IAEA Division of Nuclear Security

Presentation transcript:

IAEA Division of Nuclear Security Computer Security Activities Overview

The Changing Face of Nuclear Security: Nuclear security is the protection of nuclear material, other radioactive material, associated facilities, and associated activities, including transport security. Nuclear security measures are designed to support the prevention of, detection of, and response to, criminal or intentional unauthorized acts involving or directed at such materials, facilities, operations. A new security expert is in town: GATES, GUARDS, GUNS, GEEKS. Main points: Nuclear security has traditionally been driven by the need to guard against the physical threat. These security measures we affectionately call Gates, Guards, and Guns. The threat, however, has added cyber capabilities to its arsenal. Now Gates, Guards, and Guns are no longer sufficient. Computer security must now be embraced as a new element of nuclear security.

IAEA Role in Computer Security: “Computers play an essential role in all aspects of the management and safe and secure operation of nuclear facilities, including maintaining physical protection. It is vitally important that all such systems are properly secured against malicious intrusions. Staff responsible for nuclear security should know how to repel cyber-attacks and to limit the damage if systems are actually penetrated. The IAEA is doing what it can to help governments, organizations, and individuals adapt to evolving technology-driven threats from skilled cyber adversaries. I am confident that, by working together and sharing experience, all of us can help to ensure computer security in the nuclear world.” Remarks at International Conference on Computer Security in a Nuclear World, Vienna, Austria, 1 June 2015, by IAEA Director General Yukiya Amano. The cyber attacks of 2014 highlight the threat from computer-based attacks that nuclear facilities face. The Division of Nuclear Security (NSNS) seeks to support Member States in enhancing their computer security within their nuclear security regime through the development of guidance documents, expert meetings, training and supporting activities. Resolution GC(57)/RES/10 of the 57th General Conference noted the IAEA’s efforts to raise awareness of the threat of cyber-attacks and their potential impact on nuclear security, and encouraged the IAEA to make further efforts to improve international cooperation in this regard.

IAEA Role in Computer Security: The cyber attacks of 2014 highlight the threat from computer-based attacks that nuclear facilities face. The Division of Nuclear Security (NSNS) seeks to support Member States in enhancing their computer security within their nuclear security regime through the development of guidance documents, expert meetings, training and supporting activities. Resolution GC(57)/RES/10 of the 57th General Conference noted the IAEA’s efforts to raise awareness of the threat of cyber-attacks and their potential impact on nuclear security, and encouraged the IAEA to make further efforts to improve international cooperation in this regard.

Goal – Protection of Sensitive Information: Convention on the Physical Protection of Nuclear Material (CPPNM) Amendment, Fundamental Principle L: Confidentiality. The State should establish requirements for protecting the confidentiality of information, the unauthorized disclosure of which could compromise the physical protection of nuclear material and nuclear facilities.

Goal – Protection of nuclear facilities: Nuclear Security Series No 13 (INFCIRC/225/Revision 5). The protection of nuclear materials centres on developing security measures to protect against unauthorized removal; to locate and recover missing nuclear material; to protect against sabotage; and to mitigate or minimize effects of sabotage.

Goal – Protection of Radioactive Material: Radioactive material is used throughout the world by a wide variety of organizations: industry, medicine, research, agriculture and education. Computers are a part of each step in the lifecycle of radioactive materials. Security measures, including computer security measures, are needed to prevent the acquisition of such material and the sabotage of associated equipment.

Goal – Security of MORC: The security of nuclear and other radioactive material out of regulatory control is supported by prevention, detection, and response measures. In many of these cases, sensitive digital assets make up or support these systems. Computer security is needed to support the confidentiality of sensitive information, the integrity of detection systems, and the availability of response measures, such as communication and forensics processes.

