PREVENTIVE AND PROTECTIVE MEASURES AGAINST INSIDER THREATS

Transcription

1 NUCLEAR SECURITY SERIES NO. XX NST01 DRAFT, November 01 STEP : Submission to MS for comment Interface Document: NSGC, all SSCs PREVENTIVE AND PROTECTIVE MEASURES AGAINST INSIDER THREATS (REVISION OF NUCLEAR SECURITY SERIES NO. ) DRAFT IMPLEMENTING GUIDE INTERNATIONAL ATOMIC ENERGY AGENCY VIENNA, 01X

2 FOREWORD By Yukiya Amano, Director General The IAEA s principal objective under its Statute is to accelerate and enlarge the contribution of atomic energy to peace, health and prosperity throughout the world. Our work involves both preventing the spread of nuclear weapons and ensuring that nuclear technology is made available for peaceful purposes in areas such as health and agriculture. It is essential that all nuclear and other radioactive materials, and the facilities in which they are held, are managed in a safe manner and properly protected against criminal or intentional unauthorized acts. Nuclear security is the responsibility of each individual country, but international cooperation is vital to support States in establishing and maintaining effective nuclear security regimes. The central role of the IAEA in facilitating such cooperation, and providing assistance to States, is well recognized. The Agency s role reflects its broad membership, its mandate, its unique expertise and its long experience of providing technical assistance and specialist, practical guidance to States. Since 00, the IAEA has issued Nuclear Security Series publications to help States to establish effective national nuclear security regimes. These publications complement international legal instruments on nuclear security, such as the Convention on the Physical Protection of Nuclear Material and its Amendment, the International Convention for the Suppression of Acts of Nuclear Terrorism, United Nations Security Council Resolutions 1 and 10, and the Code of Conduct on the Safety and Security of Radioactive Sources. Guidance is developed with the active involvement of experts from IAEA Member States, which ensures that it reflects a consensus on good practices in nuclear security. The IAEA Nuclear Security Guidance Committee, established in March 01 and made up of Member States representatives, reviews and approves draft publications in the Nuclear Security Series as they are developed. The IAEA will continue to work with its Member States to ensure that the benefits of peaceful nuclear technology are made available to improve the health, well-being and prosperity of people world-wide.

3 CONTENTS 1. INTRODUCTION... 1 Background... 1 Objective... 1 Scope... 1 Structure.... CHARACTERIZATION OF INSIDERS... Attributes of insiders... Motivations of insiders... Categories of insider adversaries... Guidance for identifying potential insider threats.... TARGET IDENTIFICATION... Targets for unauthorized removal... Sabotage targets... Protection of systems that contribute to nuclear security.... COMPREHENSIVE MEASURES AGAINST POTENTIAL INSIDER THREATS... General approach... Preventive measures... 1 Management Systems... 1 Computer Systems... 1 Protective measures... 1 Detection... 1 Delay... Response... Contingency plans... Maintenance programme... System recovery.... EVALUATION OF MEASURES... Objectives and overview of the evaluation process... Evaluation of preventive measures... Evaluation of protective measures... Evaluation of measures against collusion between insiders... 1 Evaluation of measures against protracted theft... 1 Evaluation of measures against sabotage REFERENCES... GLOSSARY...

4

5 1. INTRODUCTION BACKGROUND 1.1. The IAEA published an Implementing Guide in 00 on preventive and protective measures against insider threats. Since then, the IAEA has issued Nuclear Security Fundamentals [1] describing the essential elements of a national nuclear security regime and Nuclear Security Recommendations setting out measures that States should take to achieve and maintain an effective national nuclear security regime consistent with the Fundamentals for nuclear material and nuclear facilities []1, for radioactive material and associated facilities [] and for nuclear and other radioactive material out of regulatory control [] or in transport. 1.. All of these publications, as well as guidance in the Nuclear Security Series on other specific aspects of nuclear security [ 1], recognize the particular threat that could be posed by insiders and the need to implement specific measures against the insider threat. This Implementing Guide has been developed to update and revise the guidance provided in the 00 Guide, to ensure that it is consistent with the Nuclear Security Fundamentals and Recommendations published since 00. OBJECTIVE 1.. The objective of this Implementing Guide is to provide updated general guidance to States, and their competent authorities and operators, on implementing recommendations for addressing insider threats, particularly those set out in Ref. [] for nuclear material and nuclear facilities. SCOPE 1.. This Implementing Guide focuses primarily on preventive and protective measures against insider threats in relation to the unauthorized removal of nuclear material and sabotage of nuclear material and facilities, and therefore makes particular reference to the recommendations in Ref. []. The general approaches described in the guidance may also be applied, following a graded approach, to measures against insider threats in relation to radioactive material and associated facilities, materials undergoing transport, as well as to the measures to deal with radioactive material out of regulatory control. 1 The recommendations for nuclear material and nuclear facilities in Ref. [] are also Revision of INFCIRC/, the guidance to Contracting Parties to the Convention on the Physical Protection of Nuclear Material (CPPNM) [] on measures to meet their obligations under the Convention. Revision also includes guidance on how to meet the obligations of Contracting Parties under the amended Convention in the event of the 00 Amendment to the CPPNM [] entering into force. 1

