Continuous Monitoring and Incident Response

Transcription

1 Continuous Monitoring and Incident Response Developing robust cyber continuous monitoring and incident response capabilities is mission critical to energy-related operations in today s digital age. As one of the world s largest clean energy suppliers, AREVA is fully committed to safety, quality, performance and delivery the pillars of all of our activities. We bring this framework of operational excellence to the cyber security products and services we offer to the energy sector to help you secure the future. Proven Track Record The AREVA team has a proven track record deploying continuous monitoring and incident response solutions that provide the highest return with the lowest plant impact. The AREVA team s approach to delivery is founded on decades of experience delivering world class security monitoring, configuration management, and incident response services to our nation s Critical Infrastructure, Department of Defense, Intelligence Community, and Federal Agency mission networks. We fully understand the mission criticality and sensitivity of these networks, and we have develop tailored security solutions that introduces zero risk to continued infrastructure operation while securely laying in a monitoring infrastructure that enables automated collection of network traffic, data, and system configuration details for monitoring, risk assessment and support for timely and effective incident response. Our overall service delivery approach can help centralized monitoring and cyber security response architecture supporting monitoring, system issue alerts, vulnerability advisories, reporting, log management, log parsing, and log analysis for process systems. The monitoring and analysis devices flag suspicious events and can send alert notifications to our 24x7x365 Incident Response Center for initial incident assessment, notification to personnel, and incident analysis to support incident response. The AREVA team brings with it, knowledge and experience in industry and regulatory positions, IDS/ IPS, Web Security Gateways, firewalls, networking, multiple Operating Systems, risk assessments, vulnerability management and network security. In addition, the project team has extensive commercial nuclear experience with Supervisory Control and Data Acquisition (SCADA) Systems, Programmable Logic Controllers, and Distributed Control Systems (DCS). AREVA is a proven cyber security partner bringing a holistic engineering perspective to ensure costeffective protection and regulatory compliance.

2 We Offer: The Expertise You Require: The AREVA team comprises industry recognized experts in nuclear plant engineering, security (cyber/physical), Software Quality Assurance, Verification & Validation and regulatory affairs. A Pragmatic and Cost-Effective Approach: Our diverse capabilities enable us to take a holistic approach to cyber security plan implementation, ensuring that you can fully leverage existing plant protections and integrate only those necessary while minimizing disruptions to plant operations. A Single Point of Accountability: AREVA has developed a robust supply chain to deliver a comprehensive suite of proven security solutions focused on minimizing your total cost of ownership. A Proven Team Member: The AREVA team provides various levels of cyber security support across the U.S. nuclear fleet. We have earned a reputation for operational excellence. We bring to bear all the lessons learned and best practices developed over time to each new engagement. Benefits of a Continuous Monitoring Solution Efficiently addresses required cyber security controls Cost-effective Inherently low-risk Proven technology in critical federal agency installations Focused on passively monitoring network traffic for signs of cyber attacks Provides an efficient foundation for capabilities extension Supported by an experienced project team with decades of combined experience Benefits of an Incident Response Solution Lower performance risk and higher customer satisfaction Complete and consistent, NRC/NEI compliant, incident response policy and procedures An independent and trained response team providing consistent and repeatable response to threats and incidents Systematic flexible training programs Forensic analyst experts providing quick, as needed, forensic capabilities Incident response certified resources AREVA Inc. For more information, contact: Frank Barilla Manager, Cyber Security Product Line Work: Moblie: Frank.Barilla@areva.com us.areva.com The data and information contained herein are provided solely for illustration and informational purposes and create no legal obligations by AREVA. None of the information or data is intended by AREVA to be a representation or a warranty of any kind, expressed or implied, and AREVA assumes no liability for the use of or reliance on any information or data disclosed in this document AREVA Inc. All rights reserved. 10/16 ANP:U-487-V4-16-ENG

