
NACIO: Non-obtrusive Authentication of Critical Infrastructure Operators

Sam Clements, Mark Hadley, Tom Edgar, and Cliff Glantz

Pacific Northwest National Laboratory (PNNL)

March 2010

This material is based upon work supported by the U.S. Dept. of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, or Dartmouth College.

The NACIO Team

Project Team Members

• Sam Clements

• Mark Hadley

• Thomas Edgar

Working out of PNNL’s main campus in Richland, Washington


What is Authentication?

“All information systems must have a security mechanism installed that requires authentication prior to file access.”

- API 1164

“…Responsible Entity shall have a policy for managing the use of such accounts [shared, generic] that limits access to only those with authorization, [and] an audit trail of the account use …”

- NERC CIP 7 R5.2.3

The process of verifying a user’s identity and authorization to access a network or its resources.

- NIST 800-53

- NRC RG-5.71

What is Required for Authentication?

• For IT systems we often require:

– Something you know (e.g., password)

– Something you have (e.g., security token, mag. card)

– Something you are (e.g., fingerprints)

Control System Authentication Issues

• Authentication restrictions cannot be allowed to:

– impede operator control

– negatively impact control system operation

– negatively impact process/facility critical events

• Immediate access and control are required when needed – delays cannot be tolerated!

• A forgotten or mistyped password cannot be allowed to lock up a control system’s human machine interface!

• So how can authentication be done?

• How much is too much?


Hand Scan

Right Elbow

Left Elbow

Foot

Tongue

Finishing up with a Butt Scan

Thanks to Monsters vs. Aliens (DreamWorks®) and Sam Clements for these images!

Now that’s way too much!

Example Authentication Approach: NRC Regulatory Guidance

RG 5.71: “Cyber Security Programs for Nuclear Facilities” (11/09)

Requires the following:

• uniquely identify each user

• verify the identity of each user

• disable a user identifier after a predetermined time period of inactivity

• change and refresh authenticators periodically

• only appropriate officials can issue a user identifier

• ensure that a user identifier is issued to the intended party


NRC Authentication (cont)

If a control system cannot support all user authentication requirements, all of the following must be implemented:

• physically restrict access to the control system

• ensure only security qualified and credentialed individuals have access to control systems

• monitor and record access to the control system in a timely manner

• use auditing/validation measures to detect unauthorized access and modifications to the control system

The NACIO Approach

[Diagram labels: Security Camera; Network Sensor; Control System Network; Operator Console; Network Traffic; Authenticator; Picture; Badge + RFID; NACIO Interface; Physical Access Control Database; Alert: Critical System Command]

NACIO Advantages and Security Impact

• NACIO’s Advantages

– Triggers only on critical commands and alarms on a defined subset of these commands

– Avoids an inundation of data

– Records:

• Network traffic

• Badge info

• Image of operator

– Supports post-incident investigation

• NACIO’s Impact: Reduces Insider Threat

– creates the impression that your activities are being monitored and that you can’t get away without your actions being revealed

– establishes a much higher threshold for malicious acts
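
Added example, not part of the original slides or PNNL's implementation: a Python sketch of the correlation step listed above, where a sensor hit on a critical command is bundled with the badge read and camera image, and only a subset raises an alert. The command names, console and badge IDs, the 30-second badge window, and the alert on a missing or unauthorized badge are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All names and values below are constructed for illustration.
CRITICAL = {"OPEN_BREAKER", "CHANGE_SETPOINT", "DISABLE_ALARM"}  # commands that get recorded
ALARM_ON = {"DISABLE_ALARM"}            # defined subset that also raises an alert
BADGE_WINDOW = timedelta(seconds=30)    # how fresh an RFID read must be (assumption)

@dataclass
class BadgeRead:            # one RFID read at a console's badge reader
    console: str
    badge_id: str
    seen: datetime

def latest_badge(reads, console, when):
    """Most recent badge read at this console within BADGE_WINDOW before `when`."""
    near = [r for r in reads
            if r.console == console and timedelta(0) <= when - r.seen <= BADGE_WINDOW]
    return max(near, key=lambda r: r.seen, default=None)

def on_command(cmd, console, when, packet, reads, authorized, grab_frame):
    """Sensor callback: builds an evidence record; never blocks or delays the command."""
    if cmd not in CRITICAL:
        return None                        # routine traffic is not stored
    badge = latest_badge(reads, console, when)
    badge_id = badge.badge_id if badge else None
    known = badge_id in authorized.get(console, set())
    return {
        "time": when.isoformat(), "console": console, "command": cmd,
        "traffic": packet.hex(),           # captured network traffic
        "badge": badge_id,                 # who the reader saw at the console
        "image": grab_frame(console),      # camera still of the operator
        # Alert on the alarm subset, or (assumption) on any critical command
        # issued with no authorized badge present at the console.
        "alert": cmd in ALARM_ON or not known,
    }

# Constructed sample data
T0 = datetime(2010, 3, 1, 8, 0, 0)
READS = [BadgeRead("HMI-1", "B-1001", T0 - timedelta(seconds=5)),
         BadgeRead("HMI-2", "B-2002", T0 - timedelta(minutes=10))]
AUTHORIZED = {"HMI-1": {"B-1001"}, "HMI-2": {"B-2002"}}

def frame(console):                        # stand-in for a camera capture
    return f"{console}-frame.jpg"

if __name__ == "__main__":
    for cmd, con in [("READ_STATUS", "HMI-1"), ("OPEN_BREAKER", "HMI-2")]:
        print(cmd, con, on_command(cmd, con, T0, b"\x01\x02", READS, AUTHORIZED, frame))
```
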


NACIO Uses COTS Technologies

• Components

– “IDS”

– Cameras

– Badge with RFID

• Advantages

– Readily Available Components

– Fast to Market Bridging the Gap


NACIO Wrap-Up

• Does not impact operations

• Helps meet or exceed current standards and guidance for control system authentication

• Provides an innovative integration of COTS technologies

• Undergoing testing and refinement at PNNL

• We are seeking partners for technology transfer

Questions?

• For more information, contact one of the following PNNL NACIO team members:

– Sam Clements: samuel.clements@pnl.gov; 509-375-3945

– Mark Hadley: mark.hadley@pnl.gov; 509-375-2298

Your presenter has been Cliff Glantz; cliff.glantz@pnl.gov; 509-375-2166
