Post on 31-Mar-2015
IAEA International Atomic Energy Agency
IAEA Office of Nuclear Security’s Initiatives in Cyber and Information Security
Khammar Mrabit, Director
Office of Nuclear Security
IAEA
IAEA Role
Ministerial Declaration
We, Ministers of the Member States of the International Atomic Energy Agency (IAEA),...:
Recognize the IAEA’s efforts to raise awareness of the growing threat of cyber-attacks and their potential impact on nuclear security, and encourage the IAEA to make further efforts to foster international cooperation and to assist States, upon request, in this area through the establishment of appropriate guidance and by providing for its application.
Computer and Information Security
The Computer and Information Security programme is focused on preventing computer acts that could directly or indirectly lead to:
a. unauthorized removal of nuclear/other radioactive material
b. sabotage against nuclear material or nuclear facilities
c. theft of nuclear sensitive information
New Targets
Control and Instrumentation System
Mobile Computing Devices
International Instruments
• FUNDAMENTAL PRINCIPLE G: Threat
The State’s PP should be based on the State’s current evaluation of the threat.
• FUNDAMENTAL PRINCIPLE I: Defence in Depth
The State’s requirements for PP should reflect a concept of several layers and methods of protection (structural or other technical, personnel and organizational) that have to be overcome or circumvented by an adversary in order to achieve his objectives.
• FUNDAMENTAL PRINCIPLE L: Confidentiality
The State should establish requirements for protecting the confidentiality of information, the unauthorized disclosure of which could compromise the physical protection of nuclear material and nuclear facilities.
International Instruments
Protection of computer systems associated with Other Radioactive Materials
Such systems may include:
• Inventory systems/records
• Physical access control
• Security monitoring
• Operational
• Calibration
• Border monitoring
Nuclear Security Fundamentals (NSS 20)
• Provide for the establishment of regulations and requirements for protecting the confidentiality of sensitive information and for protecting sensitive information assets;
• Ensuring through appropriate arrangements that sensitive information or other information exchanged in confidence is adequately and appropriately protected.
• Routinely performing assurance activities to identify and address issues and factors that may affect the capacity to provide adequate nuclear security, including cyber security, at all times.
Current Technical Guidance
NSS17 Computer Security at Nuclear Facilities
The objective of the document is to provide guidelines to personnel designing, implementing, and managing Instrumentation and Control (I&C) and Information systems and networks at nuclear facilities.
The guidance addresses prevention and detection of potential attacks through reference to best practices in architecture, assurance and management of security information and I&C systems.
Guidance published and in Draft
Fundamentals (objectives, concepts, principles):
• NSS No. 20 Objective and Essential Elements of a State’s Nuclear Security Regime
Recommendations:
• NSS No. 13 Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5)
• NSS No. 14 Nuclear Security Recommendations on Radioactive Material and Associated Facilities
Implementing Guides:
• NSS XXX Information Security: Protection and Confidentiality of Sensitive Information in Nuclear Security
Technical Guidance:
• NSS 17 Computer Security for Nuclear Facilities
• Other areas: Conducting Computer Security Assessments; Computer Security of Nuclear I&C Systems; Computer Incident Response
Proposed Additional Guidance
• Nuclear Security Recommendations or Implementing Guide for Computer Security?
• Computer Security Systems and Measures for Nuclear Facilities (implementing guide)?
• Computer Security Practices for Nuclear Facilities (Technical Guide)?
These documents are designed to build a top-to-bottom framework to support Member States, Competent Authorities, and nuclear organizations in developing and conducting assurance activities for computer security.
The development of these documents will be discussed at the next Nuclear Security Guidance Committee Meeting in October.
International Physical Protection Advisory Service (IPPAS)
New Information and Computer Security Review conducted during IPPAS Missions to:
2012 - Netherlands, Finland, Romania
2013 - Laboratories in Seibersdorf, Hungary
Convergence of Physical Protection and Cyber Security
Training Activities
The request for awareness and advanced training by Member States continues to grow. This trend will only continue.
[Figure: Training Events per year, 2007-2014, including projected events]
Primary Training Courses
1. Basic Information and Computer Security Awareness
2. Conducting Cyber Security Assessments
3. Advanced Course in Information and Computer Security
4. Professional Development Course for Nuclear Security Professionals
Requests are currently in place for 2014. Estimate a sustained 6-9 courses per year.
2015 Cyber Security Conferences
IAEA International Conference on Cyber Security:
“Nuclear Security in a Computer World: Prevention, Detection and Resistance to Emerging Cyber Threats”
8-12 June 2015
Cyber Security User’s Group
IAEA’s information portal for cyber security:
https://nusec.iaea.org/portal/UserGroups/CyberSecurity/CyberSecurityOverview/tabid/503/Default.aspx
Questions
Thank you