Powered by Indico
v3.2.9
Since 18 of December 2019 conferences.iaea.org uses Nucleus credentials. Visit our help pages for information on how to Register and Sign-in using Nucleus.
The International Atomic Energy Agency (IAEA) is organizing the third International Conference on Nuclear Security: Sustaining and Strengthening Efforts (ICONS 2020) — at its headquarters in Vienna, Austria, from 10 to 14 February 2020.
The Conference will feature:
The previous conference, held in 2016, attracted over 2000 participants, including 47 government ministers, from 139 Member States and 29 intergovernmental and non-governmental organizations.
The conference will provide a forum for ministers, policymakers, senior officials and nuclear security experts to formulate and exchange views on experiences and achievements, current approaches, future directions and priorities for nuclear security.
The conference will:
Participants are encouraged not to discuss any sensitive nuclear security information.
Anyone wishing to present a paper at the conference — either orally or in the form of a poster — must submit a synopsis of between 400 and 800 words in electronic format through the "Call for Abstracts" page linked on your left. Paper copies cannot be accepted. Please refer to the updated guidelines on this process, linked at the bottom of this page.There is also a video tutorial explaining how to upload your synopsis.
Please refer to the Announcement for a full list of technical topic areas for the submissions.
The quantity and capability of cyber-attacks targeting Industrial Control System (ICSs) is growing rapidly. The integration of digital technology and communication channels in Nuclear Power Plants (NPPs) introduces vulnerabilities to cyber-attacks that may threaten the safety and operation of nuclear power facilities. Current efforts in developing and deploying cybersecurity solutions have focused largely on intrusion prevention, but focus is now turning toward detecting cyber-attacks and ICS intrusions.
Assuming that Intrusion Detection Systems (IDSs) based on host system and network data fail to detect the evidence of a cyber-attack, detection models based on process data (sensor data and control data) can detect deviations from normal operation, which could be a potential cyber-attack. However, most of these process data-based IDSs focus on detecting abnormal signals based on the relationship between the various signals measured by different types of sensors in NPPs. Therefore, these models are unable to detect cyber-attacks where the attacker intelligently tampers with most or all of the signals used in an analysis; if the attacker can tamper with one signal, it is reasonable that they can also tamper other signals simultaneously. In a replay attack, for example, an attacker masks the malicious activity by replaying older measurements. This paper proposes a localized cybersecurity strategy to address cyber-attack detection under scenarios where the sensors are compromised. This proposed strategy excludes the measurements that may be compromised.
The proposed strategy integrates a Kalman Filter into the controller itself to use the command it issued at time t and the state values at time t−1 to predict the expected response of the state values of t+1. This expected response is compared with measurements at t+1; deviations between these values that are greater than a threshold are considered anomalous and potentially caused by a cyber-attack. A Hardware-In-the-Loop (HIL) testbed, which consists of an NPP simulator and a Programmable Logic Controller (PLC), was built to evaluate the effectiveness of the proposed method. The PLC is programmed to control the Steam Generator (SG) water level at the desired set point, by adjusting the feedwater pump speed. A false data injection attack was launched towards the PLC, in which the attacker altered the SG water level measurement using a Man-In-The-Middle (MITM) attack. The altered water level measurement received by the PLC shows that the water level is higher than the set point, which leads the PLC to output commands to lower the feedwater pump speed and subsequently the measured water level. Assuming that the attacker tampered with the SG water level measurement at time t, the model implemented in the controller takes the command issued at time t, which is not compromised, and the state values at time t−1 as inputs, to predict the expected state values at time t+1. By comparing the expected value and the measurements of the state values, which are tampered by attacker at time t+1, the anomaly may be detected. The results of the Kalman Filter implemented in the PLC will be presented in the full paper.
One challenge of the risk management process for cyber security within nuclear facilities is understanding how to create scenarios to test deployed security controls that are representative of how threat actors operate. The challenge to creating these scenarios is centered on three issues. First, the complexity of systems and components (assets) at nuclear facilities makes for an expansive attack surface, so the number of viable attack pathways is difficult to approach with any confidence. Second, the nature of cyber-attacks and cyber-campaigns has evolved to include cyber-enabled physical attacks and physical-enabled cyber-attacks, which blends together attack types which have traditionally been treated separately. Third, threat actor capabilities vary depending upon the resources they have available to them and their domain experience. Our paper provides for a methodology to create blended threat nuclear-cyber scenarios for use during research, assessments, and exercises in support of risk management and training objectives.
