october 24 – november 11, 2016 albuquerque, new … · october 24 – november 11, 2016...
TRANSCRIPT
The Twenty-Sixth International Training Course
Page 1
25 – Preventive & Protective Measures Against the Insider Threat
25. Preventive and Protective Measures against the Insider Threat
October 24 – November 11, 2016Albuquerque, New Mexico, USA
Joel Lewis
Measures Against Insider Threat
Object ives
• Define the insider threat
• Define insider targets and associated special considerations
• Describe specific measures that may be implemented for prevention of and protecting against insiders
2
The Twenty-Sixth International Training Course
Page 2
25 – Preventive & Protective Measures Against the Insider Threat
Measures Against Insider Threat
Fundamental Pr inc ip le G: Threat
“When considering the threat, due attention should be paid to insiders. They could take advantage of their access rights, complemented by their authority and knowledge, to bypass dedicated physical protection elements or other provisions, such as safety procedures.” [NSS No. 13, 3.36]
The physical protection system is complemented by cyber security and nuclear material accountancy and control measures (NMAC) to deter and detect the theft or sabotage of nuclear material by an insider.
NSS 13 defines insiders as “One or more individuals with authorized access to nuclear facilities or nuclear material in transport who could attempt unauthorized removal or sabotage, or who could aid an external adversary to do so.”
3
IAEA Nuclear Secur i ty Ser ies No. 8
The objective of this Implementing Guide is to provide updated general guidance to States, and their competent authorities, and operators, on selecting, implementing, and evaluating measures for addressing defined insider threats.
4
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 3
25 – Preventive & Protective Measures Against the Insider Threat
Breakdown of Inc idents f romJanuary 1993 to 31 December 2014
• 2727 confirmed incidents have been reported to the ITDB
• 442 incidents involved unauthorized possession and related criminal activity (illegal possession, movement, or attempts to illegally trade in or use nuclear or radioactive sources) 16 of the 442 incidents involved HEU or plutonium
• 714 incidents were reported involving the theft or loss of nuclear and other radioactive material
• 1519 incidents involved other unauthorized activities including unauthorized disposal of radioactive materials or discovery of uncontrolled sources
5
Measures Against Insider Threat
Ins ider Categor ies
Internally motivated
orExternally coerced
Insider
Passive
Active
Non‐Violent
Violent
Measures Against Insider Threat
6
The Twenty-Sixth International Training Course
Page 4
25 – Preventive & Protective Measures Against the Insider Threat
Ins ider Categor ies (cont ’d.)Passive• No action, transmit information
Active• Non-violent
• Uses stealth and deceit, not force, against personnel• Willing to use covert force against barriers and hardware• Aborts if detected and confronted while in the act or is
in danger of being identified• Violent
• Willing to use force against personnel
Measures Against Insider Threat
7
Ins ider Mot ivat ions
• Ideological Fanatical conviction Political conviction
• Financial – wants/needs
• Revenge/Embarrassment – disgruntled employee or customer
• Ego – “Look what I am smart enough to do”
• Psychological – Mentally unstable
• Coercion – Family or self threatened
• Unwitting – Exploited without his/her awareness
Measures Against Insider Threat
8
The Twenty-Sixth International Training Course
Page 5
25 – Preventive & Protective Measures Against the Insider Threat
Opportuni ty
Access
Authority
Knowledge
Insider
Opportunity
Measures Against Insider Threat
9
Ins ider Access Attr ibutes
• Authorized work areas – physical access• Unauthorized access (easy to obtain?)
