Cyber and Information Security from a Regulatory Viewpoint: Cyber Security for Nuclear Newcomer States
Dr. Farouk Eltawila, Chief Scientist, Federal Authority for Nuclear Regulation
Senior Regulators’ Meeting, International Atomic Energy Agency, Vienna, Austria, 19 September 2013


TRANSCRIPT

Page 1: Senior Regulators’ Meeting International Atomic Energy Agency Vienna, Austria 19 September 2013

Cyber and Information Security from a Regulatory Viewpoint
Cyber Security for Nuclear Newcomer States

Senior Regulators’ Meeting, International Atomic Energy Agency
Vienna, Austria, 19 September 2013

Dr. Farouk Eltawila, Chief Scientist
Federal Authority for Nuclear Regulation

Page 2: Presentation Outline

- The Nuclear Energy Policy of the UAE
- International Commitments and Cooperation
- Cooperation with the IAEA
- Licensing the First NPP in the UAE
- Cyber Security Regulatory Framework
- National Allocation of Resources
- Information Security
- Cyber Security
- Conclusion

Page 3: UAE Policy on the Evaluation and Potential Development of Peaceful Nuclear Energy

- Complete operational transparency
- Highest standards of non-proliferation
- Highest standards of safety and security
- Close cooperation with the IAEA
- Partnership with governments and firms of responsible nations
- Long-term sustainability

Page 4: The UAE Concluded all Relevant International Agreements

- Convention on Nuclear Safety
- Joint Convention on the Safety of Spent Fuel Management and the Safety of Radioactive Waste Management
- Conventions on Early Notification and Assistance
- Vienna Convention on Civil Liability for Nuclear Damage
- Convention on Physical Protection of Nuclear Material (and CPPNM Amendment)
- Comprehensive Safeguards Agreement with IAEA
- Additional Protocol to the Safeguards Agreement

Page 5: Cooperation with IAEA

- The UAE Nuclear Law codified the essential principles and priorities in the Nuclear Policy
- Implementation of safety, security, safeguards regulation (3S)
- Use of IAEA guidance
  - Milestones in the Development of a National Nuclear Infrastructure
  - Safety Standards
  - Security Series
- Technical Cooperation Programme
  - Workshops, training, technical assistance
- Peer review and expert missions
  - INIR, IRRS, siting review…

Page 6: FANR Organisation

[Organisation chart; the only label that survives extraction is "IAG/NSR"]

Page 7: Construction Licence Application/Licence

- Preliminary Safety Analysis Report: 21 chapters, with supplements and addenda covering Safety, Security and Safeguards
- Physical Protection Plan for construction
- Preliminary Safeguards Plan
- Preliminary Probabilistic Safety Assessment Report Summary
- Severe Accident Analysis Report
- Aircraft Impact Analysis Report
- Construction Licence for Barakah Units 1 & 2 (July 17, 2012)
- Application received (February 2013) for construction of Barakah Units 3 & 4

Page 8: General Principles of Cyber Security Regime

- Fundamental Principle A: The responsibility for establishment, implementation, and maintenance of a Physical Protection Regime within the State rests entirely with the State
- National allocation of responsibilities
- Establish a Cyber Security Regulatory Framework
  - Realistic, proportionate, and flexible to implement requirements
- Including cyber security threats in the physical DBT
  - Cyber threat is continually changing
  - Sustained attacks can go without detection
- Maintain a skilled cyber security workforce
- Engagement of senior leadership in cyber security risk management
  - Identifying, Protecting, Detecting, Responding, and Recovering from cyber security events
  - Capitalize on built-in safety measures (DiD, Diversity, …)
  - Cyber security measures and safety measures should not compromise one another
  - Provide Cyber Security awareness and training to all users
  - Combating insider threats using technical, administrative, and physical measures
  - Managing supply chain risk and other dependencies

Source: NSS 17

Page 9: National Allocation of Responsibilities

In the early planning stages, the UAE government identified key competent authorities and their responsibilities.

- Nuclear Law: Federal Law by Decree No 6 of 2009 Concerning Peaceful Uses of Nuclear Energy
  - Established FANR; provided the legal framework for Safety, Security, Safeguards (3S)
  - Establish and maintain a state system of accounting for and control of nuclear material
  - Establishment, implementation, and maintenance of an effective, sustainable nuclear security infrastructure
    - Allows for other competent authorities in the State to provide security to vital facilities
  - Determine civil and criminal penalties for
    - unauthorized disclosure of information that affects the Physical Protection System
    - any act that breaches the provisions of the International Convention for the Suppression of Acts of Nuclear Terrorism
  - Cooperation with authorities with relevant responsibilities
    - Critical Infrastructure and Coastal Protection Authority (CICPA)
    - National Electronic Security Authority (NESA)
    - National Crisis Emergency Management Authority (NCEMA)
    - UAE Telecommunications Regulatory Authority (Computer Emergency Response Team (CIRT)), etc.

Page 10: Performance Objectives

- High assurance that critical digital assets (CDAs) are protected against cyber attacks
- Safety and security are implemented in an integrated manner, so that one does not adversely impact the other
- CDAs are treated as vital equipment that, if failed or destroyed, could lead to core / spent fuel damage:
  - located within double barriers of the Physical Protection Program;
  - controlled access;
  - included within target sets as elements; and
  - included within security guard surveillance rounds
- Capitalize on facility design and operation
  - Defence-in-depth, diversity, redundancy
  - Measures to mitigate the consequences of accidents and failures
- Cyber security features included in safety systems should be developed and qualified to the same level as the systems they reside in

Page 11: Physical Protection/Cyber Security Regulation

IAEA Recommended Requirements
- FANR Security Regulation conforms with IAEA INFCIRC/225/Revision 5 (NSS 13)
- Requires the operator to establish and maintain a Cyber Security Plan as part of the Physical Protection Plan to ensure that:
  - Computer-based systems used for physical protection, nuclear safety, emergency response, and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment

Implementation Documents
- FANR Regulation (REG-008) & Regulatory Guide (RG 011)
- IAEA Security Series (NSS 17)
- USNRC Regulatory Guide 5.71
- National Institute of Standards and Technology: Cyber Security Framework
- Nuclear Energy Institute Guidance NEI 10-04
- World Institute of Nuclear Security (Security of IT and IC Systems at Nuclear Facilities)

Page 12: ENEC Cyber Activities (Roles and Responsibilities): Implementation of FANR-REG-08

[Roles-and-responsibilities diagram; the labels that survive extraction:]
- FANR: Federal Law; Implementing Regulations; FANR regulatory activities; FANR Review & Approval of PPP
- CICPA: CICPA Law; CICPA Command mandated Critical Infrastructure Protection; CICPA’s Nuclear Physical Protection Department: Design & Implementation of PPP
- NESA

MoU
- Classified DBT was established by CICPA
- Training and exchange of expertise
- Ease of access to FANR’s & IAEA’s inspectors
- Inspections (joint / separate)

Page 13: Protection of Information and Information Systems

State’s Role
- Implement a resilient IT infrastructure and cyber security
- Issued Federal Law by Decree “On Combating Cybercrime”
- Established:
  - The National Electronic Security Authority (NESA) for reducing cyber risks to critical infrastructure
    - Organize the protection of the communication network and information systems in the UAE
    - Set network security standards
    - Supervise their execution
  - The UAE Telecommunications Regulatory Authority Computer Emergency Response Team (CERT) for detecting and preventing cyber-crime and safeguarding critical national computer infrastructure
- Using a graded protection, “State Security” determines the trustworthiness policy, with consideration of UAE laws, regulations, and job requirements

Page 14: Protection of Information and Information Systems

FANR’s Role
- Issued (in collaboration with CICPA) the Information Protection Programme Operating Manual

Operator’s Role
- Protect against unauthorised access to sensitive nuclear information and cyber intrusion of digital computer systems, communication systems and networks that are
  - important to the safety and operation of the facility,
  - supporting the physical protection system,
  - used for emergency planning and communication
- Selection and implementation of Security Controls:
  - To protect the confidentiality, integrity, and availability of information systems, and the information processed, stored, and transmitted by those systems; and
  - To mitigate the risk of using information and information systems to achieve the desired or required level of assurance

Page 15: Cyber Security

FANR’s Role
- Issues regulatory requirements to:
  - Improve security
  - Increase reliability and resiliency in the delivery of services critical to cyber security
  - Non-prescriptive; encourage more innovation and effective solutions
  - Ensure compliance and enforcement
  - Prevent unauthorised access to computer systems or communications equipment

Operator’s Role
- Establish/maintain a Cyber Security Plan:
  - Prevent unauthorised access to computer systems
  - Response and reconstitution of critical infrastructure
  - Combating insider threats using technical, administrative, and physical measures

Page 16: Cyber Security Plan

Critical Digital Assets
- Safety-related and important-to-safety functions
- Security functions
- Emergency Preparedness functions, including offsite communication functions and networks
- Information technology functions
- Material Accounting and Control functions
- Support systems and equipment that, if compromised, would adversely impact safety, security, or emergency preparedness functions

Physical Protection
- Critical Digital Assets should reside in a configuration that includes multiple layers of physical protection
- Access (physical and remote)

System Integrity
- Unauthorized entry detection
- Virus/malware detection
- User roles and responsibilities (designated authority and separation of duties)
- Compartmentalization
- Use of wireless and portable computing devices

Incident Response and Mitigation
- Detection
- Correcting
- Restoration (continuity of operation)

Page 17: Defence-in-depth architecture

[Network architecture diagram; labels that survive extraction: WWW; Level-1: Corporate Accessible Area (Technical Data Management); Level-2: Owner Controlled Area (Real Time Supervisory); gateways (G) that enforce security policy between levels; Network Intrusion Detection & Prevention]

The State should incorporate a defence-in-depth strategy (which is fundamental to the safety of a nuclear facility) requiring multiple layers of physical protection of nuclear material and facilities (INFCIRC/225/Revision 5).
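As an added example (not part of the presentation or of any FANR/ENEC tooling), the following Python script joins the two slides above: it applies the Critical Digital Asset criteria of the Cyber Security Plan slide to a constructed asset inventory, extends CDA status to support systems by dependency closure (an asset that a CDA depends on is itself a CDA, transitively), and then checks each CDA's placement in a defence-in-depth network of the kind sketched on the architecture slide. The inventory, the dependency list, the network links, the level numbering (0 = WWW, 1 = corporate accessible, 2 = owner controlled) and the placement rule (a level-n segment must be separated from the WWW by at least n policy-enforcing gateways) are assumptions made for this example, not statements from the slides.

```python
"""CDA screening with dependency closure, plus a defence-in-depth placement check.

Added example; inventory, dependencies, network and the placement rule are
constructed assumptions, not content from the presentation.
"""
from collections import deque

# Functions that make an asset a CDA in its own right (the slide's list).
CDA_FUNCTIONS = {
    "safety", "important-to-safety", "security", "emergency-preparedness",
    "information-technology", "material-accounting",
}

# Constructed inventory: asset -> (functions it performs, network segment it lives on)
INVENTORY = {
    "rps-controller": ({"safety"}, "rps-net"),
    "cctv-server": ({"security"}, "pp-net"),
    "eoc-radio-gw": ({"emergency-preparedness"}, "ep-net"),
    "time-server": (set(), "rps-net"),
    "plant-dns": (set(), "corp-net"),
    "historian": (set(), "corp-net"),
    "hvac-plc": (set(), "pp-net"),
}

# Constructed support dependencies: asset -> assets it needs to perform its function.
DEPENDS_ON = {
    "rps-controller": {"time-server"},
    "cctv-server": {"hvac-plc"},
    "time-server": {"plant-dns"},
}

# Constructed network: segment -> level (0 = WWW, 1 = corporate accessible,
# 2 = owner controlled).  Gateway nodes enforce security policy between levels.
LEVELS = {"www": 0, "corp-net": 1, "rps-net": 2, "pp-net": 2, "ep-net": 2}
GATEWAYS = {"corp-gw", "plant-gw"}
LINKS = {
    ("www", "corp-gw"), ("corp-gw", "corp-net"),
    ("corp-net", "plant-gw"),
    ("plant-gw", "rps-net"), ("plant-gw", "pp-net"), ("plant-gw", "ep-net"),
    ("corp-net", "ep-net"),  # constructed misconfiguration: a link that bypasses plant-gw
}


def identify_cdas(inventory, depends_on):
    """Direct CDAs by function, then transitive closure over support dependencies."""
    cdas = {asset for asset, (funcs, _) in inventory.items() if funcs & CDA_FUNCTIONS}
    queue = deque(cdas)
    while queue:
        asset = queue.popleft()
        for dep in depends_on.get(asset, ()):
            if dep not in cdas:  # a support system of a CDA is itself a CDA
                cdas.add(dep)
                queue.append(dep)
    return cdas


def min_gateways_crossed(links, gateways, start="www"):
    """Fewest gateway nodes on any path from `start` to each node (0-1 BFS)."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            cost = dist[node] + (1 if nxt in gateways else 0)
            if cost < dist.get(nxt, float("inf")):
                dist[nxt] = cost
                # zero-cost edges go to the front so the deque stays sorted by cost
                (queue.append if nxt in gateways else queue.appendleft)(nxt)
    return dist


def placement_violations(cdas, inventory, levels, links, gateways, min_level=2):
    """Assumed rule: every CDA sits at level >= min_level, and a level-n segment is
    separated from the WWW by at least n policy-enforcing gateways."""
    depth = min_gateways_crossed(links, gateways)
    problems = {}
    for asset in sorted(cdas):
        segment = inventory[asset][1]
        level = levels.get(segment, 0)
        reasons = []
        if level < min_level:
            reasons.append(f"{segment} is level {level}, below required level {min_level}")
        if depth.get(segment, float("inf")) < level:
            reasons.append(f"only {depth[segment]} gateway(s) between www and {segment}, need {level}")
        if reasons:
            problems[asset] = reasons
    return problems


if __name__ == "__main__":
    cdas = identify_cdas(INVENTORY, DEPENDS_ON)
    print("CDAs:", sorted(cdas))
    for asset, reasons in placement_violations(cdas, INVENTORY, LEVELS, LINKS, GATEWAYS).items():
        print(f"VIOLATION {asset}: " + "; ".join(reasons))
```

Running it flags two findings that the function-based list alone would miss: plant-dns becomes a CDA only through the chain rps-controller, time-server, plant-dns, and it sits on the corporate segment; and eoc-radio-gw is at the right level but the stray corp-net to ep-net link leaves only one gateway between it and the WWW. The dependency closure is the part of CDA identification that is easy to skip in a manual review, and the gateway-count check is one concrete way to make "multiple layers" testable from a network inventory.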

Page 18: Identification of Critical Systems and Critical Digital Assets
(Source: USNRC RG 5.71, Cyber Security Programme)

Page 19: Cyber Incident Response Team (Source: NIST 800-61 Rev 2)

- Establishing and training an incident response team
- Develop implementation plan
- Develop incident response policy
- Detection of security breach
- Restore and resume system operation
- Issue report about steps to be taken to prevent future incidents
- Preservation of evidence
- Incident response team should communicate, whenever appropriate, with outside parties:
  - Law enforcement
  - ISP
  - Vendor of vulnerable software
  - Other incident response teams
  - Establish policy and procedures regarding information sharing

Lifecycle: preparation, detection and analysis, response, containment and eradication, recovery, and follow-up

Page 20: Concluding Remarks

- UAE established a comprehensive legal & regulatory framework to regulate the nuclear sector conforming to IAEA standards/guidance
- Cyber threat is real; continually changing
  - UAE is committed to high standards of safety & security
  - Maintaining strong safety and security culture
  - Incorporation of cyber element(s) in the DBT allows for comprehensive, holistic assessments of all threats
- Nuclear facilities employ:
  - “DiD” protective strategies; make them resilient to cyber attacks
  - Redundant and diverse capabilities to detect, prevent, respond to, and recover from cyber attacks; make them invulnerable to the failure of a single protective strategy
- Measures to defend against cyber threats must be appropriate, proportionate, and flexible to implement
- IAEA Nuclear Security Series and implementation guides are important to member states, particularly new entrants

Page 21: Abu Dhabi Development

Page 22: Thank you (شكرا)