’ve learned and discovered during this semester. This first week I am challenged with determining a threat analysis process model. Yeah, right! I have a lot of research to complete before I begin to develop my model. What is a threat? (I already know that.) But how do I create a process and fit it into a flow chart? Interestingly enough, in my research, I came across a PowerPoint presentation developed by Microsoft which indicates that a flow chart is the wrong way to do this. Oh, well – I’ve got to do what the assignment requires. I don’t believe Microsoft is the only player in the cyber security game anyway. So it’s off to the cyber world, getting creative and having fun learning.
Thursday, November 21, 2013
CYBR 625, Business Continuity Plan and Rec:
What to do when the poop hits the fan is the subject of Business Continuity Planning. The difference between an event and an incident was explored and defined, as were the various vulnerabilities (hearken back to CYBR 610, Risk Management Studies) that can overtake a business or enterprise. With this in mind, students were required to develop a business continuity plan for a small veterinarian business. Contingencies were required to be developed for various “what if” scenarios that were developed from the risk management study done for the animal hospital. The course centered on recovery plan development, implementation and ultimately the restoration of the business.
CYBR 615, Cybersecurity Governance and Compliance:
Governance is a contemporary term that is becoming more and more prevalent. It is not enough for corporations to be managed – the ever-growing legal considerations and their ramifications and the size of corporations (some are bigger than small countries) make governance necessary. Course discussions included the importance of compliance with laws, regulations, policies and procedures as a means of minimizing risk through mandated security and control measures. One of these control measures is found in the audit process.
CYBR 610, Risk Management Studies:
The course required students to identify assets, including tangible (desks, computers, buildings) and nontangible (reputation, customer data, etc.), their associated vulnerabilities (physical loss, compromised data or inaccurate data) and associated risks (theft, tampering, information disclosure) for each. Each asset was assigned a dollar value and a probability value for the vulnerability, and the risk to the asset was calculated. Modes and methods for the vulnerabilities and risk avoidance were investigated. Obtaining management buy-in from less than enthusiastic management (due to costs, not convinced of risk, etc.) to implement risk management strategies (making a persuasive argument) was discussed.