Special temporary access Escorted or unescorted (restrictions on insider during access) Emergency access (fire, medical, police)
• Access to target Duration of target exposure Conditions of target during insider access
• Access to databases and systems – cyber access (e.g., design information, accounting information)
• Equipment (e.g., physical protection systems, NMAC systems, safety systems, process systems)
Measures Against Insider Threat
10
The Twenty-Sixth International Training Course
Page 6
25 – Preventive & Protective Measures Against the Insider Threat
Ins ider Author i ty Attr ibutes
• Authority over people Designated authority over others Personal influence over others
• Authority over tasks and equipment Assessment of alarms Preparation of sensitive forms Authorization of processes and procedures
• Temporary authority• Falsified authority• Exemption from procedures
Measures Against Insider Threat
11
Ins ider Knowledge Attr ibutes
• Locations, characteristics, and details of targets
• Details of facility layout May be obtained from records kept outside the facility
• Security system operations and vulnerabilities
• Processes, procedures, and operations
• Safety and radiation protection systems
• Available tools and equipment
Measures Against Insider Threat
12
The Twenty-Sixth International Training Course
Page 7
25 – Preventive & Protective Measures Against the Insider Threat
Potent ia l for Mal ic ious Act
Insider Motivations
Insider Opportunity
Potential Malicious
Act=Ideological
Financial Revenge
Ego Psychological
CoercionUnwitting
+
Access Authority
Knowledge
Measures Against Insider Threat
13
Target Character i za t ion – Unauthor i zed Remova l
• Identify all nuclear material to protect against unauthorized removal. Consider:
Abrupt unauthorized removal (bulk material or discrete items)• Abrupt theft can be described as the unauthorized removal of a large
quantity of nuclear material during a single event.
Protracted unauthorized removal (bulk or process materials)• Protracted theft can be described as the repeated unauthorized removal of
small quantities of nuclear material during several events. – One possibility is that the material may be removed from the facility each time it
is taken. – Another possibility is that the material may be moved into a hidden cache (roll-up)
for removal from the facility in one event.
Roll-up can be described as the accumulation of small amounts of material possibly from different locations
Measures Against Insider Threat
14
The Twenty-Sixth International Training Course
Page 8
25 – Preventive & Protective Measures Against the Insider Threat
Target Character izat ion – Sabotage
• Nuclear materials• Process or support equipment needed to prevent
radiological consequences
15
Measures Against Insider Threat
Protect ion of Fac i l i ty Systems
• Facility system which contribute to Nuclear Security systems can be used by an insider to indirectly perpetrate attacks, aid an external adversary, or mask unauthorized removal or sabotage acts and may include:
Physical Protection Systems
NMAC Systems
Safety and Process Control Systems
• Less obvious is the information provided by or about the detection elements or systems: PPS design information, vulnerability assessment information Radiation portal monitor or metal detector limits Physical inventory schedule, accounting information, inventory
difference limits
Measures Against Insider Threat
16
The Twenty-Sixth International Training Course
Page 9
25 – Preventive & Protective Measures Against the Insider Threat
Ins ider Threat Case Study
• Theft of HEU at the Luch Scientific Production Association, Podolsk, Russia
17
Measures Against Insider Threat
Research Methodology
• Case studies provide a very good source to illustrate that malicious acts by insiders have occurred.
• Throughout the course I will present case studies that are based on independent research from outside the IAEA.
• This case study was derived purely from open sources including peer-reviewed academic articles, news reports and government testimony and statements by subject matter experts (SMEs). Minor variations in different accounts, reconciled as much as
possible.• Wider contextual information on the nuclear security situation
in FSU in the early 1990s has also been included.
18
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 10
25 – Preventive & Protective Measures Against the Insider Threat
Overv iew
• Facility: Luch Scientific Production Association, Podolsk (40km South West of Moscow), Russia
• Date: Late May to early September 1992• Incident: Theft of weapons-grade highly enriched
uranium (HEU) – 90% 235U• Perpetrator: Leonid Smirnov, Luch Scientific Production
Association• Impact: Approximately 1.5 kg was stolen and later
recovered (first documented theft of HEU from a nuclear facility in the FSU)
19
Measures Against Insider Threat
Prof i le – Leonid Smirnov
• Had worked at Luch Scientific Production Association for over 25 years: Chemical engineer working on nuclear reactors for
Soviet space programme Major role: Dispense HEU to research teams
• Intended to sell HEU for financial gain, ‘to buy a new stove and refrigerator’: Does not appear to have had a buyer in mind, planned
to sell to firms in Moscow, thought he’d have ‘no trouble selling it’
20
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 11
25 – Preventive & Protective Measures Against the Insider Threat
Inc ident T imel ine
• Early 1990s dissolution of Soviet Union: Reduction in working conditions, wages for nuclear FSU
scientists, & hyper inflation => Financial hardship
• Smirnov apparently became aware of the potential value of HEU via reading an article in a Russian newspaper article: “I read an article on someone stealing 1200 grams of uranium…
The idea flashed through my mind… why can’t I do the same? ”
21
Measures Against Insider Threat
Inc ident T imel ine (cont ’d.)
