View
222
Download
2
Category
Tags:
Preview:
Citation preview
Cyber and Information Security from a Regulatory Viewpoint
Cyber Security for Nuclear Newcomer States
1
Senior Regulators’ MeetingInternational Atomic Energy Agency
Vienna, Austria19 September 2013
Dr. Farouk EltawilaChief Scientist
Federal Authority for Nuclear Regulation
Presentation Outline
The Nuclear Energy Policy of the UAEInternational Commitments and CooperationCooperation with the IAEALicensing the First NPP in the UAECyber Security Regulatory FrameworkNational Allocation of ResourcesInformation SecurityCyber SecurityConclusion
2
UAE Policy on the Evaluation and Potential Development of Peaceful Nuclear Energy
Complete operational transparencyHighest standards of non-proliferationHighest standards of safety and securityClose cooperation with the IAEAPartnership with governments and firms of responsible nationsLong-term sustainability
3
The UAE Concluded all Relevant International Agreements
Convention on Nuclear SafetyJoint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste ManagementConventions on Early Notification and AssistanceVienna Convention on Civil Liability for Nuclear DamageConvention on Physical Protection of Nuclear Material (and CPPNM Amendment)Comprehensive Safeguards Agreement with IAEAAdditional protocol to the Safeguards Agreement
4
Cooperation with IAEA
The UAE Nuclear Law codified the essential principles and priorities in the Nuclear PolicyImplementation of safety, security, safeguards regulation (3S)Use of IAEA guidance− Milestones in the Development of a National
Nuclear Infrastructure− Safety Standards − Security SeriesTechnical Cooperation Programme− Workshops, training, technical assistancePeer review and expert missions− INIR, IRRS, siting review…
5
Construction Licence Application/License
Preliminary Safety Analysis Report − 21 Chapters and supplements and
addenda covering Safety, Security and Safeguards
Physical Protection Plan for constructionPreliminary Safeguards PlanPreliminary Probabilistic Safety Assessment Report SummarySevere Accident Analysis ReportAircraft Impact Analysis ReportConstruction Licence for Barakah Units1 & 2 (July 17, 2012)Application received (February 2013) for construction of Barakah Units 3&4
7
General Principles of Cyber Security Regime
Fundamental Principle A: The responsibility for establishment, implementation, and maintenance of a Physical Protection Regime within the State rests entirely with the StateNational allocation of responsibilitiesEstablish a Cyber Security Regulatory Framework
─ Realistic, proportionate, and flexible to implement requirementsIncluding cyber security threats in the physical DBT
─ Cyber threat is continually changing─ Sustained attacks can go without detectionMaintain skilled cyber security workforceEngagement of senior leadership in cyber security risk management
─ Identifying, Protecting, Detecting, Responding, and Recovering from cyber security events– Capitalize on built-in safety measures (DiD, Diversity, …)– Cyber security measures and safety measures should not compromise one another– Provide Cyber Security awareness and training to all users– Combating insiders threats using technical, administrative, and physical measures.– Managing supply chain risk and other dependencies
8
NSS 17
National Allocation of ResponsibilitiesIn the early planning stages, the UAE government identified key competent authorities and their responsibilities
Nuclear Law; Federal Law by Decree No 6 of 2009 Concerning Peaceful Uses of Nuclear Energy
─ Established FANR; provided the legal framework for Safety, Security, Safeguards (3S)
─ Establish and maintain a state system of accounting for and control of nuclear material
─ Establishment, implementation, and maintenance of an effective, sustainable nuclear security infrastructure• Allows for other competent authorities in the State to provide security to vital facilities
─ Determine Civil and criminal penalties • unauthorized disclosure of information that affects the Physical Protection System• any act that breaches the provisions of the International Convention for the Suppression of
Acts of Nuclear Terrorism─ Cooperation with authorities with relevant responsibilities
» Critical Infrastructure and Coastal Protection Authority (CICPA), » National Electronic Security Authority (NESA),» National Crisis Emergency Management Authority (NCEMA), » UAE Telecommunications Regulatory Authority (Computer Emergency Response Team
(CIRT), etc.9
Performance ObjectivesHigh assurance that critical digital assets (CDAs)are protected against cyber attacks Safety and security are implemented in integrated manner so as one does not adversely impact the otherCDAs are treated as vital equipment that if failed or destroyed could lead to core / spent fuel damage
− located within double barriers of the Physical Protection Program ; − controlled access− included within target set as elements, and − included within security guard surveillance rounds
Capitalize on facility design and operation− Defence-in-depth, diversity, redundancy− Measures to mitigate the consequences of accidents and failures
Cyber security features included in safety systems should be developed and qualified to the same level as the systems they reside in
10
Physical Protection/Cyber Security RegulationIAEA Recommended Requirements
FANR Security Regulation conforms with IAEA INFCIRC/225Revision5 (NSS13)Requires operator to establish and maintain a Cyber Security Plan as part of the Physical Protection Plan to ensure that− Computer based systems used for physical protection, nuclear safety,
emergency response, and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment)
Implementation DocumentsFANR Regulation (REG-008) & Regulatory Guide (RG 011)
IAEA Security Series (NSS 17)
USNRC Regulatory Guide 5.71− National Institute of Standards and Technology—Cyber Security Framework− Nuclear Energy Institute Guidance NEI 10-04− World Institute of Nuclear Security (Security of IT and IC Systems at Nuclear
Facilities)
11
ENEC Cyber Activities
MoU
CICPA LawCICPA Law
- Classified DBT was established by CICPA
- Training and exchange of Expertise.
