
IAEA International Atomic Energy Agency: Functional and Security Domains (presentation transcript)

Slide 1: Title slide
Presented by:

Slide 2: Content
- Computer Security Overview
- Functional domains: Operations Domain, Business Domain, Safety Domain, Physical Protection Domain, Emergency Response Domain
- Security domains

Slide 3: Objectives
At the end of this presentation the participants should be able to:
- identify and describe each of the 5 functional domains
- identify and describe each of the 11 security domains

Slide 4: Computer Security Overview
Computer security consists of many individual elements called security domains. A single assessment will likely examine in detail only a sampling of the domains across the spectrum of systems. Along with the security domains, four overarching areas have been identified that are recommended to always be reviewed, in light of the security domains, as indicators of the overall “health” of the Computer Security Programme. These are:
- The Management Approach;
- Computer Security Processes;
- Implementation of the Graded Approach; and
- Threat and Consequence Management.

Slide 5: Management Approach
This area concerns management's commitment to, and implementation of, the Computer Security Programme. Indicators include:
- Senior management commitment
- Computer security objectives are clearly defined
- Clear roles and responsibilities, sufficient to ensure the computer security processes
- Access to adequate resources (human, economic, time allocation, skills, etc.)
- Compliance with the regulatory framework is ensured

Slide 6: Computer Security Processes
This area examines how the facility or organization has actually implemented computer security principles and controls in its operating processes and procedures. Indicators include:
- Existing computer security plan(s)
- A structured, formalized, documented set of processes
- Processes in place that allow for a continuously effective computer security posture, with enhancement where necessary (periodic reviews, audits, clear maintenance procedures, self-assessments, etc.)
- Processes should be proactive rather than reactive to the largest degree possible

Slide 7: Graded Approach
The graded approach is the application of protection measures proportional to the potential consequence of a malicious act. It is one of the core principles of nuclear security and of security in general.
Indicators:
- Is computer security based on a graded approach? In particular, security levels should be assigned according to clear processes or rules (e.g., based on safety, the design basis threat (DBT), or potential consequences analysis).
- Are these processes or rules actually applied?
- How do risk/threat assessments influence the graded approach?
Note: Refer to NSS 17 for a discussion of the graded approach and the zone model implementation.

Slide 8: Threat and Consequence Management
This area concerns how an organization stays current regarding emerging threats and how it continually informs its computer security processes based on those threats. Organizations may have individual processes to evaluate these areas, including risk assessment and risk management processes. An alternative method is to look at impact analysis.
Indicators:
- Does the organization have a mature management process in place that addresses threats, vulnerabilities and potential consequences?
- What references and methodology are used?
- What is the scope (organization, part of the organization, system, ...)?
- How was the analysis performed, documented, and used in conjunction with baseline security controls?
- Are residual risks identified, documented and accepted by management?
- Does the process include regular reviews and updates?

Slide 9: Functional Domains (section title)

Slide 10: Functional Domains
From a general perspective, computer systems at nuclear facilities can be mapped to one or more of the five functional domains [1]. The assessment should be tailored to cover one or more of the functional domains; a complete assessment would cover all five.
1. Operations Domain: computer systems that are used for operating the assessed entity. These include instrumentation, control, and data acquisition systems.
2. Business Domain: computer systems that are used in the management and business-oriented operation of the entity. A typical example is a work permit system. The business domain typically has connections to external networks that may also be relevant to other domains.

Slide 11: Functional Domains (continued)
3. Safety Domain: computer systems that are vital for operating the assessed entity and that provide protection for people and the environment against radiation risks, and for the safety of facilities and activities that give rise to radiation risks. These include, for example, prevention and protection systems used for the shutdown of a nuclear power plant (NPP).
4. Physical Protection Domain: computer systems used for protecting and monitoring the nuclear and radiological materials of the assessed entity. These include access control systems, physical protection systems for perimeter monitoring, and material accountability systems.
5. Emergency Response Domain: computer systems used for the detection, response, and mitigation of emergency incidents that threaten public safety, health, and the environment. Such systems may be used in radiation and environmental monitoring, fire alarm and suppression, and emergency communications.

Slide 12: Operations Domain
- Process control systems: instrumentation and control (I&C) systems for plant control
- Control room I&C, including the alarm systems
- Process computer systems that collect and prepare information for the control room
- Fuel handling and storage I&C systems
- Configuration management/maintenance
- Voice and data communication infrastructure

Slide 13: Business Domain
- Voice and data communication infrastructure
- Human resource management systems and data repositories
- Technical/engineering systems

Slide 14: Safety Domain
- Protection systems: instrumentation and control (I&C) systems that are used for automatically initiated reactor and plant protection actions
- Safety actuation systems: I&C systems that accomplish safety actions initiated by the protection systems and by manual actuation
- Safety system support features: I&C for emergency power supply systems

Slide 15: Physical Protection Domain
- Perimeter monitoring / intrusion detection
- Physical access control systems
- Accountancy and inventory control system
- Nuclear material accountancy and control systems
- Voice and data communication infrastructure
- Alarm systems
- Security clearance database: used to ensure that persons hold the appropriate security

Slide 16: Emergency Response Domain
- Environmental monitoring
- Radiation monitoring
- Fire protection systems
- Voice and data communication infrastructure

Slide 17: Security Domains (section title)

Slide 18: Computer Security Domains
Computer security domains identify the core elements of a comprehensive security programme. The domains discussed here have been derived from ISO/IEC 27001:2005 [2]. Other categorizations may identify the domains slightly differently, but the objective is to ensure coverage of the individual elements constituting the programme. An assessment should cover at least a sampling of observations in each domain, so that any potential “weak links” that could compromise the other security efforts are identified.

Slide 19: Security Domains
The following security domains (or equivalent domains) are recommended for evaluation during an assessment:
1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Acquisition, Development and Maintenance
9. Computer Security Incident Management
10. Continuity Management
11. Compliance

Slide 20: 1. Security Policy
This domain provides management direction and support for computer security in accordance with nuclear safety and security, as well as relevant laws, regulations and business requirements. Management should set a clear policy direction in line with nuclear safety and security and with business objectives, and demonstrate support for, and commitment to, computer security through the issue and maintenance of a computer security policy across the organization. A computer security policy should be defined, communicated, documented and periodically reviewed. The policy should take into account all the nuclear functional domains: operations, business, safety, physical protection and emergency response.

Slide 21: 2. Organizing Security
Management should approve the computer security policy, assign roles and responsibilities, and review the implementation of computer security across the organization.

Slide 22: 3. Asset Management
The goal of this domain is to protect organizational assets. It includes: responsibility for asset management; an inventory of authorized hardware and software; a list of unauthorized hardware and software; and computer classification (systems important to safety and/or security). All assets should have a dedicated owner who is responsible for assigning appropriate controls.

Slide 23: 4. Human Resources
- Employees, contractors and third-party users understand their roles and responsibilities.
- Personnel vetting should be conducted for all candidates for employment, contractors and third-party users, as appropriate to their access to sensitive data and systems.
- Computer security awareness-building program.

Slide 24: 5. Physical and Environmental Security
This domain seeks to prevent unauthorized physical access to systems, sabotage, and disruption or denial of services or information flow. Prevention and security controls should be based on a risk-assessed and graded approach.

Slide 25: 6. Communications and Operations Management
The objective of this security domain is to control the exfiltration and infiltration of data from and to computer systems within the computer security program, to protect against the introduction of new vulnerabilities, and to control the operational procedures so as to ensure that the systems operate and protect as intended.

Slide 26: 7. Computer Access Controls
The objective is to control logical access to computer systems or electronic information in the facility. This domain addresses requirements for: access control, user access management, user responsibilities, network access control, operating system access control, application and information access control, and mobile computing and teleworking.

Slide 27: 8. Acquisition, Development and Maintenance
The objective of this security domain is to ensure that the security and integrity of the computer systems being acquired are maintained until they are delivered to the facility. The security controls covered under this domain include supply chain protection, correctness of software, integration of security capability, factory testing, and acceptance testing.

Slide 28: 9. Incident Management
The objective of this security domain is to ensure that processes are in place to effectively mitigate the potential impact of computer security incidents and to communicate them effectively. This domain focuses on the activities concurrent with and following a security incident that both ensure and restore critical functions.

Slide 29: 10. Continuity Management
The general objective of this security domain is the continuity and restoration of a facility's critical functions following major disruptions to normal computer systems and processes. This includes disruptions caused by natural hazards, human error, and malicious intent. Note that the previous domain dealt with the initial response to and mitigation of the incident; this domain's focus is the continuity and recovery process.

Slide 30: 11. Compliance
Member States may have relevant legal, statutory, regulatory or contractual obligations pertaining to computer security that should also be considered during this assessment. The objective of this security domain is to check that the computer security programme is in line with such obligations.

Slide 31: Facility Assessment Matrix
An objective of the review process is to ensure an adequate sampling across areas, so as to develop a good understanding of the Computer Security Programme implementation. Developing an assessment matrix is one tool that can be used to ensure coverage of the different security domains.
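As an added example of the assessment matrix idea (not a tool from the presentation or from the NST037 TECDOC it cites), the script below crosses the five functional domains with the eleven security domains from the slides, tallies assessor observations into that 5 x 11 grid, and reports the cells and whole security domains that received no observation at all, which is exactly the "weak link" gap that slide 18 says a sampled assessment must avoid. The observations are constructed sample data; the domain names are taken from the slides.

```python
"""Assessment coverage matrix: functional domains x security domains.

Added example. Domain names come from the presentation; the observations
below are constructed sample data, not findings from any real facility.
"""

# Five functional domains (slides 10-11).
FUNCTIONAL_DOMAINS = [
    "Operations", "Business", "Safety", "Physical Protection", "Emergency Response",
]

# Eleven security domains (slide 19), in slide order.
SECURITY_DOMAINS = [
    "Security Policy", "Organizing Information Security", "Asset Management",
    "Human Resources Security", "Physical and Environmental Security",
    "Communications and Operations Management", "Access Control",
    "Acquisition, Development and Maintenance",
    "Computer Security Incident Management", "Continuity Management", "Compliance",
]

# Constructed sample observations: (functional domain, security domain, note).
SAMPLE_OBSERVATIONS = [
    ("Operations", "Security Policy", "policy explicitly covers plant I&C systems"),
    ("Operations", "Asset Management", "inventory of I&C controllers is current"),
    ("Operations", "Access Control", "control room engineering workstation uses a shared account"),
    ("Business", "Human Resources Security", "contractor vetting records sampled"),
    ("Business", "Communications and Operations Management", "removable media procedure reviewed"),
    ("Safety", "Acquisition, Development and Maintenance", "factory acceptance test records reviewed"),
    ("Safety", "Access Control", "protection system maintenance laptop access reviewed"),
    ("Physical Protection", "Physical and Environmental Security", "server room access log reviewed"),
    ("Emergency Response", "Continuity Management", "restore test of radiation monitoring data backups"),
]


def build_matrix(observations):
    """Count observations per (functional, security) cell.

    Unknown names are rejected so a typo in an assessor's notes cannot silently
    create a 56th cell and make coverage look better than it is.
    """
    matrix = {(f, s): 0 for f in FUNCTIONAL_DOMAINS for s in SECURITY_DOMAINS}
    for func, sec, _note in observations:
        if (func, sec) not in matrix:
            raise ValueError(f"unknown domain pair: {func!r} / {sec!r}")
        matrix[(func, sec)] += 1
    return matrix


def uncovered_cells(matrix):
    """Cells with no observation, in slide order."""
    return [(f, s) for f in FUNCTIONAL_DOMAINS for s in SECURITY_DOMAINS
            if matrix[(f, s)] == 0]


def unobserved_security_domains(matrix):
    """Security domains with zero observations across every functional domain:
    nothing at all was sampled there, so the assessment cannot speak to them."""
    return [s for s in SECURITY_DOMAINS
            if all(matrix[(f, s)] == 0 for f in FUNCTIONAL_DOMAINS)]


def unobserved_functional_domains(matrix):
    """Functional domains with zero observations in every security domain."""
    return [f for f in FUNCTIONAL_DOMAINS
            if all(matrix[(f, s)] == 0 for s in SECURITY_DOMAINS)]


def coverage_report(observations):
    """Summarise how well the sample spans the matrix."""
    matrix = build_matrix(observations)
    return {
        "observations": len(observations),
        "covered_cells": sum(1 for count in matrix.values() if count > 0),
        "total_cells": len(matrix),
        "security_domains_unobserved": unobserved_security_domains(matrix),
        "functional_domains_unobserved": unobserved_functional_domains(matrix),
    }


def render_matrix(matrix):
    """Plain-text grid: rows are functional domains, columns are security
    domains numbered 1..11 as on slide 19; each cell is the observation count."""
    width = max(len(f) for f in FUNCTIONAL_DOMAINS) + 2
    header = "Functional domain".ljust(width) + "".join(
        f"{i:>4}" for i in range(1, len(SECURITY_DOMAINS) + 1))
    lines = [header]
    for f in FUNCTIONAL_DOMAINS:
        lines.append(f.ljust(width) + "".join(
            f"{matrix[(f, s)]:>4}" for s in SECURITY_DOMAINS))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_OBSERVATIONS)
    print(render_matrix(m))
    report = coverage_report(SAMPLE_OBSERVATIONS)
    print(f"{report['covered_cells']} of {report['total_cells']} cells sampled")
    for name in report["security_domains_unobserved"]:
        print(f"no observation in security domain: {name}")
```

With the constructed sample, the report shows that three security domains (Organizing Information Security, Computer Security Incident Management, Compliance) were never sampled in any functional domain, which is the kind of gap the matrix is meant to surface before the assessment closes. Full coverage of all 55 cells is not the goal; the slides ask for a sampling in each domain, and the per-domain lists are the check for that.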

Slide 32: Summary
- Discussed computer security: the Management Approach, Computer Security Processes, Implementation of the Graded Approach, Threat and Consequence Management
- Described the functional domains
- Described the 11 security domains

Slide 33: Questions?

Slide 34: References
[1] International Atomic Energy Agency (IAEA), NST037 TECDOC, Conducting Computer Security Assessments, Draft, 4 Nov 2013.
[2] International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), ISO/IEC 27001, "Information technology - Security techniques - Information security management systems - Requirements", 2005-10-15.