6 This publication applies to any type of nuclear facility, notably nuclear power plants, research reactors and other nuclear fuel cycle facilities (e.g. enrichment plants, reprocessing plants, fuel fabrication plants and storage facilities), whether in construction, operation, shut down or being decommissioned. As indicated above, the general approaches may also be applicable to other facilities and activities For the purposes of this publication insider access to the facility includes three different types: 1) physical access, ) remote computer access, and ) access to or knowledge of sensitive information about the facility. 1.. The preventive and protective measures described in this publication should be implemented in manner that does not affect safety systems. Implementation of this guidance should consider worker radiation protection when implementing this guidance. 1.. Information regarding measures against insider threats, incidents involving malicious insiders and associated lessons learned should be carefully collected by official national organizations to analyse trends, weaknesses and best practices, and if appropriate, share with authorized international agencies. 1.. This publication is a revision of, and supersedes, the Implementing Guide Preventive and Protective Measures against Insider Threats published as Nuclear Security Series No. in 00. STRUCTURE 1.. Sections of this Implementing Guide provide general guidance to States, competent authorities and operators regarding insider threats. Section introduces the concepts of the insider and insider threats, the motivations and other considerations for use in analysing insider actions, and ways to categorize insiders into groups. Section identifies targets and facility systems that need protection from malicious insider activities. Section describes comprehensive preventive and protective measures that can be applied at the facility level to address insider threats. Section discusses the evaluation of the measures introduced in Section CHARACTERIZATION OF INSIDERS.1. An insider is defined in Ref. [] as one or more individuals with authorized access to nuclear facilities or nuclear material in transport who could attempt unauthorized removal or sabotage, or who could aid an external adversary to do so. The definition in Ref. [1] generalizes this to include access to other radioactive material, facilities and activities, and the possibility of committing or facilitating other possible criminal or unauthorized acts, and also specifically includes individuals with authorized access to sensitive information... The term adversary is used in this Implementing Guide to describe an individual or group of individuals performing or attempting to perform a malicious act.

7 Insider adversaries pose a severe threat to a facility because they can exploit their advantages of having authorized access to, authority over, or knowledge about nuclear material, nuclear facilities or associated systems when attempting a malicious act. The insider s advantage may include access to or knowledge of sensitive information or sensitive information assets, including, for example, information regarding transport or movement of nuclear material... The term outsider is used to describe an adversary other than an insider. ATTRIBUTES OF INSIDERS.. A nuclear security system is designed and evaluated against threats posed both by outsiders and insiders. Insider threats possess a unique set of attributes that give them advantages over outsiders in conducting malicious activities. Those advantages include: Access. Insiders by the nature of their position in the organization have access to areas, equipment and information relevant to their work. Access includes physical or remote computer access to nuclear facilities, nuclear materials and associated systems, components and equipment. This may include access to computer systems and networks that control processes, provide safety, contain sensitive information or otherwise contribute to nuclear security. Authority. Insiders have authority to conduct operations in the performance of their assigned duties, and may also have the authority to direct other employees. Such authority may be used to support malicious activities and can include physical acts, but may also include computer activities such as digital file or process manipulation. Knowledge. Insiders may have expert knowledge of the facility or systems, including knowledge enabling them to bypass or defeat dedicated physical protection elements or other facility systems such as safety, nuclear material accounting and control (NMAC), operating measures, procedures and response capabilities... In addition to potential insiders identified through the inherent ability to obtain authorized access, people with no access to a facility or transport operation but with sufficient knowledge and/or authority to conduct a malicious act (e.g. a headquarters manager who issues a counterfeit delivery order to an outside location) should be given specific consideration... Access, authority and knowledge create more opportunities for insiders to select the most vulnerable target and the best time to perform or attempt to perform a malicious act. Insider adversaries might extend a malicious act over a long period of time to maximize the likelihood of success. This could include, for example, tampering with physical protection equipment, safety equipment to prepare for an attempt or act of sabotage, or falsifying accounting records to repeatedly steal small amounts of nuclear material that have less robust protection.

