Integrated Protection for Nuclear Facilities: Physical, Cyber and Information Protection

1
Integrated Protection for Nuclear Facilities
Physical, Cyber and Information Protection

• Chris Price

2
INTEGRATION

• The physical protection system of a nuclear
  facility should be integrated and effective
  against both sabotage and unauthorised removal
• Appropriate physical protection measures
  should be designed based on the more stringent
  applicable requirements and implemented for both
  in an integrated manner
• INFCIRC/225/Rev.5, paragraphs 4.9 and 5.3

3
RISK

• THREAT
• VULNERABILITY
• CONSEQUENCES

4
THREAT

• Intention Capability
• Threat Assessment
• Of Unauthorised Removal and Sabotage
• Assisted by Unauthorised Access to
  Sensitive Information and Cyber Attack
• Carried out by External Attackers and Insiders

5
DESIGN BASIS THREAT

• Group Size
• Equipment
• Capability
• Tactics
• Attack methodology

6
TARGET IDENTIFICATION AND POTENTIAL CONSEQUENCES
(1)

• Unauthorised Removal of Nuclear and
• other Radioactive Material
• Nuclear Material Accountancy
• Register of Radioactive Sources
• Categorisation Tables

7
TARGET IDENTIFICATION AND POTENTIAL CONSEQUENCES
(2)

• Sabotage of Nuclear and Other Radioactive
  Material/Facilities
• Define Unacceptable Radiological Consequences
  (URC) using Graded Approach
• Determine whether Radioactive Inventory has
  potential to result in URC
• Identify material, equipment, systems and
  devices

8
TARGET IDENTIFICATION AND POTENTIAL CONSEQUENCES
(3)

• Unauthorised Access to Sensitive
  Information/Cyber Attack
• Sensitive Information Classification Policy
• Information and Communications Technology
  (ICT) Systems/Instrument and Control (IC) Systems
  
• Loss of Confidentiality, Integrity and
  Availability
• Impact on Security and Safety Systems

9
VULNERABILITY ASSESSMENT (1)

• Unauthorised Removal of Category I Nuclear
  Material Sabotage of High Consequence
  Material/Systems
• Against DBT

10
VULNERABILITY ASSESSMENT (2)

• Unauthorised Removal of other material
  Sabotage of other material/systems Compromise
  of Sensitive Information and ICT/IC Systems -
• Against DBT or
• Threat Assessment
• Physical Protection design Objectives and/or
  Levels of Protection
• Detect DBT

11
SECURITY PLAN

• Integrated set of technical and organisational
  measures
• Utilising Defence in Depth
• To protect against attack
• Including predefined response actions
• To effectively counter attempted unauthorised
  removal or sabotage

12
INTEGRATED MEASURES

• Physical measures access control, alarm
  monitoring etc
• Security Culture training and education
• Personnel Security measures
• Investigation of Security Events impact
  assessment
• Sustainability testing, change management
• Exercises

13
CONCLUSIONS

• Physical Protection is a Package
• Attackers exploit vulnerabilities
• All Fundamental Principles in the CPPNM apply
  equally to Information/Cyber Security