• May 1992 – He started removing small quantities (25-70 grams) of HEU as UO2 powder, while his colleagues were out of the room: Siphoned off ~1% of the 3% ‘irretrievable loss’ 20 to 25 diversions over a 5-month period
• Stored the HEU at his home on his balcony in a lead container
22
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 12
25 – Preventive & Protective Measures Against the Insider Threat
Inc ident T imel ine (cont ’d.)
• 9th October 1992 – arrested at Podolsk Railroad Terminal with most of the HEU concealed in three lead cylinders within a briefcase: Apprehended purely by chance, having bumped into neighbours
being followed by police for stealing batteries from their factory Was planning to travel to Moscow to sell the HEU
• March 1993 – Tried, found guilty of stealing and storing nuclear material and sentenced to three years probation
23
Measures Against Insider Threat
Ins ider Attr ibutes – Smirnov
• Access: HIGH: Hands on access to HEU
• Authority: LOW: But didn’t need the support of anyone else
• Knowledge: HIGH: Knew properties of HEU, understood weakness
of NMAC and wider security systems
24
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 13
25 – Preventive & Protective Measures Against the Insider Threat
Secur i ty System Fai lures
• Weak nuclear material accounting and control (NMAC): Process allowed for a 3% ‘irretrievable loss’ Missing 1.5 kg didn’t show in balance books Not a weakness unique to Luch:
• In 1992 employees of Chepetsk Mechanical Plant in Glazov, Russia exploited 4% allowed inventory loss to diverted LEU
• No remote visual surveillance or ‘two-person’ rule• No nuclear material detection system:
No detection devices (e.g., portal monitors) at facility doors, checkpoints etc.
No bag searching upon entrance and exit
25
Measures Against Insider Threat
References
• Zaitseva, Lyudmila and Kevin Hand, “Nuclear Smuggling Chains: Suppliers, Intermediaries, and End-Users,” American Behavioral Scientist Vol. 46, No. 6, p. 825 (2003)
• Potter, William C. (1996), “Nuclear Leakage from the Post-Soviet Nuclear States,” Oral Presentation before the Permanent Subcommittee on Investigations US Senate Committee on Governmental Affairs, available via http://www.bu.edu/globalbeat/pubs/papers/w_potter.html (13th March 1996)
• Sam Roe, “Trafficking in stolen nuclear material on the rise,” Chicago Tribune, http://articles.chicagotribune.com/2002-01-31/news/0201310215_1_nuclear-materials-nuclear-device-nuclear-weapon(31st January 2002)
• Transcript of interview with Leonid Smirnov, Public Broadcasting Service, http://www.pbs.org/wgbh/pages/frontline/shows/nukes/stuff/script.html(November 1996)
26
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 14
25 – Preventive & Protective Measures Against the Insider Threat
Prevent ion vs. Protect ion
Prevention:1. Exclude potential insiders by identifying undesirable behavior or
characteristics, which may indicate motivation prior to allowing them access;
2. Exclude further potential insiders by identifying undesirable behavior or characteristics, which may indicate motivation after they have access;
3. Minimize opportunities for malicious acts by limiting access, authority, and knowledge, and by other measures.
Protection:1. Detect, delay, and respond to malicious acts;2. Mitigate or minimize consequences.
