Cyber Security and the
Canadian Nuclear Industry –
a Canadian Regulatory
Perspective
Terry Jamieson
Vice-President
Technical Support Branch
Canadian Nuclear Safety Commission
August 11, 2015
www.nuclearsafety.gc.ca
Outline
CNSC mission and mandate
Modern cyber security threat
Cyber security and modern industrial
control system
Regulatory approach to cyber security
International perspectives
Current and future challenges
Closing remarks
2
Canadian Nuclear Safety
Commission
Regulates the use of nuclear
energy and materials to protect
health, safety, security and the
environment, and to implement
Canada’s international
commitments on the peaceful
use of nuclear energy; and to
disseminate objective scientific,
technical and regulatory
information to the public
3
CNSC presence
• Headquarters in Ottawa
• Five offices at nuclear power plants
• One site office at Chalk River Labs
• Four regional offices
• Staff: ~800
• Resources: $140M (75% of costs
recovered)
• Number of licensees: 2,500
• Total number of licences: 3,300
Calgary
Western Regional Office
Saskatoon
Uranium Mills and Mines
Division Regional Office
Gentilly-2
Chalk River
Bruce
Point Lepreau
HQ
Laval Eastern Regional
Office
Darlington
Mississauga Southern
Regional Office
Pickering – A and B
4
CNSC regulates all nuclear-related
facilities and activities
Imports and exports
Controlled
material
Controlled
equipment
Irradiators
Accelerators
Fuel
fabrication
Controlled
information
Nuclear
gauges
Power
reactor
Refining
Waste
Medical
diagnostics
Milling
Mining
Brachytherapy
Nuclear medicine and
radiation therapy
Nuclear
R&D test
facilities
Radioisotope
reactors
Therapeutic
Teletherapy
Industrial
applications
High power
accelerators
…From cradle to grave
Research
reactors
Research and radioisotope
production facilities
5
Nuclear power plants in Canada
Darlington (4 unit station)
• Refurbishment of current 4-unit station
scheduled to begin in 2016
Point Lepreau (single unit station)
• Refurbishment project completed and
unit returned to service (late 2012)
Gentilly-2 (single unit station)
• HQ permanently shut down facility in
December 2012
Bruce (8 unit station)
• Refurbishments ongoing (2 of 8 units
completed as of 2015)
Pickering (6 of 8 units operating)
• Shutdown expected in 2020
6
In the “old days”
• Operators of process control systems
(PCS) believed they were invulnerable to
cyber attack for two main reasons:
1. PCS are isolated from the Internet.
2. PCS generally use proprietary protocols and
specialized hardware, which are not
compatible with common network protocols
and the Internet.
Source: The Vulnerability of Nuclear
Facilities to Cyber Attack, B. Kesler, 2011
7
Cyber security and modern
digital systems: the reality
• 2003: Slammer worm at
Davis‐Besse Nuclear
Power Plants (2003) in the
US
• 2010: Stuxnet malware
infiltrated Natanz (Iran)
nuclear facility disabling
over 1000 centrifuges
• 2014: Monju fast reactor
(Japan) infected by
malware (data integrity
and compromise)
• And many more cyber
incidents
Siemens Programmable
Logic Controller
Various
theories as to
its introduction
Natanz
Enrichment
Facility, Iran
Monju
Sodium Fast
Reactor
8
And more recent incidents
South Korean nuclear operator hacked amid
cyber‐attack fears
Operator begins two-day exercise after suspected hacker tweets
information on Korea Hydro & Nuclear Power (KHNP) plants and staff
The latest attack resulted in the leak of
personal details of 10,000 KHNP workers,
designs and manuals for at least two
reactors, electricity flow charts and
estimates of radiation exposure among
local residents. There was no evidence,
however, that the nuclear control systems
had been hacked.
9
What do we mean by cyber
security and the nuclear industry?
