Since 18 of December 2019 uses Nucleus credentials. Visit our help pages for information on how to Register and Sign-in using Nucleus.
10-14 February 2020
Europe/Vienna timezone

Addressing IT security in nuclear security regulation and implementation with respect to interim storage facilities in Germany

Not scheduled
Interactive Content Presentation CC: Information and computer security considerations for nuclear security


Alice Wiesbaum (Federal Office for the Safety of Nuclear Waste Management, Germany)


There are currently 16 interim storage facilities for spent nuclear fuel in Germany in use. As IT-security is getting more and more relevant for nuclear installations, specific regulations regarding IT-security were integrated into the regulatory guideline for the storage of nuclear material. The responsibilities for interim storage facilities in terms of computer security in Germany, the BSI Act, which gives main regulations for critical infrastructure in the energy sector in Germany, the specific regulations for nuclear installations and their implementation are discussed in this contribution.

In 2013, a design base threat (DBT) especially for IT-security came into force in Germany. Based on this cyber-DBT, a completely new guideline for the protection of IT-systems, called “Guideline for the Protection of Computer Based Systems in Nuclear Facilities of Nuclear Category I and II against Malicious Acts”, was created. This guideline includes IT-specific general objectives of nuclear security and addresses the computer security organization, the computer security concept and requirements for protection measures.

Essential measures resulting from the cyber-DBT, on the regulatory side as well as the practical realization in the licensing process are described. As a result, a process was initiated and is still ongoing in which IT-security is comprehensively addressed for all IT systems sensitive to IT-security.

Between 2013 and 2016 a plan with three mile-stones for the implementation of IT-security for all facilities of nuclear security category I, such as interim storage facilities for nuclear spent fuel, was designed. In 2014, the licence holder had to create a concept including an IT structure analysis. One year later a concept for the determination of computer security requirements and computer security zones had to be submitted. In 2016, the licence holder had to submit a complete computer security concept including the measures taken by the license holder. To specify the standards for the classification of the IT-systems by the operator, the Federal Ministry for the Environment, Nature Conservation and Nuclear Safety established additional exploratory notes.

As the starting point the IT structure analysis is a complete list of all sensitive computer systems of the interim storage facility including all interfaces and processes between these systems. During the second step of determining the computer security requirements, the computer systems were classified into four security levels (very high, high, increased and normal). Additionally, computer systems with the same security level could be summarized to computer security zones, to reduce the amount of separate systems for which special requirements have to be defined and fulfilled. In the final step the complete security concept should include the results of the former analysis as well as substantiated proposals by the operator for all measures taken against malicious acts.

The presentation concludes with a short outlook on future challenges in this field in Germany.

Gender Female
State Germany

Primary author

Alice Wiesbaum (Federal Office for the Safety of Nuclear Waste Management, Germany)

Presentation Materials