The NIST definition of a cyber incident as defined in FIPS PUB 200, Minimum Security Requirements for Federal Information and Information System, is electronic communications between systems or systems and people that impacts Confidentiality, Integrity, and/or Availability. The incident doesn’t have to be malicious or targeted to be a cyber incident.
I am a designated US expert to the IEC TC45A nuclear plant cyber security committee. In preparation for the IEC TC45A (nuclear plant cyber security) meetings the week of October 7th, I reviewed the IEC TC45A nuclear plant cyber security draft standard to be discussed at the meeting. The draft standard explicitly excluded non-malicious cyber incidents. Specifically, it stated: “In this standard (as in IEC 62645), cybersecurity relates to prevention of, detection of, and reaction to malicious acts perpetrated by digital means (cyberattacks). In this context, it does not cover considerations related to non-malevolent actions and events such as accidental failures, human errors or natural events.” It defines a cyberattack as: “attempt by digital means to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset [based on the ISO/IEC 27000:2009 definition of “attack”, modified]. Even though the TC45A meeting is on the International Standard, I also reviewed NEI-0809, the US nuclear industry cyber security guidance. NEI-0809 includes the following definitions: Cyber Attack - Any event in which there is reason to believe that an adversary has committed or caused, or attempted to commit or cause, or has made a credible threat to commit or cause malicious exploitation of a SSEP function.Cyber Incident - A digital-related adverse condition.However, NEI-0809 only discusses cyber attacks not cyber incidents.
I find the exclusion of unintentional cyber incidents to be short-sighted for several reasons:
-
As demonstrated by the 2008 Florida outage, the only difference between a malicious cyber attack and an unintentional cyber incident can be the motivation of the person involved as the impact can be the same. How do you determine intent?
-
ISO/IEC27000 is an IT not ICS standard and does not address the differences between IT and ICS systems. It does not make sense to use an IT definition for ICS systems and not one from IEC-62443.
-
If a system can be impacted by an unintentional cyber incident, there is a good chance it can also be vulnerable to a malicious attack.
-
Unintentional cyber incidents can cause significant damage including contributing to core melt (see below).
Why should unintentional cyber incidents be of interest to the nuclear power industry? I had believed that the current vintages of nuclear plants were not susceptible to core melt from cyber because they had hard-wired analog safety systems and the nuclear plant systems were isolated from the outside world. However, traditional IT network threats are not the only cyber threats. One aspect that makes cyber threats different than physical threats is the ability to unintentionally or maliciously change operator displays effectively making the operator his own intruder. This can occur from unintentional issues such as the software glitch that prevented any SCADA system alarms at the First Energy Control Center contributing to the 2003 Northeast Outage. It can also be done maliciously such as with Stuxnet to convince the operator the system was still functioning properly as the centrifuges were being destroyed.
What does this have to do with nuclear power plants? According to the NRC Backgrounder on the Three Mile Island (TMI) Accident, the accident initiated from TMI Unit 2's turbine-generator and the reactor itself automatically shutting down resulting in an increase in pressure in the nuclear portion of the plant. In order to control that pressure, the relief valve opened. The valve should have closed when the pressure fell to proper levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the plant staff was unaware that cooling water was pouring out of the stuck-open valve. As coolant flowed from the primary system through the valve, other instruments available to reactor operators provided inadequate information. There was no instrument that showed how much water covered the core. As a result, plant staff assumed that as long as the pressurizer water level was high, the core was properly covered with water. As alarms rang and warning lights flashed, the operators did not realize that the plant was experiencing a loss-of-coolant accident. They took a series of actions that made conditions worse. TMI was an unintentional control system cyber incident that directly led to a core melt!
Incidents such as Stuxnet and TMI are ICS cyber incidents caused by plant instrumentation and controllers not IT network vulnerabilities. I have been concerned about the lack of focus on cyber security of field instrumentation for years where most instrumentation have no authentication, etc. Now, a Russian cyber researcher has demonstrated the ability to compromise HART protocols – the 4-20 milli-amp serial communication protocol from sensors to controllers (this will be addressed at the October ICS Conference). This is a huge vulnerability.
The nuclear industry has been reticent to participate in non-nuclear industry cyber efforts and also lacks what I consider to be appropriate training (including simulator training) to address many ICS-unique cyber threats that can be either malicious or unintentional. I hope the nuclear industry (including the NRC) reconsiders the unfortunate and unsafe decision to effectively ignore unintentional cyber incidents (unconfirmed malicious attacks) before another TMI, or worse, occurs. TMI not only cost hundreds of millions of dollars, it almost killed the industry. I also hope the nuclear industry changes its insular response to cyber security and participates in the overall ICS cyber security efforts such as ISA99.
Joe Weiss