Our methodology was derived through a series of International Atomic Energy Agency (IAEA) consultancy series and a multi-year research project on detecting events within nuclear facilities that may indicate that a cyber-attack is taking place. The first step in our methodology was to agree upon an attack and defense framework that would allow us to describe each scenario in a common way. This normalized scenario development vocabulary is critical for adoption. The next step was to choose an approach to representing the tactics and techniques used by cyber actors (both attackers and defenders) and so we integrated the MITRE ATT&CK model into our scenario development process. This vocabulary is abstractly represented such that both cyber and physical attacks can be represented across a common attack and defense framework. The third step in our methodology was to develop a series of interactions that would be created using the framework objects as defined. The last step of the methodology was to provide reference implementations for research, field assessments, and exercises such that specific threat actor capabilities can be layered on top of each step of the methodology.
This work presents the development of a nuclear power plant (NPP) simulator suitable for cyber security assessment. The NPP model is based on a pressurized water reactor (PWR) implemented using Matlab/Simulink. The Matlab/Simulink model, the Asherah NPP Simulator (ANS), simulates nuclear processes and controller’s system dynamics. ANS has been developed by the University of Sao Paulo, Brazil, under the International Atomic Energy Agency (IAEA) Coordinated Research Project (CRP) Enhancing Computer Security Incident Response at Nuclear Facilities (J02008).
The ANS core design is based on a 2,772 MWt PWR Babcock & Wilcox (B&W), which is well known by several studies published after the Three Mile Island (TMI) Unit 1 accident [1]. The main NPP parameters may be found in the Nuclear Energy Agency/Organization for Economic Co-operation and Development (NEA/OECD) study [2]. The use of the TMI core facilitates the use of the previous developed RELAP/PARCS core model for benchmark, verification and validation activities [3] [4]. The ANS comprises the Nuclear Steam Supply System (NSSS): reactor core, pressurizer, reactor coolant pumps and u-tube steam generator (primary side); and the Balance of the Plant (BOP): u-tube steam generator (secondary side), turbine, generator, condenser, feed water system. The NSSS and BOP comprehends their subsystems’ controllers where needed. Control logics used in real NPP have been implemented within software or hardware controllers.
The ANS can run standalone, i.e. within a computer or a virtual machine, or in a hardware-in-the-loop (HIL) distributed architecture test bed. It is the heart of a comprehensive simulation environment, the ANS Test Bed (ATB), with advanced instrumentation and control (I&C) capabilities. The ATB allows digital operational technology (OT) and information and technology (IT) researching and cyber security assessment.
ANS features include network connection by means of the open communication protocol Modbus and of the open cross-platform machine-to-machine OPC Unified Architecture (OPC-UA) protocol. The research team developed two ANS interfaces that allows communication among plant processes and any hardware embedded controllers or processes. The PROC I/O INTERFACE and the CTRL DATA INTERFACE are Matlab/Simulink drivers that send and receive signals to assigned equipment within the ATB. These interfaces may be user configured so any of the simulated subsystems can be replaced by their real counterparts. Therefore, the ANS processes and controllers’ subsystems may be exchanged by programmatic logic controller (PLC), field programmable gate array (FPGA) or other real world physical equipment. Thus, specific sub systems, which perform dedicated safety or security functions within the plant, may be tested against cyber attack within the ATB. For example, the ANS integration capabilities include the exchange of the ANS pressurizer level controller by it is embedded real world physical counterpart within the ATB. Similar strategy can be applied to any controller or major process function.
Besides the ATB, a Configuration & Attack Terminal (CAT), integrated with the ANS, has been developing for attack initiation, data collection, data analysis and training purposes. The CAT preliminary cyber attack scenarios, implemented using the current ANS version, considered a model-based and hardware-based schemes. Besides I&C components, both preliminary schemes comprehend standard IT equipment. Exploratory results indicate that the ANS may be a valuable tool not only for digital research and cyber security assessment, but also for computer security measures development, training and information sharing.
REFERENCE
[1] U.S. Nuclear Regulatory Commission (NRC). Backgrounder on the Three Mile Island Accident. www.nrc.gov/reading-rm/doc-collections/fact-sheets/3mile-isle.html. Accessed on September, 16 2017.
[2] K.N. Ivanov et al. Pressurized Water Reactor Main Steam Line Break (MSLB) Benchmark. Volume I: Final Specifications. Organization for Economic Co-Operation and Development (OECD), Nuclear Energy Agency (NEA) (1999).
[3] Busquim e Silva, R.A., “Implications of advanced computational methods for reactivity initiated accidents in nuclear reactors”, University of Sao Paulo, PhD Thesis, 2015.