Computer and Information Security Focus: The NSNS Computer and Information Security programme is focused on preventing malicious computer acts that could directly or indirectly lead to: unauthorized removal of nuclear/other radioactive material; sabotage against nuclear material or nuclear facilities; theft of nuclear sensitive information. The Division of Nuclear Security has developed the Computer and Information Security programme with a focus on three specific areas of interest: the prevention and mitigation of computer acts that could directly or indirectly lead to any of the three outcomes listed above. The focus therefore does not specifically address issues such as business continuity and general IT systems unless they could impact nuclear security objectives.

Computer versus Cyber Security: Computers and computer systems refer to the computation, communication, instrumentation and control devices that make up functional elements of the nuclear facility. This includes not only desktop computers, mainframe systems, servers, network devices, but also lower level components such as embedded systems and PLCs (programmable logic controllers). In essence, the concern is all components that may be susceptible to electronic compromise. Computer Security = Cyber Security. The term “Computer/Cyber security” is an attempt to describe the protection of a very complex and expanding set of programmable electronic devices and their supporting architecture. NSNS guidance will normally use the term “Computer Security”. Other terms frequently used in this area include IT (Information Technology) Security and ICT (Information and Communications Technology) Security.

NSNS Computer Security Activities, 2016 Priority Action Items: NSS guidance development; coordinated research in computer security incident response; development of hands-on training curriculums to support specialized computer security training for the protection of ICS; investigation of information sharing for computer security incident information, security notices on system vulnerabilities and threats relevant for nuclear security; expert meetings to support global information exchange and training.

NSNS Computer Security Activities: Hosting and coordination of expert meetings; nuclear security guidance development; organization and conduct of training; sponsorship of Coordinated Research Activities; support for national and international nuclear security exercises; Information Sharing and Analysis Framework development; outreach and engagement activities.

The Nuclear Security Series (NSS): Addresses nuclear security issues relating to the prevention and detection of, and response to, theft, sabotage, unauthorized access and illegal transfer or other malicious acts involving nuclear material and other radioactive substances and their associated facilities.

IAEA Basis - Computer Security: Nuclear Security Series No 13 (INFCIRC/225/Revision 5). “4.10. Computer based systems used for physical protection, nuclear safety, and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment or design basis threat.”

Information and Computer Security for Nuclear Security. IAEA Publications: Nuclear Security Series Documents & Others. NSS 20: Objective and essential of a State’s nuclear security regime. NSS Recommendations: NSS 13 - Nuclear Material and Nuclear Facilities; NSS 14 - Radioactive Material and Associated Facilities; NSS 15 - Nuclear and other Radioactive MORC. NSS Computer Security Implementing Guides: NSS 23-G - Security of Nuclear Information; NST045 (2017 est) - Computer Security for Nuclear Security. NSS Computer Security Technical Guides: NSS 17 - Computer Security at Nuclear Facilities; NST047 (2017 est) - Computer Security Techniques for Nuclear Facilities; NST036 (2016 print) - Computer Security for I&C Systems at Nuclear Facilities. Documents Outside Nuclear Security Series: NST037 (2016 print) - Conducting Computer Security Assessments; NST038 (2016 print) - Incident Response Planning for Computer Security Events.

Information Security (INFOSEC): NSS 23-G, Security of Nuclear Information. Provides guidance on implementing the principles of confidentiality, integrity and availability. Bridges the gap between existing government and industry standards on information security, with the concepts and considerations that apply to nuclear security. Assists in the identification, classification, and assignment of appropriate security controls to information that could adversely impact nuclear security if compromised.

Computer Security (COMSEC): NSS 17, Computer Security at Nuclear Facilities. Seeks to create awareness of the importance of incorporating computer security as a fundamental part of the overall security plan for nuclear facilities. Provides guidance to nuclear facilities on implementing a computer security programme, and on evaluating existing programmes, assessing critical digital assets and identifying appropriate risk reduction measures. Provides guidelines to personnel designing, implementing, and managing Instrumentation and Control (I&C) and Information systems and networks at nuclear facilities.

