iaea titansem 091102010 - vtt.fi · manuals for iaea training courses in the area of nuclear ......
ISSRC Information Systems Security Research Center
University of Oulu, Department of Information Processing Science
T.Wiander, M.Siponen
Introduction Research Teaching Cooperation Faculties
TIMO WIANDER M.Sc (IS), B.Sc (Marketing)
• Project Manager ISSRC
• ISO/IEC 9000 Lead Auditor
  • Practical experience 18+ years
• ISO/IEC 27001 Lead Auditor
  • Practical experience 14+ years
• Contract Auditor (Department of Defence)
• CISA
• Country representative in IAEA TM-group (Security) on behalf of STUK
Sponsors
Our sponsors include:
• STUK (Radiation and Nuclear Safety Authority)
• Fortum Corp.
• TVO (Teollisuuden Voima Oyj)
• Outokumpu Oyj
• Nokia Corp.
• Elisa Corp.
• Elektrobit Corp.
• F-Secure Corp.
• Itella
• SOK (Suomen Osuuskauppojen keskuskunta)
• City of Oulu
Categories in the IAEA Nuclear Security Guidelines
• Nuclear Security Fundamentals contain objectives, concepts and principles of nuclear security and provide the basis for security recommendations.
• Recommendations present best practices that should be adopted by Member States in the application of the Nuclear Security Fundamentals.
• Implementing Guides provide further elaboration of the Recommendations in broad areas and suggest measures for their implementation.
• Technical Guidance publications comprise: Reference Manuals, with detailed measures and/or guidance on how to apply the Implementing Guides in specific fields or activities; Training Guides, covering the syllabus and/or manuals for IAEA training courses in the area of nuclear security; and Service Guides, which provide guidance on the conduct and scope of IAEA nuclear security advisory missions.
Computer Security at Nuclear Facilities
• Technical Guidance - Reference Manual
• Recommendation status under consideration
• Consists of 3 parts: Introduction, Requirements and Implementation guidance
• Development started 2004, initialisation 8/2003
• Re-start 2006 due to organisational changes
• Workshops, expert review, balloting
• Estimated publication 12/2010
• Will be available on iaea.org/publications
Table of Contents
• 1 Introduction
  • 1.1 Background
  • 1.2 Objectives
    • 1.2.1 Document objectives
    • 1.2.2 Nuclear security and computer security objectives
  • 1.3 Requirements specific to nuclear facilities
  • 1.4 Intended audience and document structure
  • 1.5 Methodology
  • 1.6 Definitions
• 2 Regulatory and Management considerations (PART 1)
  • 2.1 Legislative considerations
  • 2.2 Regulatory considerations
  • 2.3 Site Security framework
    • 2.3.1 Computer Security
    • 2.3.2 Computer systems at nuclear facilities
    • 2.3.3 Defence in depth
  • 2.4 Assessing the threat environment
• 3 Management systems
• 4 Organizational issues
  • 4.1 Authorities and responsibilities
    • 4.1.1 Management
    • 4.1.2 Computer Security Officer
    • 4.1.3 Computer Security Team
    • 4.1.4 Organizational Management Responsibilities
    • 4.1.5 Individual Responsibility
  • 4.2 Computer security awareness culture
    • 4.2.1 Computer Security Training Programme
• 5 Implementing computer security (PART 2)
  • 5.1 Computer Security Plan (CSP) and Policy
    • 5.1.2 Components of the CSP
  • 5.2 Interaction with other domains of security
    • 5.2.1 Personnel security
  • 5.3 Assets Analysis and Management
  • 5.4 Computer systems classification
    • 5.4.1 Safety classification
    • 5.4.2 Security or security related systems
  • 5.5 Graded approach to computer security
• 6 Threats, Vulnerabilities and Risk Management
  • 6.1 Basic concepts and relationships
  • 6.2 Risk assessment and management
  • 6.3 Threats identification and characterisation
    • 6.3.1 Design Basis Threat
    • 6.3.2 Attacker profiles
    • 6.3.3 Attack Scenarios
  • 6.4 A simplified outcome of a risk assessment
• 7 Special Considerations for Nuclear Facilities
  • 7.1 Facility lifetime phases and modes of operation
  • 7.2 Differences between IT systems and control systems
  • 7.3 Demand for additional connectivity and related consequences
  • 7.4 Considerations on software updates
  • 7.5 Secure design and specifications for computer systems
  • 7.6 Third party/Vendor access control procedure
• 8 Glossary & Abbreviations
• 9 Appendix I. An example of zone model implementation
• 10 Appendix II. Scenarios for imaginable attacks against systems in nuclear facilities
  • 10.1.1 Information gather to support a malicious act scenario
  • 10.1.2 Attack disabling or compromising one or several computer systems
  • 10.1.3 Computer systems compromise as a tool of coordinated attack
• 11 Appendix III. A methodology for identifying computer security requirements
• 12 Appendix IV. The role of Human Error in Computer Security
• 13 Appendix V. Bibliography
  • 13.1 IAEA guidance of relevance
  • 13.2 International standards
  • 13.3 Web resources
  • 13.4 Other relevant literature
• 14 Document evolution
  • 14.1.1 Record of changes
  • 14.1.2 Contributors to drafting and review
  • 14.1.3 Consultants’ Meetings
State of Art
• IAEA Nuclear Security Series (15)
• IAEA Safety Series (85)
• IAEA Safety Standards Series (125)
• Safety Reports Series (59)
[Chart: number of publications, Security vs. Safety]
(Un)Lucky Accident
• STUXNET
• Technical issue vs. management of security?
Further Development
• Revised version 4/2011? (TECHNICAL MEETING in FIN)
• Web resources?
• Supporting tools and methods?
• Sharing of Best Practices?
More information
• Project Manager Timo Wiander, [email protected]; 040 532 7872
• http://issrc.oulu.fi
• http://www.iaea.org/Publications/