
IAEA Nuclear Security Programme

IAEA Nuclear Security Programme. Enhancing cybersecurity in nuclear infrastructure TWG-NPPIC – IAEA May 09 – A. Cavina (IAEA-NSNS). IAEA and Nuclear Security. Office of Nuclear Security was created (2002) to address the urgent threats posed by the changing geopolitical situation


Presentation Transcript


  1. IAEA Nuclear Security Programme: Enhancing cybersecurity in nuclear infrastructure. TWG-NPPIC – IAEA May 09 – A. Cavina (IAEA-NSNS)

  2. IAEA and Nuclear Security
     • Office of Nuclear Security was created (2002) to address the urgent threats posed by the changing geopolitical situation
     • The Nuclear Security programme has been one of the fastest growing programmes in the IAEA
     • Current budget €15-20m/year
     • Focus on prevention, detection and response to malicious acts (sabotage, insider threat, theft...)
     • About 50 staff

  3. Interplay within Nuclear Security
     • NUCLEAR SECURITY FRAMEWORK: Conventions; Laws & regulations; Regulatory bodies; Law enforcement; Threat assessment; Accounting and control; Guidance; Prevention; Detection/response; Coordination; Security culture
     • TARGETS: Nuclear weapons; Nuclear material; Radioactive material; Nuclear facilities; Transports; Transits; Technology; Cyberspace; Sensitive information
     • THREATS: Terrorists; Criminal organizations; Non-state factions

  4. IAEA - Improving Nuclear Security
     • Promoting international instruments and their implementation
     • Developing recommendations and guidelines
     • Providing evaluation and advisory services
     • Providing education and training – human resource development
     • Providing technical improvements and upgrades
     • Coordinating Member States and the global effort towards Nuclear Security

  5. Nuclear Security & Cybersecurity
     • Cyber is a relative newcomer in an established culture of (physical) security
     • Two documents in the Nuclear Security Series (to be published 2009, available in draft version)
     • A series of training courses on offer, from awareness to technical issues
     • A pilot Security Assessment Service at facilities
     • Coordination & cooperation with national authorities (regulators & operators)

  6. The history: Computer Security at Nuclear Facilities
     • Work started in 2003!!
     • Has been the object of 4 CMs and 1 TM
     • Has been widely reviewed
     • Will be published later in 2009

  7. Why an IAEA CompSec document? Global reasons:
     • Attackers focus on critical infrastructure (existing examples of sabotage / extortion), new attention to SCADA systems as targets
     • Relevant legislation and regulations of the field are lagging behind
     • Not all national infrastructures have recognized and standardized the issue
     • Existing international guidance is not industry specific and fails to capture some of the key issues
     • No existing IAEA document specifically addresses the field

  8. Why an IAEA CompSec document? Technological reasons:
     • Increased presence of digital I&C systems in the design of new (and old) NPPs and the corresponding introduction of new and unknown vulnerabilities
     • Increased interconnection and reliance of Physical Protection systems on computerized systems (alarms, access control,...)
     • Increased request for connection of Extranet, Intranet (Business) and Control networks

  9. Approaches: Responsibilities
     • Ensuring continuity and thoroughness in the implementation of security through levels of responsibility
     • Connecting the levels and the relevant expertise
     • Regulating cybersecurity in all critical infrastructure

  10. App. II: Threat identification
     • Threats of either stand-alone attacks or coordinated attacks including the use of computer systems should be incorporated into DBT (Design Basis Threat) scenarios
     • An adequate process of intelligence gathering is required to ensure the completeness and relevance of each facility’s attacker matrix
     • Likewise sensitive assets and their vulnerabilities should be identified and assessed

  11. App. III: People issue
     • No technological solution will replace the security provided by well trained personnel
     • Security awareness should start at the very highest level
     • Direct reporting lines for Security responsibilities!

  12. GRADED APPROACH TO COMPUTER SECURITY
     • The security of CS to be based on a graded approach
     • The assignment of CS to different levels and zones should be based on their relevance to safety and security
     • The risk assessment process should be allowed to feed back into and influence the graded approach

  13. Special considerations for Nuclear Facilities
     • Facility lifetime phases and modes of operation
     • Differences between IT systems and control systems
     • Demand for additional connectivity and related consequences
     • Considerations on software updates/patching
     • Secure design and specifications for computer systems
     • Third party/vendor access control procedure

  14. With many thanks...
     Andrea Cavina, Office of Nuclear Security, International Atomic Energy Agency
     A.Cavina@iaea.org, +43-1-2600-26637
     http://www-ns.iaea.org/security/