Protect digital assets that perform the
functions of systems important to
nuclear safety, security, emergency
preparedness and international
safeguards from cyber attack
Digital asset: A subcomponent of a system that consists of or
contains a digital device, computer or communication system or
network, and information stored in the subcomponent.
10
Scope of cyber security program –
nuclear facilities
Industrial Control System
for nuclear safety
Physical protection
systems
Annunciation,
communication
systems for
emergency
preparedness /
response
and
international
safeguards
systems
11
Cyber threats – What are the CNSC
and nuclear industry doing?
• Since 2008, the CNSC has engaged major
nuclear facilities in Canada in defining
requirements of and implementing programs for
cyber security
• Regulations updated, licence conditions added,
modern standards developed
• CSA N290.7 Cyber Security for Nuclear Power
Plants and Small Reactor Facilities (published
December 2014)
• Site cyber security inspections by CNSC staff began
in January 2015 for Canadian Nuclear Power Plants
12
CSA N290.7 security controls – cyber
security for nuclear facilities
• CSA N290.7 will form the cornerstone of
CNSC’s regulatory framework requirements
• N290.7 comprises technical, operational and
management control requirements:
• Technical - executed through non-human
mechanisms
• Operational - executed through human
mechanisms
• Management - risk management and general
policies including procurement strategies
13
Cyber defensive architecture at
NPPs
• Cyber security focuses on
defence in depth (similar to
traditional principles of safety)
• Data flow restricted as per
diagram (i.e., typically from
higher to lower security levels)
• Defensive architecture is
implemented by establishing the
logical and physical boundaries
14
State of cyber defensive architecture
in Canadian NPPs
• Networks responsible for safety systems, process control
systems, physical security systems and business
systems are segregated
• Safety system network connected to process system
network via one-way communication device (no
possibility of bidirectional information flow)
• Administrative and mechanical controls prevent
unauthorized access (portable mobile devices, etc.) to
safety, process control and physical security computers
• Licensees have robust cyber security measures in place
that have been verified by staff
15
Cyber security – the importance of
national/international collaboration
• Domestically, CNSC works with Public Safety Canada /
Canadian Cyber Incident Response Centre, Natural
Resources Canada, Communication Security
Establishment Canada and others
• Internationally, bilateral work with the US Nuclear
Regulatory Commission has greatly advanced knowledge
• CNSC contributes significantly to the work at International
Atomic Energy Agency (IAEA) in developing security series
documents
• Nuclear Security Series (NSS) 17 Computer Security at
Nuclear Facilities, Conducting Cyber Security
Assessments for Nuclear Facilities and many more
16
IAEA and cyber security (cont.)
• International Physical Protection Advisory Service
(IPPAS) missions
• Module on computer (cyber) security
• Canada will host an IPPAS mission in 2015!
• Training
• Offered by international cyber experts from nuclear
industry to host countries (operators, regulators,
others)
• Production of Nuclear Security Series publications to
assist IAEA member states with program implementation
and improvements
17
Challenges to managing and regulating
cyber security in the nuclear industry
• Rapid evolution of cyber threat vectors and instruments
– nuclear plants seen as a target of interest
• Challenges of regulating across global supply chain –
counterfeit, fraudulent, suspect items cases well
publicized
• Increased sophistication of cyber attacks makes
detection and prevention increasingly difficult
• Knowledge and resource limitations (cyber expertise):
industry and regulator
• State of board/senior executive oversight on cyber
security matters is still evolving
18
Conclusions
• Canadian nuclear power plants have robust
comprehensive cyber security programs in place
• CNSC is evolving its regulatory approaches to meet the
needs of the proponents now and in the future while
ensuring high levels of safety are assured
• Cyber security requirements need to be embedded into
every phase of the regulatory review process for I&C
systems
• Cyber security (like physical security) is only as strong
as the weakest link
19
Thank You
Any Questions?
nuclearsafety.gc.ca
facebook.com/CanadianNuclearSafetyCommission
twitter.com/CNSC_CCSN
youtube.com/cnscccsn
20