8 1 1 1 MOTIVATIONS OF INSIDERS.. Insiders may have different motivations for their malicious activities. Examples of possible motivations include financial or ideological factors, revenge or ego, and coercion... Sufficient motivation for an individual to become an insider adversary may exist prior to or after access to the facility is obtained. An insider who already has access may develop the motivation to perform a malicious act independently, or as a result of a mental health or medical issue, or may be recruited by another adversary seeking to exploit their access. An insider could be forced to commit a malicious act through coercion (such as threats against his person or family)... An unwitting insider is an insider without motivation who may be exploited without his/her knowledge by another insider or by an outsider to complete or facilitate a malicious action. For example, in a computer-based attack, an insider may not be aware that they are providing information or authenticated access to an adversary, and is therefore unaware of their involvement in the attack... Figure 1 represents the process an insider may follow in committing a malicious act. The algorithm addresses how attributes, motivation and confidence can affect the insider s actions.

9 FIG. 1. Algorithm of a malicious act. CATEGORIES OF INSIDER ADVERSARIES.1. An insider adversary may be categorized as being passive or active, and an active adversary may be violent or non-violent (Figure )..1. A passive insider adversary is characterized by non-violent activity, primarily providing privileged information that could help adversaries to perform a malicious act..1. An active non-violent insider adversary can provide information and/or use stealth and deceit to complete or facilitate a malicious act. The active non-violent insider adversary may attempt an abrupt or protracted theft of nuclear material, or may assist outside adversaries (for example, by

10 disabling or ignoring alarms, or opening doors). Active non-violent insiders would be expected to abandon their actions if there were a high probability of being identified (they may risk detection but not identification)..1. An active violent insider adversary differs from the active non-violent insider only in that the individual is willing to use force against personnel in order to complete or facilitate a malicious act. Insider Passive Active Nonviolent Violent FIG.. Categories of insider adversaries..1. Insiders hold many different positions in an organization (e.g., experimenter, physical protection system designer, system administrator, IT specialist, security guard, material handler, clerk, nuclear material custodian, safeguards officer, operational and maintenance worker or senior manager) and any of these might have the motivation to be an insider adversary. Others not directly employed by the operator but who also have access (such as vendors, emergency personnel such as firefighters and first responders, contractors, subcontractors and inspectors from regulatory bodies or other competent authorities) should also be considered..1. Insider adversaries may therefore have the opportunity to commit a malicious act during normal or abnormal conditions of a facility, maintenance, or transport or movement of nuclear material, and may select the most favourable time to do so..1. Insiders could act independently or in collusion (secret cooperation for an illegal or malicious purpose) with other insiders or outsiders. GUIDANCE FOR IDENTIFYING POTENTIAL INSIDER THREATS.1. The design basis threat is an important tool commonly used as a basis for developing nuclear security systems and measures. A State should consider attributes and characteristics of potential insider adversaries and include them in the design basis threat or threat assessment..0. This section presents guidance for identifying potential insider threats at the facility level. Information on insiders should be provided in the design basis threat or other State-level documents, such as a national threat assessment, as a starting point.

11 When the design basis threat has not been developed for certain areas of nuclear activities with limited potential radiological and proliferation consequences, the measures to protect against insider threats should be based on those proposed in Sections and of this publication... In addition to the information in the design basis threat, information on the facility, nuclear material, and processes or transport operations should be used to identify potential insider threats based on levels of access, authority over others and knowledge that could support performing or facilitating malicious acts... Modern facility systems, including those that contribute to nuclear security, rely on computer controls and networks. These should be protected against cyber attack as set out in Ref. [1] for nuclear material and nuclear facilities and should be considered when identifying potential insider threats. The threat from an external person with approved access to facilities systems through computer networks, must be treated as a potential inside threat... Situations outside the facility or in the vicinity of transport routes, including the general attitude of the community and any presence of organized hostile groups, may also be favourable to insider threats. Any such conditions should also be considered. Special attention should be given to possible connections between hostile groups and individuals with experience in facility operations or with access to the nuclear facility. The operator, through formal relationship with appropriate government agencies, should be made aware of these situations when considering insider threats TARGET IDENTIFICATION.1. Target identification is an evaluation of what needs to be protected, including nuclear material, associated areas, buildings and equipment, components, systems and functions, but does not include consideration of how to provide protection... Guidance on target identification for facilities and for nuclear and radioactive material is provided in Refs [], [] and [1]... Assets that are not themselves considered targets but are critical for the protection of identified targets may also require protection. These are systems that an insider adversary can potentially bypass or compromise in order to complete a malicious act. Examples of these systems may include those for NMAC, physical protection, operations, process control equipment important to safety, and computer systems. TARGETS FOR UNAUTHORIZED REMOVAL.. Nuclear material targets for unauthorized removal should be identified through information or criteria contained in a State-level document. Targets may be grouped in one of three categories (I, II and III) identified in the table Categorization of Nuclear Material in both the CPPNM [] and Ref.

