In Świerk, about cybersecurity of nuclear installations

The National Center for Nuclear Research (NCBJ), in cooperation with the International Atomic Energy Agency (IAEA) in Vienna, has organized a workshop on conducting assessment on the state of cyber security in nuclear installations. Invited experts will meet in Świerk with workshop attendees, delegated from government agencies, scientific institutes and commercial organizations. They will present cyber security assessment methodology and recommended practices for identifying in advance cyber vulnerabilities and threats and taking appropriate prevention measures.

The threat of cyber-attacks and cyber-incidents is real and it is constantly growing. Increasing automation and digitization of all activities introduces new possibilities for making mistakes and opens gates for criminals. Hackers - amateurs and professionals - constantly "test" cyber security measures, by trying to gain access to process control systems or to physical protection systems in critical infrastructure facilities. Similarly, negative consequences can be a result of a random error in process execution or incompatibility of software used in industrial devices and factory production lines. Therefore, it is very important to be aware of existing problem and to have an ability to systematically monitor and analyze industrial installations against potential cyber threats. NCBJ, expecting the implementation of the Polish Nuclear Power Program, is preparing to meet these challenges.

On April 23, a five-day training course on "Conducting Computer Security Assessments at Nuclear and Other Radioactive Material Facilities" has begun in Świerk. The course is co-organized by IAEA and NCBJ. Over 40 participants, delegated by government agencies (Ministry of Energy, PAA, RCB, KPK), scientific institutes (NCBJ, NASK, WSGE) and commercial organizations (ZUOP, PGE EJ1, PGNiG, ComCERT, MCX, POC), participate in the training. Experts from the Vienna Agency and from Poland are giving lectures during the course. "We invited the best professionals to share with the course attendees their knowledge, world class expertise and industry best practices" - says Monika Adamczyk, a cyber security expert at the NCBJ and co-organizer of the workshop. "Although we are concerned mainly with cybersecurity in nuclear facilities, most subjects included in the training can be applied and reused in any industrial infrastructure."

This course has been already organized several times by IAEA in other countries. The program is based on one of their technical publications, which is available for download from their website network.

Cybersecurity is one of the NCBJ's priorities and is subject of research conducted at the Institute. NCBJ participates e.g. in the National Cybersecurity Platform project (NPC), run together with the Research and Academic Computer Network (NASK), Warsaw University of Technoogy and the National Institute of Telecommunications. As part of the IAEA Coordinated Research Project, a specialized CyberLAB laboratory has been created in Świerk, where programmable logical controllers (PLCs) are tested for cyber vulnerabilities. In the future, other industrial control system (ICS) components will be tested there as well.

Many people believe that the best way to secure critical installations is to disconnect them from the internet. "It's not so easy" - says prof. Wojciech Wiślicki (NCBJ), head of the Świerk Computer Center and coordinator of the NPC project at NCBJ. "Large industrial or infrastructure systems are built from a huge number of components. Many of them come from independent suppliers and must be serviced by them. The most sensitive systems are of course completely cut off from the rest of the world and their service is done on-site." However, even then, a threat may arise, e.g. when a service technician needs access to resources available remotely from his company. Servicing many less-critical subsystems is done often remotely. This can significantly reduce maintenance costs and it is often the only reasonable solution when every minute of system malfunction can generate huge losses. Therefore, all remote and local access channels must be secured in such way as to minimize a risk of undesired behavior. For that reason, there have been many cybersecurity methods developed. One of them is called a “honeypot”. At NCBJ, virtual systems are created to simulate production installations, to monitor their resilience against unexpected visitors. "With help of honeypots you can collect relevant information and identify cyber threats, that intruders create, in order to adapt their security" - explains prof. Wiślicki. "It is also important to continuously monitor cyber threats and fill in identified security gaps, by adapting used tools and databases to the changing skills and knowledge of the attack perpetrators"

A potential source of cyber threats are not only communication channels, but also hardware components. "Today, not only industrial facilities, but also every-day household appliances are digitally controlled," says Dr. Jacek Gajewski (NCBJ), the CyberLAB project manager. "Usually, programmable logic controllers (PLCs) are used to run and monitor modern technological processes. Normally, a relevant component is programmed only once in a factory, to operate e.g. a washing machine, a refrigerator or a much more advanced technical device which is part of the entire infrastructure. Of course, the factory installed software in such controllers can be modified. The purpose of the laboratory created at the NCBJ is testing these controllers to verify whether they perform only those functions that they were programmed for, only and always these functions and whether exist operating conditions which can result in a controller malfunction or allow intentional modification of their behavior.

"Almost everyone knows that it is worth having an antivirus program," summarizes Monika Adamczyk, "but most of us are very surprised and irritated when installation of a new, verified application on our smartphone, causes the phone to behave unpredictably. Similar risks are associated with industrial control systems, only there a consequence of a sudden unpredictable problem can be much more dramatic. People responsible for key components and installations must be aware of the fact that even a trivial update of one of thousands of controllers may affect the entire system: introduce dangerous distortions or open the way for undesirable actions from third parties. "