3 Cyber Security Program Overview AREVA is committed to being a trusted cyber security team member, supporting your ability to achieve cost-effective threat protection and regulatory compliance. In today s digital age, many critical energy-related operations take place in cyberspace. Regulators such as the NRC and FERC are requiring utilities to take measures to protect their employees and infrastructure from cyber-attack. These cyber security measures are constantly evolving based on the ever-changing nature of the threat and the evolving regulatory frameworks that drive enhanced protection. As one of the world s largest clean energy suppliers, AREVA is fully committed to safety, quality, performance and delivery the pillars of all of our activities. We bring this framework of operational excellence to the cyber security products and services we offer the energy sector to help you secure your future. Our Goal is Simple: To work with you to protect your critical digital assets, physical assets and enterprise networks from exploitation in the most practical and cost-effective manner. The Path Forward: Development and implementation of a practical approach to protect critical enterprise and industrial control infrastructure while ensuring your economic viability. Our Commitment to You: AREVA is committed to being a trusted cyber security team member. We are driven to support your ability to successfully implement necessary and prudent cyber security controls to achieve cost-effective threat protection and regulatory compliance. A Single Point of Accountability: AREVA has developed cyber security solutions including any required engineering modifications to minimize your total cost of ownership. The Expertise You Require: The AREVA team comprises industry-recognized experts in nuclear plant engineering, cyber security, and regulatory affairs. These diverse capabilities enable AREVA to take a holistic approach to cyber security plan implementation, ensuring that our customers meet regulatory requirements in the most prudent manner, while minimizing disruption to plant operations. A Proven Team Member: The AREVA team provides various levels of cyber security support across the North American nuclear fleet. We have earned a reputation for operational excellence. We bring to bear all the lessons learned and best practices developed over time to each new engagement.

4 How Can We Help You? The AREVA team can support any and all aspects of your cyber security program implementation including: Full Program Development, Implementation and Ongoing Operational Support: Rest assured that you can meet security standards and regulatory requirements for enterprise and industrial control system cyber security by selecting a partner with the expertise, resources and tools to fully develop and implement all aspects of your cyber security plan. By choosing AREVA, you benefit from a seamless solution with a single point of accountability. Critical Digital Asset Assessments: AREVA offers the right combination of plant engineering, regulatory proficiency, and cyber expertise. We couple that expertise with a pragmatic approach to assess your critical digital assets and identify and mitigate security gaps, whether they are technical, programmatic or organizational in nature. Continuous Monitoring & Incident Response: The AREVA team has a proven track record deploying continuous monitoring and incident response solutions that provide the highest return with the lowest plant impact. Our overall service delivery approach can help centralized monitoring and cyber security response architecture in support of increased efficiency and effective decision making. Services include monitoring, system issue alerts, vulnerability advisories, reporting, log management, log parsing, and log analysis for process systems. Alert notifications can be sent to our 24x7x365 Incident Response Center for rapid response, issue identification and mitigation. Digital Plant Modifications: AREVA can provide turnkey or supplemental support for cyber security engineering modifications. You can benefit from the deployment of team members within our engineering organizations, which have a proven track record for performing plant modification tasks associated with the cyber security requirements. Given our breadth of experience, AREVA is renowned for optimizing these modifications as required to improve performance and generate efficiencies. This thorough and comprehensive approach allows licensees to have predictability to achieve the highest quality modification within budget and schedule. AREVA Inc. For more information, contact: Frank Barilla Manager, Cyber Security Product Line Work: ; Moblie: Frank.Barilla@areva.com us.areva.com Periodicity Programs: AREVA has developed a programmatic approach to minimize the cost associated with ongoing cyber security programrelated activities. The AREVA team can provide support for cyber security modification reviews and maintenance-related work. You can benefit from the deployment of team members from our current projects, which have a proven track record for performing analysis tasks associated with the cyber security requirements, accompanying efforts and specialty needs associated with modification reviews and coordination studies. Rather than increasing headcount for periodic activities, you can rely on AREVA for the support you need and only when you need it. Regulatory Affairs Support: AREVA can provide industry-recognized regulatory affairs support to ensure the successful outcome of NRC cyber security interactions and inspections. This offering can include: (1) Periodic regulatory oversight of implementation efforts according to a defined regulatory and inspection support model; and (2) Performance of a pre-nrc inspection to identify potential gaps and to assess regulatory compliance with a focus on reviewing justifications provided in support of alternate controls. Vulnerability and Penetration Testing: Penetration testing simulates covert and hostile attacks against your infrastructure in order to evaluate the effectiveness of an organization s security measures. It is a means of testing systems against advanced hacking techniques and provides insight into where your networks may be vulnerable and how they may be exploited. This information can then be used to develop a mitigation plan to close any identified security gaps. Verification and Validation (V&V) and Software Quality Assurance: AREVA s V&V department can provide you with an objective assessment of the products developed from your system development lifecycle process. The services provided by AREVA include software V&V for analysis, program evaluation, independent reviews, audits and inspections, quality assessments, validation of software products, and overall digital I&C equipment testing, such as software and hardware integration testing, factory acceptance testing and site commissioning and startup testing. The data and information contained herein are provided solely for illustration and informational purposes and create no legal obligations by AREVA. None of the information or data is intended by AREVA to be a representation or a warranty of any kind, expressed or implied, and AREVA assumes no liability for the use of or reliance on any information or data disclosed in this document AREVA Inc. All rights reserved. 10/16 ANP:U-492-V4-16-ENG

