Pub1527_web

Software Básico

•

UFC

Caio Erick

13.11.2012

Esta é uma pré-visualização de arquivo. Entre para ver o arquivo original

Technical Guidance
Reference Manual
IAEA Nuclear Security Series No. 17
Computer Security
at Nuclear Facilities
INTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA
ISBN 978–92–0–120110–2
ISSN 1816–9317
This publication seeks to create awareness of the
importance of incorporating computer security as
a fundamental part of the overall security plan for
nuclear facilities. It further aims to provide guidance
to nuclear facilities on implementing a computer
security programme, and provide advice on evaluating
existing programmes, assessing critical digital assets
and identifying appropriate risk reduction measures.
IA
E
A
N
uclear S
ecurity S
eries N
o
. 17 C
o
m
p
uter S
ecurity at N
uclear Facilities
11-34841_P1527_cover.indd 1 2011-11-22 10:40:14
RELATED PUBLICATIONS
www.iaea.org/books
NUCLEAR SECURITY RECOMMENDATIONS ON PHYSICAL
PROTECTION OF NUCLEAR MATERIAL AND NUCLEAR FACILITIES
(INFCIRC/225/REVISION 5)
IAEA Nuclear Security Series No. 13
STI/PUB/1481 (62 pp.; 2011)
ISBN 978–92–0–111110–4 Price: €28.00
DEVELOPMENT, USE AND MAINTENANCE OF
THE DESIGN BASIS THREAT
IAEA Nuclear Security Series No. 10
STI/PUB/1386 (30 pp.; 2009)
ISBN 978–92–0–102509–8 Price: €18.00
PREVENTIVE AND PROTECTIVE MEASURES
AGAINST INSIDER THREATS
IAEA Nuclear Security Series No.8
STI/PUB/1359 (25 pp.; 2008)
ISBN 978–92–0–109908–2 Price: €20.00
NUCLEAR SECURITY CULTURE
IAEA Nuclear Security Series No. 7
STI/PUB/1347 (37 pp.; 2008)
ISBN 978–92–0–107808–7 Price: €30.00
INTERNATIONAL LEGAL FRAMEWORK FOR NUCLEAR SECURITY
IAEA International Law Series No. 4
STI/PUB/1486 (30 pp.; 2011)
ISBN 978–92–0–111810–3 Price: €26.00
THE MANAGEMENT SYSTEM FOR FACILITIES AND ACTIVITIES
IAEA Safety Standards Series No. GS-R-3
STI/PUB/1252 (27 pp.; 2006)
ISBN 92–0–106506–X Price: €25.00
APPLICATION OF THE MANAGEMENT SYSTEM
FOR FACILITIES AND ACTIVITIES
IAEA Safety Standards Series No. GS-G-3.1
STI/PUB/1253 (123 pp.; 2006)
ISBN 92–0–106606–6 Price: €31.00
INSTRUMENTATION AND CONTROL SYSTEMS IMPORTANT
TO SAFETY IN NUCLEAR POWER PLANTS
IAEA Safety Standards Series No. NS-G-1.3
STI/PUB/1116 (91 pp.; 2002)
ISBN 92–0–110802–8 Price: €14.50
SOFTWARE FOR COMPUTER BASED SYSTEMS IMPORTANT
TO SAFETY IN NUCLEAR POWER PLANTS
IAEA Safety Standards Series No. NS-G-1.1
STI/PUB/1095 (89 pp.; 2000)
ISBN 92–0–101800–2 Price: €14.50
THE IAEA NUCLEAR SECURITY SERIES
Nuclear security issues relating to the prevention and detection of, and response
to, theft, sabotage, unauthorized access and illegal transfer or other malicious acts
involving nuclear material and other radioactive substances and their associated
facilities are addressed in the IAEA Nuclear Security Series of publications. These
publications are consistent with, and complement, international nuclear security
instruments, such as the amended Convention on the Physical Protection of Nuclear
Material, the Code of Conduct on the Safety and Security of Radioactive Sources,
United Nations Security Council Resolutions 1373 and 1540, and the International
Convention for the Suppression of Acts of Nuclear Terrorism.
CATEGORIES IN THE IAEA NUCLEAR SECURITY SERIES
Publications in the IAEA Nuclear Security Series are issued in the following
categories:
• Nuclear Security Fundamentals contain objectives, concepts and principles of
nuclear security and provide the basis for security recommendations.
• Recommendations present best practices that should be adopted by Member
States in the application of the Nuclear Security Fundamentals.
• Implementing Guides provide further elaboration of the Recommendations in
broad areas and suggest measures for their implementation.
• Technical Guidance publications include: Reference Manuals, with detailed
measures and/or guidance on how to apply the Implementing Guides in specific
fields or activities; Training Guides, covering the syllabus and/or manuals for
IAEA training courses in the area of nuclear security; and Service Guides, which
provide guidance on the conduct and scope of IAEA nuclear security advisory
missions.
DRAFTING AND REVIEW
International experts assist the IAEA Secretariat in drafting these publications.
For Nuclear Security Fundamentals, Recommendations and Implementing Guides,
open-ended technical meeting(s) are held by the IAEA to provide interested Member
States and relevant international organizations with an appropriate opportunity to
review the draft text. In addition, to ensure a high level of international review and
consensus, the Secretariat submits the draft texts to all Member States for a period of
120 days for formal review. This allows Member States an opportunity to fully express
their views before the text is published.
Technical Guidance publications are developed in close consultation with
international experts. Technical meetings are not required, but may be conducted,
where it is considered necessary, to obtain a broad range of views.
The process for drafting and reviewing publications in the IAEA Nuclear Security
Series takes account of confidentiality considerations and recognizes that nuclear
security is inseparably linked with general and specific national security concerns. An
underlying consideration is that related IAEA safety standards and safeguards activities
should be taken into account in the technical content of the publications.
11-34841_P1527_cover.indd 2 2011-11-22 10:40:15
COMPUTER SECURITY AT
NUCLEAR FACILITIES
The following States are Members of the International Atomic Energy Agency:
The Agency
IAEA held at Uni
Headquarters of the
contribution of atom
AFGHANISTAN
ALBANIA
ALGERIA
ANGOLA
ARGENTINA
ARMENIA
AUSTRALIA
AUSTRIA
AZERBAIJAN
BAHRAIN
BANGLADESH
BELARUS
BELGIUM
BELIZE
BENIN
BOLIVIA
BOSNIA AND HERZ
BOTSWANA
BRAZIL
BULGARIA
BURKINA FASO
BURUNDI
CAMBODIA
CAMEROON
CANADA
CENTRAL AFRICAN
REPUBLIC
CHAD
CHILE
CHINA
COLOMBIA
CONGO
COSTA RICA
CÔTE D’IVOIRE
CROATIA
CUBA
CYPRUS
CZECH REPUBLIC
DEMOCRATIC REPU
OF THE CONGO
DENMARK
DOMINICAN REPUB
ECUADOR
EGYPT
EL SALVADOR
ERITREA
ESTONIA
ETHIOPIA
FINLAND
FRANCE
GABON
GEORGIA
GERMANY
GHANA
GREECE
GUATEMALA
HAITI
HOLY SEE
HONDURAS
HUNGARY
ICELAND
INDIA
INDONESIA
IRAN, ISLAMIC REPUBLIC OF
IRAQ
IRELAND
ISRAEL
NIGER
NIGERIA
NORWAY
OMAN
PAKISTAN
PALAU
PANAMA
PARAGUAY
PERU
PHILIPPINES
POLAND
PORTUGAL
QATAR
REPUBLIC OF MOLDOVA
’s Statute was approved on 23 October 1956 by the Conference on the Statute of the
ted Nations Headquarters, New York; it entered into force on 29 July 1957. The
Agency are situated in Vienna. Its principal objective is “to accelerate and enlarge the
ic energy to peace, health and prosperity throughout the world’’.