12 []. The categorization is the basis for a graded approach for protection against unauthorized removal of nuclear material that could be used in a nuclear explosive device... To consider all of these, the inventory of all nuclear material at a facility or during movements should be considered. The inventory list should include at a minimum the amount, form, type, responsibility, and location of all nuclear material at the facility or during movement... Potential targets for unauthorized removal of nuclear material by the insider should take into account protracted theft and abrupt theft. Abrupt theft is the unauthorized removal of a quantity of nuclear material during a single event; Protracted theft is the repeated, unauthorized removal of small quantities of nuclear material during several events from either single or multiple locations (possibly of lower categorization). Protracted theft may be accomplished either by removing the nuclear material from the facility with each acquisition, or by the accumulation of the nuclear material in a hidden unauthorized location and later removal from the facility in one attempt... In addition, in identifying the targets for unauthorized removal of nuclear material by insiders, the possibility of an adversary collecting an amount equivalent to a higher category from several locations of lower category should be considered... The insider may choose to use protracted theft of small quantities of nuclear material to stay under the detection limits of systems such as NMAC and physical protection systems. Properties of nuclear material, including physical form, should be considered when determining if protracted theft is reasonable... Theft targets may include sensitive nuclear technology, either physical items or information. SABOTAGE TARGETS.. Sabotage targets at a facility are determined by analysing the potential for the facility s radioactive material inventory, including nuclear material and radioactive sources, to result in unacceptable radiological consequences (URC) or high radiological consequences (HRC). HRC exceed URC and are defined by the State competent authority and may vary from State to State. For HRC it is recommended that vital areas are identified and protected at a higher level, as specified in paras.0. of Ref. []. If the analysis identifies material, equipment, systems, or devices that could directly or indirectly lead to URC or HRC then the material, equipment, systems, and devices must be protected... As specified in Ref. [], the operator should design a physical protection system (nuclear security) that is effective against defined sabotage scenarios (including insider adversaries). The physical protection system developed should be an element of an integrated facility system to prevent

13 the potential consequences of sabotage, taking into account the robustness of engineered safety and operational features..1. The combination of actions (scenarios) to degrade facility components, systems, and equipment that may result in unacceptable or high radiological consequences should be identified as part of the target identification process. PROTECTION OF SYSTEMS THAT CONTRIBUTE TO NUCLEAR SECURITY.1. Protection of systems that contribute to the facility nuclear security system should be considered. The more obvious components are the actual detection elements or systems, which include physical protection systems, NMAC systems, safety and process control systems..1. A complete insider evaluation should consider all aspects of the nuclear security system that could require additional protection from insider activities. The insider has authorized access to the facility and to information about the facility, and therefore can attack other systems or components that may indirectly perpetrate an attack, mask malicious acts or aid an external adversary. Depending on the facility or operation, computers used, for example, for office networks or communication, may be exploited by the insider, for example to acquire sensitive information Nuclear systems that are computer based provide functions that, if attacked, could have an adverse effect on safety, security of nuclear material, or accident mitigation. Cyber attacks may potentially cause safety, safety-related, non-safety systems and security systems to operate in ways that compromise facility safety and security. Computer systems that contained information related to safety or security should undergo a classification and inventory based on risk and potential consequence (e.g., defence in depth) to identify critical computer systems, which may be more vulnerable to an insider malicious act, and the failure of which could cause a nuclear security event..1. Outsiders may target the privileges provided to insiders to access a facility, sensitive information, sensitive information assets, or the facility s networks to facilitate a remote (stand-off attack). For example, a successful cyber attack against an unwitting insider may allow for use of their privileged access to facilitate the outsider s attack. Communication systems may be targeted by insider or with the help of an insider, for example as part of an act of sabotage or theft COMPREHENSIVE MEASURES AGAINST POTENTIAL INSIDER THREATS GENERAL APPROACH.1. The general approach to implementing comprehensive measures against potential insiders is to implement a combination of preventive and protective measures. The term preventive measures is used to describe measures to preclude or remove possible insiders, or to minimize threat opportunities,