- Ease of Access to FANR’s & IAEA’s Inspectors.
- Inspections (joint / separate).
12
(Roles and Responsibilities)Implementation of FANR-REG-08
FANR FederalLaw
FANR FederalLaw
FANRImplementing
Regulations
FANRImplementing
Regulations
CICPA CommandMandated
Critical Infrastructre Protection
CICPA CommandMandated
Critical Infrastructre Protection
FANR regulatoryactivities
FANR regulatoryactivities
CICPA’s Nuclear Physical
Protection Department
CICPA’s Nuclear Physical
Protection Department
Design & Implementaion
of PPP
Design & Implementaion
of PPP
FANR Review & Approval
of PPP
FANR Review & Approval
of PPP
NESA
Protection of Information and Information Systems
State’s RoleImplement a resilient IT infrastructure and cyber security Issued Federal Law by Decree “On Combating Cybercrime” Established:− The National Electronic Security Authority (NESA) for Reducing Cyber Risks to
critical infrastructure • Organize the protection of the communication network and information
systems in the UAE• Set network security standards• Supervise their execution
− Established the UAE Telecommunications Regulatory Authority Computer Emergency Response Team (CERT) for detecting and preventing
cyber-crime and safeguard critical national computer infrastructure
Using a graded protection, “State Security” determines the trustworthiness policy, with consideration of UAE laws, regulations, and job requirements
13
Protection of Information and Information Systems
FANR’s RoleIssued (in collaboration with CICPA) Information Protection Programme Operating Manual
Operator’s RoleProtect against unauthorised access to sensitive nuclear information and cyber intrusion of digital computer systems, communication systems and networks
─ important to the safety and operation of the facility─ support the physical protection system,─ emergency planning and communication
Selection and implementation of Security Controls:─ To protect the confidentiality, integrity, and availability of
information system, and the information processed, stored, and transmitted by those systems; and
─ To mitigate the risk of using information and information systems to achieve the desired or required level of assurance
14
Cyber Security
FANR’s RoleIssues regulatory requirement to
─ Improve security─ Increase reliability and resiliency in the delivery of services critical
to cyber security─ Non prescriptive ; encourage more innovation and effective
solution─ Ensure compliance and enforcement─ Prevent unauthorised access to computer systems or
communications equipmentOperator’s Role
Establish/maintain Cyber Security Plan:─ Prevent unauthorised access to computer systems ─ Response and reconstitution of critical infrastructure ─ Combating insiders threats using technical, administrative, and
physical measures. 15
Cyber Security Plan Critical Digital Assets
Safety – related and important-to-safety functionsSecurity FunctionsEmergency Preparedness functions, including offsite communication functions and networksInformation technology functionsMaterial Accounting and Control functionsSupport systems and equipment that, if compromised, would adversely impact safety, security, or emergency preparedness functions
Physical ProtectionCritical Digital Assets should reside in a configuration that includes multiple layers of physical protectionAccess (Physical and Remote)
System IntegrityUnauthorized entry detectionVirus/malware detectionUser roles and responsibilities (Designated Authority and separation of duties)CompartmentalizationUse of wireless and portable computing devices
Incident Response and MitigationDetectionCorrectingRestoration (continuity of operation)
16
WWW
Defence-in-depth architecture
17
Level-2 • Owner Controlled Area• Real Time Supervisory
Level-1 • Corporate Accessible Area• Technical Data Management,
Gateway that Enforces Security Policy G
G
G
G
G
Network Intrusion Detection & Prevention
The State should incorporate a defence-in-depth strategy (which is fundamental to safety of nuclear facility) requiring multiple layers of physical protection of nuclear material and facilities
(INFCIRC/225/Revision 5)
Identification of Critical Systems and Critical Digital Assets(Source—USNRC RG 5.71, Cyber Security Programme)
18
Incident response team should communicate, whenever appropriate, with outside parties•Law enforcement •ISP•Vendor of venerable software•Other incident response team•Establish policy and procedures regarding information sharing
19
Cyber Incident Response Team-Source NIST 800-61Rev 2
• Establishing and training an incident response team
• Develop Implementation Plan• Develop Incident Response Policy• Detection of security breach• Restore and resume system operation• Issue report about steps to be taken to
prevent future incident• Preservation of evidence
Preparation, detection and analysis, response, containment and eradication, recovery, and follow-up
Concluding RemarksUAE established comprehensive legal & regulatory framework to regulate the nuclear sector conforming to IAEA standards/guidanceCyber threat is real; continually changing
− UAE is committed to high standards of safety & security− Maintaining strong safety and security culture− Incorporation of cyber element(s) in the DBT allows for a
comprehensive, holistic assessments of all threatsNuclear facilities employ:
− “DiD” protective strategies; make them resilient to cyber attacks R− Rredundant and diverse capabilities to detect, prevent, respond
to, and recover from cyber attacks; make them invulnerable to the failure of a single protective strategy
Measures to defend against cyber threats must be appropriate, proportionate, and flexible to implementIAEA Nuclear Security Series and implementation guides are important to member states, particularly new entrants
20
Recommended