[4] Busquim e Silva, R.; Ferreira Marques, A.L.; Cruz, J.J.; Marques, R.P.; Piqueira, J.R.C. Use of State Estimation Methods for Instrumentation and Control Cyber Security Assessment in Nuclear Facilities. International Conference on Nuclear Security: Commitments and Actions, Vienna – Austria, 2016.
Cyber security has been object of study since the beginning of the digital era. However, until the 2010 Stuxnet case in the Iran's enrichment facility at Natanz, most of world’s cyber security concerns were directed to the theft of sensitivity information. Due to its specially designed attributes, Stuxnet is considered the first “weapons grade computer virus” [1] [2] [3].
After the Natanz attack, digital specialists - and countries - changed their attentions to digital attacks against real world physical systems, most of them aiming sabotage. Therefore, in the last few years, cyber defense exercises and training courses improvised simplified test beds with information technology (IT) and operational technology (OT) equipment. However, due to the complexity of nuclear power plants (NPP), the University of Sao Paulo (USP), under the International Atomic Energy Agency (IAEA) Coordinated Research Project (CRP) Enhancing Computer Security Incident Response at Nuclear Facilities (J02008), has been developing a hardware-in-the-loop (HIL) simulator, the Asherah NPP Simulator (ANS). The ANS allows a better understanding of a cyber-attack facility impact. Besides that, a control room human-machine-interface (HMI) has been developed by the Tsinghua University and integrated with the ANS. This HMI aims to allow training exercises under the operator perspectives. Other institutes, like the Austrian Institute of Technology (AIT) and the University of Magdeburg have been integrating and developing anomaly detection tools using the ANS.
The CRP J02008 coordination led to the definition of three main roles: 1) System Builders; (2 Threat Modelers; and 3) Capability Providing Organizations [4]. USP, AIT and Tsinghua University are system builders. Capability providers and threat modellers organizations are developing threat model/scenario approach for research of test cases to mimic good computer security practices in regulatory regimes
Many OT simulators use industrial tank liquid level controllers as cyber security training tool. Tank level controllers are common to industries such as energy, oil & gas, chemical and metallurgy. These controllers maintain the level of boilers, condensers or pressurized tanks. They usually work by having a piece of software checking and adjusting the balance between inputs and outputs: digital controllers simulate pumps and valves that maintain the level between predefined values. Therefore, tank level controllers are the tools-of-choice to represent the effects of a cyber-attack in a real world equipment.
However, NPP are complex systems that must be represented by complex simulators. With the massive use of digital technology, NPP are becoming more tightly integrated. Even analogue legacy processes have been including digital systems that needed to be well-suited to cyber security challenges. Therefore, the ANS is the heart of a HIL test bed where real control equipment can be interfaced with the model to determine the consequences of sabotage from the exploitation of vulnerabilities resulting in loss of confidentiality, integrity and availability.
The CRP J02008 research activities are based on the premise that, usually, existing simulators do not survive or provide accurate results of the effects arising from simulated cyber-attacks; are not designed to account for cyber-attacks; do not capture the data needed for intensive computer security forensics and analysis; and they do not allow hardware/software integration for testing purposes. Therefore, preliminary research results suggest that going from tank levels to facility functions the development of computer security measures to prevent and protect against cyber-attacks on this equipment and systems.
REFERENCES
[1] Sklyar, V. Cyber Security of Safety-Critical Infrastructures: A Case Study for Nuclear Facilities. Information & Security, Vol.28, No. 1, pp. 98-107, 2012.
[2] Stuxnet: Leaks or Lies? http://spectrum.ieee.org/podcast/computing/embedded-systems/stuxnet-leaks-or-lies. Accessed on May 12, 2019.
[3] Busquim e Silva, R.A.; Marques, A. L. F. Digital Instrumentation & Control (I&C) Systems and Cyber Security: Is Supply Chain the Weak Link? International Conference on Nuclear Security: Enhancing Global Efforts, Vienna-Austria, 2013.
[4] Rowland, M.T.; Busquim e Silva, RA. IAEA Coordinated Research Project on Enhancing Incident Response at Nuclear Facilities. 11th Nuclear Plant Instrumentation, Control and Human-Machine Interface Technologies. Orlando-Florida, 2019.
