Transcript IAEA Office of Nuclear Security`s Initiatives in Cyber and Information

IAEA Office of Nuclear Security’s
Initiatives in Cyber and Information
Security
Khammar Mrabit
Director
Office of Nuclear Security
IAEA
International Atomic Energy Agency
IAEA Role
Ministerial Declaration
We, Ministers of the Member States of the
International Atomic Energy Agency
(IAEA),...:
Recognize the IAEA’s efforts to raise
awareness of the growing threat of
cyber-attacks and their potential impact
on nuclear security, and encourage the
IAEA to make further efforts to foster
international cooperation and to assist
States, upon request, in this area
through the establishment of
appropriate guidance and by providing
for its application.
IAEA
2
Computer and Information Security
The Computer and Information Security programme
is focused on preventing computer acts that could
directly or indirectly lead to:
a.unauthorized removal of nuclear/other
radioactive material
b.sabotage against nuclear material or nuclear
facilities
c.theft of nuclear
sensitive information
.
IAEA
3
New Targets
Mobile Computing Devices
Control and Instrumentation System
IAEA
4
International Instruments
•
FUNDAMENTAL PRINCIPLE G: Threat
 The State’s PP should be based on
the State’s current evaluation of the threat.
•
FUNDAMENTAL PRINCIPLE I: Defence in Depth
 The State’s requirements PP
should reflect a concept of several layers and
methods of protection (structural or other technical,
personnel and organizational) that have to be
overcome or circumvented by an adversary in order
to achieve his objectives.
•
FUNDAMENTAL PRINCIPLE L: Confidentiality
 The State should establish requirements for protecting the confidentiality of
information, the unauthorized disclosure of which could compromise the
physical protection of nuclear material and nuclear facilities.
IAEA
5
International Instruments
Protection of computer systems
associated with Other Radioactive
Materials
Such systems may include:
•
Inventory systems/records
•
Physical access control
•
Security monitoring
•
Operational
•
Calibration
•
Boarder monitoring
IAEA
6
Nuclear Security Fundamentals (NSS 20)
• Provide for the establishment of regulations and requirements
for protecting the confidentiality of sensitive information
and for protecting sensitive information assets;
• Ensuring through appropriate
arrangements that sensitive
information or other information
exchanged in confidence is
adequately and appropriately
protected.
• Routinely performing assurance activities to identify and
address issues and factors that may affect the capacity to
provide adequate nuclear security, including cyber security,
at all times.
IAEA
7
Current Technical Guidance
NSS17 Computer Security at Nuclear Facilities
The objective of the document is to provide
guidelines to personnel designing, implementing,
and managing Instrumentation and Control (I&C)
and Information systems and networks at nuclear
facilities.
The guidance addresses prevention and detection
of potential attacks through reference to best
practices in architecture, assurance and
management of security information and I&C
systems.
IAEA
8
Guidance published and in Draft
Fundamentals:
• NSS No. 20 Objective and Essential Elements of a State’s Nuclear Security
Regimeobjectives, concepts, principles
Recommendations:
• NSS No. 13 Nuclear Security Recommendations on Physical Protection of
Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5)
• NSS No. 14 Nuclear Security Recommendations on Radioactive Material and
Associated Facilities
Implementing Guides:
•
NSS XXX Information Security: Protection and Confidentiality
of Sensitive Information in Nuclear Security
Technical Guidance:
• NSS 17 Computer Security for Nuclear Facilities
• Other areas: Conducting Computer Security
Assessments; Computer Security of Nuclear I&C
Systems; Computer Incident Response
IAEA
9
Proposed Additional Guidance
• Nuclear Security Recommendations or Implementing Guide
for Computer Security ?
• Computer Security Systems and Measures for Nuclear
Facilities (implementing guide) ?
• Computer Security Practices for Nuclear Facilities
(Technical Guide) ?
These documents are designed to build a top to bottom framework to
support Member States, Competent Authorities, and nuclear organizations
in developing and conducting assurance activities for computer security.
The development of these documents will be discussed at the next
Nuclear Security Guidance Committee Meeting in October.
IAEA
10
International Physical Protection Advisory Service
(IPPAS)
New Information and Computer Security Review
conducted during IPPAS Missions to:
2012 - Netherlands, Finland, Romania
2013 - Laboratories in Seibersdorf, Hungary
Convergence of Physical
Protection and Cyber Security
IAEA
11
Training Activities
The request for awareness and advanced training by Member States
continues to grow. This trend will only continue.
Primary Training Courses
1.
Basic Information and
Computer Security
Awareness
2.
Conducting Cyber
Security Assessments
3.
Advanced Course in
Information and
Computer Security
4.
Professional
Development Course
for Nuclear Security
Professionals
IAEA
Projected
Training Events
2007
2008 2009
2010
2011
2012 2013
2014
Requests are currently in place for 2014
Estimate a sustained 6-9 courses per year
12
2015 Cyber Security Conferences
IAEA International Conference on Cyber Security:
“Nuclear Security in a Computer World: Prevention,
Detection and Resistance to Emerging Cyber Threats”
8-12 June 2015
IAEA
13
Cyber Security User’s Group
IAEA
IAEA’s information portal for cyber security
https://nusec.iaea.org/portal/UserGroups/CyberSecurity/CyberSecurityOverview/tabid/503/Default.aspx
14
Questions
Thank you
IAEA
15