5 Vulnerability Assessment and Penetration Testing AREVA s Vulnerability Assessments identify and quantify vulnerabilities, and provide recommendations to eliminate or mitigate the risk. Our Penetration Testing uses advanced hacking techniques to safely simulate attempts to gain access to your infrastructure, and results in recommendations to better protect your networks and systems from compromise. AREVA s Vulnerability Assessments identify and quantify vulnerabilities, and provide recommendations to eliminate or mitigate the risk. Our Penetration Testing provides another set of information by simulating covert and hostile attacks against your infrastructure to test your system against advanced hacking techniques and to determine what can be attained. Vulnerability Assessments Vulnerability Assessments include identification of key assets and resources, prioritization and quantification of the value of these assets and resources, identification of the vulnerabilities of these assets and systematically eliminating or mitigating the risks for the most critical assets or resources. Penetration Testing AREVA s senior security engineers use best-in-class scanning tools to simulate real-world attacks and mimicking the tactics employed by malicious hackers. We then identify which vulnerabilities present the highest potential risk to your environment. The result is a comprehensive report with risk-rated findings and recommendations to better protect your networks and systems from compromise. Step 1: Discovery Our experts conduct methodical reconnaissance, scanning, and reporting to discover, verify, and report security flaws. From the Internet to inside your company, what are the weakest links in your chain? and manual techniques to leverage the discovered weaknesses and prove the ease of actual penetration. Carefully recording our steps, theory becomes reality. Step 3: System Compromise Often infiltrating the system is not enough. Can anything harmful or destructive be done? Our professionals will work with you to identify your critical data and systems. After establishing our presence, be it in your server or the HVAC controller, we attempt to capture your critical data and validate the weakness. Step 4: Debrief and Recommendations Once completed, our team provides a complete description of our efforts and an executive summary suitable for leadership understanding. We provide advice on remediations and improvements, and we stand by to share our knowledge on how to strengthen defenses. Step 2: Attempted Exploitation Suspecting a weakness and proving one are two different things. One a theory; the other, something that cannot be ignored. In close coordination with your organization, our team will use a variety of tools

6 Testing Protocols Common testing procedures include discovery, research, exploitation and documentation. AREVA s elite testing team will identify Operating System versions, network devices and configurations, and applications. Research is performed to identify vulnerabilities on the systems you implement. Brute force attack methods including: password cracks, buffer overflows, string formatting errors, SQL injection, and cross site scripting may also be employed to attempt to compromise and gain access to your organization s information resources. All procedures will be documented to provide you with a clear understanding of what was discovered and the level of compromise obtained if successful. Why AREVA? AREVA has a long history of providing cyber security solutions, including vulnerability assessments and penetration testing, to the nuclear industry as well as other commercial clients. Our testing approach has been proven successful in the energy industry and our highly experienced team is provided at a very competitive price. Our project team has decades of technical experience and the innovative thinking that is necessary to successfully perform penetration testing with the highest quality and technical excellence. By using our real-world experience gained from previous development, operations and audit engagements, our experts provide results that are relevant and actionable. We align our efforts with the critical elements of your business. We deliver high-quality results, quickly, and with minimal impact on your resources and personnel. AREVA Inc. For more information, contact: Frank Barilla Manager, Cyber Security Product Line Work: Moblie: Frank.Barilla@areva.com us.areva.com The data and information contained herein are provided solely for illustration and informational purposes and create no legal obligations by AREVA. None of the information or data is intended by AREVA to be a representation or a warranty of any kind, expressed or implied, and AREVA assumes no liability for the use of or reliance on any information or data disclosed in this document AREVA Inc. All rights reserved. 10/16 ANP:U-491-V4-16-ENG