Nuclear power plants are complex systems with critical controls and measures implemented by computers and dedicated programmable logic controllers. These end devices are grouped into different security levels and zones and are connected by computer networks forming a complex trust relationship between the entities. The boundaries of the zones are separated by specialized security systems, e.g. gateways, firewalls, network diodes and other security devices. The thorough testing of these security devices before deployment is a crucial task of the IT staff. In this paper we propose a virtualization-based testing solution, where the stability, security and reliability of the tested devices can be measured in realistic scenarios.
In the first part of the paper we briefly introduce the different kinds of virtualization techniques. Virtualization is a technique which enables the operation of several virtual computers (called virtual machines) running on one or on a limited number of physical hosts. After that we present the concept of Infrastructure as Code (IaC). This concept allows us to store and deploy the configuration of any computer or network of computers as code. Using the two techniques together is an efficient way to deploy large scale computer networks on demand. We demonstrate the capabilities of the technique by designing and deploying a simplified version of a nuclear power plant’s security level 4 and 5 systems.
In the second part of the paper, we briefly introduce the concept of defense in depth for the design of the network, in which the systems are separated by distributing them in different layers from lower to higher security requirements and in sub zones, in which diverse controls must be applied to ensure communication and access between systems and at the same time collect the necessary information to detect intrusions. With this information we can take another important step in the direction of defense in depth, which is the early detection of incidents and consequently early response to them, thus protecting the zones and layers of our system.
By applying a list of pre-selected controls from IEC 63096 (Nuclear power plants - Instrumentation and control-systems - Security controls) we evaluate different security solutions with open source software such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), proxies and security incident and event monitoring systems (SIEM). In order to determine the ideal set of solutions to be used on an end device or network infrastructure equipment, we use the realistic network deployed by the technique discussed in the first part of this paper. The work described in this paper is supported by the International Atomic Energy Agency (IAEA) under the collaborative research project CRP-J02008.
Defensive Computer Security Architectures (DCSA) are a vital element in the application of computer security to nuclear facilities. The DCSA should provide higher degrees of protection to digital assets performing more significant functions. This will increase the difficulty to the adversary as they will need to overcome multiple, diverse, and independent measures to successfully complete an attack.
Basing the DCSA specification on a well-established trust model, allows for effective application of good computer security practices in . Current US Regulation mandates a trust model similar to Biba which prioritizes reliability (e.g. integrity and availability requirements) over confidentiality. This leverages the existing Nuclear I&C architecture for safety which allows for measures such as data-diodes, and restrictive procedures (such as requiring independence and channelization) to be put into place. Implementing a DCSA can be very effective against a cyber attack that could result in sabotage potentially leading to unacceptable radiological consequences (URC).
Current DCSA and its underlying trust model does had not been applied sufficiently to physical protection systems (PPS) where the current practice is to assign all devices to a single security level and apply a ‘large zone’ around all the components of the PPS. This requires extra effort to physically protect networks and components, as well as provide administrative controls to control access.
PPS contain both personally identifiable information (biometrics) and other confidential information as well as have to operate reliably. With these requirements on the system, the trust model in use for Nuclear I&C (Biba), with its emphasis on integrity and availability is unsuitable.
This paper will aim to propose use of well-established trust models to apply to the DCSA specification for PPS. The trust models to be considered are (1) Biba; (2) Bell-LaPadula; (3) Clark Wilson; and (4) Brewer and Nash. The comparison will (1) identify significant functions performed and/or sensitive data managed by an example PPS; (2) identify the underlying tasks or activities that are required to be successfully achieved to delivery the security function or to protect the data (information); (3) indicate the priority of the Confidentiality, Integrity and Availability (CIA) requirements for each task; and (4) for each task, evaluate each trust model as to whether the information flows they allow are effective or ineffective in providing security.
The increasing use of digital instrumentation and control (DI&C) systems in nuclear power plants (NPP) presents new challenges to traditional security and protection measures. The current focus of cyber security-related research on protecting sensitive information or privileged networks from state-of-the-art “hacker” attacks struggles to adequately address protection needs for digital controls over physical processes. Thus, there is a need for cyber security research to move beyond an “anti-hacker” approach and more systematically identify and describe potential hazards that can be experienced in physical space but initiated (or implemented) in digital space. As is a common struggle across all cyber security efforts, the large number of potential failure modes from DI&C systems challenge the efficacy of deterministic approaches to identify critical digital assets or probabilistic risk assessments (PRA)-based analysis. This suggests that a risk-informed approach is necessary to properly assess the importance of DI&C systems to the criteria outlined in international cyber security best practices and better protect nuclear fuel cycles facilities (and activities) as pieces of critical global infrastructure.
