Insights on Computer Security Approaches in Nuclear Security
Discover the outcomes of the 2019 IAEA Technical Meeting on Computer Security Approaches and Applications in Nuclear Security. Explore the challenges, historical events, and future developments in ensuring the safety of digital systems within critical infrastructure.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Results of the 2019 IAEA Technical Meeting Computer Security Approaches and Applications in Nuclear Security in Berlin Dagmar Sommer, GRS 13th February 2020 International Conference on Nuclear Security: Sustaining and Strengthening Efforts (ICONS 2020), Vienna
Outline Introduction on the Technical Meeting Challenges of Computer Security Regulatory Approaches Future Developments 2
Introduction (1 / 3) Computer Security in Nuclear Security History of Computer Security Events Ignalina NPP 1992: First known virus infection on NPP computer systems Browns Ferry NPP 2006: Two primary coolant pumps break down following a computer error event Stuxnet 2010: First known computer attack leading to nuclear facility damage Kudankulam NPP 2019: Most recent breach into computer systems of a NPP Why do we talk about Computer Security in Nuclear Security? Ongoing trend to replace analog systems with digital programable systems Growing and evolving threats endanger computer systems of critical infrastructure 3
Introduction (2 / 3) The IAEA Technical Meeting Computer Security Approaches and Applications in Nuclear Security Berlin, 23rd 27thSeptember 2019 Over 140 members from 68 IAEA Member States Five topical sessions One Workshop IAEA Working Draft Documents: NST 045: Computer Security for Nuclear Security NST 047: Computer Security Techniques for Nuclear Facilities 4
Introduction (3 / 3) Topics of the Technical Meeting Computer Security Approaches and Applications in Nuclear Security IAEA Computer Security - IAEA actions, international framework and a critical discourse on unusual attacks Approaches to Computer Security Risk in Nuclear Security - Seven member states presented their Computer Security approaches in Nuclear Security International Standards and Publications - Current developments of nuclear IEC standards for Computer Security Workshop on Computer Security - Functional and organizational approaches on Computer Security in Nuclear Security Computer Security within German Nuclear Security - Framework, supervision and protection of digital systems in German nuclear facilities 5
Outline Introduction on the Technical Meeting Challenges of Computer Security Regulatory Approaches Future Developments 7
Radioactive Material and Associated Facilities Radioactive Materials and their associated facilities are widely used in industry and healthcare Computer Security has to adapt to different environments of radioactive materials: Material often less considered Public accessible facilities like hospitals Less stringent regulations for transport of such material Possible high risks (Goiania-Incident 1987) To support the member states in development and implementation of Computer Security regulations for radioactive materials, following papers are in development by the IAEA: NST 044: Security of Radioactive Material in Transport NST 048: Security of Radioactive Material in Use and Storage and of Associated Facilities Non-Serial-Publication: Information and Computer Security for Activities Involving Radioactive Material 8
Supply-Chain Risks for Computer Security Implementation of analogue I&C systems by commercial (non-nuclear) digital components, e. g. COTS (commercial of the shelf) Supplied products can be a major attack path without direct user influence while promising low costs Supply-Chain attacks have caused major disruptions in general industry: NotPetya: Uses the update mechanism of a commercial tax preparation program - NotPetya spreaded around the world, affected companies like Maersk Line (-300 Million $ revenue) - In the Chernobyl NPP the automated radiation monitoring system went offline Shadowhammer targeted specific Asus Computers for surveillance measures - Around 1 Million PCs were targeted, but only on 600 surveillance measures activated themselves =>Further regulatory and qualification efforts next to IEC 61508 and IEC 61513 are necessary to encounter the threat of supply-chain attacks. 9
Professional Staff and Training Several Member States reported a shortage of professional staff and difficulties in acquiring new staff members during the Technical Meeting Discussed solutions were: Training and retraining of current personnel University cooperation Scholarships Innovative strategies and unused potentials have been identified as a core solution to the shortage of professional IT-security staff for industrial applications 10
Outline Introduction on the Technical Meeting Challenges of Computer Security Regulatory Approaches Future Developments 11
Approaches to Computer Security Regulation Two general approaches for Computer Security regulation were reported by the Member States: Threat and Scenario based Approaches - Developed cyber threat scenarios are evaluated - Computer Security measures must ensure protection against all scenarios and outcomes - Combined with a graded approach a detailed framework against assessed threats is developed Prescriptive Approaches - Requirements are developed based on potential consequences entailed by cyber attacks - Computer Security measures must comply with all requirements - Combined with a graded approach a detailed framework against known and unknown threats is developed 12
Implementation Approaches to Computer Security Three different approaches to the implementation of computer security regulations have been proposed: Regular Facility Checks: - Operators are responsible for compliant implementation of Computer Security - Regular facility checks are performed by the regulators General Implementation and Modification Approval System: - Facilities develop compliant concepts for the implementation of Computer Security - Authorities approve the concepts and review the implementations - Any modification has to be reviewed and approved by the authorities Independent Technical Expert Licensing: - Operators have to prove they are compliant with the regulations - Independent technical experts license the operators measures - Regular reviews by technical experts shall ensure constant compliance 13
Outline Introduction on the Technical Meeting Challenges of Computer Security Regulatory Approaches Future Developments 14
Future Developments Future of Computer Security in Nuclear Security: - Most countries have established dedicated computer security regulations for nuclear facilities - The next step is establishing Computer Security for other radioactive materials and facilities - New emerging threats need constant evolution of Computer Security New emerging threats challenge computer security: - Supply Chain attacks - Hardware attacks - A.I. supported imposing (deepfake) Conference like the Technical Meeting in Berlin, this ICONS and all future ones on Nuclear Security and Computer Security will help us to ensure these challenges will be faced adequately. 15
Thank you for your attention! Any questions? Dagmar.Sommer@grs.de 16