NSS and TECDOCs in Development (Document; Status). TECDOC – NST037 Conducting Computer Security Assessments: Provides good practices for organizing and conducting computer security assessments associated with nuclear security. Status: Document completed. Publication in 2015. TECDOC – NST038 Computer Security Incident Response: Provides good practices for implementing computer security incident response processes between competent authorities, operators, and technical support organizations. NSS Technical Guidance – NST036 Computer Security of I&C Systems at Nuclear Facilities: Provides guidance on implementing computer security controls across the life cycle of nuclear instrumentation and control systems. Status: Approved for 120 day Member State Review. Publication in 2015/2016. NSS Implementing Guide – NST045 Computer Security for Nuclear Security: Provides overarching guidance to assist Member States in implementing computer security as a part of their nuclear security regime. Status: Under development. NSS Technical Guidance – NST047 Computer Security Techniques for Nuclear Facilities: Provides discussion on good practices for implementing computer security associated digital technologies at nuclear facilities.

NTC & RTC Computer Security Topics. Primary Training Courses: Basic Information and Computer Security Awareness; Conducting Computer Security Assessments (new 2013); Advanced Course in Information and Computer Security (new 2014); Computer Security for Nuclear Industrial Control Security (ICS) and Instrumentation and Control (I&C) Systems (2016). Courses can be adjusted to fit national or regional needs. Basic Awareness Course Topics: Threat and Consequence awareness; Basic concepts; Laws / Regulations / Regulatory Guidance; Policy / requirements; Interplay with other security domains; Sensitive information management; Threat / Risk – Methodologies; Programme assessment; Security Culture/Training programme; Security Control Concepts; Security design; Cryptography and Encryption; Component/node security; Network security; Instrumentation and Control (I&C) security; Access control; System planning and acceptance; Physical Protection; Document and Media protection; Methods of compromise; Incident response / management; Personnel security.

Professional Development Course: Nuclear Security Series No. 12, Educational Programme in Nuclear Security. Goal: the development of a comprehensive nuclear security human resource development programme. NS22 Computer Security for Nuclear Security Professionals: university course consisting of a peer-reviewed textbook and instructional material, including exercises. Supports computer security concepts and awareness training in the nuclear security professional community. Developed with the International Nuclear Security Education Network (INSEN). NS22 Textbook. NS22 Course currently being taught at the Monterey Institute of International Studies.

eLearning Training Series. Future courses on: Information Security; Conducting Assurance Activities; Security of I&C Systems; Incident Response. http://elearning.iaea.org/m2/course/index.php?categoryid=53

2015 Cyber Security Conferences: International Conference on Computer Security in a Nuclear World: Expert Discussion and Exchange, IAEA Headquarters, Vienna, Austria, 1–5 June 2015. Provided a global forum for information exchange for competent authorities, operators, system and security vendors, and other entities engaged in computer security activities relevant to nuclear security. Statistics: Registered Participants: > 700; Member States: 92; International Organizations: 17; Speakers and Presenters: > 200. Over 87% of countries with fuel cycle facilities represented. Conference materials available on NUSEC.

Cyber Security User’s Group: IAEA’s information portal for cyber security. https://nusec.iaea.org/portal/UserGroups/CyberSecurity/CyberSecurityOverview/tabid/503/Default.aspx

2016 IAEA Security Conference. Planned Technical Sessions: National legislative and regulatory framework for nuclear security; Regulatory oversight for nuclear security; Threat and risk assessment; Information security and computer security; Physical protection of nuclear material and nuclear facilities. Key dates: Submission of Synopsis by 13 May 2016; Grant Applications by 13 May 2016; Notification of authors – July 2016; Submission of full papers – October 2016; Full Programme available – November 2016; Ministerial Segment – 5 December 2016; Conference – 5-9 December 2016. Conference website: http://www-pub.iaea.org/iaeameetings/50809/International-Conference-on-Nuclear-Security-Commitments-and-Actions

Questions: Donald D. Dudenhoeffer, Nuclear Security Information Officer, International Atomic Energy Agency, Vienna International Centre, A-1400 Wien, Austria. Tel: +43 (1) 2600-26424, Fax: +43 (1) 2600-29299, d.dudenhoeffer@iaea.org