International Conference on Nuclear Security 2020

Creation and Enactment of a Computer Security Regulation for the Nuclear Industry in Kazakhstan

Not scheduled

15m

Paper CC: National nuclear security regulations

Speaker

Mr Alan Aralbayev (Ministry of Energy, Republic of Kazakhstan)

Description

The Kazakhstan Regulation on Cybersecurity of the Nuclear Industry was enacted in December 2018. This regulation was the result of a multi-year cooperative agreement between the Republic of Kazakhstan’s Committee of Atomic and Energy Supervision and Control and the USA Department of Energy. This paper will provide the motivation for the creation of the regulation, overarching goals of the regulation, the processes and history of the project, and lessons learned during and after enactment.
The goal of this regulation was to create an efficient and effective computer security program at facilities which have nuclear material and/or radioactive sources. The regulation is intended to provide clear requirements for operators/licensees to follow. These requirements also provide clear expectations for the regulator to perform assessments of operators’ computer security programs. The regulation will be used to create consistency between each of operators’ computer security programs. The regulation also provides guidance and technical background where appropriate. This helps operators understand the motivations behind specific sections in the regulation. The financial and manpower burden on the operators who implement the computer security program were some of the primary design requirements of the regulation. Additionally, the financial burden on the regulator to enforce compliance was also a chief consideration. The regulation requires the regulator to assess the effectiveness of each operator’s computer security program and provide capabilities for nuclear and radiological industries in the areas of information sharing and incident response. It is also important for the regulation to assist the operator’s in the creation of long term, sustainable computer security programs.
We highlight key sections and requirements of the regulation. We will describe how this will satisfy the overarching goal of increasing the security of nuclear and radiological material. This process started with clearly understanding the goals of the regulation and the current state of computer security programs by the operators. The process required senior management representing the regulator to identify appropriate government and operator personnel to join the regulatory development team. The team required a wide array of expertise in order to ensure regulatory effectiveness. The team is included computer security experts, regulators, operators, and regulatory development experts.
Once the team was formed, the group collected and evaluated existing regulations and laws to gain an understanding of how they would interact with this new regulation. A draft regulation was then written by the team. After this, the draft regulation was shared with key stakeholders. Comments and revisions were collected and reviewed by the regulation development team. This led to more mature and complete versions of the regulation. This process was repeated until consensus was reached. We will discuss the process of getting the regulation approved and enacted. We describe how the regulation has been communicated with nuclear material and radiological sites. We will discuss lessons learned from this process. Finally, we will emphasize the importance of a robust revision process when developing national regulations.