http://dx.doi.org/10.1016/j.net.2020.08.021

A novel approach for analyzing the nuclear supply chain cyber-attack surface  

Eggers, Shannon (Idaho National Laboratory)
Publication Information
Nuclear Engineering and Technology / v.53, no.3, 2021, pp. 879-887
Abstract
The nuclear supply chain attack surface is a large, complex network of interconnected stakeholders and activities. The global economy has widened and deepened the supply chain, resulting in larger numbers of geographically dispersed locations and increased difficulty in ensuring the authenticity and security of critical digital assets. Although the nuclear industry has made significant strides in securing facilities from cyber-attacks, the supply chain remains vulnerable. This paper discusses supply chain threats and vulnerabilities that are often overlooked in nuclear cyber supply chain risk analysis. A novel supply chain cyber-attack surface diagram is provided to assist with enumeration of risks and to examine the complex issues surrounding the requirements for securing hardware, firmware, software, and system information throughout the entire supply chain lifecycle. This supply chain cyber-attack surface diagram provides a dashboard that security practitioners and researchers can use to identify gaps in current cyber supply chain practices and to develop new risk-informed cyber supply chain tools and processes.
Keywords
I&C; supply chain; cyber-attack surface