Traditional Vulnerability Assessment – Exposed and Vulnerable Itself

Year
2016
Author(s)
Doug MacDonald - Pacific Northwest National Laboratory
Casey Perkins - Pacific Northwest National Laboratory
Joel R. Doehle - Pacific Northwest National Laboratory
Cary Crawford - Oak Ridge National Laboratory
S.W. Godwin - Pacific Northwest National Laboratory
Abstract
Conducting vulnerability assessments (VAs) is an important practice for ensuring the security of sites and facilities in the nuclear industry. The increasing pervasiveness of cyber technologies at these sites means that it is necessary to identify and mitigate vulnerabilities and risk by conducting VAs in both the physical and cyber domains. However, the current practice of stove-piped physical and cyber security regimes conducting distinct VAs is not sufficient. The increasing integration of physical and cyber components creates an overall system that is highly interconnected and interdependent. This enables an expanded attack surface across which a malicious actor could exploit vulnerabilities in both the physical and cyber domains in a complementary fashion, utilizing their interfaces to cause cascading failures of protective measures in both domains. In this way, an actor could execute a blended attack not possible in either domain individually. This paper shows that the existing practice of physical and cyber VAs is insufficient for capturing the additional potential vulnerabilities resulting from the interplay of physical and cyber components in a system as a whole. Instead, the concept of Integrated Systems Security is proposed, which synthesizes multiple security focus areas to enable holistic system-level security, including integrated VAs that capture the vulnerabilities resulting from cross-domain interfaces and reflect the true risk present in a system. Finally, based on its research developing these concepts and practices, Pacific Northwest National Laboratory offers lessons learned and recommendations.