Cyber Security for Nuclear Newcomer States

Cyber and Information Security
from a Regulatory Viewpoint
Cyber Security for Nuclear Newcomer States
Dr. Farouk Eltawila
Chief Scientist
Federal Authority for Nuclear Regulation
Senior Regulators’ Meeting
International Atomic Energy Agency
Vienna, Austria
19 September 2013
Presentation Outline
The Nuclear Energy Policy of the UAE
International Commitments and Cooperation
Cooperation with the IAEA
Licensing the First NPP in the UAE
Cyber Security Regulatory Framework
National Allocation of Resources
Information Security
Cyber Security
UAE Policy on the Evaluation and Potential Development
of Peaceful Nuclear Energy
Complete operational
Highest standards of nonproliferation
Highest standards of safety and
Close cooperation with the IAEA
Partnership with governments
and firms of responsible nations
Long-term sustainability
The UAE Concluded all Relevant International Agreements
Convention on Nuclear Safety
Joint Convention on the Safety of Spent Fuel Management and the Safety of
Radioactive Waste Management
Conventions on Early Notification and Assistance
Vienna Convention on Civil Liability for Nuclear Damage
Convention on Physical Protection of Nuclear Material (and CPPNM
Comprehensive Safeguards Agreement with IAEA
Additional protocol to the Safeguards Agreement
Cooperation with IAEA
The UAE Nuclear Law codified the
essential principles and priorities in the
Nuclear Policy
Implementation of safety, security,
safeguards regulation (3S)
Use of IAEA guidance
− Milestones in the Development of a National
Nuclear Infrastructure
− Safety Standards
− Security Series
Technical Cooperation Programme
− Workshops, training, technical assistance
Peer review and expert missions
− INIR, IRRS, siting review…
FANR Organisation
Construction Licence Application/License
Preliminary Safety Analysis Report
− 21 Chapters and supplements and
addenda covering Safety, Security and
Physical Protection Plan for construction
Preliminary Safeguards Plan
Preliminary Probabilistic Safety
Assessment Report Summary
Severe Accident Analysis Report
Aircraft Impact Analysis Report
Construction Licence for Barakah Units1
& 2 (July 17, 2012)
Application received (February 2013) for
construction of Barakah Units 3&4
General Principles of Cyber Security Regime
Fundamental Principle A: The responsibility for establishment, implementation, and
maintenance of a Physical Protection Regime within the State rests entirely with the
NSS 17
National allocation of responsibilities
Establish a Cyber Security Regulatory Framework
─ Realistic, proportionate, and flexible to implement requirements
Including cyber security threats in the physical DBT
─ Cyber threat is continually changing
─ Sustained attacks can go without detection
Maintain skilled cyber security workforce
Engagement of senior leadership in cyber security risk management
─ Identifying, Protecting, Detecting, Responding, and Recovering from cyber security events
Capitalize on built-in safety measures (DiD, Diversity, …)
Cyber security measures and safety measures should not compromise one another
Provide Cyber Security awareness and training to all users
Combating insiders threats using technical, administrative, and physical measures.
Managing supply chain risk and other dependencies
National Allocation of Responsibilities
In the early planning stages, the UAE government identified key competent
authorities and their responsibilities
Nuclear Law; Federal Law by Decree No 6 of 2009 Concerning Peaceful Uses of
Nuclear Energy
─ Established FANR; provided the legal framework for Safety, Security, Safeguards
─ Establish and maintain a state system of accounting for and control of nuclear
─ Establishment, implementation, and maintenance of an effective, sustainable
nuclear security infrastructure
• Allows for other competent authorities in the State to provide security to vital facilities
─ Determine Civil and criminal penalties
• unauthorized disclosure of information that affects the Physical Protection System
• any act that breaches the provisions of the International Convention for the Suppression of
Acts of Nuclear Terrorism
─ Cooperation with authorities with relevant responsibilities
» Critical Infrastructure and Coastal Protection Authority (CICPA),
» National Electronic Security Authority (NESA),
» National Crisis Emergency Management Authority (NCEMA),
» UAE Telecommunications Regulatory Authority (Computer Emergency Response Team
(CIRT), etc.
Performance Objectives
High assurance that critical digital assets (CDAs)are protected
against cyber attacks
Safety and security are implemented in integrated manner so as
one does not adversely impact the other
CDAs are treated as vital equipment that if failed or destroyed
could lead to core / spent fuel damage
located within double barriers of the Physical Protection Program ;
controlled access
included within target set as elements, and
included within security guard surveillance rounds
Capitalize on facility design and operation
− Defence-in-depth, diversity, redundancy
− Measures to mitigate the consequences of accidents and failures
Cyber security features included in safety systems should be
developed and qualified to the same level as the systems they
reside in
Physical Protection/Cyber Security Regulation
IAEA Recommended Requirements
FANR Security Regulation conforms with IAEA INFCIRC/225Revision5 (NSS13)
Requires operator to establish and maintain a Cyber Security Plan as part of the
Physical Protection Plan to ensure that
Computer based systems used for physical protection, nuclear safety,
emergency response, and nuclear material accountancy and control should be
protected against compromise (e.g. cyber attack, manipulation or falsification)
consistent with the threat assessment)
Implementation Documents
FANR Regulation (REG-008) & Regulatory Guide (RG 011)
IAEA Security Series (NSS 17)
USNRC Regulatory Guide 5.71
− National Institute of Standards and Technology—Cyber Security Framework
− Nuclear Energy Institute Guidance NEI 10-04
− World Institute of Nuclear Security (Security of IT and IC Systems at Nuclear
Implementation of FANR-REG-08
(Roles and Responsibilities)
FANR Federal
FANR Review
& Approval
of PPP
- Classified DBT was established by
- Training and exchange of Expertise.
