skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Vulnerabilities Under the Surface


This paper will describe a practical methodology for understanding the cyber risk of a digital asset. This research attempts to gain a greater understanding of the cyber risk posed by a hardware-based computer asset by considering it as a sum of its hardware and software based sub-components.

; ; ;
Publication Date:
Research Org.:
Idaho National Lab. (INL), Idaho Falls, ID (United States)
Sponsoring Org.:
USDOE Office of Nuclear Energy (NE)
OSTI Identifier:
Report Number(s):
DOE Contract Number:
Resource Type:
Resource Relation:
Conference: 2017 Cybersecurity Symposium, Coeur d’Alene, Idaho, April 17–19, 2017
Country of Publication:
United States
97 MATHEMATICS AND COMPUTING; Cyber Security; Hardware Security; System Security

Citation Formats

Keller, Todd M., Benjamin, Jacob S., Wright, Virginia L., and Gold, Bryan H. Vulnerabilities Under the Surface. United States: N. p., 2017. Web.
Keller, Todd M., Benjamin, Jacob S., Wright, Virginia L., & Gold, Bryan H. Vulnerabilities Under the Surface. United States.
Keller, Todd M., Benjamin, Jacob S., Wright, Virginia L., and Gold, Bryan H. Sat . "Vulnerabilities Under the Surface". United States. doi:.
title = {Vulnerabilities Under the Surface},
author = {Keller, Todd M. and Benjamin, Jacob S. and Wright, Virginia L. and Gold, Bryan H.},
abstractNote = {This paper will describe a practical methodology for understanding the cyber risk of a digital asset. This research attempts to gain a greater understanding of the cyber risk posed by a hardware-based computer asset by considering it as a sum of its hardware and software based sub-components.},
doi = {},
journal = {},
number = ,
volume = ,
place = {United States},
year = {Sat Apr 01 00:00:00 EDT 2017},
month = {Sat Apr 01 00:00:00 EDT 2017}

Other availability
Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.

Save / Share:
  • The National Institute of Justice has tasked their Satellite Facility at Sandia National Laboratories and their Southeast Regional Technology Center in Charleston, South Carolina to devise new procedures and tools for helping correctional facilities to assess their security vulnerabilities. Thus, a team is visiting selected correctional facilities and performing vulnerability assessments. A vulnerability assessment helps to identi~ the easiest paths for inmate escape, for introduction of contraband such as drugs or weapons, for unexpected intrusion fi-om outside of the facility, and for the perpetration of violent acts on other inmates and correctional employees, In addition, the vulnerability assessment helps tomore » quantify the security risks for the facility. From these initial assessments will come better procedures for performing vulnerability assessments in general at other correctional facilities, as well as the development of tools to assist with the performance of such vulnerability assessments.« less
  • The primary goal of the Individual Plant Examination (IPE) Program was for licensees to identify plant-unique vulnerabilities and actions to address these vulnerabilities. A review of these vulnerabilities and plant improvements that were identified in the IPEs was performed as part of the IPE Insights Program sponsored by the U.S. Nuclear Regulatory Commission (NRC). The purpose of this effort was to characterize the identified vulnerabilities and the impact of suggested plant improvements. No specific definition for {open_quotes}vulnerability{close_quotes} was provided in NRC Generic Letter 88-20 or in the subsequent NRC IPE submittal guidance documented in NUREG-1335. Thus licensees were left tomore » use their own definitions. Only 20% of the plants explicitly stated that they had vulnerabilities. However, most licensees identified other plant improvements to address issues not explicitly classified as vulnerabilities, but pertaining to areas in which overall plant safety could potentially be increased. The various definitions of {open_quotes}vulnerability{close_quotes} used by the licensees, explicitly identified vulnerabilities, proposed plant improvements to address these vulnerabilities, and other plant improvements are summarized and discussed.« less
  • The BPI Model 2080 Pulsed Neutron Detector has been used for over seven years as an area radiation monitor and dose limiter at the LANSCE accelerator complex. Operating experience and changing environments over this time have revealed several vulnerabilities (susceptibility to electrical noise, paralysis in high dose rate fields, etc.). Identified vulnerabilities have been connected; these modifications include component replacement and circuit design changes. The data and experiments leading to these modifications will be presented and discussed. Calibration of the instrument is performed in mixed static gamma and neutron source fields. The statistical characteristics of the Geiger-Muller tubes coupled withmore » significantly different sensitivity to gamma and neutron doses require that careful attention be paid to acceptable fluctuations in dose rate over time during calibration. The performance of the instrument has been modeled using simple Poisson statistics and the operating characteristics of the Geiger-Muller tubes. The results are in excellent agreement with measurements. The analysis and comparison with experimental data will be presented.« less
  • Following the May 14, 1997 chemical explosion at Hanford's Plutonium Reclamation Facility, the Department of Energy Richland Operations Office and its prime contractor, Fluor Hanford, Inc., completed an extensive assessment to identify and address chemical and radiological safety vulnerabilities at all facilities under the Project Hanford Management Contract. This was a challenging undertaking because of the immense size of the problem, unique technical issues, and competing priorities. This paper focuses on the assessment process, including the criteria and methodology for data collection, evaluation, and risk-based scoring. It does not provide details on the facility-specific results and corrective actions, but discussesmore » the approach taken to address the identified vulnerabilities.« less
  • Industry is aware of the need for Control System (CS) security, but in on-site assessments, Idaho National Laboratory (INL) has observed that security procedures and devices are not consistently and effectively implemented. The Department of Homeland Security (DHS), National Cyber Security Division (NCSD), established the Control Systems Security Center (CSSC) at INL to help industry and government improve the security of the CSs used in the nation's critical infrastructures. One of the main CSSC objectives is to identify control system vulnerabilities and develop effective mitigations for them. This paper discusses common problems and vulnerabilities seen in on-site CS assessments andmore » suggests mitigation strategies to provide asset owners with the information they need to better protect their systems from common security flows.« less