Nuclear Engineering and Technology

  • 제53권3호
  • /
  • Pages.879-887
  • /
  • 2021
  • /
  • 1738-5733(pISSN)
  • /
  • 2234-358X(eISSN)
한국원자력학회 (Korean Nuclear Society)
권호 표지
DOI QR코드

DOI QR Code

A novel approach for analyzing the nuclear supply chain cyber-attack surface

  • 투고 : 2020.02.19
  • 심사 : 2020.08.24
  • 발행 : 2021.03.25
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

The nuclear supply chain attack surface is a large, complex network of interconnected stakeholders and activities. The global economy has widened and deepened the supply chain, resulting in larger numbers of geographically dispersed locations and increased difficulty ensuring the authenticity and security of critical digital assets. Although the nuclear industry has made significant strides in securing facilities from cyber-attacks, the supply chain remains vulnerable. This paper discusses supply chain threats and vulnerabilities that are often overlooked in nuclear cyber supply chain risk analysis. A novel supply chain cyber-attack surface diagram is provided to assist with enumeration of risks and to examine the complex issues surrounding the requirements for securing hardware, firmware, software, and system information throughout the entire supply chain lifecycle. This supply chain cyber-attack surface diagram provides a dashboard that security practitioners and researchers can use to identify gaps in current cyber supply chain practices and develop new risk-informed, cyber supply chain tools and processes.

키워드

과제정보

I would like to thank Timothy McJunkin and Julio Rodriguez for their critical reviews. This research was funded by the U.S. Department of Energy Office of Nuclear Energy Cybersecurity research and development program under DOE Idaho Operations Office, Contract DE-AC07-05ID14517.

