Cyber and Information Security from a Regulatory Viewpoint: Cyber Security for Nuclear Newcomer States

Transcript and Presenter's Notes

1
Cyber and Information Security from a Regulatory Viewpoint
Cyber Security for Nuclear Newcomer States
Dr. Farouk Eltawila, Chief Scientist, Federal Authority for Nuclear Regulation
Senior Regulators Meeting, International Atomic Energy Agency, Vienna, Austria, 19 September 2013
2
Presentation Outline
  • The Nuclear Energy Policy of the UAE
  • International Commitments and Cooperation
  • Cooperation with the IAEA
  • Licensing the First NPP in the UAE
  • Cyber Security Regulatory Framework
  • National Allocation of Resources
  • Information Security
  • Cyber Security
  • Conclusion

3
UAE Policy on the Evaluation and Potential
Development of Peaceful Nuclear Energy
  • Complete operational transparency
  • Highest standards of non-proliferation
  • Highest standards of safety and security
  • Close cooperation with the IAEA
  • Partnership with governments and firms of
    responsible nations
  • Long-term sustainability

4
The UAE Concluded all Relevant International
Agreements
  • Convention on Nuclear Safety
  • Joint Convention on the Safety of Spent Fuel
    Management and the Safety of Radioactive Waste
    Management
  • Conventions on Early Notification and Assistance
  • Vienna Convention on Civil Liability for Nuclear
    Damage
  • Convention on Physical Protection of Nuclear
    Material (and CPPNM Amendment)
  • Comprehensive Safeguards Agreement with IAEA
  • Additional protocol to the Safeguards Agreement

5
Cooperation with IAEA
  • The UAE Nuclear Law codified the essential
    principles and priorities in the Nuclear Policy
  • Implementation of safety, security, safeguards
    regulation (3S)
  • Use of IAEA guidance
  • Milestones in the Development of a National
    Nuclear Infrastructure
  • Safety Standards
  • Security Series
  • Technical Cooperation Programme
  • Workshops, training, technical assistance
  • Peer review and expert missions
  • INIR, IRRS, siting review

6
FANR Organisation
(Organisation chart; only the label "IAG/NSR" survives extraction.)
7
Construction Licence Application/License
  • Preliminary Safety Analysis Report
  • 21 Chapters and supplements and addenda covering
    Safety, Security and Safeguards
  • Physical Protection Plan for construction
  • Preliminary Safeguards Plan
  • Preliminary Probabilistic Safety Assessment
    Report Summary
  • Severe Accident Analysis Report
  • Aircraft Impact Analysis Report
  • Construction Licence for Barakah Units 1 & 2 (July
    17, 2012)
  • Application received (February 2013) for
    construction of Barakah Units 3 & 4

8
General Principles of Cyber Security Regime
  • Fundamental Principle A: The responsibility for
    establishment, implementation, and maintenance of
    a Physical Protection Regime within the State
    rests entirely with the State
  • National allocation of responsibilities
  • Establish a Cyber Security Regulatory Framework
  • Realistic, proportionate, and flexible to
    implement requirements
  • Including cyber security threats in the physical
    DBT
  • Cyber threat is continually changing
  • Sustained attacks can go without detection
  • Maintain skilled cyber security workforce
  • Engagement of senior leadership in cyber security
    risk management
  • Identifying, Protecting, Detecting, Responding,
    and Recovering from cyber security events
  • Capitalize on built-in safety measures (DiD,
    Diversity, ...)
  • Cyber security measures and safety measures
    should not compromise one another
  • Provide Cyber Security awareness and training to
    all users
  • Combating insider threats using technical,
    administrative, and physical measures.
  • Managing supply chain risk and other dependencies

(Source: NSS 17)
9
National Allocation of Responsibilities
  • In the early planning stages, the UAE government
    identified key competent authorities and their
    responsibilities
  • Nuclear Law: Federal Law by Decree No. 6 of 2009
    Concerning Peaceful Uses of Nuclear Energy
  • Established FANR and provided the legal framework
    for Safety, Security, Safeguards (3S)
  • Establish and maintain a state system of
    accounting for and control of nuclear material
  • Establishment, implementation, and maintenance of
    an effective, sustainable nuclear security
    infrastructure
  • Allows for other competent authorities in the
    State to provide security to vital facilities
  • Determine civil and criminal penalties for
    • unauthorized disclosure of information that
      affects the Physical Protection System
    • any act that breaches the provisions of the
      International Convention for the Suppression of
      Acts of Nuclear Terrorism
  • Cooperation with authorities with relevant
    responsibilities:
    • Critical Infrastructure and Coastal Protection
      Authority (CICPA)
    • National Electronic Security Authority (NESA)
    • National Crisis Emergency Management Authority
      (NCEMA)
    • UAE Telecommunications Regulatory Authority
      (Computer Emergency Response Team (CIRT)), etc.

10
Performance Objectives
  • High assurance that critical digital assets
    (CDAs) are protected against cyber attacks
  • Safety and security are implemented in an integrated
    manner so that one does not adversely impact the
    other
  • CDAs are treated as vital equipment that, if
    failed or destroyed, could lead to core / spent
    fuel damage:
    • located within double barriers of the Physical
      Protection Program
    • controlled access
    • included within the target set as elements, and
    • included within security guard surveillance
      rounds
  • Capitalize on facility design and operation:
    • Defence-in-depth, diversity, redundancy
    • Measures to mitigate the consequences of
      accidents and failures
  • Cyber security features included in safety
    systems should be developed and qualified to the
    same level as the systems they reside in

11
Physical Protection/Cyber Security
Regulation: IAEA Recommended Requirements
  • FANR Security Regulation conforms with IAEA
    INFCIRC/225/Revision 5 (NSS 13)
  • Requires the operator to establish and maintain a
    Cyber Security Plan as part of the Physical
    Protection Plan to ensure that computer-based
    systems used for physical protection, nuclear
    safety, emergency response, and nuclear material
    accountancy and control are protected against
    compromise (e.g. cyber attack, manipulation or
    falsification) consistent with the threat
    assessment
  • Implementation documents:
    • FANR Regulation (REG-008) and Regulatory Guide (RG
      011)
    • IAEA Nuclear Security Series (NSS 17)
    • USNRC Regulatory Guide 5.71
    • National Institute of Standards and Technology
      Cyber Security Framework
    • Nuclear Energy Institute Guidance NEI 10-04
    • World Institute of Nuclear Security (Security of
      IT and IC Systems at Nuclear Facilities)

12
Implementation of FANR-REG-08
(Roles and Responsibilities)
(Roles-and-responsibilities diagram; only its labels survive extraction: CICPA Law; FANR Federal Law; MoU; FANR Implementing Regulations; CICPA Command Mandated Critical Infrastructure Protection; FANR regulatory activities; CICPA's Nuclear Physical Protection Department; NESA; ENEC Cyber Activities; Design & Implementation of PPP; FANR Review & Approval of PPP.)
  • Classified DBT was established by CICPA
  • Training and exchange of expertise.
  • Ease of access for FANR's and IAEA's inspectors.
  • Inspections (joint / separate).
13
Protection of Information and Information Systems
  • State's Role:
    • Implement a resilient IT infrastructure and cyber
      security
    • Issued Federal Law by Decree On Combating
      Cybercrime
    • Established the National Electronic Security
      Authority (NESA) for reducing cyber risks to
      critical infrastructure:
      • Organize the protection of the communication
        network and information systems in the UAE
      • Set network security standards
      • Supervise their execution
    • Established the UAE Telecommunications Regulatory
      Authority Computer Emergency Response Team (CERT)
      for detecting and preventing cyber-crime and
      safeguarding critical national computer
      infrastructure
    • Using graded protection, State Security
      determines the trustworthiness policy, with
      consideration of UAE laws, regulations, and job
      requirements

14
Protection of Information and Information Systems
  • FANR's Role:
    • Issued (in collaboration with CICPA) the Information
      Protection Programme Operating Manual
  • Operator's Role:
    • Protect against unauthorised access to sensitive
      nuclear information and cyber intrusion of
      digital computer systems, communication systems
      and networks that:
      • are important to the safety and operation of the
        facility
      • support the physical protection system
      • serve emergency planning and communication
    • Selection and implementation of security
      controls:
      • to protect the confidentiality, integrity, and
        availability of information systems, and the
        information processed, stored, and transmitted by
        those systems, and
      • to mitigate the risk of using information and
        information systems, to achieve the desired or
        required level of assurance

15
Cyber Security
  • FANR's Role:
    • Issues regulatory requirements to
      • improve security
      • increase reliability and resiliency in the
        delivery of services critical to cyber security
    • Non-prescriptive, encouraging more innovation and
      effective solutions
    • Ensure compliance and enforcement
    • Prevent unauthorised access to computer systems
      or communications equipment
  • Operator's Role:
    • Establish/maintain a Cyber Security Plan
    • Prevent unauthorised access to computer systems
    • Response and reconstitution of critical
      infrastructure
    • Combating insider threats using technical,
      administrative, and physical measures.

16
Cyber Security Plan
  • Critical Digital Assets:
    • Safety-related and important-to-safety
      functions
    • Security functions
    • Emergency preparedness functions, including
      offsite communication functions and networks
    • Information technology functions
    • Material accounting and control functions
    • Support systems and equipment that, if
      compromised, would adversely impact safety,
      security, or emergency preparedness functions
  • Physical Protection:
    • Critical Digital Assets should reside in a
      configuration that includes multiple layers of
      physical protection
  • Access (physical and remote)
  • System Integrity:
    • Unauthorized entry detection
    • Virus/malware detection
    • User roles and responsibilities (designated
      authority and separation of duties)
    • Compartmentalization
    • Use of wireless and portable computing devices
  • Incident Response and Mitigation:
    • Detection
    • Correcting

17
Defence-in-depth architecture
(Layered network diagram; only its labels survive extraction: WWW → Network Intrusion Detection / Prevention → Gateway (G) → Level-1: Corporate Accessible Area, Technical Data Management → Gateway (G) → Level-2: Owner Controlled Area, Real Time Supervisory. Legend: G = Gateway that Enforces Security Policy.)
The State should incorporate a defence-in-depth
strategy (which is fundamental to safety of
nuclear facility) requiring multiple layers of
physical protection of nuclear material and
facilities (INFCIRC/225/Revision 5)
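The diagram on this slide places a policy-enforcing gateway between each pair of adjacent levels (Internet, corporate, owner-controlled). The following Python is an added example, not code from the presentation or from FANR or the operator; it models that layered policy as a deny-by-default decision function. The numeric zone ranks, the two allow rules, the ports and the sample flows are constructed assumptions; the "no inbound initiation toward a more protected level" and "no skipping a level" rules are a common reading of such a diagram, not something the slide states explicitly.

```python
"""Zone-policy check for a layered plant network (defence-in-depth).

Added example, not code from the presentation or from FANR/ENEC.  It models
the three zones and the gateways of the slide's diagram: WWW (Internet),
Level-1 (Corporate Accessible Area) and Level-2 (Owner Controlled Area),
with each gateway enforcing a deny-by-default policy.  The numeric zone
ranks, the allow rules, the ports and the sample flows are constructed
assumptions for the demonstration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: higher rank = more protected zone, following the slide's order.
ZONE_RANK = {"WWW": 0, "LEVEL1": 1, "LEVEL2": 2}


@dataclass(frozen=True)
class Flow:
    """A connection attempt as seen by a gateway (who initiates it, to where)."""
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"


# Constructed allow-list: the only inter-zone flows the gateways permit.
# Both rules point outward, from the more protected zone to the less protected one.
ALLOW_RULES = (
    Flow("LEVEL1", "WWW", 443),      # corporate users reach Internet web services
    Flow("LEVEL2", "LEVEL1", 8443),  # supervisory systems publish data to corporate data management
)


def gateway_decision(flow: Flow, rules: tuple[Flow, ...] = ALLOW_RULES) -> tuple[bool, str]:
    """Return (allowed, reason) for a flow under the layered policy.

    Policy, as an assumption modelled on the diagram:
      1. a gateway only joins adjacent levels, so no flow may skip a level;
      2. no connection is initiated inward toward a more protected level;
      3. everything else is denied unless an explicit allow rule matches.
    """
    if flow.src_zone not in ZONE_RANK or flow.dst_zone not in ZONE_RANK:
        return False, "unknown zone"
    src, dst = ZONE_RANK[flow.src_zone], ZONE_RANK[flow.dst_zone]
    if src == dst:
        return True, "intra-zone traffic does not cross a gateway"
    if abs(src - dst) != 1:
        return False, "flow would bypass an intermediate level"
    if dst > src:
        return False, "inbound initiation toward a more protected level"
    if flow in rules:  # frozen dataclass equality compares all four fields
        return True, "matched allow rule"
    return False, "no matching allow rule (deny by default)"


def audit(flows: list[Flow]) -> list[tuple[Flow, bool, str]]:
    """Evaluate a batch of flows, e.g. when reviewing a proposed firewall change."""
    return [(f, *gateway_decision(f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows covering each branch of the policy.
    sample = [
        Flow("LEVEL1", "WWW", 443),
        Flow("WWW", "LEVEL1", 443),
        Flow("WWW", "LEVEL2", 22),
        Flow("LEVEL2", "LEVEL1", 8443),
        Flow("LEVEL1", "LEVEL2", 502),
        Flow("LEVEL2", "LEVEL2", 502),
    ]
    for f, ok, why in audit(sample):
        verdict = "ALLOW" if ok else "DENY "
        print(f"{f.src_zone:>6} -> {f.dst_zone:<6} :{f.dst_port:<5} {verdict} {why}")
```

The order of the checks matters: structural rules (adjacency, direction) are evaluated before the allow-list, so an operator cannot accidentally open an inbound path into Level-2 by adding a rule; the allow-list can only widen outward flows.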
18
Identification of Critical Systems and Critical
Digital Assets (Source: USNRC RG 5.71, Cyber
Security Programme)
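The Cyber Security Plan slide lists which functions make a digital asset a CDA, and includes "support systems and equipment that, if compromised, would adversely impact" those functions; this slide points to RG 5.71 for the identification process. The following Python is an added example, not code from the presentation and not RG 5.71's own procedure; it screens a constructed inventory in two steps (direct performers of a critical function, then a transitive walk over "supports" links so that support systems of support systems also screen in). The function labels, the asset names and the dependency links are constructed assumptions.

```python
"""Critical Digital Asset (CDA) screening over an asset inventory.

Added example, not code from the presentation and not USNRC RG 5.71's own
method.  It applies the screening idea of the Cyber Security Plan slide and
the CDA identification slide: a digital asset that performs a safety,
security, emergency-preparedness or material accounting and control function
is a CDA, and so is any digital support system that, if compromised, would
adversely impact one.  Treating "supports" as a link to walk transitively,
the function labels and the inventory below are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

# Function categories taken from the Cyber Security Plan slide; IT is listed
# there as a function but only screens in when it supports a critical one.
CRITICAL_FUNCTIONS = {"SAFETY", "SECURITY", "EP", "MCA"}


@dataclass
class Asset:
    name: str
    functions: set[str]   # functions the asset performs directly
    supports: set[str]    # names of assets that depend on this one
    digital: bool = True  # non-digital equipment can be critical but is never a CDA


def identify_cdas(inventory: dict[str, Asset]) -> dict[str, str]:
    """Return {asset name: reason} for every asset that screens in as a CDA."""
    cdas: dict[str, str] = {}
    queue: list[str] = []

    # Step 1: direct performers of a critical function.
    for a in inventory.values():
        hit = a.functions & CRITICAL_FUNCTIONS
        if a.digital and hit:
            cdas[a.name] = "performs " + ",".join(sorted(hit))
            queue.append(a.name)

    # Step 2: reverse index of "who supports whom", then walk it from each CDA
    # so that support systems (and their own support systems) screen in too.
    supporters: dict[str, list[str]] = {name: [] for name in inventory}
    for a in inventory.values():
        for target in a.supports:
            if target in supporters:  # ignore dangling links to unknown assets
                supporters[target].append(a.name)
    while queue:
        cda = queue.pop()
        for s in sorted(supporters[cda]):
            if s not in cdas and inventory[s].digital:
                cdas[s] = f"supports CDA {cda}"
                queue.append(s)
    return cdas


# Constructed sample inventory (names and links are illustrative only).
SAMPLE_INVENTORY = {a.name: a for a in [
    Asset("rps", {"SAFETY"}, set()),
    Asset("pps_server", {"SECURITY"}, set()),
    Asset("emergency_notification", {"EP"}, set()),
    Asset("plant_historian", {"IT"}, {"emergency_notification"}),
    Asset("server_room_hvac", set(), {"pps_server"}),
    Asset("ntp_server", {"IT"}, {"plant_historian"}),  # two hops from a critical function
    Asset("cafeteria_pos", {"IT"}, set()),
    Asset("auxiliary_feed_pump", {"SAFETY"}, set(), digital=False),
]}


if __name__ == "__main__":
    for name, why in sorted(identify_cdas(SAMPLE_INVENTORY).items()):
        print(f"{name:<24} CDA  ({why})")
```

The transitive step is what distinguishes this from a table lookup: an NTP server that only feeds the historian still screens in because the historian feeds emergency notification, which is exactly the kind of indirect dependency a purely function-based inventory review misses. Each reason string records the first link that pulled the asset in, which is useful when defending the CDA list to a regulator.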
19
Cyber Incident Response Team (Source: NIST SP
800-61 Rev. 2)
Preparation, detection and analysis, response,
containment and eradication, recovery, and
follow-up
  • Establishing and training an incident
    response team
  • Develop an implementation plan
  • Develop an incident response policy
  • Detection of security breach
  • Restore and resume system operation
  • Issue a report about steps to be taken to prevent
    future incidents
  • Preservation of evidence
  • Incident response team should communicate,
    whenever appropriate, with outside parties:
    • Law enforcement
    • ISP
    • Vendor of vulnerable software
    • Other incident response teams
  • Establish policy and procedures regarding
    information sharing

20
Concluding Remarks
  • UAE established a comprehensive legal and regulatory
    framework to regulate the nuclear sector,
    conforming to IAEA standards/guidance
  • Cyber threat is real and continually changing
  • UAE is committed to high standards of safety and
    security
  • Maintaining a strong safety and security culture
  • Incorporation of cyber element(s) in the DBT
    allows for a comprehensive, holistic assessment
    of all threats
  • Nuclear facilities employ:
    • DiD protective strategies that make them resilient
      to cyber attacks
    • Redundant and diverse capabilities to detect,
      prevent, respond to, and recover from cyber
      attacks, making them invulnerable to the failure of
      a single protective strategy
  • Measures to defend against cyber threats must be
    appropriate, proportionate, and flexible to
    implement
  • IAEA Nuclear Security Series and implementation
    guides are important to member states,
    particularly new entrants

21
Abu Dhabi Development