EGOVINA

BLIC 
LIC
ITALY
JAMAICA
JAPAN
JORDAN
KAZAKHSTAN
KENYA
KOREA, REPUBLIC OF
KUWAIT
KYRGYZSTAN
LAO PEOPLE’S DEMOCRATIC
REPUBLIC
LATVIA
LEBANON
LESOTHO
LIBERIA
LIBYA
LIECHTENSTEIN
LITHUANIA
LUXEMBOURG
MADAGASCAR
MALAWI
MALAYSIA
MALI
MALTA
MARSHALL ISLANDS
MAURITANIA
MAURITIUS
MEXICO
MONACO
MONGOLIA
MONTENEGRO
MOROCCO
MOZAMBIQUE
MYANMAR
NAMIBIA
NEPAL
NETHERLANDS
NEW ZEALAND
NICARAGUA
ROMANIA
RUSSIAN FEDERATION
SAUDI ARABIA
SENEGAL
SERBIA
SEYCHELLES
SIERRA LEONE
SINGAPORE
SLOVAKIA
SLOVENIA
SOUTH AFRICA
SPAIN
SRI LANKA
SUDAN
SWEDEN
SWITZERLAND
SYRIAN ARAB REPUBLIC
TAJIKISTAN
THAILAND
THE FORMER YUGOSLAV 
REPUBLIC OF MACEDONIA
TUNISIA
TURKEY
UGANDA
UKRAINE
UNITED ARAB EMIRATES
UNITED KINGDOM OF 
GREAT BRITAIN AND 
NORTHERN IRELAND
UNITED REPUBLIC 
OF TANZANIA
UNITED STATES OF AMERICA
URUGUAY
UZBEKISTAN
VENEZUELA
VIETNAM
YEMEN
ZAMBIA
ZIMBABWE
C
I
IAEA NUCLEAR SECURITY SERIES No. 17
TECHNICAL GUIDANCE
OMPUTER SECURITY AT
NUCLEAR FACILITIES
REFERENCE MANUAL
NTERNATIONAL ATOMIC ENERGY AGENCY
VIENNA, 2011
IAEA
Comp
—
n
S
I
I
1
3. C
Age
IAE
COPYRIGHT NOTICE
All IAEA scientific and technical publications are protected by the terms of
the Universal Copyright Convention as adopted in 1952 (Berne) and as revised in
1972 (Paris). The copyright has since been extended by the World Intellectual
Property
Organization (Geneva) to include electronic and virtual intellectual
property. Permission to use whole or parts of texts contained in IAEA
publications in
to royalty ag
translations are
should be addr
Marketin
Internatio
Vienna In
PO Box 1
1400 Vie
fax: +43
tel.: +43
email: sa
http://ww
Library Cataloguing in Publication Data
uter security at nuclear facilities : reference manual : technical guidance.
Vienna : International Atomic Energy Agency, 2011.
p. ; 24 cm. — (IAEA nuclear security series, ISSN 1816–9317 ;
o. 17)
TI/PUB/1527
SBN 978–92–0–120110–2
ncludes bibliographical references.
. Nuclear facilities — Security measures. 2. Computer security.
omputer networks — Security measures. I. International Atomic Energy
ncy. II. Series.
AL 11–00703
printed or electronic form must be obtained and is usually subject
reements. Proposals for non-commercial reproductions and
welcomed and considered on a case-by-case basis. Enquiries
essed to the IAEA Publishing Section at:
g and Sales Unit, Publishing Section
nal Atomic Energy Agency
ternational Centre
00
nna, Austria
1 2600 29302
1 2600 22417
les.publications@iaea.org
w.iaea.org/books
© IAEA, 2011
Printed by the IAEA in Austria
December 2011
STI/PUB/1527
FOREWORD
The possibility that nuclear or other radioactive material could be used for
malicious purposes cannot be ruled out in the current global situation. States have
responded to this risk by engaging in a collective commitment to strengthen the
protection and control of such material and to respond effectively to nuclear
security events. States have agreed to strengthen existing instruments and have
established ne
worldwide. Nu
technologies an
used or transpo
Through
establish, main
has adopted a
an effective na
relevant inter
protection; ma
trafficking in s
With its Nuclea
and sustaining
The IA
Fundamentals,
nuclear secur
Technical Guid
Each Stat
provide for the
facilities and ac
transport; to c
material; and to
This publ
Security Series
on national ex
computer secu
consideration b
The prep
been made po
Member State
included consu
then circulated
suggestions. T
considered in t
w international legal instruments to enhance nuclear security
clear security is fundamental in the management of nuclear
d in applications where nuclear or other radioactive material is
rted.
its Nuclear Security Programme, the IAEA supports States to
tain and sustain an effective nuclear security regime. The IAEA
comprehensive approach to nuclear security. This recognizes that
tional nuclear security regime builds on: the implementation of
national legal instruments; information protection; physical
terial accounting and control; detection of and response to
uch material; national response plans; and contingency measures.
r Security Series, the IAEA aims to assist States in implementing
such a regime in a coherent and integrated manner.
EA Nuclear Security Series comprises Nuclear Security
which include objectives and essential elements of a State’s
ity regime; Recommendations; Implementing Guides; and
ance.
e carries the full responsibility for nuclear security, specifically: to
security of nuclear and other radioactive material and associated
tivities; to ensure the security of such material in use, storage or in
ombat illicit trafficking and the inadvertent movement of such
be prepared to respond to a nuclear security event.
ication is in the Technical Guidance category of the IAEA Nuclear
, and deals with computer security at nuclear facilities. It is based
perience and practices as well as publications in the fields of
rity and nuclear security. The guidance is provided for
y States, competent authorities and operators.
aration of this publication in the IAEA Nuclear Security Series has
ssible by the contributions of a large number of experts from
s. An extensive consultation process with all Member States
ltants meetings and open-ended technical meetings. The draft was
to all Member States for 120 days to solicit further comments and
he comments received from Member States were reviewed and
he final version of the publication.
This repor
omissions on the
Although g
this publication,
consequences wh
The use o
judgement by the
their authorities a
The mentio
registered) does
construed as an e
EDITORIAL NOTE
t does not address questions of responsibility, legal or otherwise, for acts or
part of any person.
reat care has been taken to maintain the accuracy of information contained in
neither the IAEA nor its Member States assume any responsibility for
ich may arise from its use.
f particular designations of countries or territories does not imply any
publisher, the IAEA, as to the legal status of such countries or territories, of
nd institutions or of the delimitation of their boundaries.
n of names of specific companies or products (whether or not indicated as
not imply any intention to infringe proprietary rights, nor should it be
ndorsement or recommendation on the part of the IAEA.
CONTENTS
1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2. Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2.
1.2.
1.3. Con
1.4. Stru
1.5. Me
1.6. Key
PART I. MAN
2. REGULA
2.1. Leg
2.2. Reg
2.3. Site
2.3.
2.3.
2.3.
2.4. Ass
3. MANAG
4. ORGANI
4.1. Aut
4.1.
4.1.
4.1.
4.1.
4.1.
4.2. Com
4.2.
1. Nuclear security and computer security objectives. . . . . 1
2. Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
ditions specific to nuclear facilities . . . . . . . . . . . . . . . . . . . 3
cture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
thodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
AGEMENT GUIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
TORY AND MANAGEMENT CONSIDERATIONS . . . . 9
islative considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
ulatory considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
security framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Computer security policy . . . . . . . . . . . . . . . . . . . . . . . . 12
2. Computer systems at nuclear facilities . . . . . . . . . . . . . . 13
3. Defence in depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
essing the threat environment . . . . . . . . . . . . . . . . . . . . . . . . 13
EMENT SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
ZATIONAL ISSUES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
horities and responsibilities. . . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2. Computer Security Officer . . . . . . . . . . . . . . . . . . . . . . . 17
3. Computer security team . . . . . . . . . . . . . . . . . . . . . . . . . 18
4. Other management responsibilities . . . . . . . . . . . . . . . . . 18
5. Individual responsibilities . . . . . . . . . . . . . . . . . . . . . . . . 18
puter security culture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1. Computer security training programme . . . . . . . . . . . . . 20
PART II. IMPLEMENTATION GUIDE . . . . . . . . . . . . . . . . . . . . . . . . . 21
5. IMPLEMENTING COMPUTER SECURITY . . . . . . . . . . . . . . . . . . 23
5.1. Computer security plan and policy . . . . . . . . . . . . . . . . . . . . . . . 23
5.1.1. Computer security policy . . . . . . . . . . . . . . . . . . . . . . . . 23
5.1.2. Computer security plan . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.1.
5.2. Inte
5.2.
5.2.
5.3. Ass
5.4. Com
5.4.
5.4.
5.5. Gra
5.5.
5.5.
5.5.
5.5.
6. THREAT
6.1. Bas
6.2. Ris
6.3. Thr
6.3.
6.3.
6.3.