참고문헌

  1. T. Quinn, J. Mauck, K. Thomas, Digital Technology Qualification Task 2-Suitability of Digital Alternatives to Analog Sensors and Actuators, Idaho National Laboratory, 2012.
  2. 10 C.F.R. ξ 73.54 Protection of Digital Computer and Communication Systems and Networks, U.S. Nuclear Regulatory Commission, 2009.
  3. W.J. Heinbockel, E.R. Laderman, G.J. Serrao, Supply Chain Attacks and Resiliency Mitigations, The MITRE Corporation, 2017.
  4. M. Windelberg, Objectives for managing cyber supply chain risk, International Journal of Critical Infrastructure Protection 12 (2016) 4-11. https://doi.org/10.1016/j.ijcip.2015.11.003
  5. Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, U.S. Nuclear Regulatory Commission, January 2010.
  6. NEI 10-04, Identifying Systems and Assets Subject to the Cyber Security Rule, Revision 2, Nuclear Energy Institute, July 2012.
  7. Advisory Committee on Reactor Safeguards Digital Instrumentation and Control Systems, U.S. Nuclear Regulatory Commission, 2019.
  8. NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6, Nuclear Energy Institute, April 2010.
  9. NEI 13-10, Cyber Security Control Assessments, Revision 5, Nuclear Energy Institute, February 2017.
  10. S. Eggers, M. Rowland, Deconstructing the nuclear supply chain cyber-attack surface, in: Proceedings of the INMM 61st Annual Meeting, Online Virtual Meeting, 2020. July 12-16.
  11. S. Boyson, Cyber supply chain risk management: revolutionizing the strategic control of critical IT systems, Technovation 34 (7) (2014) 342-353. https://doi.org/10.1016/j.technovation.2014.02.001
  12. N. Bartol, Cyber supply chain security practices DNA - filling in the puzzle using a diverse set of disciplines, Technovation 34 (7) (2014) 354-361. https://doi.org/10.1016/j.technovation.2014.01.005
  13. C. Nissen, J. Gronager, R. Metzger, H. Rishikof, Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, The MITRE Corporation, 2019.
  14. C. Anderson, K. Sadjadpour, Iran's Cyber Threat: Espionage, Sabotage, and Revenge, Carnegie Endowment for International Peace, 2018.
  15. D.R. Coats, Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community 29, Office of the Director of National Intelligence, 2019. January.
  16. Global Oil and Gas Cyber Threat Perspective: Assessing the Threats, Risks, and Activity Groups Affecting the Global Oil and Gas Industry, Dragos, August 2019.
  17. Annual report to Congress, Military and security developments involving the People's Republic of China, Office of the Secretary of Defense, 2019.
  18. US-CERT, TA17-117A: Intrusions affecting multiple victims across multiple sectors, Revised December 20 (2018).
  19. US-CERT, TA18-074A: Russian government cyber activity targeting energy and other critical infrastructure sectors, Revised March 16 (2018).
  20. R. Langner, Stuxnet: dissecting a cyberwarfare weapon, IEEE Security & Privacy 9 (3) (2011) 49-51. https://doi.org/10.1109/MSP.2011.67
  21. ICS-CERT, Ongoing Sophisticated Malware Campaign Compromising ICS, Update E, 2016.
  22. ICS-CERT, Cyber-attack against the Ukranian Critical Infrastructure, 2016.
  23. B. Johnson, D. Caban, M. Krotofil, D. Scali, N. Brubaker, C. Glyer, Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure, FireEye Threat Research Blog, 2017.
  24. Symantec, Internet security threat report, February 24 (2019).
  25. https://arstechnica.com/information-technology/2019/05/stolen-nsahacking-tools-were-used-in-the-wild-14-months-before-shadow-brokersleak/.
  26. https://www.zdnet.com/article/source-code-of-iranian-cyber-espionagetools-leaked-on-telegram/.
  27. Integrated circuits trade. The Obervatory of Economic Complexity (OEC). Accessed on: April 4, 2020. Available: https://oec.world/en/profile/hs92/8542/.
  28. C. Levin, J. McCain, Senate Armed Services Committee Releases Report on Counterfeit Electronic Parts, Senate Committee On Armed Services, 2012.
  29. Executive Order 13920 of May 1, 2020, Securing the United States Bulk-Power System, The U.S. President, 2020.
  30. Securing the United States Bulk-Power System 85, Department of Energy, 2020. Federal Register, DOE-HQ-2020-0028.
  31. U. Guin, N. Asadizanjani, M. Tehranipoor, Standards for hardware security, GetMobile: Mobile Comput. Commun. 23 (1) (2019) 5-9. https://doi.org/10.1145/3351422.3351424
  32. M. Tehranipoor, U. Guin, D. Forte, Counterfeit Integrated Circuits: Detection and Avoidance, Springer, 2015.
  33. B. Liu, R. Sandhu, Fingerprint-based detection and diagnosis of malicious programs in hardware, IEEE Trans. Reliab. 64 (3) (2015) 1068-1077. https://doi.org/10.1109/TR.2015.2430471
  34. M. Beaumont, B. Hopkins, T. Newby, Hardware Trojans-Prevention, Detection, Countermeasures (A Literature Review), Australian Department of Defense, 2011.
  35. K. Xiao, D. Forte, Y. Jin, R. Karri, S. Bhunia, M. Tehranipoor, Hardware Trojans: lessons learned after one decade of research, ACM Trans. Des. Autom. Electron. Syst. 22 (1) (2016) 1-23.
  36. US-CERT, ICS joint security awareness report (JSAR-12-241-01B): Shamoon/DisTrack malware (Update B), Revised April 18 (2017).
  37. https://securelist.com/operation-shadowhammer-a-high-profile-supplychain-attack/90380/.
  38. 2019 State of the Software Supply Chain: the 5th Annual Report of Global Open Source Development, Sonatype, 2019.
  39. US-CERT, TA14-098A: OpenSSL 'heartbleed' vulnerability (CVE-2014-0160), 2016. Revised October 5.
  40. N. Falliere, L.O. Murchu, E. Chien, W32.Stuxnet Dossier, Symantec, 2011, Version 1.4.
  41. M. Graham, Context threat intelligence - the Monju incident, Context Information Security (Febrary 2014).
  42. Kingslayer - A Supply Chain Attack, RSA Research, February 2017.
  43. ICS-CERT, ICS-ALERT-14-176-021: ICS focused malware (Update A), Revised August 22 (2018).
  44. US-CERT, TA17-181A, Petya ransomware, Revised Febrary 15 (2018).
  45. Attack Surface, Accessed on: July 8, National Institute of Standards and Technology, 2020. Available, https://csrc.nist.gov/glossary/term/attack_surface.
  46. NIST Special Publication 800-30, Revision 1, Guide for conducting risk assessments, 2012.
  47. CAPEC: Common Attack Pattern Enumeration and Classification. The MITRE Corporation. Accessed on: April 28, 2020. Available: https://capec.mitre.org/.
  48. J. Wynn, et al., Threat Assessment & Remediation Analysis (TARA): Methodology Description, The MITRE Corporation, 2011, Version 1.0.
  49. J.F. Miller, Supply Chain Attack Framework and Attack Patterns, The MITRE Corporation, MacLean, VA, 2013.
  50. H. Li, Q. Liu, J. Zhang, A survey of hardware Trojan threat and defense, Integration 55 (2016) 426-437.
  51. D. Shackleford, Combatting Cyber Risks in the Supply Chain, SANS Institute, 2015.
  52. S. Eggers, The nuclear digital I&C system supply chain cyber-attack surface, in: Transactions of the American Nuclear Society, Online Virtual Meeting, 122, 2020, pp. 8-11. June.
  53. https://www.trendforce.com/presscenter/news/20190613-10149.html.
  54. Cybersecurity Maturity Model Certification (CMMC), Version 1.02, Department of Defense, 2020.
  55. Cybersecurity Capability Maturity Model (C2M2) Version 1.1, Department of Energy, 2014.
  56. Guidance documents and background information for counterfeit, fraudulent, and suspect items (CFSI), Accessed on: July 21, U.S. Nuclear Regulatory Commission (2020). Available, https://www.nrc.gov/about-nrc/cfsi/guidance.html.
  57. Government-Industry Data Exchange Program. GIDEP, Accessed on: July 21 Available, www.gidep.org, 2020.
  58. ERAI, Accessed on: July 21 Available, www.erai.com, 2020.