Conversations in Risk-Based Security

Case Study: Nuclear Industry

Posted by Teresa Maugeri on Aug 9, 2018 10:25:10 AM

Background:
The nuclear industry is struggling to meet compliance deadlines and to find dedicated, knowledgeable resources who can be embedded into the existing workforce and function as a cohesive team. A typical nuclear plant contains thousands of Critical Digital Assets (CDAs), each of which needs its identified attributes collected and an assessment conducted. With many plants identifying over 80 required attributes for each of thousands of devices, these projects can quickly become overwhelming.

From the Client:
Finding a partner company that could ramp up quickly, learn the processes and procedures, and meet a very rigid timeline was becoming difficult.  We joined with Lynx Technology Partners (Lynx) and could not have been happier.  They provided the highest level of service and quality by providing personalized service and adapting to our needs. 

We partnered with Lynx for assistance with the CDA identification, reference gathering, assessments, vulnerability analysis, policy and procedure review, and remediation efforts for two new nuclear facilities. The security framework to be assessed included RG 5.71 and NEI 08-09. Lynx delivered extremely qualified candidates with the required skills and experience. By developing a Center of Excellence, Lynx quickly trained and ramped up the Team during peak periods, allowing it to fully meet the timelines and expectations. The Team augmented our current staff, allowing us to seamlessly function together. The Lynx approach provided an in-depth assessment of our current security posture, while clearly identifying the impediments to achieving security availability, integrity, and confidentiality of our CDAs.

Results:
The Lynx-tailored Cyber Security Assessment (CSA) allowed the client to achieve a detailed understanding of its CDAs' current compliance with security control requirements and to comprehend the current security posture, alternative controls, and necessary remediation methods. The Lynx Cyber Security Vulnerability Analysis Approach provided a comprehensive search methodology that identified all known CDA vulnerabilities, which provided a clear roadmap for mitigation.

The assessment included an evaluation of the security configuration of the network and infrastructure, along with a review of the policies, procedures, and practices at both plants to ensure compliance with the Regulatory Guide (RG) 5.71 and NEI 08-09 industry-recognized compliance frameworks. Lynx’s ability to produce quality work within a very aggressive timeline, complete the large number of assessments, and assist in the identification of vulnerabilities in less than one year was described as “Incredible” by the client.

Lynx Risk Manager (LRM), a leading-edge risk assessment tool, was used to perform the assessments of over 6,600 CDAs. LRM is a robust IT risk and compliance solution that allowed the client to immediately improve its audit workflow and assess the IT risk posture against internal and external regulations. Each identified CDA was passed through a questionnaire within LRM that identified its associated risk profile attributes, which helped with understanding the scoping and classification requirements. This minimized the survey questionnaire to which the assessor had to respond. For similar devices, additional controls were grouped into commonalities. A “Generic Device” was assessed, and all common controls relevant to those device types were scored. These device-level common controls were then sent to the actual CDA assessments via ScoreSync. By combining similar device types and makes/models into common asset groups, this LRM feature cut thousands of hours and reduced costs by hundreds of thousands of dollars.

High-Level Results:

  • 6,612 Total Assessments, involving 76 systems, in just over 11 months.
  • Reference material, including vendor manuals, network diagrams, and design documents, was identified for all CDAs.
  • The LRM software solution was installed and implemented to track progress, run reports, and distribute surveys.
  • 26 Policy and Procedure documents were reviewed, which correlates to 481 Control Surveys (RG 5.71) for each plant.
  • 4,354 Vulnerabilities were found: 1,488 Critical; 1,138 High; 1,544 Medium; and 184 Low.