6.4. Sim
7. SPECIAL
7.1. Fac
7.2. Dif
ind
7.3. Dem
rela
7.4. Con
7.5. Sec
7.6. Thi
3. CSP components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
raction with other domains of security . . . . . . . . . . . . . . . . . 25
1. Physical security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2. Personnel security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
et analysis and management . . . . . . . . . . . . . . . . . . . . . . . . . 26
puter system classification . . . . . . . . . . . . . . . . . . . . . . . . . 26
1. Safety importance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2. Security or security related systems . . . . . . . . . . . . . . . . 29
ded approach to computer security . . . . . . . . . . . . . . . . . . . . 29
1. Security levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2. Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3. Example of the application of a security level model . . . 31
4. Decoupling zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
S, VULNERABILITIES AND RISK MANAGEMENT. . . 35
ic concepts and relationships . . . . . . . . . . . . . . . . . . . . . . . . 36
k assessment and management . . . . . . . . . . . . . . . . . . . . . . . 36
eat identification and characterization . . . . . . . . . . . . . . . . . 37
1. Design basis threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2. Attacker profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3. Attack scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
plified outcomes of risk assessment . . . . . . . . . . . . . . . . . . . 43
CONSIDERATIONS FOR NUCLEAR FACILITIES. . . . 43
ility lifetime phases and modes of operation. . . . . . . . . . . . . 45
ferences between IT systems and
ustrial control systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
and for additional connectivity and
ted consequences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
siderations on software updates . . . . . . . . . . . . . . . . . . . . . . 47
ure design and specifications for computer systems . . . . . . . 48
rd party/vendor access control procedure . . . . . . . . . . . . . . . 48
REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
BIBLIOGRAPHY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
ANNEX I: ATTACK SCENARIOS AGAINST SYSTEMS 
IN NUCLEAR FACILITIES . . . . . . . . . . . . . . . . . . . . . . . . . 55
ANNEX II: A METHODOLOGY FOR IDENTIFYING
C
ANNEX III: T
C
DEFINITIONS
OMPUTER SECURITY REQUIREMENTS . . . . . . . . . . . 59
HE ROLE OF HUMAN ERROR IN
OMPUTER SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
1. INTRODUCTION
1.1. BACKGROUND
Attention to computer security has intensified in the last decade as clear and
recurring proof of the vulnerabilities of computer systems has come to light.
Malicious expl
frequency and
occurrences o
infrastructure h
and issue new
requirements, w
stages of opera
creating a rich
which the ISO/
The IAEA
other standards
specific condit
need for a publ
solutions was
experience of
security guida
infrastructure.
and lessons lea
the context of
applicable indu
1.2. OBJECT
1.2.1. Nucle
Nuclear s
criminal or in
material, othe
activities, and
harmful conseq
Compute
objectives are a
improvement o
1
oitation of these vulnerabilities has been witnessed with growing
impact. In an increasingly complex threat scenario, the possible
f cyberterrorism as a means of attacking a State’s critical
as prompted a number of national authorities to prepare defences
regulations. Such regulations establish computer security
hich affect nuclear facilities at multiple levels and at the various
tion. In parallel, information security has itself evolved rapidly,
set of international best practices and standard documents among
IEC 27000 series [1–5] is rapidly achieving prominence.
, while recognizing the core validity of the ISO 27000 series and
across industries and business, wishes to focus attention on the
ions affecting computer security at nuclear facilities. Thus, the
ication recognizing and compiling relevant guidance and adequate
identified. This publication brings together the knowledge and
specialists who have applied, tested and reviewed computer
nce and standards within nuclear facilities and other critical
It compiles and describes those special provisions, best practices
rned which apply within the nuclear discipline and puts them in
a security programme consistent with other IAEA guidance and
strial standards.
IVE
ar security and computer security objectives
ecurity involves the prevention of, detection of, and response to,
tentional, unauthorized acts involving or directed at nuclear
r radioactive material, associated facilities, or associated
other intentional acts that could directly or indirectly produce
uences to persons, property, society or to the environment.
r security plays an increasingly vital role in ensuring that these
chieved. Thus, this publication will address the establishment and
f programmes to protect those computer systems, networks and
2
other digital systems that are critical for the safe and secure operation of the
facility and for preventing theft, sabotage and other malicious acts.
All other systems required for the operation of the facility, or any support or
business system whose unauthorized modification or change could compromise
the security posture or operability will be covered by extending the provisions in
this publication to those systems.
In this context, malicious acts involving computer systems and relevant to
nuclear security
— Informati
malicious
— Attacks
computer
— Comprom
modes of
Compute
confidentiality,
systems and pr
systems that ca
nuclear facilitie
1.2.2. Scope
The prim
of incorporatin
plan for nuclea
The pub
facilities on im
presenting so
procedures de
achieving and
strategy and co
This refe
programmes, a
reduction meas
may be grouped as:
on gathering attacks aimed at planning and executing further
acts;
disabling or compromising the attributes of one or several
s crucial to facility security or safety;
ise of one or several computers combined with other concurrent
attack, such as physical intrusion to target locations.
r security objectives are commonly defined as protecting the
integrity and availability attributes of electronic data or computer
ocesses. By identifying and protecting these attributes in data or
n have an adverse impact on the safety and security functions in
s, the security objectives can be met.

ary aim of this publication is to create awareness of the importance
g computer security as a fundamental part of the overall security
r facilities.
lication further aims to provide guidance specific to nuclear
plementing a computer security programme. This is achieved by
me suggested approaches, structures and implementation
signed for nuclear facilities. Together, these are crucial for
maintaining the level of protection defined in the site security
nforming to national nuclear security objectives.
rence manual also aims to provide advice on evaluating existing
ssessing critical digital assets and identifying appropriate risk
ures.
1.3. CONDITIONS SPECIFIC TO NUCLEAR FACILITIES
The need for guidance addressing computer security at nuclear facilities is
supported by the special conditions characterizing the industry. The following list
is a sample of these conditions, which will be dealt with in full in this publication:
— Nuclear facilities must abide by requirements
set by their national
regulator
systems o
— Nuclear f
not comm
induced b
— Compute
requirem
limited ra
or an enti
those af
Section 7
1.4. STRUCT
The guid
includes policy
with security r
to all stages of
operations and
This publ
— Part I (Se
judgemen
managem
the regula
— Part II (S
the imple
1.5. METHOD
The basic
methodologies
3
y bodies which may directly or indirectly regulate computer
r set guidance.
acilities may have to protect against additional threats which are
only considered in other industries. Such threats may also be
y the sensitive nature of the nuclear industry.
r security requirements in nuclear facilities may differ from
ents in other concerns. Typical business operations involve only a
nge of requirements. Nuclear facilities need to take a wider base
rely different set of considerations into account than, for example,
fecting e-commerce, banking or even military applications.
highlights and explains these differences in detail.
URE
ance in this publication is intended for a wide audience that
makers, nuclear security regulators, facility management, staff
esponsibilities, technical staff, vendors and contractors. It applies
the facility’s systems life cycle, including design, development,
maintenance.
ication is divided into two parts:
ctions 2–4) is intended to support managers in making balanced
ts and informed decisions concerning policy, design and
ent of computer security within facilities. It provides guidance on
tory and managerial provisions of computer security.
ections 5–7) addresses technical and administrative guidance in
mentation of a comprehensive computer security plan.
OLOGY
methodology used to implement computer security is similar to
used to ensure nuclear security and safety. This highlights the
4
need and the advantage of integrating computer security within the overarching
facility security plans from the beginning.
Successful protection of computer systems may be achieved by adapting
the best practice methods and tools developed within the wider computer security
community while taking into account the specificities of the nuclear industry.
The following logical process, described in detail in Section 5, highlights
how a nuclear facility can develop, implement, maintain and improve computer
security:
— Follow n
— Examine
— Ensure se
— Define a
— Identify t
nuclear s
— Create a c
— Perform r
— Select, de
— Integrate
— Regularly
This pub
methodology w
computer secur
existing nation
publication).
1.6. KEY TER
As word
practice, this s
throughout this
In the co
to the comput
make up func
desktop compu
level compone
controllers). In
may be suscept
ational legal and regulatory requirements;
relevant IAEA and other international guidance;
nior management support and adequate resources;
computer security perimeter;
he interactions between computer security and facility operation,
afety and other aspects of site security;
omputer security policy;
isk assessment;
sign and implement protective computer security measures;
computer security within the facility’s management system;
audit, review and improve the system.
lication will examine in greater detail those steps in the
here specific provisions for nuclear facilities exist. Other stages of
ity methodology may be implemented through direct reference to
al and international standards (see the references at the end of this
MINOLOGY
s assume different meanings within different communities of
ection clarifies the meaning of certain important terms as used
publication.
ntext of this publication, computers and computer systems refer
ation, communication, instrumentation and control devices that
tional elements of the nuclear facility. This includes not only
ters, mainframe systems, servers, network devices, but also lower
nts such as embedded systems and PLCs (programmable logic
essence, this publication is concerned with all components that
ible to electronic compromise.