Research funded by the Electric Power Research Institute (EPRI) in the U.S.—in collaboration with the Complex Hazards Analysis for Risk Management (CHARM) Team at Sandia National Laboratories—developed a response founded on key systems engineering concepts as “holistic” system characterization, describing new interactions enabled by DI&C, and illustrating interdependencies between DI&C and non-DI&C elements. Using these concepts, the CHARM team evaluated the appropriateness and adequacy of both traditional (e.g., Fault Tree Analysis, FTA) and novel (e.g., Systems-Theoretic Process Analysis, STPA) hazards analysis techniques for addressing these cyber security challenges. The CHARM team concluded that combining STPA and FTA leverages the benefits and overcomes the shortcomings of the individual methodologies to meet the criteria for risk-informed cyber security methodology—resulting in the Hazards and Consequence Analysis of Digital Systems (HAZCADS) technique. HAZCADS merges the system-theoretic principles of STPA with the probabilistic elements of FTA to efficiently and methodically identify, categorize, and assess hazards that can emerge from digital systems in NFC activities.
HAZCADS better incorporates both the direct and indirect roles of digital components in potential failure pathways and expand upon traditional cyber security approaches by incorporating: (1) the uniqueness and complexity of DI&C components; and (2) newly identified digital failure modes, including those from component interactions that still result with no component failure occurring. This paper will briefly summarize the core tenets of both FTA and STPA, provide a detailed description of how to develop SIFTs, and introduce the overall HAZCADS methodology. Next, a review of several examples of applying HAZCADS will be provided, including a comparison of lessons learned. Finally, this paper discuss several key implications for this new cyber security approach, including more effective application of limited cyber security resources on more vulnerable areas and higher fidelity (and flexible) digital hazard identification approach for NFC activities consistent with international best practices.
SAND2019-6257 A. Sandia National Laboratories is a multimission laboratory managed and operated by National Technology and Engineering Solutions of Sandia, LLC., a wholly owned subsidiary of Honeywell International, Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA-0003525.
Usually information is classified into different levels of sensitiveness which will dictate the measures for its protection. Information protection measures include barriers for access such as people clearances, cyber security, physical access controls, etc
Also, Design Based Threat, or DBT, is a common principle for physical and cyber protection, which is based on threat assessments. Then, the security will be planed based on the risk assessment.
While we acknowledge the importance of the DBT, we argue that following this line of reasoning may limit our ability to grasp other vulnerabilities the system may have, because this follows the assumptions that:
a) The system will react according to the way we think it should, based on a predetermined fashion.
b) If each component of the system is reliable, then the system will be reliable.
However, nowadays technology evolves at fast pace, and the complexity of the systems is always increasing, with computer intensive machinery, allowing for interactions that had never been experienced before. Therefore, there are not enough data for statistical decision making. Also, very often we see accidents that could not be attributed to a single obvious cause, or root cause. The complexity of the interactions between the components of a system can lead to unwanted consequences due to unintended interactions, even if each individual component is working as it was supposed to.
Alternatively, systems theory assumes that accidents are caused by a number of systemic factors, and not by a single root-cause, generally a failure, that starts a chain of events leading to the accident.
Therefore, accidents are a problem of control of the interactions between the components of the system rather than a problem of finding root causes. The control of the interactions is represented by a hierarchical control structure, which is basically a representation of the system as a hierarchic structure where the higher levels control the interactions of the lower levels in order for the system to achieve the desired levels of safety and security.
A cyber security system can be approached as a socio-technical complex system, and in such humans are as part of the system as the computerized controls. In fact, human factors are present in every component of a socio-technical system, since all technological aspect is designed by humans. Therefore, of particular importance are the human factors, such as safety and security culture, and its effects on the interactions between all components.
Safety and security cultures are part of the organizational culture. The organizational culture permeates the entire system, as mentioned above, affecting decisions and, consequently, the interactions between the components.
Weak safety and security cultures will eventually contribute for the system to shift from a safe and secure state to hazardous states and, therefore, leading to losses or accidents.
This work analyzes the roles of organizational, safety and security cultures, as underlying factors that can lead to the deterioration of the hierarchical control structure, which is supposed to keep the interactions between the components of the system within desirable constraints.
Abstract: The stable operation of the ICS (ICS) directly affect the safety of nuclear power plants and cyber security has become an important factor affecting nuclear safety. With the continuous development of the digitalization and networking of modern industry, the cyber security of ICS in nuclear power plants is facing unprecedented challenges. Therefore, it is necessary to take cyber security into consideration from the construction stage in nuclear power plants. From the perspective of the business owner, we analyze the cyber security risks faced by ICS during the construction phase and propose the technical defense architecture for newly built and being built nuclear power plants respectively combining the related international standards and guidelines. Further, we propose to build ICS cyber security test platform to verify the feasibility of the defense architecture.