- Ease of Access to FANR’s & IAEA’s
- Inspections (joint / separate).
ENEC Cyber
CICPA Command
Critical Infrastructre
CICPA’s Nuclear
Design &
of PPP
Protection of Information and Information Systems
State’s Role
Implement a resilient IT infrastructure and cyber security
Issued Federal Law by Decree “On Combating Cybercrime”
− The National Electronic Security Authority (NESA) for Reducing Cyber Risks to
critical infrastructure
• Organize the protection of the communication network and information
systems in the UAE
• Set network security standards
• Supervise their execution
− Established the UAE Telecommunications Regulatory Authority
 Computer Emergency Response Team (CERT) for detecting and preventing
cyber-crime and safeguard critical national computer infrastructure
Using a graded protection, “State Security” determines the trustworthiness
policy, with consideration of UAE laws, regulations, and job requirements
Protection of Information and Information Systems
FANR’s Role
Issued (in collaboration with CICPA) Information Protection
Programme Operating Manual
Operator’s Role
Protect against unauthorised access to sensitive nuclear information
and cyber intrusion of digital computer systems, communication
systems and networks
─ important to the safety and operation of the facility
─ support the physical protection system,
─ emergency planning and communication
Selection and implementation of Security Controls:
─ To protect the confidentiality, integrity, and availability of
information system, and the information processed, stored, and
transmitted by those systems; and
─ To mitigate the risk of using information and information systems to
achieve the desired or required level of assurance
Cyber Security
FANR’s Role
Issues regulatory requirement to
─ Improve security
─ Increase reliability and resiliency in the delivery of services critical
to cyber security
─ Non prescriptive ; encourage more innovation and effective
─ Ensure compliance and enforcement
─ Prevent unauthorised access to computer systems or
communications equipment
Operator’s Role
Establish/maintain Cyber Security Plan:
─ Prevent unauthorised access to computer systems
─ Response and reconstitution of critical infrastructure
─ Combating insiders threats using technical, administrative, and
physical measures.
Cyber Security Plan
Critical Digital Assets
Safety – related and important-to-safety functions
Security Functions
Emergency Preparedness functions, including offsite communication functions and networks
Information technology functions
Material Accounting and Control functions
Support systems and equipment that, if compromised, would adversely impact safety, security, or
emergency preparedness functions
Physical Protection
Critical Digital Assets should reside in a configuration that includes multiple layers of physical
Access (Physical and Remote)
System Integrity
Unauthorized entry detection
Virus/malware detection
User roles and responsibilities (Designated Authority and separation of duties)
Use of wireless and portable computing devices
Incident Response and Mitigation
Restoration (continuity of operation)
Defence-in-depth architecture
Network Intrusion
Detection & Prevention
• Corporate Accessible Area
• Technical Data Management,
• Owner Controlled Area
• Real Time Supervisory
• Protected Area
• (Operational Control/Security)
• Vital Area
• (Safety/Security)
Gateway that Enforces
Security Policy
• Public Accessible Area
• Office Automation
The State should incorporate a defence-in-depth strategy (which is fundamental to safety of
nuclear facility) requiring multiple layers of physical protection of nuclear material and facilities
(INFCIRC/225/Revision 5)
Identification of Critical Systems and Critical Digital Assets
(Source—USNRC RG 5.71, Cyber Security Programme)
Cyber Incident Response Team-Source NIST 800-61Rev 2
Preparation, detection and analysis, response, containment and eradication, recovery, and follow-up
Establishing and training an incident
response team
Develop Implementation Plan
Develop Incident Response Policy
Detection of security breach
Restore and resume system operation
Issue report about steps to be taken to
prevent future incident
Preservation of evidence
Incident response team should communicate, whenever appropriate,
with outside parties
• Law enforcement
• Vendor of venerable software
• Other incident response team
• Establish policy and procedures regarding information sharing
Concluding Remarks
UAE established comprehensive legal & regulatory framework to
regulate the nuclear sector conforming to IAEA standards/guidance
Cyber threat is real; continually changing
− UAE is committed to high standards of safety & security
− Maintaining strong safety and security culture
− Incorporation of cyber element(s) in the DBT allows for a
comprehensive, holistic assessments of all threats
Nuclear facilities employ:
− “DiD” protective strategies; make them resilient to cyber attacks R
− Rredundant and diverse capabilities to detect, prevent, respond
to, and recover from cyber attacks; make them invulnerable to the
failure of a single protective strategy
Measures to defend against cyber threats must be appropriate,
proportionate, and flexible to implement
IAEA Nuclear Security Series and implementation guides are important
to member states, particularly new entrants
Abu Dhabi Development
‫‪Thank you‬‬