27
Measures Against Insider Threat
IndividualsApplyingforAccess
IndividualswithAuthorizedAccess
IndividualswithAccess toCriticalAssets orVitalAreas
Insi
der
Initi
ates
Act
Insi
der
Initi
ates
Act
Minimize OpportunityMinimize Opportunity
Act
Com
plet
ed
or I
nter
rupt
edAct
Com
plet
ed
or I
nter
rupt
ed
Detect, Delay, ResponseDetect, Delay, Response
MitigationMitigation
Apply Preventive Measures
Apply Protective Measures
Number of People
Further reduce the number of potential insidersFurther reduce the number of potential insiders
Reduce the number of potential insidersReduce the number of potential insiders
Measures against Ins iders
28
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 15
25 – Preventive & Protective Measures Against the Insider Threat
Exclude the Potent ia l Ins ider
• Filter potential Insiders before they have authorized access to a site Examples of Pre-employment – Hiring Process
• Identity verification• Work history to determine past work practices• References to identify possible undesirable behaviours• Background checks to identify criminal activity• Credit checks to evaluate financial situation• Drug screening to identify substance abuse
Deterrence effect
29
Measures Against Insider Threat
IndividualsApplyingforAccess
IndividualswithAuthorizedAccess
IndividualswithAccess toCriticalAssets orVitalAreas
Insi
der
Initi
ates
Act
Insi
der
Initi
ates
Act
Minimize OpportunityMinimize Opportunity
Act
Com
plet
ed o
r In
terr
upte
d
Act
Com
plet
ed o
r In
terr
upte
d
Detect, Delay, ResponseDetect, Delay, Response
MitigationMitigation
Apply Preventive Measures
Apply Protective Measures
Number of People
Further reduce the number of potential insidersFurther reduce the number of potential insiders
Reduce the number of potential insidersReduce the number of potential insiders
Measures against Ins iders
30
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 16
25 – Preventive & Protective Measures Against the Insider Threat
• After an individual has authorized access to the site measures can include:
Exc lude Further Potent ia l Ins iders
• Employee evaluations including periodic background checks
• Trustworthiness programs
• Nuclear Security Culture
• Continuous observation programs
• Employee satisfaction programs
• Protection of sensitive information
• Authorization/revocation of access
• Compartmentalization
• Adherence to standard operation procedures
• Sanctions
• Quality Assurance programs
Measures Against Insider Threat
31
IndividualsApplyingforAccess
IndividualswithAuthorizedAccess
IndividualswithAccess toCriticalAssets orVitalAreas
Insi
der
Initi
ates
Act
Insi
der
Initi
ates
Act
Minimize OpportunityMinimize Opportunity
Act
Com
plet
ed
or I
nter
rupt
edAct
Com
plet
ed
or I
nter
rupt
ed
Detect, Delay, ResponseDetect, Delay, Response
MitigationMitigation
Apply Preventive Measures
Apply Protective Measures
Number of People
Further reduce the number of potential insidersFurther reduce the number of potential insiders
Reduce the number of potential insidersReduce the number of potential insiders
Measures against Ins iders
32
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 17
25 – Preventive & Protective Measures Against the Insider Threat
Physical Compartmentalization
• Limit individual access (need-to-know rule) and limit persons empowered to give access authorization
Escorting and Surveillance
• Knowledgeable escorts protect against unapproved access or actions for visitors or other personnel who do not have authorized access
Confidentiality (security of information)
• Protect information (need to know) that could be exploited by an insider: Location and condition of sensitive targets Shipping schedule Critical elements of system design
Min imize Opportuni ty
Measures Against Insider Threat
33
Quality Assurance
• Provide confidence that specific requirements for all activities important for the prevention and protection against the insider are satisfied
Separation of Duties
• Check and balances to ensure that one person does not have sufficient access, authority, and knowledge to conduct malicious activities without detection Example: work order authorized by a supervisor is required and
verified by security before two operators can access a vault to remove material for processing
Min imize Opportuni ty (cont ’d.)
Measures Against Insider Threat
34
The Twenty-Sixth International Training Course
Page 18
25 – Preventive & Protective Measures Against the Insider Threat
IndividualsApplyingforAccess
IndividualswithAuthorizedAccess
IndividualswithAccess toCriticalAssets orVitalAreas
Insi
der
Initi
ates
Act
Insi
der
Initi
ates
Act
Minimize OpportunityMinimize Opportunity
Act
Com
plet
ed
or I
nter
rupt
edAct
Com
plet
ed
or I
nter
rupt
ed
Detect, Delay, ResponseDetect, Delay, Response
MitigationMitigation
Apply Preventive Measures
Apply Protective Measures
Number of People
Further reduce the number of potential insidersFurther reduce the number of potential insiders
Reduce the number of potential insidersReduce the number of potential insiders
Measures against Ins iders
35
Measures Against Insider Threat
• The malicious insider may pick the most opportune time for their actions, therefore, a continuous timeline or order of actions may not be applicable Detection is possible only after
initiation of malicious action Detection may be a function of the
number of events Actions may be extended over long
periods of time if not detected
• Detection may be by personnel (e.g. guards, co-workers) or system (e.g., protection, operations, or safety alarms)
Detect ion of Ins ider Act ions
Measures Against Insider Threat
36
The Twenty-Sixth International Training Course
Page 19
25 – Preventive & Protective Measures Against the Insider Threat
• A malicious Insider tries to minimize detection using: Deceit and stealth rather than force Plausible deniability to prevent correct
assessment
• A malicious Insider may: Test the protection system with “normal
mistakes” prior to initiating malicious act Take advantage of tools at their work
location
• Correct assessment may be difficult and may require analysis or investigation
Detect ion of Ins ider Act ions (cont.)