1. Introduction
It was considered in the past that the ICS of nuclear power plants was relatively safe because it was isolated with outsider world and used specialized hardware and software to run proprietary protocols. However, with the higher degree of industrial digitalization and networking, the Windows platform and industrial Ethernet based on IEEE802.3 have been widely used in ICS. The ICS become open and face unprecedented security threats. From the " Stuxnet" incident in Iran to the recent power blackout in Venezuela, the cyber security of ICS in power plants is facing more and more challenges. Cyber security has become an essential part of production safety and the key ICS of a nuclear power plant will directly cause reactor shutdown events, which will lead to nuclear safety issues. Therefore, it is necessary to take cybersecurity into consideration from the construction stage, analyze the cyber security risks during the construction phase, and build targeted technical protection solutions for under construction and new nuclear power plants.
2. Related standards
2.1 RG 5.71
2.2 IAEA NSS
2.3 IEC 62443
2.4 IEC 62645
2.5 IEC 63096
3. Cyber security risk analysis of ICS in the construction stage of nuclear power plant
3.1 requirements for cyber security in nuclear power project management
This chapter introduces the main works of construction stage in nuclear power plants and analyzes the cyber security requirements in "information and document management" which is one of the seven fields of nuclear power project management.
3.2 Critical Digital Assets Identification
According to the requirements of RG 5.71, this chapter addresses how to identify the critical digital assets of ICS in nuclear power plant.
3.3 external threats analysis of critical ICS
This chapter analyzes the external threats to the critical digital assets identified in 3.2(critical ICS,) in the construction phase of nuclear power plants.
3.4 vulnerability analysis of critical ICS
This chapter analyzes the possible vulnerability of critical digital assets identified in 3.2 during the nuclear power plant construction phase.
4. Technical defense architecture research
Because of the long construction cycle of nuclear power plant, it will take huge cost to change the defense architecture after it was confirmed in the design phase. Therefore, this chapter studies the cyber security defense architecture of ICS in newly built and being built nuclear power plants respectively.
4.1 Technical defense architecture for critical ICS in newly built nuclear power plants
In this chapter, we propose the technical defense architecture based on trusted computing for critical ICS in newly built plants. We analyze the difference between trusted computing and traditional defense method, and explore how to use trusted computing technology to construct a defense architecture with active immune function.
4.2 Technical defense architecture for critical ICS in nuclear power plants being built
Because of the insufficient design of cyber security, we must take the cost and schedule into consideration as for the defense architecture for plants being built. We propose a semi-active defense architecture based on network isolation, protocol analysis for ICS and intrusion detection technology, which can detect and block threats in time.
4.3 Cyber security test platform for ICS in nuclear power plants
ICS have high requirement for high availability and some ICS with real-time control function, such as the protection system, will directly cause reactor shutdown events. Therefore, the cyber security technical defense architecture of critical ICS must be fully tested and verified. In this chapter we introduce the digital twin technology, and discuss the feasibility and advantages of constructing the cyber security test platform for ICS based on digital twin technology.
5. Conclusion
6. References
The identification of digital assets and their classification (i.e. assignment to security levels) within computer security programmes at nuclear facilities has historically been a complex process. The current approaches use a system or asset-centric approach with the aim of applying cyber-security retro-actively. A example of such an approach is provided in US NRC Reg Guide 5.71 [1] whereby Licensee systems are classified as critical systems if they have meet one or more of the following criteria: (1) Performs Safety, Security or Emergency Preparedness (SSEP) functions; (2) Affects critical systems, functions or pathways; or (3) Supports critical systems.
This paper outlines a simplified approach for identification and classification of digital assets, and provides opportunities to identify strategic improvements and efficiencies in achieving the computer security goals. The paper outlines a 4-element process: (1) identify and enumerate the nuclear security goals; (2) identify the functions that provide, support, or assist in realizing the security goals; (3) identify the digital assets (or systems) that perform or support these functions; (4) assign a computer security level to the digital assets upon the potential consequence as well as thelevel of support the digital asset provides (i.e. directly performs function, supports function, or indirectly supporting function/auxiliary); and (5) evaluate the effects of compromise using an adversary profile and characterization.
