Managing Nuclear Security and Safety Interface: What, Why, and How

MANAGEMENT OF THE INTERFACE OF MANAGEMENT OF THE INTERFACE OF NUCLEAR SECURITY AND NUCLEAR SAFETY: NUCLEAR SECURITY AND NUCLEAR SAFETY: WHAT, WHY AND HOW WHAT, WHY AND HOW Paula Karhu/STUK/Finland, Marco Schraver/ANVS/the Netherlands, Bernard Stauffer/ENSI/Switzerland, Tapani Hack/STUK/Finland [CN278/#185/PKa] IAEA International Conference on Nuclear Security: Sustaining and Strengthening Efforts (ICONS 2020), Vienna, 10-14 February 2020 1

Interface Interface management management WHAT and WHY WHAT and WHY Security-safety interface is a decision point any decision where both safety and security issues should be taken into consideration. If the consideration is done in a risk-informed, balanced manner, it should result in an informed decision and the best possible overall state of safety and security. Ensuring this by effective processes and procedures is safety-security interface management. An intermediate goal is to take advantage of the synergies and to resolve the possible conflicts between safety and security interests. [CN278/#185/PKa] 2

Joint fundamental objective: to protect people and the Joint fundamental objective: to protect people and the environment from harmful effects of ionizing radiation environment from harmful effects of ionizing radiation Nuclear safety measures Nuclear security measures ensure the safety of normal operations, a low probability of accidents, and effective emergency preparedness combat unlawful and other intentional unauthorized acts (e.g. theft, sabotage) Approach the fundamental objective from different angles both are needed to achieve it [CN278/#185/PKa] 3

The The fundamental fundamental difference difference : : accident accident vs. vs. adversary adversary Nuclear safety measures Nuclear security measures effective against unintentional events and their unwanted consequences accident management paradigm: instructions and procedures widely known, controls easily accessed deal with active adversaries, who adapt their actions based on their knowledge of the defences security event paradigm: need-to-know, confidentiality Potential for conflict [CN278/#185/PKa] 4

[CN278/#185/PKa] 5

Interface Interface management management HOW HOW intelligence, law enforcement, investigation, rescue, defence forces, border guard, information security authorities, counter- terrorism and/or CBRNE authorities, crisis management agencies State level legal and regulatory framework licensing process inspection programmes of the regulatory authority/authorities coordination with other authorities who have a role in nuclear safety and security Operator level design and implementation of nuclear security and safety measures and integration of these into an effective system Processes and procedures to define who, how, where and when should consider security and safety issues leadership, management & culture; information & computer security; design & change management; response [CN278/#185/PKa] 6

Practical Practical examples a a will will to to understand understand each examples it it takes takes good each other other good communication communication and and Regulatory requirements, case the Netherlands Nuclear facility operator must analyze and resolve possible conflicts between safety and security: optimize and apply compensatory measures Review and inspection, case Finland One regulatory authority, for nuclear facilities the interfaces must be managed with sections in charge of safety and security aspects of the regulatory control, for radioactive sources all inspections include both safety and security aspects, according to a risk-informed model The concept of site-walks (case Finland) Multidisciplinary teams to make observations, record findings, and follow up corrective actions: to raise awareness, to drive continuous improvement, and balanced decision making Transport of nuclear material, case Switzerland Trans-shipments faced with different national requirements: international coordination meetings of authorities and license holders could resolve potential safety-security conflicts and find satisfactory and balanced solutions a non-integrated approach is unthinkable [CN278/#185/PKa] 7

Information Information security security is a bridge is a bridge Effective response to accidents and incidents Case nuclear facility: availability and integrity of information of plant status Case MORC: secure and efficient information transmission INFOSEC The interface and interdependence between computer security, physical security, and safety has grown in importance and scope increased use of programmable and networked systems in information technology and industrial processes (IT and I&C/ICS systems) the phenomenon of internet of things (IoT) >> design of hard-to-hack systems, including I&C/ICS systems, balance of security and usability [CN278/#185/PKa] 8

one cyber world is reality [CN278/#185/PKa] 9

Thank Thank you you! ! ICONS 2020 #185 paula.karhu@stuk.fi [CN278/#185/PKa] 10