Title: Cyber and Information Security from a Regulatory Viewpoint Cyber Security for Nuclear Newcomer States
1. Cyber and Information Security from a Regulatory Viewpoint: Cyber Security for Nuclear Newcomer States
Dr. Farouk Eltawila, Chief Scientist, Federal Authority for Nuclear Regulation
Senior Regulators Meeting, International Atomic Energy Agency, Vienna, Austria, 19 September 2013
2. Presentation Outline
- The Nuclear Energy Policy of the UAE
- International Commitments and Cooperation
- Cooperation with the IAEA
- Licensing the First NPP in the UAE
- Cyber Security Regulatory Framework
- National Allocation of Resources
- Information Security
- Cyber Security
- Conclusion
3. UAE Policy on the Evaluation and Potential Development of Peaceful Nuclear Energy
- Complete operational transparency
- Highest standards of non-proliferation
- Highest standards of safety and security
- Close cooperation with the IAEA
- Partnership with governments and firms of responsible nations
- Long-term sustainability
4. The UAE Concluded all Relevant International Agreements
- Convention on Nuclear Safety
- Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management
- Conventions on Early Notification and Assistance
- Vienna Convention on Civil Liability for Nuclear Damage
- Convention on Physical Protection of Nuclear Material (and CPPNM Amendment)
- Comprehensive Safeguards Agreement with IAEA
- Additional protocol to the Safeguards Agreement
5. Cooperation with IAEA
- The UAE Nuclear Law codified the essential principles and priorities in the Nuclear Policy
- Implementation of safety, security, safeguards regulation (3S)
- Use of IAEA guidance
- Milestones in the Development of a National Nuclear Infrastructure
- Safety Standards
- Security Series
- Technical Cooperation Programme
- Workshops, training, technical assistance
- Peer review and expert missions
- INIR, IRRS, siting review
6. FANR Organisation
[Organisation chart; surviving label: IAG/NSR]
7. Construction Licence Application/License
- Preliminary Safety Analysis Report
- 21 Chapters and supplements and addenda covering Safety, Security and Safeguards
- Physical Protection Plan for construction
- Preliminary Safeguards Plan
- Preliminary Probabilistic Safety Assessment Report Summary
- Severe Accident Analysis Report
- Aircraft Impact Analysis Report
- Construction Licence for Barakah Units 1 & 2 (July 17, 2012)
- Application received (February 2013) for construction of Barakah Units 3 & 4
8. General Principles of Cyber Security Regime
- Fundamental Principle A: The responsibility for establishment, implementation, and maintenance of a Physical Protection Regime within the State rests entirely with the State
- National allocation of responsibilities
- Establish a Cyber Security Regulatory Framework
- Realistic, proportionate, and flexible to implement requirements
- Including cyber security threats in the physical DBT
- Cyber threat is continually changing
- Sustained attacks can go without detection
- Maintain skilled cyber security workforce
- Engagement of senior leadership in cyber security risk management
- Identifying, Protecting, Detecting, Responding, and Recovering from cyber security events
- Capitalize on built-in safety measures (DiD, Diversity, ...)
- Cyber security measures and safety measures should not compromise one another
- Provide Cyber Security awareness and training to all users
- Combating insider threats using technical, administrative, and physical measures
- Managing supply chain risk and other dependencies
NSS 17
9. National Allocation of Responsibilities
- In the early planning stages, the UAE government identified key competent authorities and their responsibilities
- Nuclear Law: Federal Law by Decree No 6 of 2009 Concerning Peaceful Uses of Nuclear Energy
- Established FANR and provided the legal framework for Safety, Security, Safeguards (3S)
- Establish and maintain a state system of accounting for and control of nuclear material
- Establishment, implementation, and maintenance of an effective, sustainable nuclear security infrastructure
- Allows for other competent authorities in the State to provide security to vital facilities
- Determine civil and criminal penalties
- unauthorized disclosure of information that affects the Physical Protection System
- any act that breaches the provisions of the International Convention for the Suppression of Acts of Nuclear Terrorism
- Cooperation with authorities with relevant responsibilities
- Critical Infrastructure and Coastal Protection Authority (CICPA),
- National Electronic Security Authority (NESA),
- National Crisis Emergency Management Authority (NCEMA),
- UAE Telecommunications Regulatory Authority (Computer Emergency Response Team (CIRT)), etc.
10. Performance Objectives
- High assurance that critical digital assets (CDAs) are protected against cyber attacks
- Safety and security are implemented in an integrated manner so that one does not adversely impact the other
- CDAs are treated as vital equipment that, if failed or destroyed, could lead to core / spent fuel damage
- located within double barriers of the Physical Protection Program
- controlled access
- included within target set as elements, and
- included within security guard surveillance rounds
- Capitalize on facility design and operation
- Defence-in-depth, diversity, redundancy
- Measures to mitigate the consequences of accidents and failures
- Cyber security features included in safety systems should be developed and qualified to the same level as the systems they reside in
11. Physical Protection/Cyber Security Regulation: IAEA Recommended Requirements
- FANR Security Regulation conforms with IAEA INFCIRC/225/Revision 5 (NSS 13)
- Requires operator to establish and maintain a Cyber Security Plan as part of the Physical Protection Plan to ensure that
- Computer based systems used for physical protection, nuclear safety, emergency response, and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment
- Implementation Documents
- FANR Regulation (REG-008) and Regulatory Guide (RG 011)
- IAEA Security Series (NSS 17)
- USNRC Regulatory Guide 5.71
- National Institute of Standards and Technology: Cyber Security Framework
- Nuclear Energy Institute Guidance NEI 10-04
- World Institute of Nuclear Security (Security of IT and IC Systems at Nuclear Facilities)
12. Implementation of FANR-REG-08 (Roles and Responsibilities)
CICPA Law
FANR Federal Law
MoU
FANR Implementing Regulations
CICPA Command Mandated Critical Infrastructure Protection
- Classified DBT was established by CICPA
- Training and exchange of expertise.