14 or to deter or prevent a malicious act from being carried out. The term protective measures is used to describe measures to deter, detect, delay, and respond to malicious acts that are carried out; and to mitigate or minimize their consequences. Protective measures should be coordinated with the overall contingency plans in accordance with agreed procedures... A robust nuclear security culture is an essential aspect in countering the insider and outsider threat. The foundation of nuclear security culture is recognition that a credible threat exists and that nuclear security is important. Personnel that have a role in regulating, managing, or operating nuclear facilities and activities and should be trained to understand their role as part of an important aspect of the nuclear security culture. (For more information on nuclear security culture, see Ref. [])... Nuclear security culture plays a key role in ensuring that individuals, organizations, and institutions remain vigilant and that sustained measures are taken to counter insider threats. The effectiveness of preventive and protective measures against insider threats depends on the behaviours and actions of individuals (For indicators that can be used to evaluate the security culture, see Ref. [1])... Preventive and protective measures may be implemented by the use of technical means, administrative means, or a combination of both... Preventive and protective measures should provide defence in depth, and should be fully integrated into a well-developed nuclear security system. Security system at existing operating facilities may need to be upgraded to meet evolving insider threats... The facility should develop a nuclear security plan as defined in Ref. [] and ensure that it addresses the insider threat. The primary principle of insider threat prevention and mitigation is to incorporate the insider threat as an integral part of planning and evaluation at the facility level, when designing and implementing protection systems... The nuclear security plan, should be used to define how measures are implemented at the nuclear facility including measures to specifically protect against the insider threat for the identified targets and should include the following: Technical measures; 0 1 o o o multiple protection layers, including containment and surveillance fitted with detection and delay, monitoring and hardening of networks and associated devices, technical measures to enforce access control, and Administrative aspects; o o procedures, instructions,

15 o o o o o administrative sanctions, access control rules, two-person rules, confidentiality rules, and administrative checks The plan should also specify how the measures will be evaluated... A robust security system design should include several layers of defence and should effectively and comprehensively integrate the administrative and technical aspects of the preventive and protective measures that insiders would have to overcome or circumvent in order to achieve their objectives. Implementation of the administrative and technical aspects is through documented operating procedures that integrate people and equipment... Technical and administrative aspects against insider threats have traditionally been shaped primarily by physical protection principles. Therefore, it is recommended that information and computer security be considered as a component in the overall security plan and that such a plan addresses the insider threat posed by adversaries with the ability to conduct cyber attacks... For insiders, requirements of preventive and protective measures should be based on a graded approach that takes into account the current defined threat; the relative attractiveness; the characteristics of the nuclear material; and, the potential consequences associated with the unauthorized removal of nuclear material, and sabotage against nuclear material or nuclear facilities... Figure illustrates the steps (represented by the arrows between boxes) for preventive and protective measures against the potential insiders identified in Section. Preventive Measures: (1) Exclude potential insiders by identifying undesirable behaviour or characteristics, which may indicate motivation, prior to allowing them access; () Further exclude potential insiders by identifying undesirable behaviour or characteristics, which may indicate motivation, after they have access; () Minimize opportunities for malicious acts by limiting access, authority and knowledge, and by other measures. Protective Measures: () Detect, delay, and respond to malicious acts; () Mitigate or minimize consequences and locate or recover the material.

16 1 FIG.. Steps for preventive and protective measures against potential insiders..1. Many measures listed in paras.1. can be considered as both preventive and protective measures. Each proposed measure should be considered and taken into account for its preventive or protective characteristics. PREVENTIVE MEASURES.1. The goal of preventive measures is to reduce the number of potential adversaries and to minimize the likelihood of insiders attempting a malicious act. Preventive measures are applied preemployment, during employment, and upon termination. The following are recommended as preventive measures..1. Individuals applying for access should be subject to: (a) Identity verification, to authenticate an individual s identity. This confirms that personal details of the individual in question are correct. National laws may restrict the scope or conduct of identity verification and trustworthiness assessments in a State. The provisions of this Implementing Guide are without prejudice to the legal rights of individuals, including the right to due process, under national and/or international law. 1

