Securing Nuclear Facilities

PROTECTING NUCLEAR FACILITIES FROM THREATS ON PORTABLE MEDIA | PAGE 1
SECURING
NUCLEAR
FACILITIES
PROTECTING NUCLEAR
FACILITIES FROMTHREATS
ON PORTABLE MEDIA

After the September 11 attacks in 2001, the Nuclear Regulatory Commission (NRC) added cyber
attacks to the plant design basis threat (DBT), requiring strong cyber security measures to be implemented by
nuclear facilities. While historically the NRC was concerned with providing physical security for nuclear sites, the
attacks of 9/11 exposed several areas where critical infrastructure may be vulnerable and revealed the undeniable
importance of cyber security to the industry and critical infrastructure as a whole. In 2005 the NRC introduced a
voluntary cyber security plan with the assistance of the Nuclear Energy Institute (NEI). The NEI 04-04 standards
paved the way to the cyber security regulations 10 CFR 73.54 introduced by the NRC in 2009. The NRC 10 CFR
73.54 requires nuclear plants to have cyber security programs in place, which should include measures for isolating
critical digital assets by using air-gaps or other robust isolation methods, controlling and securing the use of
portable media that interface with plant equipment (including limiting access and anti-malware scanning), and
additional security measures when the portable media originates from outside the plant.
Based on the NRC Regulations 10 CFR 73.54, the Nuclear Energy Institute (NEI) developed a series of standards to
assist facilities in meeting cyber security regulations. NEI cyber security standards 08-09 Revision 6, require nuclear
facilities to achieve high assurance that their critical systems are protected from cyber attacks, including enforcing
the flow of information, controlling access for portable and mobile devices, and scanning devices for malicious
software.
Threats to nuclear facilities have
grown more sophisticated over time.

As attacks become more sophisticated and digital control systems increase in complexity and levels of automation,
it is crucial to prevent threats from impacting the operation of Nuclear Facilities.
Critical digital assets of nuclear plants need to be isolated from external networks. Because of this, portable media
is a primary vector for cyber attack. Portable media is often the only way to transport files to and from secure
areas. As key attack vectors for malware, it is extremely important that extra attention is placed on securing the
portable media devices that are brought in and out of a secure facility.
While imperative to the protection of nuclear facilities, securing portable media devices is not easily done, and
there are many requirements that can impact the portable media security policies for operators of critical
infrastructure. In many cases, there is no single source for an organization’s portable media security policy, and
individual facilities may require unique security policies. For example, acceptable media types and the appropriate
architecture can vary between different facilities, based on their unique requirements and expectations.
This whitepaper will outline a secure data workflow which organizations can implement in order to balance their
security business requirements, as well as outline how best to approach the crafting of security policies that
address the inclusion of portable media, while ensuring adherence to, NRC 10 CFR 73.54 and NEI 08-09 Revision 6.
Security Balancing Act
Increases in digital security rarely come without a corresponding increase in operating costs. These costs include
purchasing a security solution, implementing this security solution, and finally managing and maintaining the

solution. Initial costs often include the physical infrastructure necessary to deploy the solution, such as servers,
kiosks and networks, as well as the consulting services that are often required to implement the solution correctly.
Following the solution deployment there will be ongoing costs, which include the monitoring and management of
the solution, keeping the solution up-to-date, and finally employee education. Employees must be trained on the
new security policy and associated procedures. This often results in a subsequent impact to productivity as
employees acclimate to the new security processes and procedures. The addition of critical systems to an already
complex IT environment can result in increased risk and costs should those systems fail - causing downtime of the
critical infrastructure.
The effort and costs mentioned above must be weighed against the cost of an attack should a less rigorous
security policy be put in place. The costs of a security breach can be enormous.
Facilities may be forced to suspend operation if the breach is serious enough, the cost of which can be millions of
dollars per day. There are also the remediation costs – the forensics to assess the damage, as well as the removal
of any malware that has found its way into the secure network. Coupled with this is the significant productivity loss,
as employees’ usual workflow is hampered during the investigation and cleanup effort.
There are also other costs that may result from a security breach. The impact to a nuclear operator’s reputation
can be serious, and legal liability and lawsuits may follow if others are negatively impacted. Depending on the
breach, the loss of classified or sensitive information is also a possibility, the financial impact of which may be hard
to quantify. Finally, by definition, any operator of a nuclear plant provides services to the public, which, if disrupted,
will have significant negative impacts (such as power outages) on many individuals and groups outside of the
operator itself.

