IAEA Titansem 091102010 - vtt.fi · manuals for IAEA training courses in the area of nuclear ......

ISSRC Information Systems Security Research Center University of Oulu, Department of Information Processing Science T.Wiander, M.Siponen


Page 1: IAEA Titansem 091102010 - vtt.fi · manuals for IAEA training courses in the area of nuclear ... • Techical Guidance -Reference Manual ... IAEA_Titansem_091102010.ppt



TIMO WIANDER M.Sc (IS), B.Sc (Marketing)

•  Project Manager ISSRC
•  ISO/IEC 9000 Lead Auditor
•  Practical experience 18+ years
•  ISO/IEC 27001 Lead Auditor
•  Practical experience 14+ years
•  Contract Auditor (Department of Defence)
•  CISA
•  Country representative in IAEA TM-group (Security) on behalf of STUK


Sponsors

Our sponsors include:
•  STUK (Radiation and Nuclear Safety Authority)
•  Fortum Corp.
•  TVO (Teollisuuden Voima Oyj)
•  Outokumpu Oyj
•  Nokia Corp.
•  Elisa Corp.
•  Elektrobit Corp.
•  F-Secure Corp.
•  Itella
•  SOK (Suomen Osuuskauppojen keskuskunta)
•  City of Oulu


Categories in the IAEA Nuclear Security Guidelines

•  Nuclear Security Fundamentals contain objectives, concepts and principles of nuclear security and provide the basis for security recommendations.

•  Recommendations present best practices that should be adopted by Member States in the application of the Nuclear Security Fundamentals.


•  Implementing Guides provide further elaboration of the Recommendations in broad areas and suggest measures for their implementation.

•  Technical Guidance publications comprise: Reference Manuals, with detailed measures and/or guidance on how to apply the Implementing Guides in specific fields or activities; Training Guides, covering the syllabus and/or manuals for IAEA training courses in the area of nuclear security; and Service Guides, which provide guidance on the conduct and scope of IAEA nuclear security advisory missions.


Computer Security at Nuclear Facilities

•  Technical Guidance - Reference Manual
•  Recommendation status under consideration
•  Consists of 3 parts: Introduction, Requirements and Implementation guidance
•  Development started 2004, initialisation 8/2003
•  Re-start 2006 due to organisational changes
•  Workshops, expert review, balloting
•  Estimated publication 12/2010
•  Will be available on iaea.org/publications


Table of Contents

•  1 Introduction
•  1.1 Background
•  1.2 Objectives
•  1.2.1 Document objectives
•  1.2.2 Nuclear security and computer security objectives
•  1.3 Requirements specific to nuclear facilities
•  1.4 Intended audience and document structure
•  1.5 Methodology
•  1.6 Definitions


•  2 Regulatory and Management considerations (PART 1)
•  2.1 Legislative considerations
•  2.2 Regulatory considerations
•  2.3 Site Security framework
•  2.3.1 Computer Security
•  2.3.2 Computer systems at nuclear facilities
•  2.3.3 Defence in depth
•  2.4 Assessing the threat environment


•  3 Management systems
•  4 Organizational issues
•  4.1 Authorities and responsibilities
•  4.1.1 Management
•  4.1.2 Computer Security Officer
•  4.1.3 Computer Security Team
•  4.1.4 Organizational Management Responsibilities
•  4.1.5 Individual Responsibility
•  4.2 Computer security awareness culture
•  4.2.1 Computer Security Training Programme


•  5 Implementing computer security (PART 2)
•  5.1 Computer Security Plan (CSP) and Policy
•  5.1.2 Components of the CSP
•  5.2 Interaction with other domains of security
•  5.2.1 Personnel security
•  5.3 Assets Analysis and Management
•  5.4 Computer systems classification
•  5.4.1 Safety classification
•  5.4.2 Security or security related systems
•  5.5 Graded approach to computer security


•  6 Threats, Vulnerabilities and Risk Management
•  6.1 Basic concepts and relationships
•  6.2 Risk assessment and management
•  6.3 Threats identification and characterisation
•  6.3.1 Design Basis Threat
•  6.3.2 Attacker profiles
•  6.3.3 Attack Scenarios
•  6.4 A simplified outcome of a risk assessment


•  7 Special Considerations for Nuclear Facilities
•  7.1 Facility lifetime phases and modes of operation
•  7.2 Differences between IT systems and control systems
•  7.3 Demand for additional connectivity and related consequences
•  7.4 Considerations on software updates
•  7.5 Secure design and specifications for computer systems
•  7.6 Third party/Vendor access control procedure


•  8 Glossary & Abbreviations
•  9 Appendix I. An example of zone model implementation
•  10 Appendix II. Scenarios for imaginable attacks against systems in nuclear facilities
•  10.1.1 Information gather to support a malicious act scenario
•  10.1.2 Attack disabling or compromising one or several computer systems
•  10.1.3 Computer systems compromise as a tool of coordinated attack


•  11 Appendix III. A methodology for identifying computer security requirements
•  12 Appendix IV. The role of Human Error in Computer Security
•  13 Appendix V. Bibliography
•  13.1 IAEA guidance of relevance
•  13.2 International standards
•  13.3 Web resources
•  13.4 Other relevant literature


•  14 Document evolution
•  14.1.1 Record of changes
•  14.1.2 Contributors to drafting and review
•  14.1.3 Consultants’ Meetings


State of the Art

•  IAEA Nuclear Security Series (15)
•  IAEA Safety Series (85)
•  IAEA Safety Standards Series (125)
•  Safety Reports Series (59)

[Chart: number of publications, Security vs. Safety]


(Un)Lucky Accident

•  STUXNET

• Technical issue vs. management of security?


Further Development

•  Revised version 4/2011? (TECHNICAL MEETING in FIN)
•  Web resources?
•  Supporting tools and methods?
•  Sharing of Best Practices?


More information

•  Project Manager Timo Wiander, [email protected]; 040 532 7872

•  http://issrc.oulu.fi

•  http://www.iaea.org/Publications/