
Hungary’s Experience in the Regulation of Cyber and Information Security


Presentation Transcript


  1. Hungary’s Experience in the Regulation of Cyber and Information Security
     presented by Dr. Kristóf Horváth, Deputy Director General, Hungarian Atomic Energy Authority
     Based on the Guideline developed by the WG on Computer Protection

  2. History … 2005-2008
     • Well developed
       • requirements and regulatory system for peaceful applications (NM and RM)
       • radiation protection requirements and regulatory system
       • nuclear safety requirements and regulatory system
       • system for materials out of regulatory control
       • emergency preparedness and response for safety events
     • Ad hoc
       • physical protection requirements
       • physical protection as part of radiation protection and nuclear safety
     • All nuclear-related sensitive information protected as State Secret

  3. International Instruments (the frame) 2005-2008
     • Ratified international conventions:
       • CPPNM
       • Amendment to CPPNM
       • Nuclear terrorism convention
       • Mode-specific transport agreements
     • UN Council resolutions
     • EU regulations and directives
     • IAEA Code of Conduct and Guidance

  4. And then… Fundamental objective (3S, 2009)
     • The fundamental safety-security-safeguards objective of regulatory control:
       • to protect people and the environment
       • from the harmful effects of ionizing radiation (generated by the various applications of atomic energy),
       • without unduly limiting the operation of facilities or the conduct of activities.

  5. Goals of regulatory control 2009
     • To protect people and the environment through
       • Prevention: regulations, licensing, vetting, registration …
       • Detection: inspection, reporting, monitoring …
       • Response: enforcement, contingency/emergency planning
     • Common legal and technical principles to be applied
       • e.g. responsibility, independence …
       • e.g. design basis, graded approach, defence in depth …

  6. New regulations 2009-2011
     • Four-level approach
     • Classification and protection of information
       • Restricted, Confidential, Secret, Top Secret
     • Physical protection governmental decree
       • Based on threat assessment
       • DBT defined by HAEA with the concerned governmental organs
       • Performance-based approach with performance requirements for facilities
       • Prescriptive requirements for NM and RM
     • Updated safety code

  7. Cyber and information security 2011
     General security and safety requirements for
     • allocation of I&C components and their cabling according to PP zones
     • one-way direction of data flow from vital areas
     • credibility of input to be checked
     • availability of systems
     • interaction cannot hinder safety functions
     (Availability, Confidentiality, Integrity)

  8. WG establishment 2012-2013
     • Instead of requesting the NPP to recommend a cyber DBT:
     • Recognition that computer protection is a joint safety/security issue
       • Very similar threats
       • Almost identical protection
       • Identical protectors
     • WG participation
       • HAEA, Police, MVM Electricity Trust, NPP, new-build, university, experts
     • To develop a guideline on
       • The protection of programmable systems and components

  9. Guideline on the protection requirements for computer systems 2013
     • Taking into consideration
       • Lessons learned from IAEA NSS 17
       • Principles from IEC 62645 Ed.1
       • Existing safety requirements
       • Existing security requirements

  10. Guideline on the protection requirements for computer systems 2013
     • Graded approach: systems are classified from the safety aspect as well as from the security aspect, and the more rigorous of the two resulting requirement sets shall be applied
     [Figure: level of protection measures]
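Two of the rules above lend themselves to an automated check over a system inventory: the graded approach of slide 10 (classify from safety and from security, apply the more rigorous) and the one-way-from-vital-areas requirement of slide 7. The script below is an added illustration, not code from the presentation or from the HAEA Guideline. It assumes that among Level-5 … Level-2 the lower number is the more rigorous level, assumes an ordering of physical protection (PP) zones (vital, protected, limited, external), and uses a constructed three-system inventory; none of those specifics come from the slides.

```python
"""Added example: graded classification plus a one-way data-flow check.

Assumptions (not taken from the presentation):
  * Level-2 is the most rigorous protection level, Level-5 the least.
  * PP zones are ranked vital > protected > limited > external.
  * The inventory and interfaces below are constructed sample data.
"""
from dataclasses import dataclass

# Assumed ranking of PP zones, most protected first.
ZONE_RANK = {"vital": 3, "protected": 2, "limited": 1, "external": 0}

# Assumption: lower number means more rigorous requirements.
LEVELS = (5, 4, 3, 2)


def required_level(safety_level: int, security_level: int) -> int:
    """Graded approach: classify from safety and from security,
    then apply the more rigorous (numerically lower) of the two."""
    for lvl in (safety_level, security_level):
        if lvl not in LEVELS:
            raise ValueError(f"unknown protection level {lvl}")
    return min(safety_level, security_level)


@dataclass(frozen=True)
class System:
    name: str
    zone: str            # PP zone the system is allocated to
    safety_level: int    # level derived from the safety classification
    security_level: int  # level derived from the security classification


@dataclass(frozen=True)
class Interface:
    src: str  # sending system
    dst: str  # receiving system


def classify(systems):
    """Map each system name to the protection level it must meet."""
    return {s.name: required_level(s.safety_level, s.security_level)
            for s in systems}


def check_one_way(systems, interfaces):
    """Return every interface that carries data INTO a vital area from a
    less-protected zone; these violate 'one-way direction from vital areas'."""
    by_name = {s.name: s for s in systems}
    findings = []
    for iface in interfaces:
        src, dst = by_name[iface.src], by_name[iface.dst]
        if dst.zone == "vital" and ZONE_RANK[src.zone] < ZONE_RANK["vital"]:
            findings.append(iface)
    return findings


# Constructed sample inventory (hypothetical names).
INVENTORY = [
    System("reactor-protection", "vital", 2, 3),
    System("plant-historian", "protected", 4, 3),
    System("office-reporting", "limited", 5, 5),
]
INTERFACES = [
    Interface("reactor-protection", "plant-historian"),  # outbound: allowed
    Interface("plant-historian", "reactor-protection"),  # inbound to vital: flagged
    Interface("plant-historian", "office-reporting"),    # between lower zones
]


def audit(systems=INVENTORY, interfaces=INTERFACES):
    """Run both checks and return (levels, one-way violations)."""
    return classify(systems), check_one_way(systems, interfaces)


if __name__ == "__main__":
    levels, findings = audit()
    for name, lvl in levels.items():
        print(f"{name:20s} -> Level-{lvl}")
    for f in findings:
        print(f"VIOLATION: {f.src} -> {f.dst} flows into a vital area")
```

The classification step is deliberately `min()` rather than an average: a system that is only Level-4 from the safety side but Level-3 from the security side must meet Level-3, which is the "more rigorous requirements shall be applied" rule stated on the slide.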

  11. Guideline on the protection requirements for computer systems 2013
     • Summary of international and domestic recommendations
     • Protection policy for programmable systems and components
     • Organizational and management aspects, responsibilities
     • Inventory of systems (systems, networks, applications and their interfaces)
     • Definition of protection levels
     • Protection classification of systems and components
     • Risk assessment (threat analysis, vulnerability analysis, risk evaluation)
     • Defence in depth principles
     • Physical access aspects
     • Training and education

  12. Guideline on the protection requirements for computer systems 2013
     • According to the Guideline, nuclear operators should
       • Categorize the computer systems to Level-5, 4, 3, 2
       • Analyse the vulnerabilities of existing computer systems
       • Establish additional protection measures (if required) to meet the safety and security requirements
       • Propose a cyber design basis threat

  13. Regulation development 2013-
     • Based on experience from the application of the guideline
     • Issue regulations for the NPP
     • Develop regulations and guidance for other applications where programmable systems and components are in use

  14. I thank you for your kind attention! Köszönöm a figyelmet! (Thank you for your attention!)