Throughout this publication the term computer security will be used to
cover the security of all computers as defined above and all interconnected
systems and networks formed by the sum of the elements. The terms IT security
and cyber security are, for the purpose of this publication, considered synonyms
of computer security and will not be used in this publication.
Computer security as defined here is a subset of information security
(as defined, for example in ISO/IEC 27000 [1]) with which it shares many of the
goals, methodo
Definitio
end of this man
5
logy and terminology.
ns of additional terms used in this publication are provided at the
ual.
.
Part I
MANAGEMENT GUIDE
.
2. REGULATORY AND
MANAGEMENT CONSIDERATIONS
This section highlights the core components of the high level framework for
computer security in nuclear facilities. In particular, it addresses issues relevant to
the legislative and regulatory bodies as well as to facilities’ management and
security strateg
normative inst
computer secur
2.1. LEGISLA
A key ro
security as w
9
y. Figure 1 shows a simplified visualization of the hierarchy of
ruments relevant to the establishment and implementation of a
ity programme in a nuclear facility.
TIVE CONSIDERATIONS
le of the State is in establishing the legal framework for nuclear
ell as for computer security in general. These should, when
FIG. 1. Relevant normative instruments.
10
adequately implemented, have a major impact on the safety and security of
nuclear facilities. The State legal system should at least provide the legislative
and regulatory framework that covers protection of sensitive information and
addresses any activity that might precipitate breaches of nuclear security.
Owing to the specificity of its issues, computer security may need special
legislative provisions to take into account the unique crimes and modes of
operation associated with computer systems. States should carefully consider
whether their c
perpetrated wit
influence comp
— Laws con
— Laws on
— Laws on
— Laws ma
— Laws on
It is imp
updated to inc
other potentia
Given th
carry out mal
boundaries and
of formulation
relevance dedic
the Convention
2.2. REGULA
The regu
guidance and m
interpreting an
indicate releva
publications.
The acti
explicitly reco
material and
regulations for
preparing regu
urrent legislation adequately covers malicious acts that may be
h the aid of computers. Among others, important laws that may
uter security and its implementation include:
cerning computer offences;
terrorism;
the protection of critical national infrastructure;
ndating disclosure of information;
privacy and handling of personal information.
ortant that State legislation is continuously reviewed and
lude provisions for new and emerging criminal activities and
l threats to computer security.
e nature of computer networks, it is possible for adversaries to
icious acts within a State while located outside its physical
thus potentially out of reach of the State legal system. At the time
of this publication the only international legal instrument of
ated to regulating international cooperation on computer crimes is
on Cybercrime of the Council of Europe [6].
TORY CONSIDERATIONS
latory body should take relevant legislation into account in its
ake available to operators the tools and the means for correctly
d implementing legal obligations. Regulators could also select or
nt guidance of reference such as ISO standards or IAEA
vities of regulators in relation to computer security should
gnize the objective of protection against the theft of nuclear
sabotage resulting in possible radiological release. Therefore,
nuclear security and safety should also be considered when
lations on computer security.
It is advisable that State regulatory bodies (where more than one body is
involved) collaborate to achieve harmonized views on necessary requirements to
be placed.
The State regulatory bodies could, at a minimum,
provide a high level
statement of computer security regulatory requirements. More detailed regulatory
requirements could also include provisions for:
— Managem
— Compute
of Compu
— Compute
(Section
• Compu
• Risk ide
• Risk ma
• Compu
• Continu
— Audit and
regulator
Requirem
development m
instead focus o
dependent.
Facilitie
requirements t
equivalent or
requirements
2.3. SITE SEC
Site secur
management, t
through the im
All discip
computer) inte
posture as ma
disciplines of
requirements o
11
ent commitment for computer security (Section 4).
r security programme ownership including designation of the roles
ter Security Officer(s) and team(s) (Section 4).
r security policy, implementation plan, and enforcement plan
5), including:
ter security perimeter identification;
ntification;
nagement strategy;
ter security training and awareness programme;
ity of operations plan.
review process, whether internal, external or carried out by the
s themselves.
ents should not prescribe detailed technical solutions, because
ay rapidly make such details obsolete. Requirements could
n expected outcomes as these can be written to be less technology
s may be required to demonstrate conformity to national security
hrough an approved overall site security plan (SSP) or any
set of documents. State regulatory bodies should issue
for computer security as part of the requirements for the SSP.
URITY FRAMEWORK
ity is primarily a management responsibility, specifically of senior
o ensure that legislative and regulatory requirements are fully met
plementation of the SSP.
lines of security (including personnel, physical, information and
ract and complement each other to establish a facility’s security
y be defined in the SSP (see Fig. 2). A failure in any of the
security could impact the other domains and cause extra
n the remaining aspects of security. Computer security is a
12
cross-cutting d
nuclear facility
All prov
regard to the gr
taking into con
It is also
the various dis
appropriate le
2.3.1. Comp
Managem
increasingly us
has brought mu
ensure the corr
adequate and b
acts without un
All nucle
which is endor
specifies the o
A compu
and should b
responsibilities
and human reso
iscipline that has interactions with all other areas of security in a
.
isions in this publication should be implemented with constant
eater framework of the SSP. The SSP should likewise be designed
sideration computer security from its inception.
management’s responsibility to ensure proper coordination of
ciplines of security and integration of computer security at the
vel.
uter security policy
ent should be aware that computer technology is being
ed for many vital functions at nuclear facilities. This development
ltiple benefits to operational safety and efficiency. Nonetheless, to
ect functionality of a computer system, they are required to have
alanced security barriers to maximize protection against malicious
necessarily hampering system operations.
ar facilities should therefore have a computer security policy,
sed and enforced by the site’s most senior manager. The policy
verall computer security goals at the facility.
ter security policy should be part of the overall site security policy
e negotiated and coordinated with other relevant security
. When establishing a computer security policy, its impact on legal
urces should also be considered.
FIG. 2. Interplay of the different domains of security.
Computer security policy and the associated plan are discussed in greater
detail in Section 5.
2.3.2. Computer systems at nuclear facilities
The computer systems and networks supporting nuclear facility operations
include many non-standard information technology (IT) computer systems in
terms of archite
can include spe
alarm and trac
security and e
proprietary imp
differences sti
considered wh
uniqueness of
Section 7.
2.3.3. Defen
Protectio
methods of pro
have to be ove
objectives.
The prim
security breac
primarily throu
levels of prote
system compro
the subsequent
defence in dept
could lead to co
that could giv
independent ef
of defence in d
2.4. ASSESS
The com
scenario. Whi
13
cture, configuration, or performance requirements. These systems
cialized industrial control systems (ICSs), access control systems,
king systems, and information systems pertaining to safety and
mergency response. While ICSs have evolved from strictly
lementations to more mainstream computer architecture, striking
ll exist between ICSs and standard IT systems that must be
en preparing the site security plan. A full discussion of the
computer systems associated with nuclear facilities is located in
ce in depth
n requirements should reflect the concept of multiple layers and
tection (structural, technical, personnel and organizational) that
rcome or circumvented by adversaries in order to achieve their
ary means of preventing and mitigating the consequences of
hes is ‘defence in depth’. Defence in depth is implemented
gh the combination of a number of consecutive and independent
ction that would have to fail or be defeated before a computer
mise could occur. If one level of protection or barrier were to fail,
level or barrier would be available. When properly implemented,
h ensures that no single technical, human or organizational failure
mputer system compromise, and that the combinations of failures
e rise to a computer incident are of very low probability. The
fectiveness of the different levels of defence is a necessary element
epth.
ING THE THREAT ENVIRONMENT
puter security threat environment is a fast changing, evolving
le a good computer security programme will ensure its own
14
durability, specific controls in place against the most prevalent threats at the
present time do not guarantee protection against tomorrow’s threats.
The responsible State authority should periodically issue a threat evaluation
including threats to the security of computer systems and information on current
attack vectors related to the security of computer systems used at nuclear
facilities. A typical tool used to determine threat levels and as a basis for
developing a security posture is the design basis threat (DBT, see Section 6.3.1).
