Cyber and Information Security from a Regulatory Viewpoint Cyber Security for Nuclear Newcomer States Dr. Farouk Eltawila Chief Scientist Federal Authority for Nuclear Regulation Senior Regulators’ Meeting International Atomic Energy Agency Vienna, Austria 19 September 2013 1 Presentation Outline The Nuclear Energy Policy of the UAE International Commitments and Cooperation Cooperation with the IAEA Licensing the First NPP in the UAE Cyber Security Regulatory Framework National Allocation of Resources Information Security Cyber Security Conclusion 2 UAE Policy on the Evaluation and Potential Development of Peaceful Nuclear Energy Complete operational transparency Highest standards of nonproliferation Highest standards of safety and security Close cooperation with the IAEA Partnership with governments and firms of responsible nations Long-term sustainability 3 The UAE Concluded all Relevant International Agreements Convention on Nuclear Safety Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management Conventions on Early Notification and Assistance Vienna Convention on Civil Liability for Nuclear Damage Convention on Physical Protection of Nuclear Material (and CPPNM Amendment) Comprehensive Safeguards Agreement with IAEA Additional protocol to the Safeguards Agreement 4 Cooperation with IAEA The UAE Nuclear Law codified the essential principles and priorities in the Nuclear Policy Implementation of safety, security, safeguards regulation (3S) Use of IAEA guidance − Milestones in the Development of a National Nuclear Infrastructure − Safety Standards − Security Series Technical Cooperation Programme − Workshops, training, technical assistance Peer review and expert missions − INIR, IRRS, siting review… 5 FANR Organisation IAG/NSR IAG/NSR 6 Construction Licence Application/License Preliminary Safety Analysis Report − 21 Chapters and supplements and addenda covering Safety, Security and Safeguards Physical Protection Plan for construction Preliminary Safeguards Plan Preliminary Probabilistic Safety Assessment Report Summary Severe Accident Analysis Report Aircraft Impact Analysis Report Construction Licence for Barakah Units1 & 2 (July 17, 2012) Application received (February 2013) for construction of Barakah Units 3&4 7 General Principles of Cyber Security Regime Fundamental Principle A: The responsibility for establishment, implementation, and maintenance of a Physical Protection Regime within the State rests entirely with the State NSS 17 National allocation of responsibilities Establish a Cyber Security Regulatory Framework ─ Realistic, proportionate, and flexible to implement requirements Including cyber security threats in the physical DBT ─ Cyber threat is continually changing ─ Sustained attacks can go without detection Maintain skilled cyber security workforce Engagement of senior leadership in cyber security risk management ─ Identifying, Protecting, Detecting, Responding, and Recovering from cyber security events Capitalize on built-in safety measures (DiD, Diversity, …) Cyber security measures and safety measures should not compromise one another Provide Cyber Security awareness and training to all users Combating insiders threats using technical, administrative, and physical measures. Managing supply chain risk and other dependencies 8 National Allocation of Responsibilities In the early planning stages, the UAE government identified key competent authorities and their responsibilities Nuclear Law; Federal Law by Decree No 6 of 2009 Concerning Peaceful Uses of Nuclear Energy ─ Established FANR; provided the legal framework for Safety, Security, Safeguards (3S) ─ Establish and maintain a state system of accounting for and control of nuclear material ─ Establishment, implementation, and maintenance of an effective, sustainable nuclear security infrastructure • Allows for other competent authorities in the State to provide security to vital facilities ─ Determine Civil and criminal penalties • unauthorized disclosure of information that affects the Physical Protection System • any act that breaches the provisions of the International Convention for the Suppression of Acts of Nuclear Terrorism ─ Cooperation with authorities with relevant responsibilities » Critical Infrastructure and Coastal Protection Authority (CICPA), » National Electronic Security Authority (NESA), » National Crisis Emergency Management Authority (NCEMA), » UAE Telecommunications Regulatory Authority (Computer Emergency Response Team (CIRT), etc. 9 Performance Objectives High assurance that critical digital assets (CDAs)are protected against cyber attacks Safety and security are implemented in integrated manner so as one does not adversely impact the other CDAs are treated as vital equipment that if failed or destroyed could lead to core / spent fuel damage − − − − located within double barriers of the Physical Protection Program ; controlled access included within target set as elements, and included within security guard surveillance rounds Capitalize on facility design and operation − Defence-in-depth, diversity, redundancy − Measures to mitigate the consequences of accidents and failures Cyber security features included in safety systems should be developed and qualified to the same level as the systems they reside in 10 Physical Protection/Cyber Security Regulation IAEA Recommended Requirements FANR Security Regulation conforms with IAEA INFCIRC/225Revision5 (NSS13) Requires operator to establish and maintain a Cyber Security Plan as part of the Physical Protection Plan to ensure that − Computer based systems used for physical protection, nuclear safety, emergency response, and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment) Implementation Documents FANR Regulation (REG-008) & Regulatory Guide (RG 011) IAEA Security Series (NSS 17) USNRC Regulatory Guide 5.71 − National Institute of Standards and Technology—Cyber Security Framework − Nuclear Energy Institute Guidance NEI 10-04 − World Institute of