The paper will provide a description of key steps stressing the importance of security by design that is encapsulated in elements (1) through (4) above. The objective of these steps is to establish a baseline using analysis of facility systems and digital assets that perform or support functions that are important to achieving security goals. This analysis can lead to highly accurate outputs that justify assigning a high degree of confidence to the identification and classification. This approach mirrors with safety analysis as the threat is not considered, simply the security goals that are achieved through the provision of functions.
No matter how capable the team performing the analysis, or how accurate the results are, compromise of digital assets can lead to indeterminate effects (ref NSS 33-T). Indeterminate effects reduce the confidence in the functional analysis that dominates elements (1) to (4) , and necessitates element (5) . The process for element (5) is to bound the potential for compromise resulting in indeterminate effects to those that are bound to an adversary profile and to a credible scenario. This process will never be as accurate as the results of analysis of (1) to (4) since both the scope bounding the adversary and the credible scenarios will not have high confidence, but when used to verify element (4) it is effective. The paper argues that (4) should only be used to confirm the assignment of a security level or raise the level, it should not be used to lower the level.
References:
[1] United States Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, January 2010.
A physical protection system (PPS) integrates people, procedures, and equipment for the protection of assets or facilities against theft, sabotage, diversion, or other malevolent intruder attacks.
The PPS functions are detection, delay and response, before the design of the PPS we must see what we must protect (facility categorization), what I must protect against (against which the PPS must be designed) and level of protection is adequate (facility categorization and data base threats).
The design of the PPS can be implemented during the design of the facility or nuclear material. Before that we can trust the PPS we must make assessment and evaluation of the system to verify the effectiveness and see if the PPS verify the functions (detection, delay and response)
Before that we can trust if the PPS is adequate and effective, it must first be verified that it fulfills the essential functions: detection, delay and response.
This can be done with an assessment and depending on the response, an update is carried out. The assessment and overview must be done on different elements of the PPS and periodically and then evaluates the proposed design to determine how well it meets the objectives. In this work, we can see the assessment of different elements and if necessary the updates of equipment’s or procedures...
Small quantities of nuclear and other radioactive materials are used in educational institutions worldwide in education, research, health care, agriculture and industry. In practice it is often desirable to protect the critical infrastructure (buildings, materials and equipment) from malicious acts caused by humans and the protection is usually provided by complex Physical Protection System (PPS). The PPS is a security system which integrates people, procedures and equipment for the protection of assets against theft, sabotage or any other malicious acts. It is designed to achieve a set of objectives according to a plan and must be analyzed to ensure that it meets the objectives of physical protection. The objective of the study is to create an Adversary Sequence Diagram (ASD) and evaluate the PPS effectiveness for the Most Vulnerable Path (MVP) into the research laboratory. The effectiveness of PPS (PE) is the metric for a PPS performance and it is defined as the product of two probabilities: Probability of Interruption (PI) and Probability of Neutralization (PN). The value of PI can be determined by a software namely, Estimate of Adversary Sequence Interruption (EASI). The detection and delay components of the PPS, along with the respective value of Probability of Detection (PD), mean delay time (tD), and Probability of Communication (Pc) are measured along a specific adversary path and are used as inputs in the Adversary Sequence Diagram (ASD). The Response Force Time (RFT) is used to decide the Critical Detection Point (CDP) in the ASD. The CDP is defined as that point along the path to the target, detection beyond which might result in the success of the adversary. The estimation of PN requires data on the threat and the response force. Threat data include threat type, number of adversaries and their capabilities and a specific target. The response force data contain the information about weapons, number of guards and response time for each target. In the present work, the evaluation of PPS designed for a research laboratory in a university campus against sabotage is presented. Adversary’s intent is to reach the radioactive material storage vault in the research laboratory and conduct sabotage. The analysis includes the path travelled by the adversary from fence or gate (off-site) to the target through various detection and delay elements of the PPS. The assumed RFT is 110 seconds and PC is 0.95. The CDP is set at 133 seconds at the lab door. The calculated value of PI is 0.98. The high value of PI represents that adversary’s success probability will be very small if they attack through this path. For the PN calculation, we assume adversary is an insider with a pistol. The response force includes one watchman with pistol and two persons in alarm response team. With these inputs the value of PN = 0.96. Therefore PE will be 0.94 i.e. the PPS is 94% effective. So, the effectiveness of the PPS at a research laboratory in a university campus is evaluated by estimating PI and PN. The considered sabotage scenario and the evaluation of the PPS effectiveness serve as an academic exercise which was found useful to demonstrate to the students about how PPS evaluation can be done.