It is vit
assessment, w
Section 6
sources of attac
and methodolo
A mana
objectives and
manner. Manag
culture. Many
systems. These
and economic
mutually reinfo
Managem
compliance wi
by nature dyna
environment;
continuous ass
management p
This sect
with the necess
that should be
computer secur
— Informati
— Formal ri
— Legislativ
al that facilities maintain an active and ongoing threat
hich is regularly briefed to management and operations.
contains a detailed, but non-exhaustive, description of potential
k and associated attack mechanisms relevant to nuclear facilities,
gies used to evaluate and identify threats.
3. MANAGEMENT SYSTEMS
gement system is responsible for establishing policies and
enabling the objectives to be achieved in an efficient and effective
ement systems are a vital support element to a nuclear security
activities at nuclear facilities are controlled by management
ideally integrate security, safety, health, environmental, quality
elements in a single management tool or a set of integrated and
rcing systems [7, 8].
ent systems must be reviewed to ensure completeness and
th site security policies. More generally, management systems are
mic and must adapt to changing conditions in the facility and in the
they cannot be implemented as a one-off measure but need
essment and improvement. Figure 3 illustrates the life cycle of
rocesses.
ion aims to supplement present guidance on management systems
ary details for computer security management. The key elements
reviewed or added to integrate the necessary provisions for
ity are:
on assets identification and classification;
sk analysis;
e and regulatory compliance;
— Business
— Compete
— Business
— Logical a
— System
li
— Configur
— Amendm
— Implemen
— Acceptan
— Complian
15
operational requirements;
ncy requirements for key persons;
continuity;
ccess management;
fe cycle security;
ation management;
ent and approval of computer security measures;
tation of identified computer security measures;
ce of implemented computer security measures;
ce with approved computer security measures;
FIG. 3. The security management life cycle.
16
— Immediate analysis of computer security incidents and appropriate
reporting;
— Regular reporting on compliance;
— Regular reviews of implemented security measures (audits) by internal and
external parties;
— Awareness training;
— New risks and changes to identified risks;
— Changes
— Medium
The proc
all phases of
detailed in the
4.1. AUTHOR
The secti
and the specia
programme suc
4.1.1. Mana
A facility
an adequate p
should:
— Assume o
— Define th
— Ensure co
— Set the ri
— Assign or
— Ensure ad
— Ensure an
— Provide
programm
to legislative and regulatory requirements;
term plans for information security.
esses above should be seen as ongoing activities that run through
system life cycles. The specifics of implementation should be
computer security plan discussed in Section 5.
4. ORGANIZATIONAL ISSUES
ITIES AND RESPONSIBILITIES
ons that follow detail the minimum requirements for management
list staff needed to establish and maintain a computer security
cessfully.
gement
’s senior management initiates computer security by establishing
rocess and support organization. To achieve this, management
verall responsibility for all aspects of computer security;
e facility’s security objectives;
mpliance with laws and regulations;
sk acceptance level for the facility;
ganizational computer security responsibilities;
equate communication between different aspects of security;
enforceable computer security policy is established;
adequate resources to implement a viable computer security
e;
— Ensure periodic audits and updates of computer security policy and
procedures;
— Ensure support for training and awareness programmes.
Generally, implementation of the permanent computer security process is
delegated to specialists within the organization.
4.1.2. Comp
Compute
important to as
body. In this pu
other instances
‘Information S
approach is use
should be kept
clear and acces
The CSO
knowledge of o
are knowledge
integrate peopl
The typic
— Advising
— Leading t
— Coordina
activities
guideline
— Coordina
discipline
— Identifyin
computer
equipmen
— Conducti
— Conducti
security b
— Developi
— Developi
emergenc
organizat
17
uter Security Officer
r security touches almost all facility activities. It is therefore
sign overarching computer security oversight to one well defined
blication, the title ‘Computer Security Officer’ (CSO) is used; in
this function may be referred to as ‘IT Security Officer’ or
ecurity Officer’, or may be assigned to multiple roles. Whichever
d, this function should be closely coordinated across the facility,
independent of the implementing departments, and should have
sible reporting lines to senior management.
should have in-depth knowledge of computer security and good
ther aspects of security in nuclear facilities. Further requirements
of nuclear safety and project management, and the ability to
e coming from different disciplines into an efficient team.
al responsibilities of a CSO or equivalent include:
the company’s management on computer security.
he computer security team.
ting and controlling the development of computer security
(e.g. implementing security policy, directives, procedures,
s, measures).
ting with physical security and other security and safety
s to plan security measures and response to security incidents.
g systems critical to computer security within a facility (i.e. the
security baseline). Asset owners should be informed of their
t’s role in computer security.
ng periodic computer security risk assessments.
ng periodic inspections, audits and reviews of the computer
aseline and providing status reports to top management.
ng and implementing computer security training and evaluation.
ng and leading incident response for relevant computer security
ies, including coordination with relevant internal and external
ions.
18
— Investigating computer security incidents and developing post-incident
procedures and preventive actions.
— Participating in site security assessment initiatives.
— Participating in requirement analysis in the acquisition/development of new
systems.
4.1.3. Computer security team
It is esse
expertise assoc
as well as phy
computer secu
organization. T
responsibilities
4.1.4. Other
The vario
appropriate lev
responsibilities
— Operating
— Providing
computer
security,
— Notifying
computer
or proces
— Ensuring
issues rel
— Ensuring
contractin
— Tracking
— Enforcing
4.1.5. Indivi
Each per
computer secur
ntial for the CSO to have access to adequate interdisciplinary
iated with computer security, facility safety, and plant operations
sical and personnel security. This may consist of a dedicated
rity team or ad hoc access to specific expertise within the
he goal of this team is to support the CSO in fulfilling his/her
.
management responsibilities
us levels of management within an organization must ensure the
el of computer security within their areas of responsibility. Typical
include:
within the guidance of the site computer security plan;
operational requirements and feedback to the CSO relevant to
security and resolving potential conflicts between operational,
and safety requirements;
the CSO of any conditions that may lead to changes in the
security posture, such as personnel changes, equipment changes,
s changes;
that staff are sufficiently trained and briefed on computer security
evant to their roles;
that subcontractors and third party vendors working for the
g unit operate within the context of the site security plan;
, monitoring and reporting events of security relevance;
personnel security measures.
dual responsibilities
son within an organization is responsible for carrying out the
ity plan. Specific responsibilities include:
— Knowledge of the baseline computer security procedures;
— Knowledge of job specific computer security procedures;
— Operating within the parameters of the computer security policies;
— Notifying management of any changes that may lead to a reduced computer
security posture;
— Notifying management of any incidents or possible incidents involving a
compromise of computer security;
— Attending
4.2. COMPUT
A robust
effective secur
security aware
characteristics
management s
security progra
by those that h
facilities or act
that a credible
information on
is a subset of t
above characte
Experien
incidents are h
largely on the
errors that cou
developed thro
and increase c
discussions, tra
periodically m
indicators can
organization:
— Compute
understoo
— Clear and
systems b
— Staff mem
the contro
19
initial and refresher security training on a regular basis.
ER SECURITY CULTURE
computer security culture is an essential component of any
ity plan. It is important for management to ensure that computer
ness is fully integrated into the overall site security culture. The
of nuclear security culture are the beliefs, attitudes, behaviour and
ystems, the assembly of which lead to a more effective nuclear
mme. The foundation of nuclear security culture is recognition —
ave a role to play in regulating, managing or operating nuclear
ivities or even those that could be affected by these activities —
threat exists and that nuclear security is important. (For more
nuclear security culture, see Ref. [9].) Computer security culture
he overall security culture and is based on an application of the
ristics to computer security awareness.
ce has demonstrated that the majority of computer security
uman related and the security of any computer system depends
behaviour of all its users. Annex III provides examples of human
ld lead to security compromise. The computer security culture is
ugh a collection of many activities designed to inform personnel
omputer security awareness (e.g. posters, notices, management
ining, tests, etc.). Computer security culture attributes should be
easured, reviewed, and continuously improved. The following
be used to evaluate the computer security culture in an
r security requirements are clearly documented and well
d by staff.
effective processes and protocols exist for operating computer
oth inside and outside the organization.
bers understand and are aware of the importance of adhering to
ls within the computer security programme.
20
— Computer systems are maintained to ensure that they are secure and
operated in accordance with computer security baseline and procedures.
