1. IAEA International Atomic Energy Agency IAEA Training Course on Conducting Computer Security Assessments Presented by: Donald D. Dudenhoeffer

2. IAEA Key objectives of this course: Provide training and exercises on how to apply NST037 - Conducting Computer Security Assessments at Nuclear Facilities with a focus on: Assessment Overview Assessment Methodology Assessment Planning Functional and Security Domains Final Report and Post-Assessment Activities The hypothetical Shapash Nuclear Facility will be used as an example to illustrate concepts for use in the exercises. 2 Course Objectives

3. IAEA Nuclear Security Nuclear security focuses on the prevention of, detection of, and response to, criminal or intentional unauthorized acts involving or directed at nuclear material, other radioactive material, associated facilities, or associated activities. Nuclear security is the ultimate focus of our training. 3

4. IAEA Nuclear and Computer Security Threat actors today have embraced computers as both a means and target of attacks. The security paradigm has changed from one of “Guns, Guards, and Gates” to that of “Guns, Guards, Gates, and Geeks”. Information and computer security are now key elements of Nuclear Security. 4

5. IAEA Why do an Assessment? Assessments help to measure the degree of confidence one has that the managerial, technical and operational security measures work as intended to protect the system and the Computer it processes. An assessment cannot guarantee that you are secure, but only that those items observed have met a certain level of compliance. 5

6. IAEA Focus of an Assessment? verify compliance with regulations, policies or procedures identify problem areas (e.g., safety hazards, inefficiencies, recurring errors, etc.), investigate an unusual occurrence or incident analyze a known or suspected problem area and make recommendations for improvements. identify excellent areas 6

7. IAEA Types of Assessment Compliance based Assessments Self-Assessments Assessments of Third Parties 7

8. IAEA Assessments may help you to understand the maturity of the computer security programme. 8 Programme Maturity Level Example Maturity Level Characteristics (Ref: CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2), US DOE, Feb 2014).

9. IAEA Resources for Assessments IAEA Nuclear Security Series and assessment guides provide the assessors with the key points and areas for reviews. Member States and organizations may have additional reference documents for use in developing assessment guides. 9

10. IAEA The Assessment Process IAEA Guidance Standards Regulatory Guides Best Practices Lessons Learned Subject Experts IAEA Guidance Standards Regulatory Guides Best Practices Lessons Learned Subject Experts Assessment Planning Document Reviews Interviews Direct Observations Assessment Evaluation Framework / Checklist Assessment Evaluation Framework / Checklist Assessment Final Report Assessment Final Report The Assessment Planning Logistics Team Focus Assessment Framework Development Scope and Objective 10

11. IAEA Scoping the Assessment What do we want to assess? simple question, but often may be hard to define the exact bounds due to the interconnectivity of systems. Security Domains Constitute high level focus areas for computer security review. Functional domains help provide the assessment team with a comprehensive target for review of the security practices. 11

12. IAEA Information Collection Direct Observations: 12 Where to get information? Documents and Records Interview Questions

13. IAEA Assessment Analysis Process Requirements/Guidelines Observations Findings Good Practices Recommendations Suggestions Analysis What is the significance of the observation/finding, the impact? What are the recommended actions forward? Analysis How does the observation compare to established guidelines? What does the information tell us? 13

14. IAEA The Final Report Basic elements of evaluation and reporting Final report composition Observation Finding Recommendations/suggestions Finding significance/Potential Impact determination Scoring methods Out Briefing Interpretation of results and trends Follow on activities 14

15. IAEA Definitions from NSS No. 17 Computers and computer systems refer to the computation, communication, instrumentation and control devices that make up functional elements of the nuclear facility. Computer Security is used to cover the security of all computers and all interconnected systems and networks formed by the sum of the elements. The terms IT security and cyber security are, considered synonyms of computer security within IAEA NSS guidance.

16. IAEA For Additional Information For Additional Information, Please Contact: Donald Dudenhoeffer Nuclear Security Information Officer International Atomic Energy Agency Tel: +43 (1) 2600-26424 d.dudenhoeffer@iaea.org 16