
Senior Regulators’ Meeting International Atomic Energy Agency Vienna, Austria 19 September 2013

Cyber and Information Security from a Regulatory Viewpoint: Cyber Security for Nuclear Newcomer States. Dr. Farouk Eltawila, Chief Scientist, Federal Authority for Nuclear Regulation. Senior Regulators’ Meeting, International Atomic Energy Agency, Vienna, Austria, 19 September 2013.




Presentation Transcript


  1. Cyber and Information Security from a Regulatory Viewpoint: Cyber Security for Nuclear Newcomer States
     Dr. Farouk Eltawila, Chief Scientist, Federal Authority for Nuclear Regulation
     Senior Regulators’ Meeting, International Atomic Energy Agency, Vienna, Austria, 19 September 2013

  2. Presentation Outline
     • The Nuclear Energy Policy of the UAE
     • International Commitments and Cooperation
     • Cooperation with the IAEA
     • Licensing the First NPP in the UAE
     • Cyber Security Regulatory Framework
     • National Allocation of Resources
     • Information Security
     • Cyber Security
     • Conclusion

  3. UAE Policy on the Evaluation and Potential Development of Peaceful Nuclear Energy
     • Complete operational transparency
     • Highest standards of non-proliferation
     • Highest standards of safety and security
     • Close cooperation with the IAEA
     • Partnership with governments and firms of responsible nations
     • Long-term sustainability

  4. The UAE Concluded all Relevant International Agreements
     • Convention on Nuclear Safety
     • Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management
     • Conventions on Early Notification and Assistance
     • Vienna Convention on Civil Liability for Nuclear Damage
     • Convention on Physical Protection of Nuclear Material (and CPPNM Amendment)
     • Comprehensive Safeguards Agreement with IAEA
     • Additional Protocol to the Safeguards Agreement

  5. Cooperation with IAEA
     • The UAE Nuclear Law codified the essential principles and priorities in the Nuclear Policy
     • Implementation of safety, security, safeguards regulation (3S)
     • Use of IAEA guidance:
       • Milestones in the Development of a National Nuclear Infrastructure
       • Safety Standards
       • Security Series
     • Technical Cooperation Programme: workshops, training, technical assistance
     • Peer review and expert missions: INIR, IRRS, siting review…

  6. FANR Organisation (organisation chart not reproduced in the transcript; the chart labels IAG/NSR)

  7. Construction Licence Application/Licence
     • Preliminary Safety Analysis Report: 21 chapters plus supplements and addenda covering Safety, Security and Safeguards
     • Physical Protection Plan for construction
     • Preliminary Safeguards Plan
     • Preliminary Probabilistic Safety Assessment Report
     • Summary Severe Accident Analysis Report
     • Aircraft Impact Analysis Report
     • Construction Licence for Barakah Units 1 & 2 (July 17, 2012)
     • Application received (February 2013) for construction of Barakah Units 3 & 4

  8. General Principles of Cyber Security Regime (NSS 17)
     • Fundamental Principle A: The responsibility for establishment, implementation, and maintenance of a Physical Protection Regime within the State rests entirely with the State
     • National allocation of responsibilities
     • Establish a Cyber Security Regulatory Framework
       • Realistic, proportionate, and flexible to implement requirements
       • Including cyber security threats in the physical DBT
     • Cyber threat is continually changing
       • Sustained attacks can go without detection
       • Maintain skilled cyber security workforce
     • Engagement of senior leadership in cyber security risk management
     • Identifying, protecting, detecting, responding to, and recovering from cyber security events
     • Capitalize on built-in safety measures (DiD, diversity, …)
       • Cyber security measures and safety measures should not compromise one another
     • Provide cyber security awareness and training to all users
     • Combating insider threats using technical, administrative, and physical measures
     • Managing supply chain risk and other dependencies

  9. National Allocation of Responsibilities
     • In the early planning stages, the UAE government identified key competent authorities and their responsibilities
     • Nuclear Law: Federal Law by Decree No 6 of 2009 Concerning Peaceful Uses of Nuclear Energy
       • Established FANR; provided the legal framework for Safety, Security, Safeguards (3S)
       • Establish and maintain a state system of accounting for and control of nuclear material
       • Establishment, implementation, and maintenance of an effective, sustainable nuclear security infrastructure
       • Allows for other competent authorities in the State to provide security to vital facilities
       • Determine civil and criminal penalties for:
         • unauthorized disclosure of information that affects the Physical Protection System
         • any act that breaches the provisions of the International Convention for the Suppression of Acts of Nuclear Terrorism
     • Cooperation with authorities with relevant responsibilities:
       • Critical Infrastructure and Coastal Protection Authority (CICPA)
       • National Electronic Security Authority (NESA)
       • National Crisis Emergency Management Authority (NCEMA)
       • UAE Telecommunications Regulatory Authority (Computer Emergency Response Team (CIRT)), etc.

  10. Performance Objectives
     • High assurance that critical digital assets (CDAs) are protected against cyber attacks
     • Safety and security are implemented in an integrated manner so that one does not adversely impact the other
     • CDAs are treated as vital equipment that, if failed or destroyed, could lead to core / spent fuel damage:
       • located within double barriers of the Physical Protection Program; controlled access
       • included within the target set as elements
       • included within security guard surveillance rounds
     • Capitalize on facility design and operation:
       • Defence-in-depth, diversity, redundancy
       • Measures to mitigate the consequences of accidents and failures
     • Cyber security features included in safety systems should be developed and qualified to the same level as the systems they reside in

  11. Physical Protection/Cyber Security Regulation: IAEA Recommended Requirements
     • FANR Security Regulation conforms with IAEA INFCIRC/225/Revision 5 (NSS 13)
     • Requires the operator to establish and maintain a Cyber Security Plan as part of the Physical Protection Plan, to ensure that computer-based systems used for physical protection, nuclear safety, emergency response, and nuclear material accountancy and control are protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment
     • Implementation Documents:
       • FANR Regulation (REG-008) & Regulatory Guide (RG 011)
       • IAEA Security Series (NSS 17)
       • USNRC Regulatory Guide 5.71
       • National Institute of Standards and Technology: Cyber Security Framework
       • Nuclear Energy Institute Guidance NEI 10-04
       • World Institute of Nuclear Security (Security of IT and IC Systems at Nuclear Facilities)

  12. Implementation of FANR-REG-08 (Roles and Responsibilities)
     (Diagram, not reproduced in the transcript: FANR Federal Law and CICPA Law linked by an MoU; FANR Implementing Regulations alongside CICPA Command-Mandated Critical Infrastructure Protection; FANR regulatory activities and Review & Approval of the PPP; CICPA’s Nuclear Physical Protection Department; NESA; ENEC cyber activities and Design & Implementation of the PPP)
     • Classified DBT was established by CICPA
     • Training and exchange of expertise
     • Ease of access for FANR’s and IAEA’s inspectors
     • Inspections (joint / separate)

  13. Protection of Information and Information Systems: State’s Role
     • Implement a resilient IT infrastructure and cyber security
     • Issued Federal Law by Decree “On Combating Cybercrime”
     • Established the National Electronic Security Authority (NESA) for reducing cyber risks to critical infrastructure:
       • Organize the protection of the communication network and information systems in the UAE
       • Set network security standards
       • Supervise their execution
     • Established the UAE Telecommunications Regulatory Authority Computer Emergency Response Team (CERT) for detecting and preventing cyber-crime and safeguarding critical national computer infrastructure
     • Using graded protection, “State Security” determines the trustworthiness policy, with consideration of UAE laws, regulations, and job requirements

  14. Protection of Information and Information Systems
     • FANR’s Role
       • Issued (in collaboration with CICPA) the Information Protection Programme Operating Manual
     • Operator’s Role
       • Protect against unauthorised access to sensitive nuclear information and cyber intrusion of digital computer systems, communication systems and networks that are:
         • important to the safety and operation of the facility
         • supporting the physical protection system
         • used for emergency planning and communication
       • Selection and implementation of Security Controls:
         • To protect the confidentiality, integrity, and availability of information systems, and the information processed, stored, and transmitted by those systems; and
         • To mitigate the risk of using information and information systems to achieve the desired or required level of assurance

  15. Cyber Security
     • FANR’s Role
       • Issues regulatory requirements to:
         • Improve security
         • Increase reliability and resiliency in the delivery of services critical to cyber security
         • Be non-prescriptive; encourage more innovation and effective solutions
       • Ensure compliance and enforcement
       • Prevent unauthorised access to computer systems or communications equipment
     • Operator’s Role
       • Establish/maintain Cyber Security Plan:
         • Prevent unauthorised access to computer systems
         • Response and reconstitution of critical infrastructure
         • Combating insider threats using technical, administrative, and physical measures

  16. Cyber Security Plan
     • Critical Digital Assets
       • Safety-related and important-to-safety functions
       • Security functions
       • Emergency Preparedness functions, including offsite communication functions and networks
       • Information technology functions
       • Material Accounting and Control functions
       • Support systems and equipment that, if compromised, would adversely impact safety, security, or emergency preparedness functions
     • Physical Protection
       • Critical Digital Assets should reside in a configuration that includes multiple layers of physical protection
     • Access (physical and remote)
     • System Integrity
       • Unauthorized entry detection
       • Virus/malware detection
       • User roles and responsibilities (Designated Authority and separation of duties)
       • Compartmentalization
       • Use of wireless and portable computing devices
     • Incident Response and Mitigation
       • Detection
       • Correcting
       • Restoration (continuity of operation)

  17. Defence-in-depth architecture
     (Diagram, not reproduced in the transcript: WWW → Network Intrusion Detection & Prevention → G → Corporate Accessible Area (Technical Data Management, Level-1) → G → Owner Controlled Area (Real Time Supervisory, Level-2) → G; where G = Gateway that enforces security policy)
     • The State should incorporate a defence-in-depth strategy (which is fundamental to safety of a nuclear facility) requiring multiple layers of physical protection of nuclear material and facilities (INFCIRC/225/Revision 5)
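The slide's layered architecture (external network, corporate area at Level-1, owner-controlled real-time area at Level-2, with a policy-enforcing gateway on each boundary) can be checked rather than just drawn. The following Python script is an added example, not part of the presentation or of any FANR, ENEC or IAEA material: it encodes an assumed zone policy (a flow may cross only one boundary at a time, must traverse the gateway for that boundary, and may be initiated from the less trusted side only over an explicitly allow-listed conduit) and audits a set of constructed flow records against it. The zone names, gateway identifiers, the `key=value` record format and the allow-list entries are all assumptions made for the example.

```python
"""Zone-boundary policy audit for a layered (defence-in-depth) plant network.

Added example; the zones, gateway ids, record format and policy are
assumptions for illustration, not taken from the presentation.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed zone levels, following the slide: 0 = WWW / external,
# 1 = corporate accessible area, 2 = owner controlled (real-time supervisory).
ZONE_LEVEL = {"external": 0, "corporate": 1, "supervisory": 2}

# Assumed id of the policy-enforcing gateway ("G") on each adjacent boundary.
BOUNDARY_GATEWAY = {(0, 1): "gw-ext-corp", (1, 2): "gw-corp-sup"}

# Assumed allow-list of conduits that may be initiated from the less trusted
# side of a boundary: (source zone, destination zone, destination port).
INBOUND_EXCEPTIONS = {
    ("external", "corporate", 443),     # public web front end in the corporate area
    ("corporate", "supervisory", 8443),  # corporate client pulling from a read-only replica
}


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    via: Optional[str]  # gateway the session traversed; None if it went direct


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record (not a real log format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    via = fields.get("via", "none")
    return Flow(fields["src"], fields["dst"], int(fields["dport"]),
                None if via == "none" else via)


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow under the assumed zone policy."""
    s, d = ZONE_LEVEL[flow.src_zone], ZONE_LEVEL[flow.dst_zone]
    if s == d:
        return True, "intra-zone"
    if abs(s - d) > 1:
        # Level 0 must never reach Level 2 directly; traffic is staged through Level 1.
        return False, "crosses more than one boundary; must be staged through the intermediate level"
    expected_gw = BOUNDARY_GATEWAY[(min(s, d), max(s, d))]
    if flow.via != expected_gw:
        return False, f"bypasses boundary gateway {expected_gw}"
    if s < d and (flow.src_zone, flow.dst_zone, flow.dst_port) not in INBOUND_EXCEPTIONS:
        # Sessions towards the more trusted zone need an explicit conduit.
        return False, "initiated from less trusted zone without an allow-listed conduit"
    return True, "permitted via gateway"


def audit(lines: list[str]) -> list[tuple[str, bool, str]]:
    """Evaluate every record and return (record, allowed, reason) triples."""
    return [(line, *evaluate(parse_flow(line))) for line in lines]


# Constructed sample records for the demonstration.
SAMPLE_FLOWS = [
    "src=external dst=corporate dport=443 via=gw-ext-corp",
    "src=corporate dst=supervisory dport=8443 via=gw-corp-sup",
    "src=corporate dst=supervisory dport=22 via=gw-corp-sup",
    "src=supervisory dst=corporate dport=1433 via=gw-corp-sup",
    "src=supervisory dst=corporate dport=1433 via=none",
    "src=external dst=supervisory dport=502 via=gw-corp-sup",
    "src=supervisory dst=supervisory dport=502 via=none",
]

if __name__ == "__main__":
    for line, allowed, reason in audit(SAMPLE_FLOWS):
        print(f"{'ALLOW' if allowed else 'DENY':5} {line}  -- {reason}")
```

Each denial names the layer of the architecture it violates, which is what a reviewer checking firewall or flow-log exports against the declared zone model wants to see; the same function can be run over exported flow records once `parse_flow` is replaced by a parser for the real format.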

  18. Identification of Critical Systems and Critical Digital Assets (Source: USNRC RG 5.71, Cyber Security Programme; flowchart not reproduced in the transcript)

  19. Cyber Incident Response Team (Source: NIST SP 800-61 Rev 2)
     • Preparation, detection and analysis, response, containment and eradication, recovery, and follow-up
     • Incident response team should communicate, whenever appropriate, with outside parties:
       • Law enforcement
       • ISP
       • Vendor of vulnerable software
       • Other incident response teams
     • Establish policy and procedures regarding information sharing
     • Establishing and training an incident response team
     • Develop Implementation Plan
     • Develop Incident Response Policy
     • Detection of security breach
     • Restore and resume system operation
     • Issue report about steps to be taken to prevent future incidents
     • Preservation of evidence

  20. Concluding Remarks
     • UAE established a comprehensive legal & regulatory framework to regulate the nuclear sector, conforming to IAEA standards/guidance
     • Cyber threat is real; continually changing
     • UAE is committed to high standards of safety & security
       • Maintaining strong safety and security culture
     • Incorporation of cyber element(s) in the DBT allows for a comprehensive, holistic assessment of all threats
     • Nuclear facilities employ:
       • “DiD” protective strategies; make them resilient to cyber attacks
       • Redundant and diverse capabilities to detect, prevent, respond to, and recover from cyber attacks; make them invulnerable to the failure of a single protective strategy
     • Measures to defend against cyber threats must be appropriate, proportionate, and flexible to implement
     • IAEA Nuclear Security Series and implementation guides are important to member states, particularly new entrants

  21. Abu Dhabi Development
