Transcript 1. dia - International Atomic Energy Agency

Hungary’s Experience in the Regulation of
Cyber and Information Security
presented by
Dr. Kristóf Horváth
Deputy Director General
Hungarian Atomic Energy Authority
Based on the Guideline developed by
the WG on Computer Protection
History … 2005-2008
• Well developed
– requirements and regulatory system for peaceful applications
(NM and RM)
– radiation protection requirements and regulatory system
– nuclear safety requirements and regulatory system
– system for materials out of regulator control
– emergency preparedness and response for safety events
• Ad-hoc
– physical protection requirements
– physical protection as part of radiation protection and nuclear
safety
• All nuclear related sensitive information protected as State Secret
International Instruments (the frame)
• Ratified international conventions:
– CPPNM
– Amendment to CPPNM
– Nuclear terrorism convention
– Mode-specific transport agreements
• UN Council resolutions
• EU regulations and directives
• IAEA Code of Conduct and Guidance
And then…Fundamental objective
• The fundamental safety-security-safeguards objective
of regulatory control:
– To protect people and environment
– from harmful effects of (any harm of)
– ionizing radiation (generated by various
applications of atomic energy).
• without unduly limiting the operation of facilities or the
conduct of activities.
Goals of regulatory control
• To protect people and environment through
– Prevention
• Regulations, licensing, vetting, registration ….
– Detection
• Inspection, reporting, monitoring …
– Response
• Enforcement, contingency/emergency planning
• Common legal and technical principles to be applied
– E.g. responsibility, independence…
– E.g. design basis, graded approach, defence in depth
…
New regulations
• Four level approach
• Classification and protection of information
– Restricted, Confidential, Secret, Top Secret
• Physical protection governmental decree
– Based on threat assessment
– DBT defined by HAEA with concerned gov organs
– Performance based approach with performance
requirements for facilities
– Prescriptive requirements for NM and RM
• Updated safety code
Cyber and information secuirty
Confidentiality
Availability
•
Integrity
•
•
•
•
General security and safety
requirements for
allocation of I&C components and
their cabelling acc to PP zones
one-way direction from vital areas
credibility of input to be checked
availability of systems
interaction cannot hinder safety
functions
WG establishment
• Instead of
– Requesting the NPP to recommend a cyber DBT
• Recognition that computer protection is a joint
safety/security issue
– Very similar threats
– Almost identical protection
– Identical protectors
• WG participation
– HAEA, Police, MVM Electricity Trust, NPP, new-built,
university, experts
• To develop a guideline on
– The protection of programmable systems and
components
Guideline on the protection
requirements for computer systems
• Taking into consideration
–
–
–
–
Lessons learned from IAEA NSS 17
Principles from IEC 62645 Ed.1
Existing safety requirements
Existing security requirements
Guideline on the protection requirements for
computer systems
Graded approach
Classification from safety as well
as from security aspects, then
the more rigorous requirements
shall be applied
Level of protection measures
Guideline on the protection
requirements for computer systems
– Summary about international and domestic recommendations
– Protection policy for programmable systems and components
– Organizational and management aspects, responsibilities
– Inventory of systems (systems, networks, applications and their
interfaces)
– Definition of protection levels
– Protection classification of systems and components
– Risk assessment (threat analysis, vulnerability analysis, risk evaluation)
– Defence in depth principles
– Physical access aspects
– Training and education
Guideline on the protection requirements for
computer systems
• According to the Guideline, nuclear operators
should
– Categorize the computer systems to Level-5,4,3,2
– Analyse the vulnerabilities of existing computer
systems
– Establish additional protection measures (if required)
to meet the safety and security requirements
– Propose a cyber design basis threat
Regulation development
• Based on experience on the application of the guideline
– Issue regulations for the NPP
– Develop regulations and guidance to other
applications where programmable systems and
components are in use
I thank You for your kind attention!
Köszönöm a figyelmet!