When making decisions about security policies for a critical infrastructure facility, the costs of implementing a
stricter policy need to be weighed against the potential costs that could result from the failure of a weaker policy.
The solution for each organization will vary based on the requirements necessary to meet their security and
business objectives.
Defining Acceptable Media and Content
Portable media includes devices such as:
When developing a secure data workflow policy, organizations should define what types of portable media are
acceptable and how they can be used. Security policies should be defined based on the following criteria:
Portable media type: In secure facilities the standard policy is to restrict the types of media and files
to only those necessary for employees to perform their jobs successfully. For example, if there is no
business reason for USB drives in a facility, these should be prohibited to mitigate the risk they introduce.
Another facility may decide to only allow USBs and CD/DVDs and ban other types of portable media.
Portable media properties: In addition to the type of portable media, administrators may choose to
limit portable media devices based on specific properties of that media. For example, if a device has
multiple partitions or is not a read-only device it could be classified as a high security risk and therefore not
adhere to the secure data policy.
USB DRIVES CD / DVDs DIGITAL AUDIO PLAYERS MOBILE DEVICES EXTERNAL HARD DRIVES

Portable media file type: The same is true for limiting the files that are allowed by an organization’s
security policy. Administrators may choose to limit the file types that are allowed; for example, not allowing
executable files, but allowing document files.
Portable media file properties: Administrators could also filter files based on their properties; for
example, limiting files to a specific size or blocking any encrypted files where a password has not been
provided.
Defining a portable media and content strategy is key to a secure data workflow policy. As with all security
programs, development of a program and policy should consider the business and technology requirements and
limitations of an organization. The resulting secure data workflow policy must be able to be implemented by an
organization as well as continue to fit their needs over time.
We needed to track and manage the constant flow of data in
and out of our facilities. Metadefender has enabled us to set up
detailed security policies for specific users and keep pace with
the ever-changing industry requirements. It adds another layer
of protection for us.
Malie Combs, Cyber Security Analyst/
Information Technology at Omaha Public Power District

Designing Secure DataWorkflows
The secure data workflow policy within a nuclear facility, especially pertaining to physical media being brought from
an insecure environment into a secure network, should attempt the highest level of precaution achievable. The
best security policies have multiple layers of protection, to guard against many types of threats, both known and
unknown. This defense-in-depth strategy will minimize the risk of any one threat getting past all of the security
layers. A secure data workflow should leverage threat protection methods including:

User authentication and source verification: Prevent unauthorized users or sources from
bringing in data and facilitate logging for future auditing
File type analysis and filtering: Prevent risky file types from entering the facility, including files
that have spoofed extensions
Multiple anti-malware engine scanning: Detect threats that are known by any of the many
commercial anti-malware engines, and leverage many varying heauristic algorithms to detect zero-day
attacks
Data sanitization: Further protect against unknown threats by using data sanitization methods to
strip potential threats out of documents and images.