7 Cyber Security Engineering Did you know AREVA offers a diverse team of cyber security engineering resources as an extension of your team? And we understand that the real success is in an ongoing relationship one where we work together to make the right decisions for your plant. AREVA can provide turnkey or supplemental support for critical digital asset assessments, cyber security engineering modifications, Verification and Validation (V&V) and regulatory affairs needs. You can benefit from the deployment of team members within our engineering organizations, which have a proven track record for cyber security engineering and bring to bear all the lessons learned and best practices from previous engagements. Critical Digital Asset Assessments AREVA couples our engineering expertise with a practical approach to assess your critical digital assets and identify and mitigate security gaps, whether they are technical, programmatic or organizational in nature. The benefits of our Critical Digital Asset Assessments include: An approach that is designed in accordance with the latest industry guidance, and ensures you meet regulatory requirements in the most cost effective manner. Assurance that deliverables and outcomes of the assessments will integrate within your current operating framework, minimizing the burden that results from the creation of new programs and procedures that can disrupt operations and maintenance activities. A diverse project team whose members bring a wide range of experience including digital plant modifications, design engineering, security, information technology, and regulatory affairs. Identification of all required plant modifications in advance of final implementation date, so they can be scheduled with sufficient time to execute. Plant Modifications AREVA s expert engineers can leverage our robust engineering and design processes to execute plant modifications. You can be confident the AREVA team is capitalizing on our elite knowledge and lessons learned from similar scopes of work across the United States and abroad. Given our breadth of experience, AREVA is renowned for optimizing these modifications for each customer as required to improve performance and generate efficiencies. This thorough and comprehensive approach from cradle to grave, allows you to have predictability to achieve the highest quality modification within budget and schedule. AREVA achieves engineering excellence by focusing on safety, quality, performance, and delivery. Verification and Validation (V&V) Verification and Validation (V&V), a technical discipline of systems engineering, provides an objective assessment of the products developed during the system development lifecycle process. Digital I&C equipment require additional design and qualification approaches above and beyond analog control systems. To obtain high confidence in Digital Software Quality, rigorous V&V processes are established based on guidance provided by NRC requirements. AREVA s full scale V&V fulfills the requirements of Appendix B to NRC Regulations, 10 CFR Part 50 and IEEE Std as endorsed by NRC Regulatory Guide revision 2 (2013).

8 AREVA s Independent Verification and Validation (IV&V) department provides the V&V qualification activities required by regulations for Digital Instrumentation and Controls (I&C) equipment for AREVA s TELEPERM XS. Additionally, AREVA s IV&V department also provides V&V services for third party vendors equipment, provides independent assessments of Software Development programs (i.e., V&V, Software Quality Assurance, Software Safety, Software Configuration Management, Cyber Security) for third party vendors or nuclear utilities. The services provided AREVA s IV&V department includes software V&V for analysis, program evaluation, independent reviews, audits and inspections, quality assessments, validation (testing) of software products, and the overall Digital I&C equipment testing (software and hardware integration testing, and Factory Acceptance Testing, and site commissioning and startup testing). Regulatory Affairs Support AREVA can provide industry recognized regulatory affairs support to ensure the successful outcome of NRC cyber security interactions and inspections. This offering can include: Periodic regulatory oversight of cyber security plan implementation efforts according to a defined regulatory and inspection support model. Performance of a pre-nrc inspection to identify potential gaps and to assess regulatory compliance with a focus on reviewing justifications provided in support of alternate controls. Proactively entering any identified gaps into the CAP prior to NRC inspection. Communication training for utility staff prior to NRC inspection to improve regulatory communications with NRC inspectors. NRC inspection support, either as a primary interface to NRC inspectors or in a background/ supporting role to ensure that the Cyber Security Program is well represented from a regulatory perspective. Evaluation of, and support in responding to and resolving, any findings resulting from the NRC inspection. AREVA s Unique Offering We combine a unique blend of engineering expertise with equipment and system knowledge, rigorous project management experience and regulatory expertise all driven to reduce risk while saving time and money. The combination of nuclear steam supply system OEM engineering and field service capabilities with secondary-side expertise allows AREVA to deliver a total-plant perspective. With customer-focused innovation, AREVA can deploy the technology and resources to lower your total cost and improve your facility s performance. We pledge uncompromising support for the long haul as you realize your vision for highly reliable, high quality and safe energy operations. AREVA is a proven cyber security partner bringing a holistic engineering perspective to ensure costeffective protection and regulatory compliance. We offer: The Expertise You Require: The AREVA team comprises industry recognized experts in nuclear plant engineering, security (cyber/physical), SQA, V&V and regulatory affairs. A Pragmatic and Cost-Effective Approach: Our diverse capabilities enable us to take a holistic approach to cyber security plan implementation, ensuring that you can fully leverage existing plant protections and integrate only those necessary while minimizing disruptions to plant operations. A Single Point of Accountability: AREVA has developed a robust supply chain to deliver a comprehensive suite of proven security solutions focused on minimizing your total cost of ownership. A Proven Team Member: The AREVA team provides various levels of cyber security support across the U.S. nuclear fleet. We have earned a reputation for operational excellence. We bring to bear all the lessons learned and best practices developed over time to each new engagement. AREVA Inc. For more information, contact: Frank Barilla Manager, Cyber Security Product Line Work: Moblie: Frank.Barilla@areva.com us.areva.com TELEPERM is a registered trademark of AREVA. The data and information contained herein are provided solely for illustration and informational purposes and create no legal obligations by AREVA. None of the information or data is intended by AREVA to be a representation or a warranty of any kind, expressed or implied, and AREVA assumes no liability for the use of or reliance on any information or data disclosed in this document AREVA Inc. All rights reserved. 10/16 ANP:U-488-V4-16-ENG