— Management are fully committed to and supportive of security initiatives.
4.2.1. Computer security training programme
A strong training programme is one of the cornerstones of a computer
security culture
on the importa
security.
The awar
— Successfu
programm
Training
expected
— Enhanced
security
managers
— Training
procedure
— Staff shou
responsib
The train
security awar
improvement o
. It is crucial to educate staff, contractors and third party vendors
nce of observing security procedures and maintaining a culture of
eness programme should include the following requirements:
l completion of a computer security training and/or awareness
e should be a precondition for access to computer systems.
should be commensurate with system security levels and the
role of users.
training/qualifications should be provided to individuals with key
responsibilities (e.g. CSO, computer security team, project
, IT administrators).
should be repeated periodically for all staff to include new
s and emerging threats.
ld be required to acknowledge that they understand their security
ilities.
ing programme should include metrics to evaluate computer
eness, training effectiveness, and processes for continuous
r retraining.
Part II
IMPLEMENTATION GUIDE
.
5. IMPLEMENTING COMPUTER SECURITY
This publication does not establish minimum standards of acceptable risk or
a specific set of mitigation measures that could be used. Any set of specific
standards would be rapidly outdated as digital systems change, new threats
emerge, new mitigation tools become available and regulatory requirements
change. Part II
and concrete
computer secur
These rec
be used as guid
achieve the de
objectives [10–
5.1. COMPU
5.1.1. Comp
As introd
level compute
appropriate re
should be facto
and control pol
— Enforcea
— Achievab
— Auditable
5.1.2. Comp
The com
the form of o
specifies and d
facility and is a
The plan
vulnerabilities,
measures to est
facilitate recov
23
of the publication focuses on compiling a set of methodological
recommendations to support and guide the implementation of
ity in nuclear facilities.
ommendations are neither prescriptive nor definitive and should
ance; where appropriate, alternative measures may be adopted to
sired defence in depth and other fundamental nuclear security
12].
TER SECURITY PLAN AND POLICY
uter security policy
uced in Section 2.3.1, a computer security policy sets the high
r security goals of an organization. The policy must meet
gulatory requirements. Computer security policy requirements
red into lower level documents, which will be used to implement
icy. Additionally, the policy must be:
ble;
le;
.
uter security plan
puter security plan (CSP) is the implementation of that policy in
rganizational roles, responsibilities, and procedures. The plan
etails the means for achieving the computer security goals at the
part of (or linked to) the overall SSP.
should contain the primary actions in terms of susceptibility to
protective measures, consequence analysis and mitigation
ablish and maintain the nuclear facility’s acceptable cyber risk and
ery to a safe operational state.
24
5.1.3. CSP components
Based on the established computer security policy, each individual plan
component tries to achieve its distinct goals and objectives. The minimum
content and itemization of the CSP is suggested in the subsections below:
(a) Organization and responsibilities:
(1) Orga
(2) Resp
(3) Perio
(b) Asset ma
(1) List o
(2) List o
(3) Netw
syste
(c) Risk, vul
(1) Secur
(2) Self-a
(3) Audi
(4) Regu
(d) System s
(1) Fund
(2) Requ
(3) Form
vendo
(4) Full l
(e) Operation
(1) Acce
(2) Data
(3) Comm
(4) Platfo
(5) Syste
(6) Com
(7) Incid
(8) Busin
(9) Syste
(f) Personne
(1) Vettin
(2) Train
(3) Quali
(4) Term
nizational charts;
onsible persons and reporting responsibilities;
dic review and approval process.
nagement:
f all computer systems;
f all computer systems applications;
ork diagram, including all connections to external computer
ms.
nerability, and compliance assessment:
ity plan review and reassessment periodicity;
ssessment (including penetration testing procedures);
t procedures and deficiency tracking and correction;
latory and legislative compliance.
ecurity design and configuration management:
amental architecture and design principles;
irements related to the different security levels;
alization of computer security requirements for suppliers and
rs;
ife cycle security.
al security procedures:
ss control;
security;
unication security;
rm and application security (e.g. hardening);
m monitoring;
puter security maintenance;
ent handling;
ess continuity;
m backup.
l management:
g;
ing;
fication;
ination/transfer.
The above provides a framework for developing a CSP. Many references
are available to fill out this framework, the main international references being
ISO/IEC 27001 [2] for information security management systems, and
ISO/IEC 27002 [3] for implementation recommendations.
While the majority of components listed above are consistent across
computer security plans for any business or industry, certain nuances do exist for
its implementation within nuclear facilities. These components of the CSP are
described in g
assessment are
Section 5.3.
5.2. INTERA
As stated
the framework
computer secu
protection, saf
reviewed and u
operational exp
5.2.1. Physic
The phys
Computerized
electronic com
protection func
electronic and
and of the CSP
consistency of
5.2.2. Perso
Besides
handled within
consistent com
appropriate le
procedures and
between the co
with key secu
require a highe
25
reater detail in Section 7. Risk, vulnerability, and compliance
addressed in Section 6. Asset analysis is further detailed in
CTION WITH OTHER DOMAINS OF SECURITY
in Section 2.3, the CSP should be operated and maintained within
of the facility’s overall protection plan. The facility specific
rity plan should be developed in close consultation with physical
ety, operations and IT specialists. The CSP must be regularly
pdated to reflect security events from any domain of security and
erience from the site security system.
al security
ical security plan and the CSP should complement each other.
assets have physical access control requirements and likewise,
promise can lead to degradation or loss of certain physical
tions. Attack scenarios may well include the coordination of both
physical attack. The teams in charge of the physical security plan
should inform each other and coordinate their efforts to ensure
plans during the development and review process.
nnel security
awareness and training, other aspects of security — usually
the domain of personnel security — are essential for instituting
puter security. The necessary provisions for establishing an
vel of vetting, confidentiality undertakings, and termination
for defining required job competencies should be coordinated
mputer and personnel security managements. In particular, staff
rity responsibilities (system administrators, security team) may
r level of vetting.
26
5.3. ASSET ANALYSIS AND MANAGEMENT
Interaction between computer systems in nuclear facilities may affect
security in non-obvious ways. It is therefore important that the security plan
identifies all assets and includes a more comprehensive inventory of those
assets critical to facility security and safety functions. The inventory could
include data, computer systems, their interfaces and their owners.
The follo
(a) Relevant
in order t
(b) The inter
(c) The relev
related sy
The comp
A compr
includes:
— Functions
systems;
— Identifica
— Dataflow
and why;
— Procedur
protocols
— Compute
— Analysis
— Ownersh
— Correspo
It is assu
already be avai
information inc
5.4. COMPUT
As define
computer syste
sensing device
Computer func
wing methodology satisfies the above needs:
information about existing computer systems should be compiled
o create a complete list of assets;
connection between the identified assets should be mapped out;
ance to safety functions and identified safety systems, safety
stems and security systems should be identified and evaluated.
leteness of each step is a crucial prerequisite for the next steps.
ehensive analysis of computer systems in a nuclear facility
/tasks and operational modes of all existing computerized
tion of relevant interconnections, including power supplies;
analysis, to determine what communicates with what, and how
es that initiate communication, frequency of communication and
;
r systems and equipment location;
of user groups;
ip (for data and computerized systems);
nding security level (see Section 5.5, graded approach).
med that much of the information needed for the analysis would
lable, but it should be collated and organized. Sources of relevant
lude system specifications and documentation.
ER SYSTEM CLASSIFICATION
d in Section 1.6, in the context of this publication, computer and
ms refer to computation, communication, instrumentation and
s that make up functional elements of the nuclear facility.
tions of prime concern are control and data processes associated
with safety and
support to thes
or indirect effe
Below is
nuclear faciliti
separately cla
importance. B
defining the a
assessment ana
both as safety a
5.4.1. Safety
IAEA sa
equipment acco
Plant equipmen
— Systems
• Safety s
— Prote
used
— Safet
whic
— Safet
syste
plant equipment
items important to safetya items not important to safetya
safety related itemsa safety systems
a In this context,
27
security. Other computer functions may be a concern in terms of
e functions, of possible compromise of security through secondary
cts or of overall plant productivity.
a non-exhaustive list of computer systems that can be found at
es, and are relevant to the objectives of this guidance. They are
ssified according to their safety importance and security
oth of these classifications should be taken into account when
ppropriate security level to apply (Section 5.5) and in the risk
lysis (Section 6.2). Note also that some functions clearly overlap
nd security concerns.
importance
fety standards (e.g. Refs [13–15]) categorize nuclear facility
rding to their function, as illustrated in Fig. 4.
t
important to safety
ystems
ction systems: Instrumentation and control (I&C) systems that are
for automatically initiated reactor and plant protection actions.
y actuation systems: I&C systems that accomplish safety actions,
h are initiated by the protection systems and by manual actuations.
y system support features: I&C for emergency power supply
ms.
protection system safety actuation
system
safety system
support features
an ‘item’ is a structure, system or component.
