ML22333A895

TLR-RES-DE-2023-001, Zero Trust for Operational Technology Literature Review

Person / Time
Issue date: 02/10/2023
From: Kim A, NRC/RES/DE
To: Anya Kim, 301-415-3633
References: TLR-RES-DE-2023-001

Technical Letter Report TLR-RES-DE-2023-001
Zero Trust for Operational Technology Literature Review
Date: November 2022
Prepared under the Future Focused Research Initiative, by:
Dr. Anya Kim, Computer Scientist, RES/DE/ICEEB
Kim Lawson-Jenkins, IT Specialist (Cyber), NSIR/DPCP/CSB
Division of Engineering, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001

Table of Contents

Executive Summary
Acknowledgements
1. Introduction
2. Zero Trust Literature Review
   2.1 US Federal Government
       White House and Office of Management and Budget (OMB)
       National Institute of Standards and Technology (NIST)
       Cybersecurity and Infrastructure Security Agency (CISA)
       U.S. Department of Defense (DoD)
       National Security Agency (NSA)
   2.2 Commercial Efforts in Zero Trust
       Microsoft Corporation
       Google LLC
       Forrester Research Inc.
       American Council for Technology-Industry Advisory Council (ACT-IAC)
   2.3 Zero Trust Efforts in OT
3. SMRs and Advanced Reactors
   3.1 Overview of Select Reactor Designs
       SMRs / Microreactors
       Molten Salt Reactors (MSRs)
       High-Temperature Gas-Cooled Reactors (HTGRs)
       Liquid Metal Cooled Fast Reactors (LMFRs)
   3.2 Security Considerations
4. Proposed Zero Trust Framework for OT at Nuclear Facilities
   4.1 Challenges of applying Zero Trust to OT
   4.2 Proposed Zero Trust Principles and Framework for OT
       Device
       User
       Network
5. Conclusion and Next Steps
6. References

Executive Summary

Advanced reactors and small modular reactors (SMRs) may employ emerging technologies such as remote monitoring and operations, wireless, and drones that do not fit into the existing defensive architecture and regulatory guidelines. Hence, the perimeter-based cybersecurity model and the predominance of physical controls used in current operating reactors, with their primarily analog and/or hard-wired technology, may not be sufficient to protect reactors that employ these emerging technologies.

NRC staff is performing research on whether Zero Trust architectures (ZTAs) can replace or augment the current defensive architecture and reduce the security challenges of introducing these technologies. While the findings will be applicable to other OT areas, the focus of this research is its applicability to SMRs and advanced reactors as they adopt technologies that are not addressed in current regulatory guidelines.

Zero Trust is a paradigm that moves cybersecurity from perimeter defense to a focus on users, assets, and resources. It is not a specific technology or set of technologies, but rather a security strategy with a set of principles designed to prevent data breaches and limit lateral movement within the network. In a nutshell, it can be characterized by the sentiment "never trust, always verify."

Current literature on Zero Trust focuses on protection of information technology (IT) systems, in which data protection is the main focus. The limited work that discusses applying Zero Trust to operational technology (OT) environments proposes adapting IT-based Zero Trust models to the OT environment without full consideration of the different characteristics of the two environments. In an IT environment, data protection is the main focus, with confidentiality being the key security objective, while in an OT environment, safety and device security are the main focus, with availability being the more important security objective [1], [2].

Based on insights from the authors' review of the literature and careful consideration of OT system characteristics, this paper presents a high-level Zero Trust framework for OT. In this framework, three Zero Trust for OT pillars are proposed: 1) User, 2) Device, and 3) Network.

Unlike the existing IT-focused Zero Trust literature, this paper does not consider data to be a crucial pillar. Rather, together with identity, applications, and automation, data is included as a cross-cutting capability to be considered across the pillars. The next step of the research, to be described in subsequent papers, will provide a more detailed description of the Zero Trust framework for OT, including capabilities to support each pillar, and will develop a Zero Trust Architecture (ZTA) that details the logical components that support the Zero Trust framework.

Acknowledgements The authors would like to thank Juris Juantirans of the NRC for his valuable contribution to Section 3 of this report.


1. Introduction

Advanced reactors (typically called non-light water reactors) and small modular reactors that are very different from the currently operating large light water reactor technology used in nuclear power plants today are being considered as a way to address energy needs while providing enhanced safety. These reactor designs, with potential inherent and passive safety features, claim improved safety characteristics that must be investigated [3]. The same is true for the cybersecurity aspect of these new reactors: as new reactors employ emerging technologies such as artificial intelligence, remote and autonomous monitoring, drones, and robotics, their use creates a significant cybersecurity challenge that current perimeter-based security models and the predominance of physical controls may not be able to address (see footnote 1). These new technologies do not neatly fit into the defensive architecture or regulatory guidelines in place today, especially since their risk profile is as yet unknown. For example, when remote monitoring is introduced, how is the protected area or vital area defined and defended? How are the additional attack pathways addressed when wireless and drones are permitted? New guidance is needed not only to assess the cybersecurity implications of these new technologies, but to address how to secure them and to demonstrate that security requirements have been met.

The security approach within operating Nuclear Power Plants (NPPs) is perimeter-based security with the concept of security levels, each protected by a perimeter security device such as a firewall or, in many nuclear power plants, one-way data diodes, as illustrated in Figure 1 [4]. Your location within this perimeter model determines the level of trust assigned: inside the network is trusted, outside the network is not. However, recent trends such as cloud computing, virtual private networks (VPNs), and remote access technologies have blurred these lines in an IT network, invalidating the concept of a perimeter. Furthermore, this paradigm is inadequate at limiting lateral movement, enabling an attacker, once in, to easily move within a security level [5]. As can be seen from the latest daily headlines, cyberattacks keep escalating, disrupting national critical infrastructures [6] [7] [8].

To that extent, NRC staff is examining whether Zero Trust architectures can replace or augment the current defensive architecture and reduce the security challenges of introducing newer technologies (such as wireless devices, drones, cloud computing, and remote monitoring) in a secure manner while satisfying the safety requirements. This paper proposes the Zero Trust concept as one way that licensees and applicants of SMRs and advanced reactors can look at to secure their OT networks.

Footnote 1: That is not to say that traditional large light water reactor (LLWR) technologies will not adopt some of these technologies to some degree, but the focus of this research is predominantly on SMRs and advanced reactors.

Figure 1 - Traditional security model for NPPs

With Zero Trust, security is moved from perimeter defense to a focus on users, assets, and resources. It is not a new technology or set of new technologies, but rather a security strategy with a set of principles designed to prevent data breaches and limit lateral movement. In a nutshell, it can be characterized by the sentiment "never trust, always verify" [9].

The authors of this paper believe that when properly implemented, a Zero Trust architecture (ZTA) shifts the burden of network defense from the defender to the attacker who must constantly guess correctly to move through the network.

The remainder of this report is organized as follows: Section 2 provides an overview of Zero Trust. It introduces concepts and principles associated with Zero Trust as defined in the literature, especially in the context of the major federal government efforts as well as commercial and academic research that have been produced in this area. It also examines implementation strategies and maturity models that recommend a gradual shift towards an optimal Zero Trust framework.

Section 3 is a very high-level overview of advanced reactor concepts and introduces some of the different types of advanced reactors and SMRs as a brief introduction. It also points out some literature that identifies cybersecurity concerns associated with adoption of emerging technologies in these reactors.

Section 4 examines the challenges involved in deploying a Zero Trust framework within the nuclear industry. It also introduces the conceptual design of the authors' Zero Trust framework for OT.

Section 5 provides our conclusion and lays the groundwork for developing a Zero Trust framework for OT with a focus on SMRs and advanced reactors, which are part of the current efforts of this project.


2. Zero Trust Literature Review

The security model most people are familiar with is the perimeter-based security model depicted in Figure 2, where security controls such as firewalls or other security devices segment the network into an inside/outside concept in which outside is untrusted and inside is trusted.

Figure 2 - Perimeter-based Security Model

This model has not been successful in defending networks from newer attacks, as can be seen by the numerous security incidents that have made the headlines [7] [10]. The main problem with this model is that once inside the perimeter, trust is assumed, making it easy for attackers to move laterally through the network. In particular, from an IT perspective, the introduction of technology such as the cloud, Bring Your Own Device (BYOD), Virtual Private Networks (VPNs), and the Internet of Things (IoT) has blurred the concept of a perimeter.

Zero Trust is a concept in which the meaning of "trusted" and "untrusted" is reexamined: Zero Trust adopts the concept of "never trust, always verify." This translates to verifying each request (regardless of where it originated or what resource it requests), and requiring every access request to be fully authenticated and authorized before access is granted (see footnote 2).

While it has recently garnered a lot of attention, Zero Trust is not a new concept. While the term Zero Trust was first coined by John Kindervag in 2010 when he was at Forrester, the concept itself has been around since 2004, when it was introduced as a security design concept by the Jericho Forum (see footnote 3) [11]. This concept involved limiting implicit trust based on network location and addressed the drawbacks of having single, static security controls defend a large network segment [12] [13].

This section provides a literature review of the Zero Trust landscape. First, the US Federal government efforts related to Zero Trust are examined, briefly illuminating the definitions, tenets, principles, and pillars identified/used in each approach. Next, Zero Trust efforts and implementations from the commercial sector are discussed. Finally, a brief discussion of work that examines Zero Trust related efforts in OT or OT-related domains is presented.

Footnote 2: In IT networks, where data protection is most important, requests are not only authenticated and authorized, but encrypted as well.

Footnote 3: A UK-based group of Chief Information Security Officers (CISOs).

The insights gathered from the literature review clarify what the Zero Trust concept means for OT, Industrial Control Systems (ICS), and NPPs, as well as the similarities and differences to consider when applying Zero Trust to those areas. In this way, the authors will be able to define a Zero Trust framework that addresses the characteristics of ICS and NPPs specifically. These insights help the authors form their own basic tenets for OT (presented in Section 4) and will continue to be applied as the authors continue their work on Zero Trust for OT.

2.1 US Federal Government

Several federal agencies have released their own guidelines and strategies, leveraging each other's work when developing their own Zero Trust publications and maturity models, yet with slight differences among them. This section briefly summarizes these efforts, in an attempt to frame the requirements of a Zero Trust framework for OT. These efforts are focused solely on security of the enterprise, and hence Zero Trust principles and tenets are defined with the enterprise in mind. Therefore, not all the concepts presented here may be applicable to an OT network. However, it is still worthwhile to review the different principles and tenets as we consider their applicability to critical infrastructures.

In general, these reports all describe what Zero Trust is and its principles, and then identify several pillars of Zero Trust. In this context, pillars are areas of effort that must be performed to support (prop up) the Zero Trust architecture. Or, to use Department of Defense (DoD) terminology, a pillar is a key focus area for implementation of Zero Trust controls [14].

White House and Office of Management and Budget (OMB)

In May 2021, in response to the increasing number of high-profile security breaches, the Biden administration issued Executive Order (E.O.) 14028, Improving the Nation's Cybersecurity, which (among other things) directs the Federal government to migrate to a Zero Trust architecture [15]. In January 2022, the Office of Management and Budget released a Federal strategy for moving the U.S. government towards a Zero Trust Architecture, memorandum M-22-09, designed to support E.O. 14028 [16] [17]. The memorandum observes that the Log4j vulnerability "is the latest evidence that adversaries will continue to find new opportunities to get their foot in the door."

The strategies outlined in the memorandum include requiring that all traffic be encrypted and authenticated, focusing in the near term on Domain Name System (DNS) and Hypertext Transfer Protocol (HTTP) traffic. It also states that users should log into applications rather than networks, and that enterprise applications should eventually be usable over the public internet. While these are not directly applicable to an OT network, as remote operation technologies are implemented, NPP applications/workflows may need to be (securely) accessed over the public internet.

The memorandum outlines Zero Trust security goals (organized around CISA's Zero Trust maturity model and its five pillars) that agencies are to implement by the end of Fiscal Year (FY) 2024. These pillars and the strategic goals for each are:

- Identity: use enterprise-managed identities to access work, and phishing-resistant multi-factor authentication (MFA) to protect personnel from sophisticated online attacks.
- Devices: agencies should maintain a complete inventory of every device they operate and authorize for government use, with tools that support dynamic discovery and cataloging of assets. They must be able to prevent, detect, and respond to incidents on these devices.
- Networks: all DNS requests and HTTP traffic on the network should be encrypted, and perimeters broken down into isolated environments.
- Applications and Workloads: all applications should be treated as internet-connected and routinely subjected to rigorous application security testing.
- Data: protections should make use of data categorization (tagging and managing access to sensitive documents), use a cloud security infrastructure to monitor access to sensitive data, and implement comprehensive logging and information-sharing capabilities.

The next subsections describe various Federal Government efforts in the area of Zero Trust.

National Institute of Standards and Technology (NIST)

NIST SP 800-207 provides a technology-neutral enterprise implementation roadmap for Zero Trust security concepts and discusses how to set up a Zero Trust architecture [18]. It defines Zero Trust as a set of guiding principles rather than a specific technology or implementation. It provides an abstract definition of a ZTA and gives general deployment models and use cases where Zero Trust could improve an enterprise's security posture:

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.

A ZTA is an enterprise's cybersecurity plan that uses Zero Trust concepts and encompasses component relationships, workflow planning, and access policies. A Zero Trust enterprise, then, is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a ZTA plan.

The NIST publication also defines seven tenets of Zero Trust. These tenets are defined in a way that moves away from the discussion of the perimeter, avoids discussion of specific technologies or implementations, and focuses on what should be involved rather than what should be excluded [18]. They are:

- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

NIST also provides basic assumptions for network connectivity that should be considered when forming a ZTA during planning and deployment. These assumptions are:

- The entire enterprise private network is not considered an implicit trust zone.
- There may be devices on the network that are not owned or configurable by the enterprise.
- No resource is inherently trusted.
- Not all enterprise resources are on enterprise-owned infrastructure.
- Remote enterprise subjects and assets cannot fully trust their local network connection.
- Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.

Regarding data, the NIST document states that "A Zero Trust approach is primarily focused on data protection." While this may be true from an IT-centric viewpoint, when considering an OT environment, and in particular a nuclear environment, data protection is not the main priority. In an OT environment within a nuclear facility, protection of a function associated with safety, security, or emergency preparedness (SSEP) is the primary focus.
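As an added illustration (this is not code from the NRC report, nor any agency's reference implementation), the following Python sketch of a policy decision point shows what the "never trust, always verify" rule from the start of this section and the NIST tenets above look like when reduced to code: every request is evaluated against a policy that considers identity, device inventory and posture, and authentication freshness; the grant is per-session with a time-to-live; network location is recorded for visibility but never grants trust; and anything not explicitly permitted is denied. All resource names, roles, rules, devices and requests below are constructed for the example and are not taken from any real plant or agency policy.

```python
"""Per-request access decision in the style of the NIST SP 800-207 policy decision point.
Added illustration only: every name, rule and request below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: FrozenSet[str]
    mfa_verified: bool      # phishing-resistant MFA completed for this session
    auth_time: datetime     # when the subject last authenticated

@dataclass(frozen=True)
class Device:
    device_id: str
    inventoried: bool       # present in the enterprise asset inventory
    posture_ok: bool        # latest integrity/posture measurement passed

@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str           # every data source and service is a resource
    action: str
    source_network: str     # recorded for visibility, never used to grant trust
    now: datetime

@dataclass(frozen=True)
class Rule:
    roles: FrozenSet[str]
    require_mfa: bool
    max_auth_age: timedelta  # bounds the per-session grant

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    session_ttl: Optional[timedelta] = None

# Hypothetical policy table keyed by "resource:action"; anything unlisted is denied.
POLICY: Dict[str, Rule] = {
    "historian:read": Rule(frozenset({"operator", "engineer"}), False, timedelta(hours=8)),
    "plc-loader:write": Rule(frozenset({"engineer"}), True, timedelta(minutes=15)),
}

AUDIT_LOG: List[str] = []   # every decision is recorded together with its context

def _evaluate(req: AccessRequest, rule: Optional[Rule]) -> Decision:
    if rule is None:
        return Decision(False, "no policy for resource/action: default deny")
    if not req.device.inventoried:
        return Decision(False, "device not in enterprise inventory")
    if not req.device.posture_ok:
        return Decision(False, "device failed posture check")
    if not (req.subject.roles & rule.roles):
        return Decision(False, "subject role not permitted")
    if rule.require_mfa and not req.subject.mfa_verified:
        return Decision(False, "phishing-resistant MFA required")
    auth_age = req.now - req.subject.auth_time
    if auth_age > rule.max_auth_age:
        return Decision(False, "authentication too old: re-authenticate")
    # Grant is per session and expires; source_network was never consulted.
    return Decision(True, "granted", session_ttl=rule.max_auth_age - auth_age)

def decide(req: AccessRequest) -> Decision:
    """Policy decision point: evaluate one request and log the outcome."""
    decision = _evaluate(req, POLICY.get(f"{req.resource}:{req.action}"))
    AUDIT_LOG.append(
        f"{req.now.isoformat()} user={req.subject.user_id} device={req.device.device_id} "
        f"net={req.source_network} {req.resource}:{req.action} "
        f"allow={decision.allow} reason={decision.reason!r}"
    )
    return decision

def demo() -> Dict[str, bool]:
    """Constructed scenarios: same identity, varying device, posture, network and auth age."""
    now = datetime(2022, 11, 1, 9, 0, tzinfo=timezone.utc)
    engineer = Subject("eng01", frozenset({"engineer"}), True, now - timedelta(minutes=5))
    stale_eng = Subject("eng01", frozenset({"engineer"}), True, now - timedelta(hours=2))
    operator = Subject("op07", frozenset({"operator"}), True, now - timedelta(minutes=5))
    healthy = Device("ews-03", inventoried=True, posture_ok=True)
    degraded = Device("ews-03", inventoried=True, posture_ok=False)
    unknown = Device("laptop-x", inventoried=False, posture_ok=True)
    def ask(subj, dev, res, act, net):
        return decide(AccessRequest(subj, dev, res, act, net, now)).allow
    return {
        "engineer_write_from_plant_lan": ask(engineer, healthy, "plc-loader", "write", "plant_lan"),
        "engineer_write_from_internet": ask(engineer, healthy, "plc-loader", "write", "internet"),
        "operator_write": ask(operator, healthy, "plc-loader", "write", "plant_lan"),
        "engineer_write_bad_posture": ask(engineer, degraded, "plc-loader", "write", "plant_lan"),
        "engineer_write_unknown_device": ask(engineer, unknown, "plc-loader", "write", "plant_lan"),
        "engineer_write_stale_auth": ask(stale_eng, healthy, "plc-loader", "write", "plant_lan"),
        "operator_read_historian": ask(operator, healthy, "historian", "read", "plant_lan"),
        "unlisted_resource": ask(engineer, healthy, "safety-plc", "write", "plant_lan"),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY'}")
```

Two points are worth noticing when reading the output. The engineer's request is granted identically from the plant LAN and from the internet, and denied identically when the same person shows up on a device that is missing from the inventory, fails posture, or authenticated too long ago: the decision is driven by subject and device attributes, not by where the packet came from. Second, the policy table is data and every decision is logged with its full context, which is what the NIST tenets on dynamic policy and on collecting state to improve posture amount to in practice. In an OT setting an engine like this belongs in front of an engineering workstation or a remote-access gateway rather than inside a control loop, since a denial on a safety-critical path has to fail in the safe direction; that is the kind of OT-specific consideration the report takes up in Section 4.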

As part of its responsibility to federal agencies and enterprises, NIST recently announced the publication of a white paper, Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators [19]. The white paper describes the process for migrating to a Zero Trust architecture using the NIST Risk Management Framework [20].

Cybersecurity and Infrastructure Security Agency (CISA)

As the operational lead for Federal cybersecurity and the national coordinator for critical infrastructure security and resilience, the Department of Homeland Security (DHS) CISA provides support to agencies for evolving and operationalizing their cybersecurity programs and capabilities. E.O. 14028 tasked CISA with modernizing its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with ZTA [15].

CISAs Zero Trust Maturity Model [21] was created to assist Federal agencies in the development of their Zero Trust strategies and implementation plans by providing one way to support the transition to Zero Trust.

The CISA maturity model uses NIST's definition of Zero Trust and ZTA and reflects NIST's seven tenets. The CISA model provides five pillars of Zero Trust. These five pillars, and how CISA will align to each pillar, are:

- Identity: an identity is an attribute or set of attributes that describe a user or entity, and will form a core component of CISA's ZTA. Under this pillar, CISA can help agencies gain a better understanding of their users and provide best practices to increase the security of identities.
- Device: devices are any hardware assets that can connect to the network and can be agency-owned or BYOD. CISA will provide capabilities for better device security and enhanced integration of device compliance into access control and risk decisions.
- Network/Environment: a network refers to an open communications medium. CISA can provide guidance on the protections that can be applied to protect assets, users, and data flows.
- Application and Workload: applications and workloads include systems, computer programs, and services. CISA can provide threat-based assessments of cyber capabilities that better align with agency application deployments, and may be able to use application-level telemetry from agencies to detect malicious activity more effectively.
- Data: agency data should be protected across devices, applications, and networks. In an IT environment, agencies need to shift towards a data-centric approach to cybersecurity. CISA can provide capabilities in data protection management.

This model includes three themes that cut across these areas: Visibility and Analytics, Automation and Orchestration, and Governance. Visibility and Analytics refers to the capability to view and monitor the behavior of all users, resources, and data while monitoring and enforcing Zero Trust policies using intelligent analytics. Automation and Orchestration refers to the ability to automate security processes to take policy-based actions with speed and at scale and integrate Security Information and Event Management (SIEM) and other automated security tools to manage disparate security systems.

The CISA Maturity Model states that Zero Trust presents "a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data, and assets" [21]. As will be explained in Section 4, for an OT environment the shift to Zero Trust will not be data-centric, but will focus on the devices that perform critical functions.

U.S. Department of Defense (DoD)

The DoD's Zero Trust Reference Architecture (DoD ZT RA) describes potential security features and architectural controls that the DoD plans to execute across its systems as it moves towards Zero Trust. It uses NIST's definition of Zero Trust [14], [18], stating: "Zero trust is the term for an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeters to focus on users, assets, and resources (see footnote 4). Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned)."

The Reference Architecture was created specifically to determine capabilities and integrations that can be used to advance the DoD Information Network (DODIN) into an interoperable Zero Trust end state [14]. To that end, the architecture focuses on a data-centric design, while maintaining loose coupling across services to maximize interoperability.

Footnote 4: Resources include things such as data, services, and information systems. In fact, NIST SP 800-207 states that all data sources and computing services are considered resources [18].

Per the DoD's definition, a Zero Trust approach includes the following three elements:

- No actor, system, network, or service operating outside or within the security perimeter is trusted: this is fundamental and common to other definitions of Zero Trust, where trust is neither implicit nor guaranteed.
- Verify anything and everything attempting to establish access: if you trust nothing, then you must verify everything and continuously monitor and assess the security posture of the device or network.
- A dramatic paradigm shift in the philosophy of how we secure our infrastructure, networks, and data: from "verify once at the perimeter" to continual verification of each user, device, application, and transaction.

The DoD ZT RA identified five major tenets of Zero Trust:

- Assume Hostile Environment
- Presume Breach
- Never Trust, Always Verify
- Scrutinize Explicitly
- Apply Unified Analytics for Data, Applications, Assets, Services (DAAS), to include behavioristics, and log each transaction

DoD Capability Viewpoint (CV)-2 (see footnote 5) capabilities are defined in terms of the following seven Zero Trust pillars: User, Device, Network/Environment, Application and Workload, Data, Visibility & Analytics, and Automation and Orchestration:

- User: includes person, non-person, and federated entities.
- Device: the ability to identify, authenticate, authorize, inventory, isolate, secure, remediate, and control all devices.
- Network/Environment: logical and physical segmentation, isolation, and control of the network is critical to control privileged access, manage data flows, and prevent lateral movement.
- Application and Workload: includes tasks on systems or services on-premise, as well as applications or services in a cloud environment. The Zero Trust workload spans the complete application stack from application layer to hypervisor.
- Data: develop a comprehensive data management strategy based on mission criticality.
- Visibility & Analytics: availability of vital contextual details in regard to performance, behavior, and activity baseline.
- Automation & Orchestration: proactive command and control.

The DoD ZT RA specifically states that "The pillars and capabilities enable maximum visibility and protection of data, which are the key focuses of any implementation of Zero Trust." This statement again highlights the importance placed on data protection in an IT environment when considering a Zero Trust framework.

Footnote 5: CV-2 captures capability taxonomy models, and includes identification of capability requirements as defined in the DoD Architecture Framework (DoDAF) Version 2.02 [14].

National Security Agency (NSA)

The NSA Embracing Zero Trust Security Model provides guidance as well as challenges for implementing a Zero Trust security model. It stresses the importance of building a detailed strategy, dedicating the necessary resources, maturing the implementation, and fully committing to the Zero Trust model to achieve the desired result [22].

NSA considers Zero Trust to be a set of design principles and a strategy that deals with threats from both inside and outside of the (traditional) network boundaries. The three guiding principles they use are:

- Never trust, always verify: requires authentication and explicit authorization (using least privilege) with dynamic security policies.
- Assume breach: deny by default and carefully scrutinize all access requests.
- Verify explicitly: make contextual access decisions based on confidence levels obtained from multiple (dynamic and static) attributes.

NSA also suggests leveraging the following design concepts:

- Define mission outcomes: derive the organization's Zero Trust architecture from its mission requirements, which identify the critical DAAS.
- Architect from the inside out: focus on protecting the critical DAAS.
- Determine who/what needs access to the DAAS in order to create access control policies.
- Inspect and log all traffic before acting: establish full visibility.

NSA points out that implementing Zero Trust cannot be achieved overnight; it requires time and effort. While in many cases existing infrastructure can be leveraged and integrated to incorporate Zero Trust concepts, additional capabilities will still need to be implemented.

Their roadmap of a Zero Trust maturity model includes a preparation stage (with no Zero Trust), with Zero Trust being gradually implemented from the Preparation stage through the Basic, Intermediate, and Advanced maturity stages.

2.2 Commercial Efforts in Zero Trust

While the US federal government has several Zero Trust related efforts, as mentioned above, the commercial sector has certainly been busy as well. While most major companies have created their own Zero Trust model or developed some Zero Trust solution, for this research the authors discuss only the following: Microsoft, because it has a clearly defined set of principles and a maturity model; Google, because it has an actual implementation of its Zero Trust model; Forrester, because as the earliest company to create the concept it has been leading the industry and providing frameworks that have been adopted by other industries; and ACT-IAC, because of its relationship to government and industry. Most other commercial efforts leverage one of these.

Microsoft Corporation

Microsoft presents a Zero Trust security model in which every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before access is granted. Microsoft defines three guiding principles of Zero Trust [23]:

Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

Use least privileged access. Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.

Assume breach. Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.

Microsoft approaches Zero Trust using a security layers approach, implementing Zero Trust across six foundational elements, or pillars:

Identity: identities can represent people, devices, services, or processes

Devices: the hardware accessing the organization's data

Applications: the interfaces by which data is consumed

Data: the ultimate goal is protection of data - it should remain safe even when it leaves the devices, applications, infrastructure, and networks that are controlled by the organization

Infrastructure: can include on-premise servers, cloud-based VMs, micro-services, etc.

Network: all data is accessed over a network infrastructure

As with the other organizations, the main focus is on the protection of data.

Google LLC

Google's BeyondCorp: BeyondCorp is an enterprise security model that Google published in 2014 as a practical application of Zero Trust. It protects access to Google's critical resources by implementing the following principles of Zero Trust [24]:

Perimeterless Design: Connecting from a particular network must not determine which services you can access. Instead, access depends solely on the credentials of the user and the device.

Context-Aware Access Policies: Access to services is granted based on what we know about you and your device.

Dynamic Access Controls: All access to services must be authenticated, authorized and encrypted based upon device state and user credentials.

The BeyondCorp architecture involves several concepts, such as Trust Tiers, which represent increasing levels of sensitivity, and Resources, an enumeration of all the applications, services, and infrastructure that are subject to access control. The architecture also includes fundamental components such as the Device Inventory Service, Trust Inferer, Access Control Engine, Access Policy, and Gateways that perform various authorization actions [24]-[26].
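To make the roles of the BeyondCorp components concrete, the following is an added example written for this review (it is not Google's code, nor code from the report): a toy access control engine in which a Device Inventory Service record feeds a Trust Inferer that assigns a trust tier, and an Access Control Engine grants access only when the user's credentials and the device's tier meet the resource's Access Policy, never consulting the network the request came from. It also illustrates the NSA "verify explicitly" idea from Section 2.1 of deriving one confidence level from several device attributes. The tier names, device attributes, resources, roles, and the policy table are all constructed assumptions.

```python
"""Toy BeyondCorp-style access control engine (added illustration only).

Components modelled: Device Inventory Service (INVENTORY), Trust Inferer
(infer_trust_tier), Access Policy (POLICY) and Access Control Engine (decide).
All records, tier names and policy entries are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class TrustTier(IntEnum):
    """Trust tiers of increasing sensitivity (assumed names and ordering)."""
    UNTRUSTED = 0
    BASIC = 1
    TRUSTED = 2
    HIGH = 3


@dataclass(frozen=True)
class DeviceRecord:
    """One Device Inventory Service row (constructed attribute set)."""
    device_id: str
    managed: bool            # enrolled in the organization's inventory
    cert_valid: bool         # device certificate presented and verified
    disk_encrypted: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_verified: bool
    device_id: str
    resource: str
    source_network: str      # carried along but never used for the decision


@dataclass
class Decision:
    allowed: bool
    tier: TrustTier
    reasons: List[str] = field(default_factory=list)


# Device Inventory Service: devices the organization knows about (constructed).
INVENTORY: Dict[str, DeviceRecord] = {
    "laptop-01": DeviceRecord("laptop-01", managed=True, cert_valid=True,
                              disk_encrypted=True, os_patch_age_days=3),
    "laptop-02": DeviceRecord("laptop-02", managed=True, cert_valid=True,
                              disk_encrypted=False, os_patch_age_days=90),
    "kiosk-07": DeviceRecord("kiosk-07", managed=False, cert_valid=False,
                             disk_encrypted=False, os_patch_age_days=400),
}

# Access Policy: minimum device tier and required role per resource (constructed).
POLICY: Dict[str, Tuple[TrustTier, str]] = {
    "wiki": (TrustTier.BASIC, "staff"),
    "hr-portal": (TrustTier.TRUSTED, "hr"),
    "prod-db": (TrustTier.HIGH, "sre"),
}


def infer_trust_tier(dev: Optional[DeviceRecord]) -> TrustTier:
    """Trust Inferer: fold several device attributes into one tier.
    Unknown, unmanaged or certificate-less devices get the lowest tier; the
    tier rises only as further health attributes check out."""
    if dev is None or not dev.cert_valid or not dev.managed:
        return TrustTier.UNTRUSTED
    tier = TrustTier.BASIC
    if dev.disk_encrypted:
        tier = TrustTier.TRUSTED
        if dev.os_patch_age_days <= 30:
            tier = TrustTier.HIGH
    return tier


def decide(req: Request) -> Decision:
    """Access Control Engine: deny by default; allow only when MFA, role and
    the inferred device tier all satisfy the resource's policy.  The source
    network is deliberately ignored (perimeterless design)."""
    reasons: List[str] = []
    tier = infer_trust_tier(INVENTORY.get(req.device_id))
    if req.resource not in POLICY:
        return Decision(False, tier, ["unknown resource"])
    min_tier, role = POLICY[req.resource]
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    if role not in req.roles:
        reasons.append(f"missing role {role}")
    if tier < min_tier:
        reasons.append(f"device tier {tier.name} below {min_tier.name}")
    return Decision(not reasons, tier, reasons)


if __name__ == "__main__":
    for r in [Request("alice", frozenset({"staff", "sre"}), True, "laptop-01", "prod-db", "public-wifi"),
              Request("alice", frozenset({"staff", "sre"}), True, "kiosk-07", "prod-db", "corporate-lan")]:
        d = decide(r)
        print(r.user, r.device_id, r.resource, "->", "ALLOW" if d.allowed else "DENY", d.reasons)
```

The two sample requests in the main block are the same user asking for the same resource: from an unknown network on a healthy managed laptop the request is allowed, while from the corporate LAN on an unmanaged kiosk it is denied, which is the perimeterless point in one run.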

Forrester Research Inc.

As stated earlier, John Kindervag of Forrester Research used the term Zero Trust to describe stricter information security programs and access control regardless of location. Forrester defines the following three fundamental concepts of their Zero Trust model [27]:

All resources must be verified and secure, regardless of their location

Access control must adopt a least privilege strategy and must be strictly enforced

All network traffic should be continuously inspected and logged.

Forrester recently introduced their Zero Trust eXtended (ZTX) framework, a conceptual and architectural framework for moving from a traditional, perimeter-based security model to one based on continuous verification of trust [13]. The framework is described as a security architecture and operations playbook [28]. ZTX should help enterprises make strategic decisions and map their technology to the implementation of a Zero Trust environment. The roadmap provides guidelines and considerations for implementing Zero Trust across all seven of its key pillars [29], which are:

Network: define logical boundaries around assets (e.g., segmentation) and isolation between these boundaries. Rethink boundaries so that they protect resources, not networks: segment around an application and its associated hosts, peers, and services.

Data: includes capabilities for data discovery and classification, data flow, data lifecycle, and associated threats.

People: focus is on identity and access management (IAM), multi-factor authentication (MFA), and least-privileged access for users.

Workload: primary focus is on cloud workloads.

Devices: ability to monitor, isolate, secure, control, and manage every device connected to the network at any given moment.

Visibility and Analytics: visibility and analytics capabilities that provide interaction between the five pillars above: for example, capabilities for visibility into the interaction between people, workloads, and data within the network across a multitude of devices.

Automation and Orchestration: unified protection and situational awareness is provided through use of automation, machine learning, and workflow orchestration.

American Council for Technology-Industry Advisory Council (ACT-IAC)

The ACT-IAC is a non-profit organization established to improve government through the effective and innovative application of technology forming a partnership between industry and government [30]. In their report, ACT-IAC defines Zero Trust as a strategic initiative that, together with an organizing framework, enables decision makers and security leaders to achieve pragmatic and effective security implementations [12].

In addition, ACT-IAC states that Zero Trust depends on five fundamental assertions:

The network is always assumed to be hostile

External and internal threats exist on the network at all times

Network locality is not sufficient for deciding trust in a network

Every device, user, and network flow is authenticated and authorized

Policies must be dynamic and calculated from as many sources of data as possible

It is of interest to note that ACT-IAC, as well as NIST, state that the purpose of a Zero Trust model is to protect the data [12], [18], and that for this reason a clear understanding of one's organization's data assets is critical in successfully implementing a Zero Trust architecture.

Moreover, ACT-IAC stresses that an organization needs to have a data management strategy in place that is based on a categorization of the data assets. To this end, unlike other organizations where data is one of the pillars, ACT-IAC's Zero Trust security model shows data as the foundational concept that their six pillars rest on to support a Zero Trust framework.

The six pillars that are defined by ACT-IAC are:

Users: refers to people/identity security

Device: real-time cybersecurity posture and trustworthiness of devices

Network: the perimeter is still a reality but is more granular. With Zero Trust, the perimeter is no longer at the network edge, but is a concept that segments and isolates critical data (from each other). This concept is discussed further in Section 4.1

Application: considerations for securing the application layer, compute containers, and virtual machines

Automation: security automation and orchestration

Analytics: use of advanced security analytics platforms, user behavior analytics and other data analytics systems for better situational awareness

The report also claims that Zero Trust solutions are widely available and currently in use in the private sector, and that there is no single holistic Zero Trust solution available from a single vendor. These statements tend to treat Zero Trust as a solution or set of implementations, rather than as a strategy, as is described in [18], [21], [22].

2.3 Zero Trust Efforts in OT

While consideration of Zero Trust in IT networks has been around for a while, the idea of applying it to OT is fairly new. For that reason, the few papers that do address this issue look at OT systems in general, without consideration of the unique characteristics that each OT system and domain area may have. For example, in their paper, Towards Zero Trust for Critical Infrastructure, Boumhaout et al. simply map the Google BeyondCorp components to a generic ICS network, proposing the use of microsegmentation and role-based access control without full consideration of the impact of implementing such solutions [31]. Their approach uses the Purdue model as a basis for their work and simply applies the Zero Trust pillars that they have identified. In fact, the pillars that they identify are actual technologies, not essential elements or pillars as described in other literature. For example, the paper states that microsegmentation is a pillar of Zero Trust. The difference in their approach, compared to the Google BeyondCorp model, is that they examine a device trying to access an ICS resource, rather than a human user. They also propose a model where every device and resource is segregated, even from those that are in the same level. Another limitation of this approach is that they take the Zero Trust principles and pillars that were created for IT systems and apply them to an OT system without due consideration of the unique aspects of OT systems, such as the lengthy lifespans of legacy OT devices, the limited security features of OT protocols and devices, the power and timing constraints of OT systems and devices, and the availability requirements of OT systems.

In Augmenting Zero Trust Network Architecture to enhance security in virtual power plants, Alagappan et al. suggest the use of a Zero Trust network architecture for enhancing security in virtual power plants [32]. Virtual power plants, as defined in [32], are multiple distributed energy resources, such as generators, that can be combined for the purpose of enhancing power generation. Alagappan et al. state that energy systems will adopt advanced technologies to monitor grids, control sensors, and apply data analytics for controls. They propose the deployment of a Zero Trust-based security architecture to address these concerns. Their strategy for Zero Trust deployment includes, as a first step, device inventory, which is a continuous process and requires continuous monitoring. After a device is identified, its trust level is assessed, and this trust level is the basis for access decisions according to specified access policies. They focus on a specific way of implementing and adopting Zero Trust in virtual power plants using existing strategies.

Another Microsoft white paper, Zero Trust for IoT, discusses application of Zero Trust for IoT [33]. In Section 4.2 of this paper, the authors will refer to specific content of this Microsoft paper to discuss application of Zero Trust to OT.

This section of the paper has described the Zero Trust efforts of various organizations. Here is a summary of the common themes when applying the current Zero Trust approaches documented in this literature review:

Data is considered important and is often described as a pillar to be considered separately when applying Zero Trust concepts

There is a need to identify the users accessing protected devices and how these users are accessing devices (via networks using services and applications)

There is a need to have an accurate inventory of devices and networks

Network visibility for monitoring, assessment, and access control is a primary component of Zero Trust.

Even though the various Zero Trust efforts contain common themes, each individual Zero Trust approach reviewed and presented in this section emphasizes some aspects (e.g., data, identity, devices, network) over other aspects, such as automation and applications. This use of common Zero Trust themes with varying emphasis and priorities will be applicable to Zero Trust in OT environments and is discussed further in Section 4.

3. SMRs and Advanced Reactors

In SECY-20-0032 (ADAMS Accession No. ML19340A056), the NRC defines advanced nuclear reactors as a nuclear fission or fusion reactor, including a prototype plant, with significant improvements compared to commercial nuclear reactors under construction [34]. The SECY paper goes on to describe those improvements to include additional inherent safety features, significantly lower levelized cost of electricity, lower waste yields, greater fuel utilization, enhanced reliability, increased proliferation resistance, increased thermal efficiency and the ability to integrate into electric and nonelectric applications. While there may be increased safety features, the adoption of emerging technologies may create new attack surfaces and novel cybersecurity risks that must be investigated.

In general, the reactor designs that are currently seeking or expecting to seek NRC certification can be categorized as Small Modular Reactors (SMRs) / Microreactors or as non-Light Water Reactor (non-LWR) designs. This section gives a brief overview of a few of these reactor designs.

3.1 Overview of Select Reactor Designs

SMRs / Microreactors

This category of advanced reactor is not distinguished by a unique reactor type, but by portability and output. As such, SMRs and microreactors can be light water reactors or utilize a different reactor technology. Microreactors produce 50 megawatts electric (MWe) or less, while SMRs may produce 50 to 300 MWe. Both reactor types are expected to be able to be produced quickly, and often fueled within a factory environment. They are readily transportable to remote areas and are often designed to be replaced on site with a complete, freshly fueled reactor rather than conducting on-site refueling.

Many of these will rely on new digital instrumentation and control systems, employ remote and autonomous control, have increasingly complex digital supply chains, and even utilize cloud computing [35].

Molten Salt Reactors (MSRs)

MSRs encompass reactor designs that utilize molten salt for either cooling or as a coolant/fuel mixture. Molten salt cooled reactors are conceptually similar to LWR designs, with solid nuclear fuel being cooled by a liquid. In this case, however, molten salt is used as a coolant rather than water. MSRs that utilize the molten salt as fuel are an entirely different technology. In molten salt fueled reactors, the nuclear fuel (uranium, or in some cases thorium) is dissolved in the salt mixture and circulated through the reactor core, acting as both fuel and coolant. In a thermal spectrum design, the core contains graphite control rods, whereas in a fast spectrum design radioactivity is controlled by the formulation of the molten salt fuel. Liquid fuel provides the advantage of inline refueling and waste processing. Inherent safety features of MSR designs are twofold. First, reactivity naturally decreases as the temperature of the liquid fuel increases, as a result of expansion. Second, many designs incorporate a freeze plug at the bottom of the core that melts upon a significant temperature increase. Once the freeze plug melts, the liquid fuel drains by gravity into a holding tank system designed to control the latent reactivity.

MSRs will also employ remote operations and monitoring technologies. According to [36], the distinctive aspect of the cybersecurity of an MSR's remote operations and monitoring system is the inaccessibility of the sensors and cabling due to high background radiation. Additional cybersecurity concerns include spoofing of sensor data and the threat of falsified safety inspections, both of which can increase with the use of remote operation technologies.

High-Temperature Gas-Cooled Reactors (HTGRs)

HTGRs utilize Tristructural Isotropic (TRISO) fuel, in either a prismatic block or pebble bed configuration, which is cooled by inert gas (usually helium). TRISO fuel, also used in molten salt cooled reactors and some microreactors, is formed by uranium particles that are coated with three layers of carbon and ceramic based materials. These poppy-seed-sized particles are then suspended in a pyrocarbon and silicon carbide matrix and formed into prismatic blocks or tennis-ball-sized pebbles. This tristructural format helps prevent the release of fission products and helps control heat. Theoretically, the materials that suspend the fuel in these blocks or pebbles are able to withstand temperatures higher than the theoretical maximum temperatures that these reactors can reach, ostensibly creating a fuel that cannot melt down.

In their paper, Using Wireless Sensor Networks to Achieve Intelligent Monitoring for High-Temperature Gas-Cooled Reactor, Li et al. discuss three concerns regarding the use of wireless technologies in HTGRs - wireless device interference, the cybersecurity of the wireless networks themselves, and the security of the wireless standard selected for the wireless platform [37]. While the scope of the work was HTGRs, these wireless issues will be applicable to the other reactor technologies within the scope of this research.

Liquid Metal Cooled Fast Reactors (LMFRs)

LMFRs can be divided into two types based on coolant. They can be either liquid sodium cooled or liquid lead cooled reactors. These reactors operate in the fast spectrum because liquid metal does not moderate neutrons as well as water. The advantages of their use in reactors are the high heat conductivity of the coolant and that they operate at relatively low pressures compared to LWRs. Additionally, LMFRs can use a variety of fuels and can be designed in a breeder configuration to create a self-sustaining plant that can theoretically refuel itself.

Similar to the other advanced reactor technologies, LMFRs can also use remote monitoring and wireless technologies within the power plants, leading to the same cybersecurity concerns discussed above.

3.2 Security Considerations

The Nuclear Energy Innovation and Modernization Act (NEIMA, Public Law 115-439), signed into law in January 2019, requires the NRC to complete a rulemaking to establish a technology-inclusive regulatory framework for optional use for commercial advanced nuclear reactors no later than December 2027 [38]. The term technology-inclusive regulatory framework means a regulatory framework developed using methods of evaluation that are flexible and practicable for application to a variety of reactor technologies, including, where appropriate, the use of risk-informed and performance-based techniques and other tools and methods. 10 CFR 73.110 will define technology neutral requirements for protection of digital computer and communication systems and networks [34]. Each licensee of a commercial nuclear reactor under 10 CFR part 53 shall establish, implement, and maintain a cybersecurity program that is commensurate with the potential consequences resulting from cyberattacks, up to and including the design basis threat as described in 10 CFR 73.1 [39]. The cybersecurity program must provide reasonable assurance that digital computer and communication systems and networks are adequately protected against cyberattacks that are capable of causing the following consequences:

adversely impacting the functions performed by digital assets that would lead to offsite radiation hazards that would endanger public health and safety

adversely impacting the functions performed by digital assets used by the licensee for implementing the physical security requirements

While specific security vulnerabilities will be design dependent, there are trends in advanced reactor design that may indicate future security concerns. For example, advanced reactor designs that have been made public at this time have included increased use of digital instrumentation and control (I&C), wireless technology, remotely operated reactors, autonomously operated reactors, and digital twins [40].

Some of these technologies, notably increased digital I&C and use of wireless technologies, may result in an increased attack surface that could be exploited by adversaries. Additionally, the reduced physical footprints of owner controlled areas needed for smaller reactors and minimal staffing may create potential difficulties with the introduction of wireless networks. A shorter standoff distance could ease the burden on adversaries who are intent on disrupting, intercepting or spoofing a wireless signal.

It is also important to note that existing nuclear reactor regulation is predicated on the notion that the control room is geographically adjacent to the reactor that is being controlled and typically is dedicated to controlling a single reactor. With remote operation concepts being proposed by some advanced reactor designs, the possibility exists that a control room may be used to control numerous smaller reactors from a location hundreds of miles away. Unless dedicated cabling is used in this instance, there are significant regulatory and security challenges for remote operation of multiple reactors.

A characterization of remote monitoring or operation of protected devices at an NPP is that an associated user or network is not within the owner controlled area as defined in 10 CFR 73.55(e)(6), which states that the licensee shall establish and maintain physical barriers in the owner controlled area as needed to satisfy the physical protection program design requirements of § 73.55(b) [39]. Many advanced reactor designs may rely to some extent on remote monitoring to monitor safety and security functions. Remote monitoring can be used to perform or replace activities that would either be time consuming or challenging (i.e., unsafe or difficult) for humans to perform. However, there are potential security challenges with remote monitoring and operation of devices at NPPs. The confidentiality and need-to-know requirements of safeguards information (SGI) regarding the physical protection of operating power reactors must be maintained. In addition, the integrity and availability requirements in 10 CFR 73.54(a)(2) for the systems and networks used for remote access must be assured.

The security models of operating NPPs illustrated in Figures 1 and 2 will not be sufficient to address the security concerns of advanced reactors and SMRs if they employ new or advanced digital technologies such as remote monitoring and operations, wireless, and drones, which are different from the current analog technologies associated with LLWRs.

This may also require significantly different Cyber Security Program (CSP) implementations than those used in currently operating NPPs. CSPs of older NPPs rely heavily on physical security and prohibit use of wireless technology or remote access for devices associated with safety and security functions.

4. Proposed Zero Trust Framework for OT at Nuclear Facilities

The previous sections introduced the background information required for this research: the concept of Zero Trust and how it is defined and modeled by different agencies and organizations, the high-level considerations of applying Zero Trust to an OT environment, and an overview of SMRs and advanced reactor technologies. Based on this, this section discusses the authors' concept of Zero Trust and its applicability to SMRs and advanced reactors with advanced Digital Instrumentation and Controls (DI&C) technology.

4.1 Challenges of applying Zero Trust to OT

While consideration of Zero Trust in IT networks is not novel, as can be seen from the literature, the idea of applying it to OT is fairly new. For that reason, the few papers that do address this issue look at OT systems in general, without consideration of the unique characteristics that each OT system and domain area may have. For example, [41] simply maps the Google BeyondCorp components to a generic ICS network and proposes the use of microsegmentation and role-based access control without full consideration of the impact of implementing such solutions.

Traditional OT systems are characterized by devices with decades-long life cycles, as opposed to IT systems with much shorter life spans. Sensitive devices cannot be scanned easily or patched frequently due to potential safety risks. These devices generally also lack basic cybersecurity features such as authentication and encryption. The Microsoft white paper, Zero Trust for IoT, reviews the aspects of IoT that distinguish the application of Zero Trust when compared to IT. While IoT is, strictly speaking, not ICS, there are some commonalities worth exploring. The white paper defines five key capabilities required to implement a Zero Trust security model for IoT: strong identity, least privileged access, device health, continual updates, and security monitoring & response. In particular, the paper examines the technical characteristics of IoT that should be considered when applying a Zero Trust security model. As many future nuclear power plant systems may share these characteristics, they are reproduced here and discussed briefly:

IoT devices are userless and run automated workloads: for nuclear DI&C systems, this implies that the user of the device is actually the device itself

IoT device platforms are varied and integrate into an aging infrastructure: devices run on a mixture of operating systems, using many different communication protocols, and are expected to last 10 or more years, resulting in a network composed of devices that cannot be (easily) updated.

Many IoT devices have limited capability and connectivity: this can be due to the device characteristics themselves, or network constraints such as lack of wireless, air-gapping, or use of a data diode. These constraints may limit the type of security controls or Zero Trust services that the devices can support.

IoT devices can be high-value targets

IoT devices can be exposed to physical or local attack: even when isolated from the network, devices are exposed to insider threats.

Note that Microsoft's IoT concepts for Zero Trust focus on devices and not data, unlike the emphasis on data in Zero Trust for IT systems. For this reason, and because of lessons learned during the implementation of cybersecurity plans at nuclear power plants, it is logical to develop a Zero Trust model for OT (with applicability to nuclear power plants and IoT) rather than adapt an IT based Zero Trust framework for OT. This includes taking the definition of Zero Trust and considering what it means within an OT system.

Zero Trust Networks are sometimes described as perimeterless; however, this is a bit of a misnomer. Zero Trust Networks actually attempt to move perimeters in from the network edge and to segment and isolate critical data from other data or functions. For OT networks, this would map to segmentation and isolation of critical functions. The perimeter is still a reality, albeit in much more granular ways. The traditional infrastructure firewall perimeter, the castle and moat approach, is not sufficient [12]. The perimeter must move closer to what it is trying to protect - in our case SSEP systems and assets. One way to achieve this is to draw logical segmentation boundaries around high-value facility systems and assets, and to increase the isolation between segments. An illustration of this technique is shown in Figure 3, taken from IAEA NSS 17-T (rev. 1) Computer Security Techniques for Nuclear Facilities [42].

Figure 3 - Use of security zones and levels in a nominal NPP defensive architecture [reproduced from IAEA NSS 17-T (rev. 1) Computer Security Techniques for Nuclear Facilities]

In IAEA NSS 17-T rev 1, a computer security level is a designation that indicates the degree of security protection required for a facility function and consequently for the system that performs that function. A computer security zone is a logical and/or physical grouping of digital assets that are assigned to the same computer security level and that share common computer security requirements owing to inherent properties of the systems or their connections to other systems (and, if necessary, additional criteria). The use of computer security zones is intended to simplify the administration, communication and application of computer security measures. This use of security levels and zones in the proposed Zero Trust defensive architecture is similar to the concept of trust tiers used in Google's BeyondCorp architecture [25]. For the defensive architecture to be defined in Task 2 of this project, a proposed Zero Trust Architecture may make use of the security levels and zones identified in IAEA guidance to draw logical segmentation boundaries around high-value facility systems and assets.
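As an added illustration of the zone and level concepts (written for this review; it is not code from the report or from IAEA NSS 17-T), the following checker groups assets into computer security zones, assigns each zone a computer security level, and treats traffic crossing a zone boundary as deny-by-default: a flow is permitted only when an explicit rule matches. It also lints the rule set for rules that let a less protected zone initiate into a more protected one, which is the kind of boundary the text says should move closer to the SSEP assets. The zone names, the convention that level 1 is the most protected, the rule set, the protocol/port values and the sample flows are all constructed assumptions.

```python
"""Zone/level segmentation checker (added illustration only).

Assets -> zones -> levels; cross-zone flows are denied unless an explicit
Rule matches.  Level 1 is the most protected zone in this example (an assumed
convention, not a statement of IAEA guidance).  All data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    level: int               # 1 = most protected, larger = less protected (assumed)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


@dataclass(frozen=True)
class Flow:
    src_asset: str
    dst_asset: str
    proto: str
    port: int


# Constructed zones, asset-to-zone assignment and explicit allow rules.
ZONES: Dict[str, Zone] = {z.name: z for z in [
    Zone("safety-plc", 1), Zone("control-hmi", 2),
    Zone("historian-dmz", 3), Zone("corporate", 4)]}

ASSET_ZONE: Dict[str, str] = {
    "plc-rx-01": "safety-plc", "plc-rx-02": "safety-plc",
    "hmi-03": "control-hmi", "hist-01": "historian-dmz",
    "ws-eng-12": "corporate",
}

RULES: List[Rule] = [
    Rule("safety-plc", "control-hmi", "tcp", 502),      # PLC pushes to HMI
    Rule("control-hmi", "historian-dmz", "tcp", 4840),  # HMI pushes to historian
    Rule("corporate", "historian-dmz", "tcp", 443),     # corporate reads historian
]

# Constructed sample of observed flows (as a firewall log would yield).
SAMPLE_FLOWS: List[Flow] = [
    Flow("plc-rx-01", "hmi-03", "tcp", 502),
    Flow("hmi-03", "plc-rx-01", "tcp", 502),
    Flow("ws-eng-12", "plc-rx-01", "tcp", 502),
    Flow("plc-rx-01", "plc-rx-02", "tcp", 502),
    Flow("rogue-ap", "hmi-03", "tcp", 80),
]


def zone_of(asset: str) -> Optional[Zone]:
    """Look up the zone an asset is assigned to; None if it is not inventoried."""
    name = ASSET_ZONE.get(asset)
    return ZONES.get(name) if name else None


def evaluate_flow(flow: Flow, rules: Sequence[Rule] = RULES) -> Tuple[bool, str]:
    """Deny-by-default decision for one flow, with the reason."""
    src, dst = zone_of(flow.src_asset), zone_of(flow.dst_asset)
    if src is None or dst is None:
        return False, "unknown asset (not in inventory)"
    if src.name == dst.name:
        return True, f"intra-zone ({src.name})"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.port) == (src.name, dst.name, flow.proto, flow.port):
            return True, f"rule {r.src_zone}->{r.dst_zone} {r.proto}/{r.port}"
    return False, f"no rule for {src.name}->{dst.name} {flow.proto}/{flow.port}"


def audit_rules(rules: Sequence[Rule] = RULES) -> List[str]:
    """Flag rules that let a less protected zone initiate into a more protected one."""
    findings = []
    for r in rules:
        s, d = ZONES[r.src_zone], ZONES[r.dst_zone]
        if s.level > d.level:
            findings.append(f"{s.name} (level {s.level}) -> {d.name} (level {d.level}) "
                            f"{r.proto}/{r.port}: flow toward a more protected zone, needs justification")
    return findings


def summarize(flows: Sequence[Flow]) -> Dict[str, int]:
    """Count allowed and denied flows in a batch."""
    counts = {"allowed": 0, "denied": 0}
    for f in flows:
        ok, _ = evaluate_flow(f)
        counts["allowed" if ok else "denied"] += 1
    return counts


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        ok, why = evaluate_flow(f)
        print("ALLOW" if ok else "DENY ", f.src_asset, "->", f.dst_asset, f"{f.proto}/{f.port}", why)
    for finding in audit_rules():
        print("AUDIT", finding)
```

Note that the unknown-asset case is denied rather than passed through; an asset that is not in the inventory cannot be placed in a zone, so it gets no trust, which ties segmentation back to the visibility theme of the literature review.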

4.2 Proposed Zero Trust Principles and Framework for OT

The proposed Zero Trust principles for OT environments at nuclear facilities are very close to the DoD tenets, with some insights and adjustments:

Assume Hostile Environment - licensees tend to assume that beyond the data diode everything is secure, and tend to minimize the risk posed by malicious insiders.

Presume Breach - this may be the most difficult mind-set challenge for operators of nuclear facilities but is absolutely necessary for Zero Trust.

Never Trust, Always Verify

Scrutinize Explicitly

The Zero Trust framework consists of pillars that uphold Zero Trust principles. Because this framework is to be used for digital systems associated with operational technology, the authors selected the essential elements, or pillars, of Zero Trust to be those essential to performing a safety, security, or emergency preparedness function. While Zero Trust principles should extend to every aspect of the architecture, in nuclear power plants it fundamentally begins with knowing what assets are in the network and who is interacting with the identified assets. All other characteristics of the various Zero Trust frameworks, usually defined as pillars by other organizations - such as identity, data, application, analytics - are derived from or are associated with one or more of the proposed essential pillars of Zero Trust for nuclear security.

In defining the essential pillars of a Zero Trust framework for nuclear security, the principle of a graded approach will be used. A graded approach based on consequences is intended to account for the differing risk levels within reactor technologies. Also, based on the literature review and their expertise, the authors determined that the foundational basis of any Zero Trust framework to be developed should be complete visibility into the devices, users and systems in an organization. Lastly, the framework leverages the experience and lessons learned from CSP implementations at operating nuclear power plants. Designers and operators of nuclear power plants must 1) identify devices associated with safety, security, or emergency preparedness functions, 2) identify users who will interact with the devices, 3) identify the network used by users to interact with the devices, and 4) protect the safety, security, and emergency preparedness functions according to NRC regulations (such as 10 CFR 73.54 [43] and 73.55 [44]). Based on this, the authors identified the following pillars for Zero Trust in NPPs:

The three essential pillars of a Zero Trust framework for nuclear security are devices, users, and networks. This is illustrated in Figure 4.

Figure 4. Essential Pillars and Major Sub-Elements in a Zero Trust Framework for Nuclear Facilities

Device

A necessary criterion in the definition of a device in the Zero Trust framework for OT is that it is a hardware asset that can connect to a network, following the definition of device in the CISA Zero Trust Maturity Model [21].

Current nuclear security guidance focuses on identifying critical digital assets (CDAs). CDAs are the highest-valued assets that, if compromised, could cause adverse impact to the safety and/or security functions of an NPP. OT manages the operation of physical processes and the machinery used to perform functions. For this reason, another necessary criterion for a device in Zero Trust for nuclear facilities is that it performs or is associated with SSEP functions. Identification of the critical safety, security, and emergency preparedness functions should address the special requirements for nuclear facilities. To effectively implement Zero Trust, in addition to identifying CDAs, the critical data, applications, and functions associated with the CDAs must be identified. This identification of critical data, (digital) assets, applications, and functions can be referred to by the acronym DAAF. DAAF is analogous to the Resources defined in Google's BeyondCorp architecture and to NSA's DAAS [25].

In addition to CDAs that may perform an SSEP function, it is necessary to identify devices that can act as a user within the digital system. As an example, an automated process may run on a device that communicates with, monitors, and/or operates a CDA. These devices that can run processes or act as proxies for a human user should be identified.

Devices such as drones can be remote and operate outside of the owner controlled area.

User

Users can be humans or non-person entities as defined in NIST SP 800-207 [18]. Users must be properly identified and authenticated. Users have associated identities, applications, data, and functions/roles.

The users of concern from a Zero Trust perspective are the users that have a relationship with a device that operates within the NPP's operator controlled area. If a user does not have a relationship with a device that operates within the NPP's operator controlled area, then the user is not performing or affecting an SSEP function, and therefore the actions of that user are not relevant within the Zero Trust framework. A user is not limited to a local user; it can be remote, such as a human or device in a Security Operations Center outside of the owner controlled area.

Network

Communication networks have associated identities, applications, data, and functions. Physical access is considered a network in this Zero Trust framework. Automation can be used to reorganize communication traffic within a network with limited or no human intervention.

Identity, data, application, and automation sub-elements can be applicable for all three essential pillars of the Zero Trust framework for OT. In particular, data will be tracked and analyzed for situational awareness and trust algorithms. Automation is applicable for any critical function (e.g., safety, security, or emergency preparedness) at a nuclear facility.

Limiting the essential pillars of Zero Trust for nuclear security to these three elements will allow system developers and operators to identify and focus first on the most important things from a risk-informed security perspective. This scoping criterion is based on lessons learned from the implementation of cybersecurity plans at U.S. nuclear power plants.

If the inventory of devices, the list of user categories, and the networks supported are not accurately captured, it will be difficult to determine the completeness and effectiveness of the implemented Zero Trust. While the literature reviewed in this paper highlights the importance of data in a Zero Trust framework, this work, while recognizing the importance of data protection, does not treat data as a Zero Trust pillar: only data that is associated with a device performing a safety or security function, or with a network or user interfacing with that device, is relevant to the Zero Trust framework. All entities other than device, network, and user that are defined as pillars in the alternate Zero Trust efforts discussed in Section 2 of this paper are listed as sub-elements of the essential pillars in this proposed Zero Trust for nuclear facilities. The relevance of the sub-elements in the Zero Trust framework is due to their association with one or more essential pillars.

The DoD Zero Trust framework and this paper's proposed Zero Trust framework for nuclear facilities will both be used in high security, mission critical environments. However, the proposed Zero Trust framework focuses on protecting critical functions in OT systems, in contrast to the DoD Zero Trust framework, which focuses on protecting data in IT systems.

Figure 5 illustrates the use of the proposed Zero Trust framework using a simple programmable logic controller (PLC) implementation example. The pump would perform a function within a safety system at an NPP; thus it would be designated as an essential element of type device.

The PLC (an essential element of type user that is itself a device) communicates with the pump via Profibus, which is a network essential element. Additional user essential elements can be identified as a human user via the PLC HMI (where the network is physical proximity) or as a device (an engineering workstation or data historian) via a local area network carrying Industrial Ethernet traffic. Data, application, and identity are associated with all essential pillars. Automation, depending on applicability, may be associated with an essential pillar. In this example, an automated process may exist in the PLC or at the engineering workstation.

Figure 5 - PLC Control System Implementation Example
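The scoping rules above (devices in scope when they perform or support an SSEP function, users in scope only through a relationship with such a device, physical access treated as a network, and an inventory completeness check) can be exercised on the Figure 5 PLC example. The following is an added illustration, not code from the report or the NRC; all device, user and network names are constructed, and the closure rule that a device acting as a user of a CDA is itself brought into scope as a device is an assumption of this example.

```python
# Scoping check for the device/user/network pillars, modelled on the Figure 5 PLC
# example. Added illustration, not NRC code; every name below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    ssep_function: bool         # CDA: performs or supports a safety/security/EP function
    acts_as_user: bool = False  # identified as able to run processes or proxy a human

@dataclass(frozen=True)
class Link:                     # subject (human or device) interacts with device over network
    subject: str
    device: str
    network: str                # physical access counts as a network, e.g. "physical-proximity"

def scope_zero_trust(devices, humans, links):
    """Return in-scope device/user/network sets and the inventory gaps found."""
    inv = {d.name: d for d in devices}
    known = set(inv) | set(humans)
    in_dev = {n for n, d in inv.items() if d.ssep_function}
    in_usr, in_net, gaps = set(), set(), set()
    for lk in links:                         # inventory completeness check
        gaps |= {f"not inventoried: {e}" for e in (lk.subject, lk.device) if e not in known}
    while True:                              # fixed point over the relationship graph
        before = (len(in_dev), len(in_usr), len(in_net))
        for lk in links:
            if lk.device not in in_dev or lk.subject not in known:
                continue                     # no tie to an SSEP device: out of scope
            in_usr.add(lk.subject)
            in_net.add(lk.network)
            if lk.subject in inv:            # a device acting as user of a CDA is itself
                in_dev.add(lk.subject)       # associated with that function (assumed closure)
                if not inv[lk.subject].acts_as_user:
                    gaps.add(f"{lk.subject} acts as a user of {lk.device} but is not identified as one")
        if before == (len(in_dev), len(in_usr), len(in_net)):
            break
    linked = {lk.device for lk in links}
    gaps |= {f"no relationship inventoried for CDA {n}" for n, d in inv.items()
             if d.ssep_function and n not in linked}
    return {"devices": in_dev, "users": in_usr, "networks": in_net, "gaps": gaps}

DEVICES = [Device("feedwater-pump", True), Device("plc-01", False, True),
           Device("eng-workstation", False, True), Device("data-historian", False),
           Device("diesel-gen-controller", True), Device("visitor-kiosk", False)]
HUMANS = {"operator-jdoe", "soc-analyst", "vendor-rep"}
LINKS = [Link("plc-01", "feedwater-pump", "profibus"),
         Link("operator-jdoe", "plc-01", "physical-proximity"),
         Link("eng-workstation", "plc-01", "industrial-ethernet-lan"),
         Link("data-historian", "plc-01", "industrial-ethernet-lan"),
         Link("soc-analyst", "eng-workstation", "remote-vpn"),      # remote user outside the OCA
         Link("vendor-rep", "visitor-kiosk", "corporate-wifi"),      # no SSEP tie: out of scope
         Link("contractor-laptop", "plc-01", "industrial-ethernet-lan")]  # not inventoried
```

Running `scope_zero_trust(DEVICES, HUMANS, LINKS)` pulls the remote SOC analyst and the VPN into scope only because the workstation they reach is a user of the PLC, leaves the kiosk and its visitor out, and reports the three inventory gaps.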


5. Conclusion and Next Steps

This report summarized a literature review of Zero Trust for IT and OT systems in Section 2.

Section 3 provided a high-level introduction to several reactor designs and discussed the security considerations for SMRs and advanced reactor designs that may contain systems that make use of wireless technologies, remote monitoring and access, robotics, and drones. Use of such technologies will require a different defensive security approach than what is currently implemented at operating nuclear power plants, which rely heavily on physical security and the presence of experienced, well-trained human staff.

Section 4 proposed a set of principles and an initial Zero Trust framework for OT applicable to nuclear facilities, based on NRC regulations and on lessons learned over the past decade of licensees' CSP implementations. The framework includes Devices, Users, and Network as its pillars. A Zero Trust framework for OT at NPPs can address some of the security challenges of deploying new and emerging technologies. Leveraging aspects of the literature review, the Zero Trust framework for OT focuses on protection of critical functions, in contrast to data protection in IT systems. The next phases of work for this Zero Trust effort will provide more details of the framework postulated in Section 4 and propose an architecture to be used for implementing the framework. Future work will also discuss strategies for implementing the ZTA.

An overview of the work to be performed in this future focused research is shown in Figure 6.

Figure 6 - Zero Trust Overview


6. References

[1] Fortinet, Information Technology (IT) vs. Operational Technology (OT) Cybersecurity. https://www.fortinet.com/resources/cyberglossary/it-vs-ot-cybersecurity (accessed Aug. 01, 2022).

[2] F. Zhang, Cybersecurity Solutions for Industrial Control Systems and Key Equipment, Doctoral Dissertation, University of Tennessee, Knoxville, 2019. [Online]. Available: https://trace.tennessee.edu/utk_graddiss/5763

[3] J. Beardsley, NRC Cyber Security Regulatory Overview, presented at the State Liaison Officers Conference, Rockville, MD, Sep. 26, 2017. [Online]. Available: ADAMS Accession No. ML17278A744

[4] U.S. Nuclear Regulatory Commission, Cyber Security Programs for Nuclear Facilities, Revision 0, Washington, DC, Regulatory Guide (RG) 5.71, Jan. 2010. [Online]. Available: ADAMS Accession No. ML090340159

[5] E. Gilman and D. Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks, First edition. Sebastopol, CA: O'Reilly, 2017.

[6] Check Point, From SolarWinds to Log4j: The global impact of today's cybersecurity vulnerabilities, Apr. 05, 2022. https://blog.checkpoint.com/2022/04/05/from-solarwinds-to-log4j-the-global-impact-of-todays-cybersecurity-vulnerabilities/ (accessed Jul. 20, 2022).

[7] H. Solomon, 2021: A crazy mess: Cybersecurity year in review and a look ahead, IT World Canada, Dec. 31, 2021. Accessed: Jul. 03, 2021. [Online]. Available: https://www.itworldcanada.com/article/2021-a-crazy-mess-cybersecurity-year-in-review-and-a-look-ahead/469389

[8] R. Lakshmanan, Watering Hole Attack Was Used to Target Florida Water Utilities, The Hacker News, May 20, 2021. https://thehackernews.com/2021/05/watering-hole-attack-was-used-to-target.html (accessed Jul. 03, 2022).

[9] C. Cunningham, A Look Back At Zero Trust: Never Trust, Always Verify, Forrester, Aug. 24, 2020. https://www.forrester.com/blogs/a-look-back-at-zero-trust-never-trust-always-verify/ (accessed Nov. 03, 2021).

[10] K. M. Lawson-Jenkins and F. De Peralta, Consideration Of Cybersecurity Risks With The Use Of Emerging Technologies, in The INMM 61st Annual Meeting, Virtual, Jul. 2020.

[11] A. Kerman, Zero Trust Cybersecurity: Never Trust, Always Verify, NIST Taking Measure, Oct. 28, 2020. https://www.nist.gov/blogs/taking-measure/zero-trust-cybersecurity-never-trust-always-verify (accessed Aug. 01, 2022).

[12] ACT-IAC, Zero Trust Cybersecurity Current Trends, American Council for Technology-Industry Advisory Council (ACT-IAC), Apr. 2019. Accessed: Jun. 14, 2021. [Online]. Available: https://www.actiac.org/zero-trust-cybersecurity-current-trends

[13] J. Kindervag and S. Balaouras, No more chewy centers: Introducing the zero trust model of information security, Forrester Res., vol. 3, 2010.

[14] Department of Defense (DoD), The DoDAF Architecture Framework Version 2.02, Aug. 2010. https://dodcio.defense.gov/Library/DoD-Architecture-Framework/ (accessed Jul. 14, 2022).

[15] Executive Office of the President, Executive Order No. 14028, Improving the Nation's Cybersecurity, vol. 86, 2021, pp. 26633-26647.

[16] The White House, Office of Management and Budget Releases Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture, Washington, DC, Press Release, Jan. 2022. Accessed: Feb. 10, 2022. [Online]. Available: https://www.whitehouse.gov/omb/briefing-room/2022/01/26/office-of-management-and-budget-releases-federal-strategy-to-move-the-u-s-government-towards-a-zero-trust-architecture/

[17] Office of Management and Budget, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, White House, Memorandum M-22-09, Jan. 2022. Accessed: Jan. 26, 2022. [Online]. Available: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf

[18] S. Rose, O. Borchert, S. Mitchell, and S. Connelly, Zero Trust Architecture, National Institute of Standards and Technology, Gaithersburg, MD, NIST Special Publication (SP) 800-207, Aug. 2020. doi: 10.6028/NIST.SP.800-207.

[19] S. Rose, Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators, National Institute of Standards and Technology, Gaithersburg, MD, NIST White Paper CSWP 20, May 2022. Accessed: Aug. 02, 2022. [Online]. Available: https://doi.org/10.6028/NIST.CSWP.20

[20] Joint Task Force, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, National Institute of Standards and Technology, Gaithersburg, MD, NIST Special Publication (SP) 800-37 Rev. 2, Dec. 2018. doi: 10.6028/NIST.SP.800-37r2.

[21] Cybersecurity and Infrastructure Security Agency (CISA), Zero Trust Maturity Model, Jun. 2021.

[22] National Security Agency (NSA), Embracing a Zero Trust Security Model, NSA, Fort Meade, MD, U/OO/115131-21, PP-21-0191, Feb. 2021. Accessed: Jun. 10, 2021. [Online]. Available: https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF

[23] Microsoft, Zero Trust Maturity Model.

[24] R. Ward and B. Beyer, BeyondCorp: A New Approach to Enterprise Security, 2014.

[25] B. Osborn, J. McWilliams, B. Beyer, and M. Saltonstall, BeyondCorp: Design to Deployment at Google, 2016.

[26] B. Spear, L. Cittadini, and M. Saltonstall, BeyondCorp: The Access Proxy, 2016.

[27] J. Kindervag, Build Security Into Your Network's DNA: The Zero Trust Network Architecture, Forrester Res. Inc., vol. 27, 2010.

[28] S. Turner et al., A Practical Guide to a Zero Trust Implementation. Roadmap: The Zero Trust Security Playbook, Forrester, Corporate Report, March 3, 20201.

[29] D. Holmes, J. Burn, A. Mellen, and J. Pollard, OMB's Zero Trust Strategy: Government Gets Good, Forrester, Feb. 01, 2022. https://www.forrester.com/blogs/ombs-zero-trust-strategy-government-gets-good/ (accessed Aug. 03, 2022).

[30] ACT-IAC, ACT-IAC At a Glance. https://www.actiac.org/act-iac-glance (accessed Aug. 03, 2022).

[31] E. B. Boumhaout and A. S. Danielsen, Towards Zero Trust For Critical Infrastructure: Rethinking The Industrial Demilitarized Zone, 2020.

[32] A. Alagappan, S. K. Venkatachary, and L. J. B. Andrews, Augmenting Zero Trust Network Architecture to enhance security in virtual power plants, Energy Rep., vol. 8, pp. 1309-1320, Nov. 2022, doi: 10.1016/j.egyr.2021.11.272.

[33] Microsoft, Zero Trust Cybersecurity for Internet of Things, White Paper, Apr. 2021. Accessed: Sep. 03, 2021. [Online]. Available: https://azure.microsoft.com/en-us/resources/zero-trust-cybersecurity-for-the-internet-of-things/

[34] U.S. Nuclear Regulatory Commission, Rulemaking Plan on Risk Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors (RIN-3150-AK31; NRC-2019-0062), Commission Report SECY-20-0032, Apr. 2020. [Online]. Available: ADAMS Accession No. ML19340A056


[35] R. Busquim and N. N. Kubelwa, SMR Digital Technologies and Computer Security: The Interlinkages, IAEA News, May 16, 2022. https://www.iaea.org/newscenter/news/smr-digital-technologies-and-computer-security-the-interlinkages

[36] D. E. Holcomb, C. L. Britton Jr., V. K. Varma, and L. G. Worrall, Remote Operations and Maintenance Framework for Molten Salt Reactors, Oak Ridge National Laboratory, ORNL/TM-2018/1107, Dec. 2018.

[37] J. Li, J. Meng, X. Kang, Z. Long, and X. Huang, Using Wireless Sensor Networks to Achieve Intelligent Monitoring for High-Temperature Gas-Cooled Reactor, Sci. Technol. Nucl. Install., vol. 2017, p. 3721578, May 2017, doi: 10.1155/2017/3721578.

[38] U.S. Senate Committee on Environment and Public Works, Nuclear Energy Innovation and Modernization Act (NEIMA), vol. 512, 2019. [Online]. Available: https://www.congress.gov/115/plaws/publ439/PLAW-115publ439.pdf

[39] U.S. Code of Federal Regulations (CFR), Purpose and scope, Section 1, Part 73, Chapter 1, Title 10, Energy.

[40] International Atomic Energy Agency, Instrumentation and Control Systems for Advanced Small Modular Reactors. Vienna: International Atomic Energy Agency, 2017. Accessed: Dec. 20, 2021. [Online]. Available: https://www.iaea.org/publications/10960/instrumentation-and-control-systems-for-advanced-small-modular-reactors

[41] S. Dhar and I. Bose, Securing IoT devices using zero trust and blockchain, J. Organ. Comput. Electron. Commer., vol. 31, no. 1, pp. 18-34, 2021.

[42] International Atomic Energy Agency, Computer Security Techniques for Nuclear Facilities. Vienna: International Atomic Energy Agency, 2021. Accessed: Dec. 20, 2021. [Online]. Available: https://www.iaea.org/publications/14729/computer-security-techniques-for-nuclear-facilities

[43] U.S. Code of Federal Regulations (CFR), Protection of digital computer and communication systems and networks, Section 54, Part 73, Chapter 1, Title 10, Energy.

[44] U.S. Code of Federal Regulations (CFR), Requirements for physical protection of licensed activities in nuclear power reactors against radiological sabotage, Section 55, Part 73, Chapter 1, Title 10, Energy.