Below is an example of a secure data workflow that uses multiple detection and mitigation methods.
A common real-world implementation of the above referenced data workflow are kiosks stationed as check points
at the entrance to secure facilities. Kiosks provide the bridge for any data entering a secure facility, so that the
workflow can be controlled and known and unknown threats can be kept out of the facility. Anyone entering a
secure area would be required to use the kiosks to scan all portable media drives before the devices are allowed
into the secure area. The kiosks would confirm the user, the source, the file type, look for any malicious partitions
and malware, and determine whether the device is secure or if it requires further inspection. An administrator can
then also add enforcement of the specific media devices that are allowed into the facility. For example, allowed
media devices could be restricted to known, pre-screened portable media that are trusted to be “clean”. Any files
allowed through the secure data policy above would need to be copied to the trusted drives before entering the
secure facility. This workflow ensures that no portable media enters a secure area without first passing through a
full data security analysis.

Common architectures for a kiosk-based secure data workflow can include: standalone kiosks, kiosks networked
together, and kiosks connected to a centralized scanning server. These solutions can be connected or
disconnected from the Internet depending on the facility’s level of security, and the desire for ease of management.
Summary
In summary, the most efficient method of protecting a nuclear facility against the threats potentially found on
portable media depends on the circumstances of the facility. There are many aspects that impact how a secure
data workflow is defined and implemented, including the types of portable media expected to be brought into a
facility by employees, outside contractors, and visitors. Each should be weighted and quantified to define a strong
The Metadefender kiosks give us added confidence in our ability to
help keep our network malware-free.With the multi-scanning software
provided by OPSWAT, we don’t have to rely on definitions from a single
antivirus engine to catch every threat. In the first two months, the
kiosks have proven highly effective in protecting our systems.
Ed Koeller, Security Analyst at Ameren

and robust secure data workflow policy that allows an organization to operate in the most secure and productive
way possible.
A nuclear facility should err on the side of caution and develop secure data policies that are as restrictive as
possible, but flexible enough to evolve with an organization’s shifting security and business needs. An administrator
should evaluate various data security policies, measure the benefits and costs of each one, and determine how to
successfully implement the security solution. The best policy will be one that takes a facility’s specific business and
technology needs into account and is designed appropriately.

About OPSWAT
OPSWAT is a San Francisco based software company that provides solutions to secure and manage IT
infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks,
and that help organizations protect against zero day attacks by using multiple anti-malware engine scanning, data
santization, and file filtering. OPSWAT’s intuitive applications and comprehensive development kits are deployed by
SMB, enterprise, and OEM customers to more than 100 million endpoints worldwide.
OPSWAT’s software management solutions offer streamlined technology partnerships between leading technology
solutions and software vendors. By enabling seamless compatibility and easy management capabilities, we allow
network security and manageability solutions to provide visibility and management of multiple application types
installed on an endpoint, as well as the ability to remove unwanted or non-compliant applications.
Our innovative multi-scanning solutions deliver anti-malware protection with increased detection rates and
minimized performance overhead. In addition to maximizing detection rates, we provide the ability for customers
to easily adapt our solutions to their existing infrastructure to add control over the flow of data into and out of
secure networks.
Metadefender helps protect networks by enabling secure data workflow into and out of organizations. Commonly
used as a checkpoint to protect critical infrastructure, SCADA controlled environments, industrial control systems
(ICS), and process control systems from the risk of portable media devices (such as USB drives, CDs/DVDs),
Metadefender allows administrators the ability to configure detailed content filters for unknown removable devices
brought in by employees, contractors, vendors and others.

http://www.opswat.com
Disclaimer. © 2014. OPSWAT, Inc. (“OPSWAT”). All rights reserved. All product and company names herein may be trademarks of their respective owners.
The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied,
including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. OPSWAT is not liable for any damages,
including any consequential damages, of any kind that may result from the use of this document. Though reasonable effort has been made to ensure the accuracy of
the data provided, OPSWAT makes no claim, promise or guarantee about the completeness, accuracy and adequacy of information and is not responsible for misprints,
out-of-date information, or errors. OPSWAT makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of
any information contained in this document.
If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.

Securing Nuclear Facilities

More Related Content

Securing Nuclear Facilities