FIG. 4. Plant equipment in terms of safety function.
28
• Safety related systems
— Process control systems: I&C systems for plant control.
— Control room I&C including the alarm systems.
— Process computer systems that collect and prepare information for the
control room.
— Fuel handling and storage I&C systems.
— Fire
— Acce
— Voic
— Systems
• Control
deminer
Considera
necessarily with
Non-plant equi
— Office au
• Work pe
of work
• Enginee
plant op
• Configu
plant co
nuclear
• Docume
informa
• Intranet
technica
normall
— External
• Email: A
• Public w
about th
protection systems.
ss control systems.
e and data communication infrastructure.
not important to safety
systems for functions that are not important to safety (e.g.
alization)
tion should also be given to computer systems that are not
in the scope of plant equipment but nevertheless can impact safety.
pment
tomation
rmit and work order systems: Systems that provide coordination
activities to provide a sound working environment.
ring and maintenance systems: Systems that handle details of
eration, maintenance and technical support.
ration management systems: Systems intended to keep track of
nfiguration including models, versions and parts installed at the
facility.
nt management systems: Systems used to store and retrieve plant
tion, e.g. drawings, minutes of meetings.
: System that allows access to all plant documentation — both
l and administrative — on a need to know basis. The access is
y read only.
connectivity
system that is used to transfer information to external parties.
eb site: A system that is used to give Internet users information
e facility.
• Remote access/third party access: Systems that allow strictly controlled
access from the outside to certain functions within a site.
5.4.2. Security or security related systems
An established security classification for security systems comparable to
the safety classification does not yet exist. Nevertheless, it should be an important
part of the asse
facility. The fo
— Physical
authorize
perform;
— Voice and
— Security
appropria
informati
— Security
alarms on
— Compute
— Nuclear a
5.5. GRADED
The secu
where security
of an attack.
categorize com
applied for eac
zone. The assig
based on their r
risk assessmen
graded approa
5.5.1. Secur
Security
protection requ
graded approac
29
t analysis to compile such a classification for the systems in the
llowing list may support such classification:
access control systems: systems used to ensure that only
d persons enter areas of a site appropriate to the function they
data communication infrastructure;
clearance database: used to ensure that persons hold the
te security clearance to obtain access to a part of site or
on held on the site;
alarm monitoring and control systems: used to monitor all security
the site and assist with assessment of the alarm;
r and network security components;
ccountancy and control systems.
APPROACH TO COMPUTER SECURITY
rity of computer systems should be based on a graded approach,
measures are applied proportional to the potential consequences
One practical implementation of the graded approach is to
puter systems into zones, where graded protective principles are
h zone based on the level of security requirement assigned to the
nment of computer systems to different levels and zones should be
elevance to safety and security (see Section 5.4). Nonetheless, the
t process should be allowed to feed back into and influence the
ch.
ity levels
levels are an abstraction that defines the degrees of security
ired by various computer systems in a facility. Each level in a
h will require different sets of protective measures to satisfy the
30
security requirements of that level. Some protective measures apply to all
computer systems in all levels, while others are specific to certain level(s).
The security level model allows easier assignment of protective measures to
various computer systems, based on the categorisation of the system (assigning it
to a level) and the definition of the set of protective measures appropriate to that
level.
The levels and their associated protective measures should be appropriately
documented in
5.5.2. Zones
Zones are
administration,
model allows c
secure
operatio
application of p
The app
guidelines:
— Each zon
for the fa
— Systems
measures
— Different
internal c
— Zone bor
dependen
— Zones ca
Because
importance for
indicating the p
zone. However
level may hav
same degree of
systems, while
The zone
an overview of
crossings and a
the CSP.
a logical and physical concept for grouping computer systems for
communication and application of protective measures. The zone
omputers with the same or similar importance concerning safe and
n of the plant to be grouped together for administration and
rotective measures.
lication of a zone model should comply with the following
e comprises systems that have the same or comparable importance
cility’s security and safety;
belonging to one zone have similar demands for protective
;
computer systems belonging to one zone build a trusted area for
ommunication within that zone;
ders require decoupling mechanisms for data flow built on zone
t policies;
n be partitioned into subzones to improve the configuration.
zones are comprised of systems with the same or comparable
facility safety and security, each zone can have a level assigned,
rotective measures to be applied for all computer systems in that
, the relationship between zones and levels is not one-to-one; a
e multiple zones assigned to it when multiple zones require the
protection. Zones are a logical and physical grouping of computer
levels represent the degree of protection required.
model should be appropriately documented in the CSP, to include
all computer systems, all relevant communication lines, all zone
ll external connections.
5.5.3. Exam
An exam
below. This is j
choice of leve
according to t
dedicated secu
In this im
— Generic l
— Security
protection
— The meas
may be re
Generic level
For appli
be applied:
— Policies a
— Security
31
ple of the application of a security level model
ple of security measures applied at different levels is presented
ust one possible implementation of the graded approach; the exact
ls and their constitutive security measures should be tailored
he considered environment, the facility specificities, and the
rity risk analysis.
plementation:
evel measures should apply to all computer systems.
levels range from level 5 (least protection needed) to level 1 (most
needed), as illustrated in Fig. 5.
ures corresponding to each level are not cumulative (thus, there
petitions).
cable systems and levels, the following generic measures should
nd practices are defined for each level.
operating procedures are written for and read by all users.
FIG. 5. Level of security/strength of measures.
32
— Staff permitted access to the system must be suitably qualified and
experienced and security cleared where necessary.
— Users are given access only to those functions on those systems that they
require for carrying out their jobs.
— Appropriate access control and user authentication are in place.
— Anomaly detection systems or procedures are in place.
— Application and system vulnerabilities are monitored, and appropriate
measures
— System v
— Removab
procedure
— Compute
— Compute
intrusion
network (
— Appropri
— Physical
functions
Level 1
In additio
used for syste
require the high
— No netwo
from syst
systems.
this kind
integrity
also that t
even wi
discourag
supported
1 A virtual
means to connec
authorized users c
2 Transmis
3 Some Me
are taken.
ulnerability assessments are undertaken periodically.
le media must be controlled in accordance with security operating
s.
r and network security components should be strictly maintained.
r and network security components (e.g. security gateways,
detection systems, intrusion prevention systems, virtual private
VPN)1 servers) are strictly logged and monitored.
ate backup/recovery procedures are in place.
access to components and systems is restricted according to their
.
n to the generic measures, level 1 protective measures should be
ms, e.g. protection systems, which are vital to the facility and
est level of security. These measures may include the following:
rked data flow of any kind (e.g. acknowledgment, signalization)
ems in weaker security levels should be authorized to enter level 1
Only strictly outward communication should be possible. Note that
of strict one-way communication does not ensure reliability and
natively (redundancy/error corrections may be considered). Note
his excludes any sort of ‘handshake’ protocols (including TCP/IP2),
th controlled connection directions. Exceptions are strongly
ed and may only be considered on a strict case by case basis and if
by a complete justification and security risk analysis.3
private network (VPN) is a network constructed using public communication
t nodes, with encryption and other security mechanisms to ensure that only
an access the network and that the data cannot be intercepted.
sion Control Protocol/Internet Protocol — data transmission protocols.
mber States feel strongly that exceptions should not be allowed in any case.
— Measures to ensure the integrity and availability of the systems are typically
explained as a part of the safety cases.
— No remote maintenance access is allowed.
— Physical access to systems is strictly controlled.
— The number of staff given access to the systems is limited to an absolute
minimum.
— The two person rule is applied to any approved modifications made within
the comp
— All activi
— Every da
basis.
— Strict or
modificat
modificat
Level 2
In additio
used for system
security. These
— Only an o
to level 3
signal me
TCP/IP).
— Remote m
a defined
measures
— The num
a precise
— Physical
— All reaso
systems h
— Vulnerab
or proces
beds, spa
outages.