Measures Against Insider Threat
37
• Physical Protection System Entry and Exit control Surveillance
• NMAC System Material Control Material Accounting
• Operations System Observation by personnel Operational process alarms
• Safety System Criticality/fire alarms Safety inspections
Examples of Detect ion Systems
Measures Against Insider Threat
38
The Twenty-Sixth International Training Course
Page 20
25 – Preventive & Protective Measures Against the Insider Threat
• Material Accounting – detects abnormalities in amounts of material through: • Item and bulk inventories
• Material measurements and characterization, including weight and isotope content
• Ensuring measurement accuracy and precision goals
• Accurate accounting records and documentation
Detect ion – NMAC System
Measures Against Insider Threat
39
Material Control – tracks material movement and maintains continuity of knowledge of nuclear material by implementing administrative and technical measures, such as:
• Strict procedures for nuclear material movements
• Periodic administrative checks to detect gross anomalies
• Tags and seals (e.g., TIDs)
• Tie Downs
• Two-person rule
Detect ion – NMAC System (cont ’d.)
Measures Against Insider Threat
40
The Twenty-Sixth International Training Course
Page 21
25 – Preventive & Protective Measures Against the Insider Threat
NMAC Detects I r regu lar i t ies That Requ i re a Response or Invest igat ion
TIME
Scheduled Inventory
Scheduled Inventory
Violation of two-person
rule
Unauthorized entry
Disabled Portal Monitor
Broken TID
Errors in Accounting
Reports
Suspicious Admin Check
Emergency Inventory
Investigateand Respond
Investigateand Respond
Investigateand Respond
Investigateand Respond
Investigateand Respond
Investigateand Respond
Measures Against Insider Threat
41
Process Information• Can be used to detect small anomalies in material
accounting• Should be analyzed to determine what information
could be used to detect abrupt or protracted theft Identified information should be shared with the Security
System Alarm generated with this information should be
investigated in a timely manner
Detect ion – Operat ions System
Measures Against Insider Threat
42
The Twenty-Sixth International Training Course
Page 22
25 – Preventive & Protective Measures Against the Insider Threat
• Investigate safety alarms that could indicate malicious activity in a timely manner Certain alarm conditions, including activation of passive safety
systems*, should be reported immediately to security
Identify such alarms and establish a procedure for reporting
* Independent of human actions
Detect ion – Safety System
Measures Against Insider Threat
43
De lay – Ins ider
The purpose of delay for insiders is to complicate their tasks, increase the time required to complete the task and provide additional opportunities for detection
• May be provided by Personnel Procedural Physical Barriers
• Barriers requiring contraband items or special skills to defeat close to equipment or material are more effective Multiple layers of different physical or procedural barriers
requiring different resources, logistics, training, tools and skills
44
Measures Against Insider Threat
The Twenty-Sixth International Training Course
Page 23
25 – Preventive & Protective Measures Against the Insider Threat
Response
• Every employee and contractor should be trained to: To detect a malicious act Transmit the alarm according to specified procedures Protect self and facility Reverse, mitigate or minimize a malicious act
• Response is complicated by the fact that the insider may not be identified
• Response procedures should assume response personnel may be an insider
45
Measures Against Insider Threat
Cyber Ins ider ThreatThe cyber insider threat may include:
Indirectly perpetrating a physical attack Masking malicious acts Aiding an external adversary Destruction, disclosure, or modification of data Denial of service
• Potential cyber insiders include SystemAdministrators, Maintenance Personnel, Operators,Developers/Integrators
• Specific preventive and protective measures against the cyber insider include: Identification and authentication (credential) Password protection Event logging and auditing Mitigation and recovery - redundancy, backup, and recovery procedures Establishing media devices, such as USB devices, as contraband
Measures Against Insider Threat
46
The Twenty-Sixth International Training Course
Page 24
25 – Preventive & Protective Measures Against the Insider Threat
Summary
• The external adversary is not the only threat that should be considered. The insider could take advantage of authorized access complemented by authority and knowledge to commit a malicious act
• Both preventive and protective measures are required to develop an effective nuclear security system against the insider threat
47
Measures Against Insider Threat