Cybersecurity is critical for the nuclear industry, which must implement strict protective measures against cyberattacks. One class of threat is attacks delivered through portable media and mobile devices (PMMD). Because many nuclear facility operations happen within air-gapped zones, moving data into and out of those zones relies on peripheral and removable media such as USB sticks, optical discs and, on older systems, floppy disks, and every such transfer is a potential path for malware to cross the air gap.
The nuclear power industry falls under strict regulatory requirements. In the United States, the NRC (Nuclear Regulatory Commission) issues its regulations in Title 10 of the CFR (Code of Federal Regulations). Section 73.54 of Title 10 (10 CFR 73.54), “Protection of digital computer and communication systems and networks,” sets out the cybersecurity requirements for licensed nuclear power plants.
Cybersecurity Frameworks & Regulations for Nuclear Facilities
To help licensees meet 10 CFR 73.54, the NEI (Nuclear Energy Institute) published two documents, NEI 08-09 and NEI 18-08, that align with the rule. Together they form a robust foundation for protecting nuclear power facilities, emphasizing a risk-based approach to cybersecurity.
10 CFR 73.54
10 CFR 73.54 requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyberattacks, up to and including the design basis threat. Its provisions require operators to establish and maintain a cybersecurity program and plan, apply defense-in-depth protective strategies, preserve the integrity and availability of systems that perform safety, security and emergency preparedness functions, and control access to those systems. Physical protection of nuclear materials and facilities is covered by other sections of 10 CFR Part 73; 73.54 is the cyber rule. Because it covers every way an attack could reach a protected system, it brings peripheral media, including USB drives, DVDs and legacy devices such as floppy disks, squarely into scope.
NEI 08-09
NEI 08-09 provides a comprehensive framework for establishing a cybersecurity program at nuclear power reactors. It outlines methods for identifying critical digital assets (CDAs), protecting against insider and outsider threats, and mitigating vulnerabilities across a facility's systems, including the controls applied to portable and mobile media.
NEI 18-08
NEI 18-08 provides guidance for keeping a facility's program current with evolving cybersecurity practice. Because nuclear facilities commonly contain multiple air-gapped zones, moving data between those zones requires portable and mobile media, and that in turn requires scanning stations or scanning consoles, commonly called kiosks, at the zone boundaries.
The NEI 18-08 guidance focuses on the attack pathways of PMMD attacks and on mitigating their risk. It also covers modern approaches to risk management and to protecting newer digital systems, including IoT devices.
Developing a Cybersecurity Plan for Nuclear Facilities
Developing an effective cybersecurity plan that adheres to regulatory requirements should include the following considerations.
Identification of Risks
Identifying risks across a facility's OT (operational technology) and IT (information technology) systems is the first step in developing a robust cybersecurity plan. Common risks include internal and external threats, hardware and software vulnerabilities, and the risks posed by peripheral and removable media.
Defense in Depth
NEI 08-09 recommends implementing multiple layers of defense, such as restricting device usage, segmenting the network to isolate critical systems, and monitoring and scanning for malware in real time, so that no single failed control gives an attacker a path to a critical digital asset.
Access Control
Access control means ensuring that only authorized personnel can use portable media in secure zones, and that no unauthorized device is granted access to secure networks.
Enforcing Strict Usage Policies for Peripheral Media
In addition to deploying scanning kiosks, USB usage must be restricted to approved devices only, and those devices should be monitored by endpoint protection software.
Device Isolation
Isolating devices applies both to those suspected of compromise and to unauthorized devices. Peripheral media used for system maintenance must be sanitized before and after use to prevent cross-contamination between zones. In addition to physical isolation, using NAC (network access control) to block the entry of unapproved devices adds another layer of defense.
Securing Cloud-Connected Devices and Mobile Applications
Even with strict isolation and access requirements, the use of cloud-connected devices cannot always be avoided. Rules on where a cloud-connected device may be physically present, along with access control approaches such as zero trust, are essential.
Pathways for PMMD Attacks
Because every file crossing into an air-gapped zone passes through them, kiosks become a primary target for cyberattacks. Addressing the pathways for PMMD attacks is crucial to planning and implementing a robust cybersecurity plan.
Physical Access to the Kiosk
Physical access control is an essential aspect of securing scanning stations. A kiosk’s software can be compromised if an attacker gains access to its underlying hardware or unprotected ports.
Wired Network Connections
Even in an air-gapped deployment, kiosks often rely on wired connections for maintenance operations. If such a connection is not restricted to authorized maintenance hosts, it opens the door to attacks such as malware injection into the kiosk itself.
Wireless Network Connection
Wired connections should strictly be the preferred way of connecting to kiosks. Compared with wired connections, wireless connections are more easily intercepted and joined by threat actors and unauthorized users, so a kiosk's wireless interfaces should be disabled wherever possible.
Removable Media Connection
Constant monitoring and strict access control are necessary to ensure that a kiosk's media ports are used only for scanning portable media, and never for attaching other devices. This protects the kiosk's software and scanning engines from tampering by anyone who can physically reach those ports.
Supply Chain Access
In addition to the pathways above, which introduce risk after a kiosk is deployed, an attack can occur during production or distribution. A kiosk whose software is compromised before deployment poses a greater risk, because the compromise is present from the first day of operation and is much harder to detect. Verifying the integrity of the kiosk's software and its updates against the vendor's published hashes or signatures before deployment is a basic check against this pathway.
Securing Nuclear Power Plants Against PMMD Attacks
Beyond the considerations for creating a cybersecurity plan, the following specific measures help secure nuclear facilities against PMMD attacks.
Device Control Policies within OT Environments
Impose strict control policies for portable media and mobile devices within OT environments to keep unauthorized devices out, and use endpoint protection solutions, such as MetaDefender Endpoint™, to monitor and control device usage. Organizations should also require encryption for all portable media so that the data it carries stays protected if a device is lost or stolen.
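The access-control and usage-policy points above (approved devices only, zone restrictions, mandatory encryption, a clean scan before use) reduce to a policy decision taken at the moment a device is plugged in. The following is an added example of such a decision function, not code from OPSWAT or from the NEI documents. The allowlist format, the USB vendor/product IDs, the serial numbers and the zone names are all assumptions constructed for the illustration; a real agent would read the descriptor fields from the operating system and load the allowlist from signed configuration.

```python
"""Device-control policy evaluation for removable media entering an OT zone.

Added example (not OPSWAT's or NEI's code). The allowlist format, zone names,
USB IDs and field names are assumptions constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

USB_CLASS_MASS_STORAGE = 0x08  # the only interface class a data-transfer stick should expose


@dataclass(frozen=True)
class UsbDevice:
    vid: int                            # USB vendor ID from the device descriptor
    pid: int                            # USB product ID
    serial: str                         # serial number string descriptor
    interface_classes: Tuple[int, ...]  # bInterfaceClass of every interface enumerated
    encrypted: bool                     # hardware-encrypted or encrypted-volume media
    clean_scan: bool                    # a scanning kiosk recorded a clean result


@dataclass(frozen=True)
class ApprovedDevice:
    owner: str                          # who the facility issued the device to
    zones: FrozenSet[str]               # OT zones this device may enter


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed allowlist keyed on (vid, pid, serial). The VID/PID values are
# placeholders, not real vendor assignments.
ALLOWLIST: Dict[Tuple[int, int, str], ApprovedDevice] = {
    (0x1234, 0x0001, "FAC-USB-0001"): ApprovedDevice("ops-team", frozenset({"zone-a", "zone-b"})),
    (0x1234, 0x0001, "FAC-USB-0002"): ApprovedDevice("maintenance", frozenset({"zone-a"})),
}


def evaluate(device: UsbDevice, zone: str, allowlist=ALLOWLIST) -> Decision:
    """Return allow/deny for `device` plugging into `zone`, naming the first failing rule.

    Rules run cheapest and most decisive first, and the reason string names
    exactly one policy violation so the audit log stays unambiguous.
    """
    # 1. Identity: vendor, product and serial must match an issued device. A stick
    #    that clones an approved VID/PID still fails on the serial number.
    approved = allowlist.get((device.vid, device.pid, device.serial))
    if approved is None:
        return Decision(False, "device not on the approved-device list")

    # 2. Interface classes: a "stick" that also enumerates a keyboard (HID, 0x03)
    #    or a network adapter is a BadUSB-style device and is refused outright,
    #    even though its storage identity is on the allowlist.
    bad = [c for c in device.interface_classes if c != USB_CLASS_MASS_STORAGE]
    if bad:
        return Decision(False, "non-storage interface class exposed: " + ", ".join(f"0x{c:02x}" for c in bad))

    # 3. Zone binding: media approved for one air-gapped zone must not wander into another.
    if zone not in approved.zones:
        return Decision(False, f"device is not authorised for {zone}")

    # 4. Encryption policy, so loss or theft of the media does not expose its contents.
    if not device.encrypted:
        return Decision(False, "media is not encrypted")

    # 5. Scan enforcement: no clean kiosk result, no access.
    if not device.clean_scan:
        return Decision(False, "no clean scanning-kiosk result recorded")

    return Decision(True, f"approved device owned by {approved.owner}")


def audit_record(device: UsbDevice, zone: str, decision: Decision) -> dict:
    """Structured record for the device-connection log that security audits rely on."""
    return {
        "event": "removable_media_connect",
        "zone": zone,
        "vid": f"{device.vid:04x}",
        "pid": f"{device.pid:04x}",
        "serial": device.serial,
        "allowed": decision.allowed,
        "reason": decision.reason,
    }


if __name__ == "__main__":
    stick = UsbDevice(0x1234, 0x0001, "FAC-USB-0002", (USB_CLASS_MASS_STORAGE,), True, True)
    for zone in ("zone-a", "zone-b"):  # allowed in zone-a, refused in zone-b
        print(audit_record(stick, zone, evaluate(stick, zone)))
```

The interface-class rule is the one most often missing from a "USB whitelist": an allowlist keyed on vendor and product ID alone accepts a device that presents an approved storage identity alongside a hidden keyboard interface. Checking every enumerated interface, not just the first, closes that gap.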
Authorize, Monitor, and Control Removable Devices
Before a peripheral or removable device is given access to a critical network, it should be authenticated and authorized, so that only devices that have been properly scanned and secured can interact with a facility's systems. A solution such as MetaDefender Kiosk™, with its MetaDefender Media Firewall™ technology and its multiple form factors that fit various locations, has proven its effectiveness in securing nuclear facilities' file transfer operations.
Monitoring and Auditing
Continuous monitoring of device activity and comprehensive logging of data transfers help identify unusual activity and unauthorized access attempts. Retaining device connection logs (which device, which zone, when, and whether it was allowed) also supports security audits.
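What "unusual activity" looks like in a device connection log is concrete enough to automate. The following is an added example (not OPSWAT's code) that reviews connection records for three patterns an auditor would flag: a device carried from one zone into another without revisiting the kiosk (the cross-contamination case), repeated refusals of the same unapproved device, and media use outside the expected hours. The one-record-per-line `key=value` log format, the serial numbers and the events are constructed for the illustration; a real agent's log would need its own parser but the same rules apply.

```python
"""Review of removable-media connection logs for patterns an auditor looks for.

Added example, not OPSWAT's code. The log format (one `key=value` record per
line, as a hypothetical endpoint agent might emit), the serial numbers and the
events are constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: a normal transfer, a stick carried from zone-a into
# zone-b without returning to the kiosk, a rejected device tried three times,
# and a late-night connection.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z zone=kiosk event=scan serial=FAC-USB-0001 result=clean
2024-03-04T09:02:31Z zone=zone-a event=connect serial=FAC-USB-0001 result=allow
2024-03-04T09:20:04Z zone=zone-a event=disconnect serial=FAC-USB-0001 result=ok
2024-03-04T09:41:17Z zone=zone-b event=connect serial=FAC-USB-0001 result=allow
2024-03-04T10:03:00Z zone=zone-a event=connect serial=UNK-778899 result=deny
2024-03-04T10:03:45Z zone=zone-a event=connect serial=UNK-778899 result=deny
2024-03-04T10:05:12Z zone=zone-a event=connect serial=UNK-778899 result=deny
2024-03-04T23:10:00Z zone=zone-a event=connect serial=FAC-USB-0002 result=allow
"""

MAINTENANCE_WINDOW = (7, 19)      # hours of the day (UTC) when media use is expected
DENY_THRESHOLD = 3                # repeated refusals that warrant an analyst's look
DENY_WINDOW = timedelta(minutes=10)


def parse(log: str) -> List[dict]:
    """Turn each log line into a dict; the leading timestamp becomes a datetime."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def findings(records: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, serial, detail) triples for the events worth escalating."""
    out = []
    last_zone: Dict[str, str] = {}                    # serial -> last zone it connected in
    denies: Dict[str, List[datetime]] = defaultdict(list)

    for r in sorted(records, key=lambda r: r["ts"]):
        serial, zone, event, result = r["serial"], r["zone"], r["event"], r["result"]

        if event == "scan":
            # A fresh kiosk scan resets the zone history: entering a new zone afterwards is legitimate.
            last_zone.pop(serial, None)
            continue
        if event != "connect":
            continue

        if result == "deny":
            # Keep only refusals inside the sliding window, then count them.
            denies[serial] = [t for t in denies[serial] if r["ts"] - t <= DENY_WINDOW] + [r["ts"]]
            if len(denies[serial]) >= DENY_THRESHOLD:
                out.append(("repeated-deny", serial, f"{len(denies[serial])} refusals in {zone} within {DENY_WINDOW}"))
            continue

        # From here on the connection was allowed; look for policy-adjacent anomalies.
        if not (MAINTENANCE_WINDOW[0] <= r["ts"].hour < MAINTENANCE_WINDOW[1]):
            out.append(("off-hours", serial, f"connected in {zone} at {r['ts']:%H:%M} UTC"))

        prev = last_zone.get(serial)
        if prev is not None and prev != zone:
            out.append(("zone-hop", serial, f"moved from {prev} to {zone} without a new kiosk scan"))
        last_zone[serial] = zone
    return out


if __name__ == "__main__":
    for rule, serial, detail in findings(parse(SAMPLE_LOG)):
        print(f"{rule:14} {serial:14} {detail}")
```

The zone-hop rule is the one that directly enforces the "sanitize before and after use" requirement: an allowed connection is not by itself suspicious, but an allowed connection in a second zone with no intervening scan event means the media skipped the kiosk.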
Enforced Scanning and Malware Detection
Enforced scanning of all portable and mobile media entering a facility is crucial: every device is checked for malware before it is allowed to touch the network. In addition to stationary scanning tools, a portable bare-metal scanning tool such as MetaDefender Drive™, which can detect hidden malware such as rootkit infections, can strengthen a cybersecurity plan.
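The "authorize before access" and "enforced scanning" measures above only hold if the endpoint on the far side of the air gap can tell that a stick really was scanned, and that nothing changed afterwards. The following is an added example of that binding, written by the editor and not taken from OPSWAT's MetaDefender products: the kiosk runs its engines and, on a clean result, writes a manifest of file hashes protected by a MAC; the endpoint recomputes the hashes and checks the MAC, the verdict and the receipt's age before trusting the media. The two "engines", the shared key, the sample files and the manifest layout are constructed for the illustration. A production design would have each kiosk sign receipts with its own asymmetric key so that no endpoint holds material with which a receipt could be forged.

```python
"""Kiosk-side scan receipt and endpoint-side verification before media is trusted.

Added example (not OPSWAT's MetaDefender code). The engines, shared key, files
and manifest layout are constructed for the illustration; a real deployment
would use a per-kiosk asymmetric signing key rather than a shared MAC key.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Tuple

# Constructed files as they might sit on a stick; held as bytes so the example
# runs without touching a filesystem.
MEDIA: Dict[str, bytes] = {
    "setpoints.csv": b"tag,value\nTE-101,301.5\nPT-205,12.8\n",
    "patch-notes.txt": b"Firmware 4.2.1: bounds check on Modbus frame length\n",
}


# Constructed detection engines: each returns the names of the files it flags.
# A real kiosk calls its multiple AV engines here.
def engine_test_string(files):
    return {n for n, d in files.items() if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in d}


def engine_executables(files):
    return {n for n, d in files.items() if d.startswith(b"MZ") or d.startswith(b"\x7fELF")}


ENGINES = (engine_test_string, engine_executables)
KIOSK_KEY = b"constructed-kiosk-key-for-illustration"   # assumption: shared with endpoint agents


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so the endpoint recomputes exactly the bytes the kiosk MAC'd.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def kiosk_scan(files: Dict[str, bytes], key: bytes = KIOSK_KEY, now: float = None) -> Tuple[bool, dict]:
    """Run every engine; on a clean result emit a manifest binding each file's hash."""
    flagged = set().union(*(engine(files) for engine in ENGINES))
    if flagged:
        return False, {"verdict": "blocked", "flagged": sorted(flagged)}
    body = {
        "verdict": "clean",
        "scanned_at": int(now if now is not None else time.time()),
        "engines": [engine.__name__ for engine in ENGINES],
        "files": {name: sha256(data) for name, data in sorted(files.items())},
    }
    return True, {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def endpoint_verify(files: Dict[str, bytes], manifest: dict, key: bytes = KIOSK_KEY,
                    max_age_s: int = 8 * 3600, now: float = None) -> Tuple[bool, str]:
    """Refuse the media unless the manifest is authentic, fresh, and matches every file present."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False, "manifest MAC invalid"
    if body.get("verdict") != "clean":
        return False, "manifest does not record a clean scan"
    current = now if now is not None else time.time()
    if current - body["scanned_at"] > max_age_s:
        return False, "scan receipt too old; rescan at kiosk"
    # A file added after the scan has no hash in the manifest; an altered file's hash no longer matches.
    unscanned = sorted(set(files) - set(body["files"]))
    if unscanned:
        return False, "file(s) present that the kiosk never scanned: " + ", ".join(unscanned)
    for name, digest in body["files"].items():
        if name in files and sha256(files[name]) != digest:
            return False, f"{name} modified after scan"
    return True, "media accepted"


if __name__ == "__main__":
    ok, manifest = kiosk_scan(MEDIA)
    print("kiosk:", "clean" if ok else "blocked", manifest)
    print("endpoint:", endpoint_verify(MEDIA, manifest))
```

The receipt's age limit matters as much as its signature: without it, a stick scanned once could circulate indefinitely, and the "before and after use" sanitization requirement would be satisfied on paper only.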
Security Training and Awareness
Even well-designed security systems remain exposed to human error. Organizations should provide regular, up-to-date employee training on the risks of using portable media and mobile devices. NEI guidelines advocate educating personnel on best practices, such as never using unknown USB devices and never connecting personal devices to critical systems.
Emergency Response Planning
Even with the strictest security measures, cyberattacks may still occur. A robust PMMD incident response plan is needed, with steps to isolate infected devices, notify the relevant teams, and recover compromised systems.
Conclusion
Many nuclear facility operations happen within air-gapped zones, which makes peripheral and removable media necessary for transferring data between facilities and endpoints. That necessity increases the risk of cyberattacks, especially PMMD attacks, and requires adherence to strict regulatory guidelines. Peripheral and removable media protection solutions such as MetaDefender Kiosk™ with its MetaDefender Media Firewall™, and MetaDefender Endpoint™, coupled with MetaDefender Drive™ and its ability to detect hidden malware, provide integrated cybersecurity solutions to achieve up to 99.2% malware detection rates.
To know more about OPSWAT’s solutions to secure critical infrastructure and mitigate the risks of PMMD attacks, talk to one of our experts.