33
uter systems.
ties should be logged and monitored.
ta entry to the systems is approved and verified on a case by case
ganizational and administrative procedures apply to any
ions, including hardware maintenance, updates and software
ions.
n to the generic measures, level 2 protective measures should be
s, e.g. operational control systems, which require a high level of
measures may include the following:
utward, one way networked flow of data is allowed from level 2
systems. Only necessary acknowledgment messages or controlled
ssages can be accepted in the opposite (inward) direction (e.g. for

aintenance access may be allowed on a case by case basis, and for
working period. When used, it must be protected with strong
, and users must respect a defined security policy (contractual).
ber of staff given access to the systems is kept to a minimum, with
distinction between users and administrative staff.
connections to the systems should be strictly controlled.
nable measures to ensure the integrity and availability of the
ave been taken.
ility assessment involving actions on the systems may lead to plant
s instability, and should therefore only be considered using test
re systems, during factory acceptance tests or during long planned
34
Level 3
In addition to the generic measures, level 3 protective measures should be
used for supervision real time systems not required for operations, e.g. process
real time supervision systems in a control room, which have a medium severity
level for various cyber threats. These protective measures may include the
following:
— Access to
— Logging
— Security
traffic fro
— Physical
— Remote m
it is robu
defined s
— System f
mechanis
this princ
by other m
Level 4
In additio
technical data
management r
specification fo
management),
Level 4 measur
— Only app
systems.
— Access to
adequate
— Security
traffic fr
activities
— Physical
— Remote m
and user
controlled
the Internet from level 3 systems is not allowed.
and audit trails for key resources are monitored.
gateways are implemented to protect this level from uncontrolled
m level 4 systems, and to allow only specific and limited activity.
connections to systems should be controlled.
aintenance
access is allowed on a case by case basis provided that
stly controlled; the remote computer and user must respect a
ecurity policy, contractually specified.
unctions available to users are controlled by access control
ms, and based on the ‘need to know’ principle. Any exception to
iple has to be carefully studied and protection should be ensured
eans (e.g. physical access).
n to the generic measures, level 4 measures should be used for
management systems used for maintenance or operation activity
elated to components or systems required by the technical
r operation (e.g. work permit, work order, tag out, documentation
which have moderate severity level for various cyber threats.
es include the following:
roved and qualified users are allowed to make modifications to the
the Internet from level 4 systems may be given to users provided
protective measures are applied.
gateways are implemented to protect this level from uncontrolled
om external company or site networks, and to allow specific
which are controlled.
connections to systems should be controlled.
aintenance access is allowed and controlled; the remote computer
must respect a defined security policy, contractually specified and
.
— System functions available to users are controlled by access control
mechanisms. Any exception to this principle has to be carefully studied and
protection should be ensured by other means.
— Remote external access is allowed for approved users provided that
appropriate access control mechanisms are in place.
Level 5
Level 5
technical contr
have low sever
following:
— Only app
systems.
— Access to
protective
— Remote
appropria
5.5.4. Decou
Zone bor
prevent unauth
zone with lowe
Technica
have to be ge
connecting pas
6
The secti
computer syste
systems life cy
Section 6.2 of
35
measures should be used for systems not directly important to
ol or operational purposes, e.g. office automation systems, which
ity level for various cyber threats. Level 5 measures include the
roved and qualified users are allowed to make modifications to the
the Internet from level 5 systems is allowed provided adequate
measures are applied.
external access is allowed for authorized users provided that
te controls are in place.
pling zones
ders require decoupling mechanisms for data flow in order to
orized access and also to prevent errors from propagating from a
r protection requirements to a zone with higher ones.
l and administrative measures ensuring the decoupling of zones
ared to the individual demands of protective levels. A direct
sage through several zones should not be allowed.
. THREATS, VULNERABILITIES AND
RISK MANAGEMENT
on below presents the basic concepts used in risk management for
ms. Risk management is relevant at all stages of the facility's
cle, including design, development, operations and maintenance.
fers an overview of the steps needed in a comprehensive risk
36
management methodology. Sections 6.3 and 6.4 focus on stages where the
nuclear industry presents specific features.
6.1. BASIC CONCEPTS AND RELATIONSHIPS
Risk in the computer security context is the potential that a given threat will
exploit vulnera
organization. I
event and the s
Figure 6
concepts of thr
6.2. RISK AS
Risk asse
allocate resour
their exploitati
It is a pro
impact are ide
devised. The th
the countermea
against comput
FIG. 6. Sec
bilities of an asset or group of assets and thereby cause harm to the
t is measured in terms of a combination of the likelihood of an
everity of its consequences.
is a flow chart showing the multiple interconnections between the
eat, vulnerability and risk [16].
SESSMENT AND MANAGEMENT
ssment is an important tool for determining the best location to
ces and effort in addressing vulnerabilities and the likelihood of
on.
cess by which particular combinations of threat, vulnerability and
ntified and documented, and appropriate protective controls are
reat and vulnerability assessment provides the basis for preparing
sures required to prevent or mitigate the consequences of attacks
er systems.
urity concepts and relationship (adapted from ISO 13335-1 2004 [16]).
The basic steps of a risk assessment and management methodology are:
— Perimeter and context definition;
— Threat identification and characterization;
— Vulnerability assessment;
— Attack scenario elaborations;
— Likelihood of successful exploitation;
— Evaluatio
— Counterm
In order
assessment, a w
has to be used
tools have reac
have met with
common conce
— Information
methodology is
assessment me
their own.
An intere
undertaken by
Agency), whic
The nece
frequency of up
terms of their
conducting a n
occur. The int
change in opera
threats and vul
interconnected
When it i
use of best prac
6.3. THREAT
Figure 7
sophistication
Computer secu
that covers a ve
37
n of level of risk;
easure definition.
to implement a systematic and consistent risk analysis and
ell defined process that can comply with the existing standards
. Numerous risk assessment or management methodologies and
hed maturity and can structure such a process efficiently, and thus
acceptance by a broad audience. Most of them are based on
pts and logic. The current international standard is ISO/IEC 27005
Security Risk Management [4]. Another specific example of a
given in Annex II. National authorities may require a specific risk
thodology or policy to be used and facilities may additionally have
sting panorama of risk assessment methods and tools has been
ENISA (the European Network and Information Security
h devoted a special web page for this survey [17].
ssity of evaluating systems, the depth of the assessment and the
dating risk analyses depend upon the importance of the system in
safety and security function. Consideration must be given to
ew analysis or at least a review when modifications to the system
roduction of new equipment, software, procedures, or a major
tor skill sets may all fulfil this condition. The number of potential
nerabilities usually increases as with progress from stand-alone to
systems.
s impractical to perform a risk analysis against specific threats, the
tices and good engineering principles is recommended.
IDENTIFICATION AND CHARACTERIZATION
highlights the continuous trend towards growing attack
and decreasing knowledge required to launch such an attack.
rity programmes should strive to maintain a level of assessment
ry broad range of possible attack scenarios.
38
Publicatio
found at major
picture of the s
additional awa
recently starte
Response Team
security comm
weaknesses. 4
Therefo
initial steps in
understanding
scenarios. A p
listing credible
profile matrix
following subs
6.3.1. Design
An impor
for developing
statement abou
4 LIPSON
Policy Issues, Spe
Pa
Disabling Audits
Sweepers
Distributed Attack Tools
Denial of Service
GUI
Network Management Diagnostics
Automated Probes/Scans
WWW Attacks
“Stealth”/Advanced
Scanning Techniques
1980
In
tr
ud
er
K
no
w
le
dg
e
High
Low
Back Doors
Zombies
BOTS
Morphing
Malicious Code
A
tta
ck
S
op
hi
st
ic
at
io
n
Pa
Disabling Audits
Sweepers
Distributed Attack Tools
Denial of ServiceDenial of Service
GUIGUI
Network Management Diagnostics
Automated Probes/Scans
WWW Attacks
“Stealth”/Advanced
Scanning Techniques
1980
In
tr
ud
er
K
no
w
le
dg
e
High
Low
Back Doors
Zombies
BOTS
Morphing
Malicious Code
A
tta
ck
S
op
hi
st
ic
at
io
n
FIG.
ns about industrial control system vulnerability are regularly
hackers events. Considering that they generally give a delayed
tate of the art of real hackers’ skills and interests, this should be an
reness raising factor. Moreover, ICS software vulnerabilities have
d to be published by national CERTs (Computer Emergency
s), reinforcing exposure to the public opinion and the computer
unity, and focusing interest in such solutions and product
re, after having established