- Ease of Access to FANR's and IAEA's Inspectors.
- Inspections (joint / separate).
FANR regulatory activities
CICPA's Nuclear Physical Protection Department
NESA
ENEC Cyber Activities
Design and Implementation of PPP
FANR Review and Approval of PPP
13. Protection of Information and Information Systems
- State's Role
- Implement a resilient IT infrastructure and cyber security
- Issued Federal Law by Decree On Combating Cybercrime
- Established
- The National Electronic Security Authority (NESA) for Reducing Cyber Risks to critical infrastructure
- Organize the protection of the communication network and information systems in the UAE
- Set network security standards
- Supervise their execution
- Established the UAE Telecommunications Regulatory Authority
- Computer Emergency Response Team (CERT) for detecting and preventing cyber-crime and safeguarding critical national computer infrastructure
- Using a graded protection, State Security determines the trustworthiness policy, with consideration of UAE laws, regulations, and job requirements
14. Protection of Information and Information Systems
- FANR's Role
- Issued (in collaboration with CICPA) Information Protection Programme Operating Manual
- Operator's Role
- Protect against unauthorised access to sensitive nuclear information and cyber intrusion of digital computer systems, communication systems and networks
- important to the safety and operation of the facility
- support the physical protection system,
- emergency planning and communication
- Selection and implementation of Security Controls
- To protect the confidentiality, integrity, and availability of information systems, and the information processed, stored, and transmitted by those systems and
- To mitigate the risk of using information and information systems to achieve the desired or required level of assurance
15. Cyber Security
- FANR's Role
- Issues regulatory requirements to
- Improve security
- Increase reliability and resiliency in the delivery of services critical to cyber security
- Non-prescriptive: encourage more innovation and effective solutions
- Ensure compliance and enforcement
- Prevent unauthorised access to computer systems or communications equipment
- Operator's Role
- Establish/maintain Cyber Security Plan
- Prevent unauthorised access to computer systems
- Response and reconstitution of critical infrastructure
- Combating insider threats using technical, administrative, and physical measures.
16. Cyber Security Plan
- Critical Digital Assets
- Safety related and important-to-safety functions
- Security Functions
- Emergency Preparedness functions, including offsite communication functions and networks
- Information technology functions
- Material Accounting and Control functions
- Support systems and equipment that, if compromised, would adversely impact safety, security, or emergency preparedness functions
- Physical Protection
- Critical Digital Assets should reside in a configuration that includes multiple layers of physical protection
- Access (Physical and Remote)
- System Integrity
- Unauthorized entry detection
- Virus/malware detection
- User roles and responsibilities (Designated Authority and separation of duties)
- Compartmentalization
- Use of wireless and portable computing devices
- Incident Response and Mitigation
- Detection
- Correcting
17. Defence-in-depth architecture
[Diagram labels: WWW; Network Intrusion Detection & Prevention; G (Gateway that Enforces Security Policy); Corporate Accessible Area; Technical Data Management; Level-1; Owner Controlled Area; Real Time Supervisory; Level-2]
The State should incorporate a defence-in-depth strategy (which is fundamental to safety of nuclear facility) requiring multiple layers of physical protection of nuclear material and facilities (INFCIRC/225/Revision 5)
18. Identification of Critical Systems and Critical Digital Assets (Source: USNRC RG 5.71, Cyber Security Programme)
19. Cyber Incident Response Team (Source: NIST 800-61 Rev 2)
Preparation, detection and analysis, response, containment and eradication, recovery, and follow-up
- Establishing and training an incident response team
- Develop Implementation Plan
- Develop Incident Response Policy
- Detection of security breach
- Restore and resume system operation
- Issue report about steps to be taken to prevent future incidents
- Preservation of evidence
- Incident response team should communicate, whenever appropriate, with outside parties
- Law enforcement
- ISP
- Vendor of vulnerable software
- Other incident response teams
- Establish policy and procedures regarding information sharing
20. Concluding Remarks
- UAE established comprehensive legal and regulatory framework to regulate the nuclear sector conforming to IAEA standards/guidance
- Cyber threat is real and continually changing
- UAE is committed to high standards of safety and security
- Maintaining strong safety and security culture
- Incorporation of cyber element(s) in the DBT allows for comprehensive, holistic assessments of all threats
- Nuclear facilities employ
- DiD protective strategies make them resilient to cyber attacks
- Redundant and diverse capabilities to detect, prevent, respond to, and recover from cyber attacks make them invulnerable to the failure of a single protective strategy
- Measures to defend against cyber threats must be appropriate, proportionate, and flexible to implement
- IAEA Nuclear Security Series and implementation guides are important to member states, particularly new entrants
21. Abu Dhabi Development