Josef Schindler, Claudia Lemos Sebastiao, Christine Bürger, Karl Waedt
Framatome GmbH
Paul-Gossen-Str. 100, 91052 Erlangen
josef.schindler@framatome.com, claudia.lemos-, christine.buerger@framatome.com
INTRODUCTION
Due to the upcoming Cyber Resilience Act (CRA) and the EU NIS2 directive (directive on measures for a high common level of cybersecurity across the European Union), suppliers and sub-suppliers of Interim Storage Facilities and Final Storage / Disposal Facilities are confronted with increasingly stringent cybersecurity requirements. For nuclear waste management, additional new national regulations apply. For Germany these include the so-called SEWD-RL IT Cat. I, SEWD-RL IT Cat. II and III, SEWD-RL sisoraK and SEWD-RL sisoraSt. According to these regulations, different levels of security trust must be met and enforced after a rigorous cybersecurity risk assessment and the assignment of systems with digital elements to security zones. In this paper, we propose a practical cybersecurity hardening approach which scales from small devices to hundreds of interconnected systems. This approach assures that all suppliers and sub-suppliers of an autarkic (self-contained) Interim Storage Facility or Final Disposal Facility provide an appropriately graded, consistently structured, traceably implemented, and completely validated set of cybersecurity measures.
PRECONDITIONS FOR THE FRAMEWORK
Figure 1 depicts the intended framework at a high level. Based on the input data (Figure 1, grey & orange) and the given objectives, we describe why and how we design the Guidelines (Figure 1, blue) and Templates (Figure 1, green), before giving details on the documentation to be delivered.
Input data
Input data is divided into two categories: the cybersecurity requirements from the authority and the appraisers (Figure 1, grey), and the additional requirements from the plant conception and the operator (Figure 1, orange).
In the specific use case, the main input document is a TÜV SÜD Guideline, which comprises 7 general subjects divided into 40 security aspects, i.e., requirements.
Objectives
The objectives of the framework are to
O1. Fulfill the requirements from the authority and the appraisers towards cybersecurity (Figure 1, grey)
O1.1 Implement the requirements correctly from a technical point of view
O1.2 Facilitate a review of compliance
O2. Fit additional requirements from the plant conception and the operator (Figure 1, orange)
O3. Streamline cybersecurity documentation beyond isolated IT networks to ease future operation and recurring inspections
O4. Enable any (sub-)supplier to comply with the cybersecurity requirements and provide the documentation, regardless of the (sub-)supplier's expertise in cybersecurity
DESIGN OF THE FRAMEWORK
Guideline (Figure 1, blue)
The entry point for documentation through (sub-)suppliers and review from appraisers is the “Guideline for Suppliers – Cybersecurity”. This document explains
- The relationship between documents inside the complete framework
- How to fill Asset List, Cybersecurity Analysis and Cybersecurity Manual (Figure 1, blue pointers)
- The subordinate technical Guidelines for Suppliers: each explains a specific topic and its treatment, like:
- BIOS/UEFI-settings
- Integrity proven images of all computer systems
- Configuration/hardening of computer systems (with operating system)
- Configuration of switches
- Configuration of firewalls
- Configuration of automation controllers and other components
- Handling of files and downloads; the handling and usage of downloaded software is depicted in the flow chart in Figure 2 as an example of the degree of detail in the appendices
- Definition of user concept
The “Guideline for Suppliers – Cybersecurity” also follows the structure of the 7 general subjects and 40 security aspects to show that the complete framework covers all requirements (O1). Submitting this document and its technical appendices to the appraisers allows for early discussion about general approaches to specific problems. This can reduce cost significantly by avoiding late discussion when vendors have already delivered IT systems and final documentation.
Templates (Figure 1, green)
The templates ensure streamlined documentation through their uniform design and generic applicability (O3). (Sub-)suppliers can and shall choose templates based on the architecture of the IT network. For example, the template for network device configuration does not apply to a standalone computer. In other cases, there are both Windows and Linux computers, so both hardening guidelines must be applied.
For many aspects, the templates already predefine paragraphs which are expected to be similar for any system. For example, in the “Template – Cybersecurity Analysis”, many aspects of the risk assessment, like
- boundary conditions (like the 2-person / 4-eye principle, USB media handling, physical security of cabinets) or
- attack scenarios (insiders, administrators)
are similar and are therefore answered the same way through the templates (O4).
The “Template – Cybersecurity Manual” again uses the structure of the appraiser guideline (7 general subjects, 40 security aspects), and only points to technical appendices where a closer look is required. This eases traceability to the requirements (O1.2).
(Sub-)Supplier Scope (Figure 1, yellow)
(Sub-)Suppliers must deliver one Asset List which describes the IT components of the IT network. This helps the operator to easily identify and maintain the IT components (O3). Maintaining an asset list throughout and beyond the project is usually a requirement from the future operators (O2).
One Cybersecurity Analysis shows how the IT network is secured against predefined risks. This is already prepared to a certain degree within the Template (O4). Nevertheless, it is recommended to guide and support (sub-)suppliers throughout the Cybersecurity Analysis, as the specifics of the Storage / Disposal Facility are most likely unknown to the (sub-)suppliers.
Several Cybersecurity Manuals are to be prepared, depending on the number of IT components. In general, one Cybersecurity Manual for the service laptop of the IT network, and one Cybersecurity Manual for all other IT components are enough.
Depending on the types of IT components in the IT network, suppliers must use the topic-related templates for the appendices and fill them in once per IT component of a certain type (O1.1). In the Cybersecurity Manual, the (sub-)suppliers then only link to the corresponding technical appendices (O1.2).
RESULTS
The approach is currently being applied to ongoing interim storage facility projects and one final storage / disposal facility project in Germany. As indicated in Figure 1, the approach takes into consideration the maturity level of the Information Security Management System (ISMS) of the facility organization and at the facility site. The approach assures that each supplier performs a comprehensive cybersecurity risk assessment and describes the planned cybersecurity measures at a consistent level of detail with adequate coverage, according to the graded requirements to be met by the respective supplier.
Restrictions are described and enforced for each supplier and (sub-)supplier, e.g., regarding the location of executable programs, the scope of software backups, the hardening of Windows client / server / standalone operating systems, Linux distribution specific operating system kernels and installation packages, industrial standard software, and project specific application software.
Tools are provided for repetitive tasks, e.g., for continuous or recurrent integrity checks of embedded software, regular device security status reports, logging of messages related to forensic readiness, generation of alarms towards a central unit etc.
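The recurrent integrity checks mentioned above (and the integrity-proven images called for in the supplier guidelines) can be implemented as a hash manifest that is baselined once and re-verified on a schedule. The following Python is an added example written for this page, not a tool from the paper or from Framatome. The directory layout, file contents and the HMAC key are constructed for the demonstration; it also shows the caveat a practitioner should want covered, namely that a baseline stored on the same device must itself be protected, here with a keyed HMAC whose key is assumed to be held off the device by the operator.

```python
"""Recurring integrity check of a file tree against a sealed baseline manifest.

Added example for this page; not a tool from the paper or from Framatome.
Directory layout, file contents and the HMAC key below are constructed."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file below root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside root is never 'verified'."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def _canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest: dict, key: bytes) -> str:
    """Protect the baseline with an HMAC so an attacker who can write files on
    the device cannot also rewrite the baseline to hide the change. The key is
    assumed to be held off the device (e.g. by the operator)."""
    mac = hmac.new(key, _canonical(manifest), "sha256").hexdigest()
    return json.dumps({"manifest": manifest, "mac": mac}, sort_keys=True)


def open_manifest(sealed: str, key: bytes) -> dict:
    """Return the baseline, or raise ValueError if its HMAC does not verify."""
    doc = json.loads(sealed)
    expected = hmac.new(key, _canonical(doc["manifest"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("baseline manifest failed integrity check")
    return doc["manifest"]


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and classify every deviation."""
    current = build_manifest(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"ok": not (added or removed or modified),
            "added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-verify,
    and show that a forged baseline is rejected."""
    key = b"operator-held-key-for-demo-only"  # assumption: real key stays off-device
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ctrl.elf").write_bytes(b"\x7fELF" + b"\x00" * 64)
        (root / "config.ini").write_text("[plc]\nmode=run\n")
        (root / "readme.txt").write_text("constructed sample file\n")
        sealed = seal_manifest(build_manifest(root), key)
        clean = verify(root, open_manifest(sealed, key))

        # Deviations a recurring check must report.
        (root / "bin" / "ctrl.elf").write_bytes(b"\x7fELF" + b"\x01" * 64)  # modified
        (root / "bin" / "dropper.sh").write_text("#!/bin/sh\n")             # added
        (root / "readme.txt").unlink()                                        # removed
        tampered = verify(root, open_manifest(sealed, key))

        # Attacker rewrites the stored baseline to match the modified binary.
        doc = json.loads(sealed)
        doc["manifest"]["bin/ctrl.elf"] = sha256_file(root / "bin" / "ctrl.elf")
        try:
            open_manifest(json.dumps(doc), key)
            forgery_detected = False
        except ValueError:
            forgery_detected = True

    return {"clean": clean, "tampered": tampered, "forgery_detected": forgery_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a deployment the `verify` report is what would feed the device security status report and the alarm towards a central unit; the sealed manifest would be produced at image release time and the verification key provisioned separately from the image, so that a compromised device can neither pass a check against a rewritten baseline nor forge a new one.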
The well-structured and consistent documentation serves as a solid basis for the cybersecurity trainings needed over the expected facility lifetime of several decades.
CONCLUSION
Due to continuously more stringent cybersecurity requirements on the one hand, and differing cybersecurity maturity levels on the suppliers' and (sub-)suppliers' side on the other, a practical, comprehensive, and scalable approach for assuring the long-term cybersecurity of Interim Storage Facilities and Disposal Facilities is needed. Ideally, the proposed consistent and scalable approach is adopted already during the planning stage of a new Interim Storage / Disposal Facility, or at the latest when starting the acquisition of equipment with digital elements. Framatome GmbH is happy to support Interim Storage Facility and Disposal Facility operators by leveraging its expertise from similar projects in the nuclear domain.