IAEA Division of Nuclear Security

Transcription

1 IAEA Division of Nuclear Security Computer Security Activities Overview Donald Dudenhoeffer 25 May 2017

2 Computer and Information Security The Division of Nuclear Security (NSNS) seeks to support Member States in enhancing their computer security with their nuclear security regime. Focused on preventing malicious computer acts that could directly or indirectly lead to: unauthorized removal of nuclear/ other radioactive material sabotage against nuclear material or nuclear facilities theft of sensitive nuclear information 2

3 Protection of Sensitive Information Convention on the Physical Protection of Nuclear Material (CPPNM) Amendment Fundamental Principle L: Confidentiality The State should establish requirements for protecting the confidentiality of information, the unauthorized disclosure of which could compromise the physical protection of nuclear material and nuclear facilities. Entered into force on 8 May

4 IAEA Basis - Computer Security Nuclear Security Series No 13 (INFCIRC/225/Revision 5) Computer based systems used for physical protection, nuclear safety, and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment or design basis threat. 4

5 Future Activities 2017 Action Areas NSS guidance development (NST057, NST045, NST047) Computer security support for advisory missions Coordinated research programme (continuation) Computer security regulation models and lessons learned Computer security for the supply chain Regional and national level capacity development (training and education support) 2018 and Beyond International Training Course on Computer Security (2 week ITC) International Conference on Computer Security (2020) Computer security assurance and evaluation activities (exercises, metrics, etc. ) Regional and national level capacity development distance learning and information exchange 5

6 Information and Computer Security for Nuclear Security IAEA Publications: Nuclear Security Series Documents & Others NSS 20 Objective and essential of a State s nuclear security regime NSS Recommendations NSS 13 Nuclear Material and Nuclear Facilities NSS 14 - Radioactive Material and Associated Facilities NSS 15 Nuclear and other Radioactive MORC NSS Computer Security Implementing Guides NSS 23-G - Security of Nuclear Information (2012) NST045 (2017 est) - Computer Security for Nuclear Security NSS Computer Security Technical Guides NSS 17 - Computer Security Nuclear Facilities (2011) NST047 (2018 est) Computer Security Techniques for Nuclear Facilities NST036 (Completed Print 2016) Computer Security for I&C Systems at Nuclear Facilities Application in Grade Approach Application in Grade Approach Application in Grade Approach Documents Outside Nuclear Security Series Conducting Computer Security Assessments (2016) Incident Response Planning for Computer Security Events (2016) 6

7 Completed MS Review NST 045 Computer Security for Nuclear Security Implementing Level Guidance NST045 spans NSS13, 14, and 15 Focuses on computer security responsibilities across competent authorities, operators, and other entities in a nuclear security regime. Status in 120 Day MS Review

8 Sensitive Digital Assets

9 MS Review Q NST047 Computer Security Techniques for Nuclear Facilities Technical Guidance Focus is NSS13 (Nuclear Facilities) Interfaces with NST045 and NST036 Follows lifecycle of facility Provides guidance on: Use of risk-informed approaches Implementation of graded approach Assignment of any system type to a specific security level Status Submitted to NSCG for 120 Day Review Approval

10 Computer Security Training Primary Training Courses 1. Basic Information and Computer Security Awareness 2. Conducting Computer Security Assessments (new 2013) 3. Advanced Course in Information and Computer Security (new 2014) 4. Computer Security for Nuclear Industrial Control Security (ICS) and Instrumentation and Control (I&C) Systems (2016) 5. International Training Course on Computer Security (2 week ITC) (Proposed for 2018) 10

11 Cyber Security User s Group IAEA s information portal for cyber security 11

12 2017 IAEA Security Conference International Conference on Physical Protection of Nuclear Materials and Nuclear Facilities November 2017, IAEA HQ Purpose - To foster the exchange, among competent authorities, facility operators, shippers and carriers, and technical support organizations, of information, practices and experiences related to the physical protection of nuclear material and facilities, including nuclear material in transport. > Technical Session on Computer Security Conference website: www-pub.iaea.org/iaeameetings/50819/international-conference-on-physical-protection-of-nuclear-material-and-nuclear-facilities 12

13 Questions Donald D. Dudenhoeffer Nuclear Security Information Officer International Atomic Energy Agency Vienna International Centre A-1400 Wien Austria Tel: +43 (1) Fax: +43 (1)