
In-Progress Implementation of Cyber Security Requirements at DC Cook

Amal Al-Katrib I&C COP 2/13/12

Overview
- Cyber-Security Codes, Standards, and Regulatory Requirements
- Previous Work
- Scope of Current DC Cook Modification
- Level 3 to Level 2 Communication
- Waterfall Data-Diode Architecture
- Waterfall Proprietary Transfer Protocol Software Configuration

Cyber-Security Codes, Standards and Regulatory Requirements


- NRC Regulatory Guide 5.71: Cyber Security Programs for Nuclear Facilities
- NRC Regulatory Guide 1.152: Criteria for Use of Computers in Safety Systems of Nuclear Power Plants
- 10 CFR 73.54: Protection of Digital Computer and Communication Systems and Networks
- NIST SP 800-53: Recommended Security Controls for Federal Information Systems
- NIST SP 800-82: Guide to Industrial Control Systems Security

Previous Work
A previous DC Cook modification installed HP ProLiant DL360 (G6) servers in the Plant Process Computer Rooms (Defensive Levels 2, 3, and 4). Data-diodes were installed between (a) Level 4 (Control & Safety System Network) & Level 3 (Data Acquisition Network) and (b) Level 3 (Data Acquisition Network) and Level 2 (Local Area Network). No data was directed through those data-diodes as part of this design package. This task was reserved for subsequent modifications.

Scope of Current DC Cook Modification


- Redirect the outputs of RMS servers through a unidirectional firewall between Levels 4 and 3 networks.
- Remove existing Level 3 to Level 2 firewalls and install necessary hardware/software and cabling to complete the communications link through Level 3 and 2 data-diode networks.
- Redirect RDR and R-Time server communications through the Level 2 data network.

Scope of Current DC Cook Modification (Cont'd)

- Install 1 Cisco Firewall in U1 PPC room between Level 4 and Level 3 network
- Relocate firewall between 2-RMS-ROUT-PPC and U2RCD212 PPC switch
- Install A/B switch in Unit 1 PPC room to redirect network traffic through Level 3 to Level 2 networks
- Install new workstation on both Unit 1 and Unit 2 PPC Programmers Console and provide Level 4 network connection to each workstation using RMS network switches
- Re-route RDR system network cables from Level 3 to Level 2 network
- Install 100BaseT cable between existing GPS clock in U2 PPC Computer Room and Data Diode Tx server in U1 PPC Computer Room
- Abandon in place 1 Fibronics from Rack 3 in Server Room #333

Scope of Current DC Cook Modification (Cont'd)

- Remove 3 Fibronics from Communication Cabinet & 1 Fibronics from RDR cabinet in U1 PPC Computer Room
- Remove 2 DEC Bridge 90 units from I/O Cabinet in U1 PPC Computer Room
- Remove 2 PIX 515 Firewalls from Communication Cabinet in U1 PPC Computer Room
- Install 1 Cisco Level 2 Business LAN switch in the TSC Communication Room

[Figure: BEFORE and AFTER network diagrams spanning Level 4, Level 3 and Level 2. Labeled elements: Data Diode, Firewall, RMS Switch, PPC Switch, RDR Server, Satellite Display System, Other L 2 Devices.]

Level 3 to Level 2 Communication


Per NRC RG 5.71, only one-way (unidirectional) data flow is allowed from Level 3 to Level 2 to qualify for an acceptable defensive architecture.

This mod configures the data-diode setup (consisting of a transmitter and a receiver server) to ensure such unidirectional data flow. This task is achieved through a Waterfall data-diode architecture.
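
One way to check the one-way rule against observed traffic, as an added example that is not part of the original slides: the script audits flow records and reports any flow initiated from a lower defensive level toward a higher one. The subnets, the record format and the function names are assumptions made for the illustration.

```python
import ipaddress

# Assumed address plan for the example only (not the plant's real addressing).
LEVEL_SUBNETS = {
    4: ipaddress.ip_network("10.4.0.0/16"),
    3: ipaddress.ip_network("10.3.0.0/16"),
    2: ipaddress.ip_network("10.2.0.0/16"),
}

# Constructed flow records, one per line: initiator, responder, protocol/port.
SAMPLE_FLOWS = """\
10.3.0.10 10.2.0.20 udp/514
10.3.0.11 10.2.0.21 udp/162
10.2.0.50 10.3.0.10 tcp/22
10.4.0.5 10.3.0.10 udp/5000
10.3.0.10 10.4.0.5 tcp/502
192.0.2.7 10.3.0.10 tcp/3389
"""

def level_of(addr):
    """Return the defensive level whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for level, net in LEVEL_SUBNETS.items():
        if ip in net:
            return level
    return None

def audit_flows(text):
    """Return (record, reason) for every flow that breaks the one-way rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, _proto = line.split()
        s, d = level_of(src), level_of(dst)
        if s is None or d is None:
            findings.append((line, "endpoint outside the level address plan"))
        elif s < d:
            # Data may only move from a higher level down to a lower one.
            findings.append((line, f"Level {s} initiates toward Level {d}"))
    return findings

if __name__ == "__main__":
    for record, reason in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {record}: {reason}")
```
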

Waterfall Data-Diode Architecture


Multi-layered architecture consisting of a transmit/receive software agent that resides on transmitter/receiver servers

Basic components of a Waterfall One-Way Architecture:
1) Waterfall TX Software Agent
2) Waterfall TX Appliance (i.e. Transmitter Server)
3) Waterfall RX Appliance (i.e. Receiver Server)
4) Waterfall RX Software Agent
5) Single Fiber Optic Cable

[Figure: L3 Transmitter Server, Unidirectional Data Flow over Fiber Optic Cable, L2 Receiver Server]

Waterfall Data-Diode Architecture (Cont'd)


Benefits of the Waterfall Architecture:
- Provides high-speed, real-time, and reliable data transfer
- Eliminates the ability to initiate communications between assets at different security levels
- Eliminates bi-directional data flow between assets at different security levels
- Data only flows from 1 level to other levels through a device or devices that enforce security policy between each level
- Eliminates applications, services, and protocols not necessary to support the design-basis function of the contained assets
- Effective protection against external cyber attacks
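
The slides do not describe Waterfall's proprietary transfer protocol. The following added example (not from the original slides and not Waterfall's code) uses a made-up frame format to show what a TX/RX agent pair faces on a one-way link: with no return path for acknowledgements, the receiver can only detect loss or corruption and record it. The frame layout, function names and sample syslog lines are assumptions.

```python
import struct
import zlib

HEADER = struct.Struct("!IHI")  # assumed layout: sequence, payload length, CRC32

# Constructed syslog lines standing in for Level 3 switch logs.
MESSAGES = [b"<189>sw1: link up", b"<187>sw1: fan fault", b"<189>sw2: link up",
            b"<188>sw2: port down", b"<190>sw1: config saved"]

def tx_frame(seq, payload):
    """TX agent: wrap a message so it can be checked without any reply."""
    return HEADER.pack(seq, len(payload), zlib.crc32(payload)) + payload

def rx_receive(frames):
    """RX agent: deliver valid frames, log gaps and damage, never answer."""
    delivered, events, expected = [], [], 0
    for frame in frames:
        if len(frame) < HEADER.size:
            events.append("short frame dropped")
            continue
        seq, length, crc = HEADER.unpack_from(frame)
        payload = frame[HEADER.size:]
        if len(payload) != length or zlib.crc32(payload) != crc:
            events.append(f"frame {seq} failed integrity check")
            continue
        if seq < expected:
            events.append(f"stale or duplicate frame {seq} dropped")
            continue
        if seq > expected:
            # No retransmission can be requested: the gap is only recorded.
            events.append(f"gap: frames {expected}-{seq - 1} missing")
        delivered.append(payload)
        expected = seq + 1
    return delivered, events

def simulate():
    """Send MESSAGES over a simulated one-way link that loses and damages frames."""
    frames = [tx_frame(i, m) for i, m in enumerate(MESSAGES)]
    del frames[1]                      # frame 1 is lost in transit
    damaged = bytearray(frames[2])     # this is frame 3 after the deletion
    damaged[-1] ^= 0xFF                # flip bits in its last payload byte
    frames[2] = bytes(damaged)
    return rx_receive(frames)

if __name__ == "__main__":
    delivered, events = simulate()
    print(delivered, events, sep="\n")
```
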

Waterfall Proprietary Transfer Protocol Software Configuration


| Software | Function |
|---|---|
| Waterfall for Ethernet Multicast | Allows for multicast communication from the PPCs to RDR. |
| Waterfall for Remote Printer | Allows for TCP communication from print queues to business LAN PrintWizard software and PPCs to R*TIME links. |
| Waterfall for Syslog | Provides logging of Level 3 Cisco Network Switches and monitoring of data on Level 2 devices. |
| Waterfall for SMTP | Allows email notification of Level 3 device failures. |
| Waterfall for SNMP | Listens to SNMP traffic in the Level 4 and Level 3 networks and captures SNMP traps according to predefined rules set by IT. The software unidirectionally streams the SNMP traps through the Level 3 to Level 2 data diode network to a Network Management System on the Level 2 network to monitor the status of critical assets and receive alerts following failures. |
| Waterfall for FTP | Allows for file transfers of MIDAS, Chemistry & PPC Data to Level 2 servers including RMS Server CNP523 and R*TIME Server CNP524. |
| Waterfall for UDP | Transfers UDP packets from the Level 3 to Level 2 network. This is required for R*TIME Relay PSS Software to communicate to the Level 2 R*Time plant system server. |
| Waterfall for TCP | Transfers TCP packets from the Level 3 to Level 2 network. This is required for the replication of RadServ and Containment Cooling data on the Level 2 network. |
| Waterfall for NTP | Provides network time synchronization through the Level 3 to Level 2 data diodes. |

Questions / Comments

Amal K. AlKatrib Amal.K.AlKatrib@sargentlundy.com