Nuclear Security (Security of IT and IC Systems at Nuclear Facilities) 11 Implementation of FANR-REG-08 (Roles and Responsibilities) FANR Federal Law FANR Implementing Regulations FANR regulatory activities FANR Review & Approval of PPP CICPA Law MoU - Classified DBT was established by CICPA - Training and exchange of Expertise. - Ease of Access to FANR’s & IAEA’s Inspectors. - Inspections (joint / separate). NESA ENEC Cyber Activities CICPA Command Mandated Critical Infrastructre Protection CICPA’s Nuclear Physical Protection Department Design & Implementaion of PPP 12 Protection of Information and Information Systems State’s Role Implement a resilient IT infrastructure and cyber security Issued Federal Law by Decree “On Combating Cybercrime” Established: − The National Electronic Security Authority (NESA) for Reducing Cyber Risks to critical infrastructure • Organize the protection of the communication network and information systems in the UAE • Set network security standards • Supervise their execution − Established the UAE Telecommunications Regulatory Authority Computer Emergency Response Team (CERT) for detecting and preventing cyber-crime and safeguard critical national computer infrastructure Using a graded protection, “State Security” determines the trustworthiness policy, with consideration of UAE laws, regulations, and job requirements 13 Protection of Information and Information Systems FANR’s Role Issued (in collaboration with CICPA) Information Protection Programme Operating Manual Operator’s Role Protect against unauthorised access to sensitive nuclear information and cyber intrusion of digital computer systems, communication systems and networks ─ important to the safety and operation of the facility ─ support the physical protection system, ─ emergency planning and communication Selection and implementation of Security Controls: ─ To protect the confidentiality, integrity, and availability of information system, and the information processed, stored, and transmitted by those systems; and ─ To mitigate the risk of using information and information systems to achieve the desired or required level of assurance 14 Cyber Security FANR’s Role Issues regulatory requirement to ─ Improve security ─ Increase reliability and resiliency in the delivery of services critical to cyber security ─ Non prescriptive ; encourage more innovation and effective solution ─ Ensure compliance and enforcement ─ Prevent unauthorised access to computer systems or communications equipment Operator’s Role Establish/maintain Cyber Security Plan: ─ Prevent unauthorised access to computer systems ─ Response and reconstitution of critical infrastructure ─ Combating insiders threats using technical, administrative, and physical measures. 15 Cyber Security Plan Critical Digital Assets Safety – related and important-to-safety functions Security Functions Emergency Preparedness functions, including offsite communication functions and networks Information technology functions Material Accounting and Control functions Support systems and equipment that, if compromised, would adversely impact safety, security, or emergency preparedness functions Physical Protection Critical Digital Assets should reside in a configuration that includes multiple layers of physical protection Access (Physical and Remote) System Integrity Unauthorized entry detection Virus/malware detection User roles and responsibilities (Designated Authority and separation of duties) Compartmentalization Use of wireless and portable computing devices Incident Response and Mitigation Detection Correcting Restoration (continuity of operation) 16 Defence-in-depth architecture WWW Network Intrusion Detection & Prevention Level-0 G Level-1 • Corporate Accessible Area • Technical Data Management, Level-2 • Owner Controlled Area • Real Time Supervisory Level-3 • Protected Area • (Operational Control/Security) Level-4 • Vital Area • (Safety/Security) G G Gateway that Enforces Security Policy G G • Public Accessible Area • Office Automation The State should incorporate a defence-in-depth strategy (which is fundamental to safety of nuclear facility) requiring multiple layers of physical protection of nuclear material and facilities (INFCIRC/225/Revision 5) 17 Identification of Critical Systems and Critical Digital Assets (Source—USNRC RG 5.71, Cyber Security Programme) 18 Cyber Incident Response Team-Source NIST 800-61Rev 2 Preparation, detection and analysis, response, containment and eradication, recovery, and follow-up • • • • • • • Establishing and training an incident response team Develop Implementation Plan Develop Incident Response Policy Detection of security breach Restore and resume system operation Issue report about steps to be taken to prevent future incident Preservation of evidence Incident response team should communicate, whenever appropriate, with outside parties • Law enforcement • ISP • Vendor of venerable software • Other incident response team • Establish policy and procedures regarding information sharing 19 Concluding Remarks UAE established comprehensive legal & regulatory framework to regulate the nuclear sector conforming to IAEA standards/guidance Cyber threat is real; continually changing − UAE is committed to high standards of safety & security − Maintaining strong safety and security culture − Incorporation of cyber element(s) in the DBT allows for a comprehensive, holistic assessments of all threats Nuclear facilities employ: − “DiD” protective strategies; make them resilient to cyber attacks R − Rredundant and diverse capabilities to detect, prevent, respond to, and recover from cyber attacks; make them invulnerable to the failure of a single protective strategy Measures to defend against cyber threats must be appropriate, proportionate, and flexible to implement IAEA Nuclear Security Series and implementation guides are important to member states, particularly new entrants 20 Abu Dhabi Development 21 ً شكــــــــرا Thank you 22