17 (b) Personal document verification, to authenticate details of an applicant s work history, educational background and skill set applicability to the work to be performed. Verification and validation of the documents may be accomplished by contacting prior employers, educational institutions and references. (c) Trustworthiness assessment, providing initial and ongoing assessments of an individual s integrity, honesty and reliability in pre-employment checks and checks during employment that are intended to identify the motivation or behaviour of persons who could become insider adversaries. These checks attempt to identify motivational factors such as greed, financial factors, ideological interests, psychological factors, desire for revenge (e.g., due to perceived injustice), physical dependency (e.g., on drugs, alcohol, or sex) and factors due to which an individual could be coerced by outsiders. Such factors might be indicated by a review of criminal records, references, past work history, financial records, social networks, political networks, medical records and psychological examinations or records. The State should determine a trustworthiness policy..1. The following measures should be applied for individuals with authorized access (including access to critical assets or vital areas): (d) Escorting. Persons whose trustworthiness has not been determined (e.g., temporary repair, service or construction workers, and visitors) should be escorted by persons who have authorized, unescorted access. Escorting such people is a way of making sure that they are in the correct location and that they are performing their duties properly. To be effective, the escort should be knowledgeable about their approved activities, including access to specific places and actions they should not perform. (e) Periodic reassessment of trustworthiness. Ongoing trustworthiness assessments should be conducted during employment as some of the behaviours and characteristics of an employee may not have previously been apparent or may change over time. These reviews are of particular interest in the case of temporary employees and workers whose duties may place them close to sensitive targets. The use of random testing for drug use or alcohol use during a work shift should also be considered. The depth of the trustworthiness checks should be graded according to the level of access the individual has (e.g., insiders performing network administration or supervisory activities should require a higher level of trustworthiness). This should include insiders that may facilitate remote access to sensitive information assets. National laws may restrict the scope or conduct of identity verification and trustworthiness assessments in a State. The provisions of this Implementing Guide are without prejudice to the legal rights of individuals, including the right to due process, under national and/or international law. 1

18 (f) Requirements to protect sensitive information. Information on security measures or sensitive targets (e.g., the location of the nuclear material inventory, facility maps or specific drawings of equipment, systems or devices that represent the design features of specific targets, lock combinations, passwords, and mechanical key designs) could help insiders successfully perform a malicious act. This information should be kept confidential so that only those who need to know are permitted access to it. In addition, information addressing potential vulnerabilities in nuclear security systems should be highly protected and compartmentalized, as it could facilitate the unauthorized removal of nuclear material or an act of sabotage. (g) Authorization of access. A documented process for authorizing and revoking access to nuclear facilities, nuclear material, systems or sensitive information should be established and implemented. The process should apply strict need-to-know and need-to-access rules defined for the facility. Individuals should be authorized for unescorted access only to areas that are required to complete assigned work. The number of persons with authorized access to designated areas should be kept to the minimum necessary. (h) Authorization of activities that involve nuclear material. Activities with nuclear material such as processing or transportation should be authorized prior to their occurrence. One example of the use of authorization of activities with nuclear material is the removal of nuclear material from a storage vault for use in processing. Having a written procedure, which specifies who can remove material and when it can be removed from a storage vault and who can authorize that removal gives an auditable trail for each removal. A coordinated and approved daily or weekly schedule of activities also focuses additional attention on any unscheduled activities and helps eliminate opportunities for unauthorized activities, even those by personnel who normally perform those activities. (i) Compartmentalization. Compartmentalization is used to divide areas, duties or information such that one individual does not have sufficient access, authority or knowledge to complete a malicious act. Effective compartmentalization ensures that insiders would have to expend additional efforts to complete a malicious act. 0 1 o Physical areas. Compartmentalizing physical areas ensures that one individual does not have the access to all systems, components and equipment that would enable the individual to complete a malicious act. Every effort should be made to ensure that a single person does not acquire all the necessary access authorizations that would enable such an individual to commit a malicious act. The number of individuals with access to any area requiring protection should be limited. Need-to-access rules should be defined and applied to each compartmentalized area. Additionally, the number of persons empowered to give access authorization to each of the compartmentalized areas should be strictly limited. Need-to-access rules should be reviewed and changed when processes or configurations within the compartmentalized area are changed. 1

19 o o Inspections and performance tests should be performed to ensure procedural adherence to the need-to-access rules. The time of day that an individual accesses an area should also be considered. Segregation of duties. Segregation of duties compartmentalizes the activities of individuals in order to limit an individual s ability to obtain the complete set of capabilities necessary to conduct a malicious act. For example, when authorizing activities, restricting use of special tools and equipment (including computer systems) required for operations or for handling material to only designated individuals under specified conditions. Transfer of such special tools, material, and equipment between areas should also be formalized and should involve more than one person in order to minimize opportunities for unauthorized removal of nuclear material by insider adversaries. Segregation of duties includes applying the principle of least privilege to computer systems. The principle of least privilege means assigning an individual only those privileges that are essential to that individual s work. Information. Compartmentalizing information means dividing information into separately controlled parts and enforcing access control measures by administrative and technical means to prevent insiders from collecting all the information necessary to attempt a malicious act. Special attention should be paid to electronic information. Need-to-know rules that are defined for sensitive information should be used when compartmentalizing information (j) Standard operating procedures. A standard operating procedure (SOP) is a written instruction that directs recurring tasks according to approved specifications in order to produce a required outcome. SOPs are useful in mitigating possible malicious insider acts because they provide a baseline of predetermined activities from which deviations in procedure can be more readily detected and challenged by other employees or managers. (k) Security awareness raising and training. Implementing a strong security awareness programme for staff and contractors contributes to an ongoing security culture within the organization and is an effective measure against the insider threat. A strong security awareness programme requires clear security policies, the enforcement of security practices and continuous training. The purpose of the training programme is to establish an environment in which all employees are mindful of security policies and procedures, so that they can aid in detecting and reporting inappropriate behaviour or acts. The training programme should include methods to evaluate security awareness, training effectiveness, and processes for continuous improvement or retraining including methods and indications associated with cyber attacks. (l) Everyone, irrespective of their role or function, should be aware of the threats and potential consequences of malicious acts and of their own role in reducing the risks and in developing a 1

20 comprehensive and effective security framework. Security awareness programmes should also provide for measures to reduce risks of blackmail, coercion, extortion or other threats to employees and their families, and should promote the reporting of such coercions or attempts thereof to the security management. Finally, security awareness programmes should be developed in a coordinated manner with safety awareness programmes in order to establish effective and complementary safety and security cultures. It is important for management to ensure that security awareness of the insider threat is fully integrated into the overall facility nuclear security culture. (m) Investigation of incidents of security concern. Incidents of security concern are any incidents that occur at a facility that are related to violations or irregularities associated with security policies, procedures, or systems. A programme of investigating these incidents by a facility to determine potential impacts, cause, and extent of condition will help the facility develop corrective actions and can be a preventive measure for insider threats. Some incidents may be caused by an insider threat as a precursor to a malicious event to prepare for the event or to test the system. Investigating these incidents may act as a deterrent and may identify personnel who pose a potential threat to the facility. (n) Employee satisfaction and rewards. Good relations among workers and between management and workers should be given due consideration and should be part of the security culture. Managers should be trained to identify and raise any concerns about an employee s behaviour with an appropriate person, (e.g., a senior manager, security manager, or human resource adviser). Rewards and recognition are an important part of maintaining and increasing employee morale and loyalty. Assistance to employees who are in difficult situations (financial, medical, and psychological) may be considered. Employee health and fitness for duty programs may also be considered. (o) Sanctions (disciplinary actions and prosecution). It is important that potential insiders be aware that deliberate violation of laws and regulations or the instructions of the operator may be sanctioned. The certainty of disciplinary action and prosecution may deter insiders from committing malicious acts. In addition, requiring operators to inform the competent authority of every malicious act or attempt would provide, after proper evaluation, a basis for feedback to other operators and for a possible need for updating regulatory requirements. (p) On termination of an individual s position or employment, that individual s access (including computer access) and authority should be cancelled. Termination procedures should be established, which should include measures such as revoking physical access, invoking a nondisclosure agreement to protect sensitive information, changing encryption keys, passwords, ciphers and monitoring information. 1

21 Management Systems.1. Quality assurance is an element of a satisfactory nuclear security programme. The quality assurance policy and programmes for nuclear security should ensure that a nuclear security system is designed, implemented, operated, inspected, and maintained in a condition capable of effectively responding to the insider adversary based on the threat assessment or design basis threat and the State s regulations..1. Quality assurance programmes should ensure that nuclear security systems designed to a performance-based approach have adequate supporting documentation for effectiveness. This is particularly important when establishing compensatory measures and implementing justifying corrective actions..1. Implementation of preventive and protective measures may be implemented through standard operating procedures. SOPs minimize variation and promote quality through consistent implementation of a process within an organization, even if there are personnel changes. SOPs can also encourage compliance with organizational and governmental requirements, as they provide written documentation that can be compared with actual activities at facility..1. Quality assurance should require configuration management of the nuclear security systems to ensure continuity of these systems and understanding the potential consequences when changes are made. Computer Systems.0. Escorting, and quality assurance will not provide sufficient protection for computer and network systems. For example, third parties and vendors may have physical access during development, and logical access during all lifecycle stages to sensitive information and assets..1. An acceptable use of computer-based systems policy should be defined. This policy may include the approved use of assets, set forth employee expectations in regards to monitoring that use, provide training, and explicitly identify unapproved actions on computing systems. The use of technical measures to enforce or enhance the systems policy should be considered. For example, define a social media policy and provide training on the use of social media in target identification for cyber adversaries (unwitting insider)... Information security includes protection of the integrity, availability, authenticity, nonrepudiation and confidentiality of sensitive information. It uses physical, technical and administrative controls to accomplish these tasks. 1

22 PROTECTIVE MEASURES.. The purpose of protective measures is to detect, delay, and respond to malicious acts after their initiation by the insider. When designing and implementing protective measures, efforts should be made to ensure that these measures are supportive of and do not have an adverse effect on plant operations and safety. In case of conflict, particularly with safety measures, a solution must be reached in which the overall risk to the workers and the public is minimized. The following items are recommended as protective measures. They include physical protection systems, operations systems, safety systems, information security and NMAC, which can be used in combination to aid in protecting against malicious acts by insiders. These measures should be applied using a graded approach for identified targets, including nuclear material, nuclear facilities, and other areas identified with targets that contribute to nuclear security. Detection.. Detection (for both the insider and outsider adversaries) is a process that begins with sensing a potentially malicious or otherwise unauthorized act and is completed with the assessment of the cause of the alarm. Provision should be made for timely detection of unauthorized or suspicious acts... Detection of insider malicious acts is heavily dependent on personnel monitoring systems, network monitoring controls, inspecting system activity logs, and observing activities. To be effective, the monitoring, inspecting, and observation require the personnel performing these duties to be authorized and trained in established procedures, and have the knowledge and means to immediately report suspected malicious acts or suspicious activity. Policies and procedures should be implemented which ensure employees receive no repercussions for reporting malicious acts or suspicious activity... Assessing an insider action may be difficult and may require time to analyse data or perform an investigation. Investigation may include review of recorded videos, network monitoring data, inspection of access logs, review of measurement NMAC data, or performing emergency inventories. Correct assessment of an insider malicious act is heavily dependent on personnel performing analysis and investigation. When analysis or investigation is required for assessment, the time between sensing and assessment directly affects the ability to respond to a malicious act in a timely manner... Procedures for reporting malicious acts or potential malicious acts should be established to ensure timely communication to the appropriate entity... It is very important to detect and investigate actions that may be in the preparatory or exploratory phase. This may include detecting and monitoring attempts to bypass procedures (such as bringing prohibited items into an area); entering areas where the person is not authorized (attempting to enter through an emergency door or other possible path); causing some alarm and then observing 1

23 the time and nature of the response; or attempting to gain access to information which is not granted to them... Detecting the insider requires identifying facility specific protective measures that are designed to identify (sense), correctly assess, and report potential insider malicious acts or preparatory acts..0. In the case of outsiders, detection measures focus on detecting penetration of protective layers by adversaries. Detection of malicious acts committed by insiders is more difficult. Insiders may have authorized access or be able to bypass or defeat many physical protection and NMAC measures. However, many (multiple and diverse) elements of the physical protection and NMAC systems may be implemented to specifically address sensing of potential insider malicious actions and provide information for correct assessment. A comprehensive assessment of possible insider activities should combine the investigation of all sensing provided by different measures to ensure that signals which individually might seem meaningless or insignificant but when combined are indications of malicious activity are not missed Access control.1. Monitoring access is an element of a robust access control system that provides protection by defining and preventing unauthorized access for personnel and vehicles to nuclear material, systems, and equipment. Potential insider malicious acts may be identified when monitoring or inspecting access logs of physical locations and computer systems for irregularities or suspicious events. Inspections of logs may identify events such as unscheduled vault access, a failed PIN or biometric for an authorized badge, or entry attempts by unauthorized individuals. Once identified, the irregularity or suspicious event can be assessed as a potential malicious act... If appropriately recorded, access control records can be used during the investigation of a malicious act to determine a list of possible suspects. Requests for authorized access to security areas, or systems relevant to safety or security, whether approved or disapproved, should also be reviewed and inspected to identify potential insider malicious activity... Strict access control rules and the process for authorizing and revoking access to nuclear material, equipment used for processing or handling nuclear material, or data about nuclear material or systems relevant to safety or security should be established and documented. Procedures should be developed to provide instructions on authorization to access nuclear material areas and actions required to control nuclear material in routine and non-routine situations as well as actual or simulated emergency situations. Examples of access control rules apply to provisions for manual systems (control and disseminate keys and combinations) and electronic systems (printing badges, enrolling PINs and biometrics, and control of locks). 1