The Office of Radiological Security Alarm Response Training (ART) program provides a unique, quality training experience for sites participating in the voluntary security program. The training course is designed to cultivate interoperability of various response elements and offer the opportunity to discuss, develop, and refine their organizations' response plans and strategies.
The three day ORS ART course is held at the Y-12 National Security Complex in Oak Ridge, TN provides the participating site approximately ten slots. The ten slots are divided among on-site security, radiation safety, and local law enforcement personnel to ensure each response agency directly involved is represented. This “diversity of group” is essential in fostering an atmosphere of collaboration and is an element that consistently receives positive feedback in course critiques. However, because each site participating at the Y-12 site is limited to approximately ten slots, the majority of an area’s response personnel, particularly the law enforcement officers most likely to respond, are not afforded the opportunity of attending the training. Often, key leaders ( e.g., police chiefs, city managers, and facility administrators) are unable to attend due to the schedule challenges presented by a weeklong training event held away from their jurisdiction.
Out of this request, the Customized Alarm Response Training Course (cART) was developed. The cART efforts complement, not supplant, the resident Y-12 program as the course often provides the first opportunity for participating sites to create and exercise tactics, techniques, and procedures (TTP’s). cART is strategically conducted in select cities across the U.S. In addition to providing on-site training, the cost for attending the cART is less than the current resident ART course since logistical support for approximately 40 participants is not be required.
The cART program also provides the Local Law Enforcement Agency (LLEA) with a mock irradiator and supporting equipment. An example of equipment required includes a mobile camera system to provide central alarm station setups, observer rooms, and the ability to conduct after-action participant reviews.
The ORS program has implemented cART in through 2020 Cities Initiative. The 2020 Cities Initiative focuses on securing the top 20 cities by the year 2020. This paper will present the best practices and lessons learned from these select eve
This paper describes the application of a risk management performance-based approach, and compares a security project using three areas of nuclear security: physical protection, information security and accounting and control of nuclear material. This approach uses probabilistic threat parameters, equipment, systems and response forces used to prevent, dissuade and deter malicious acts against the integrity of nuclear facilities and its materials contained therein. Today, in Brazil, nuclear risk management uses a traditional prescriptive-based approach. This methodology does not take into account the current capabilities of the different internal or external threats to facilities. In addition, it does not provide system performance metrics in the face of such threats. Once the plans and systems that currently exist in real facilities must remain confidential, a hypothetical facility was developed, contemplating a small modular reactor. The use of the methodology made it possible to identify vulnerabilities of the model itself, given the needs of each of the areas of Nuclear Security. The results obtained shown us that the adoption of a performance-based methodology represents a significant evolution in the evaluation of physical protection systems, but it is not enough without being integrated with the areas of cyber-security and nuclear material accounting and control.
Provision of nuclear materials and nuclear facilities physical protection is an essential part of nuclear activity. This statement mentioned in many IAEA International Documents.In particular those documents also mentioned that modern physical protection systems (PPS) creation should be based on their effectiveness evaluation. It is necessary to understand how nuclear materials and nuclear facilities protection have been enhanced for some financial and human resources investment into PPS upgrading. This paper analyzes IAEA Nuclear Security Series (NSS) documents (NSS 13 “Nuclear security recommendations on physical protection of nuclear material and facilities (INFCIRC/225/Rev.5)”, NSS 14 “Nuclear security recommendations on radioactive material and associated facilities”, NSS 27 “Physical Protection of Nuclear Material and Nuclear Facilities (implementation of INFCIRC/225/Revi.5)”) requirements concerning physical protection systems effectiveness evaluation. The paper views methods that were developed under Coordination Research Project (CRP) “Nuclear Security Assessment Methodology (NUSAM)” (2014-2016). Russian theoretical and practical experience in this area viewed as an example. It’s also mentioned evaluation methods were developed only in relation to physical protection systems but similar methods for following nuclear security subsystems (cyber-security etc.) are absent. Besides necessity of such methods development here viewed other perspective research trends. In particular here proposed to considermodern threats in detail (for example, unmanned airborne vehicles, divers, modern software/hardware used by intruder etc.) and their influence on nuclear facilities physical protection effectiveness. Furthermorethe paper encourages other perspective research trends in this area: distribution of developed effectiveness evaluation methods to radioactive materials and associated facilities, human factors taking into account in physical protection systems effectiveness evaluation, optimization methods development for PPS design process (for example, by “cost-effectiveness” criteria), risk assessment methods development etc.
Key words: nuclear material, nuclear facility, physical protection, physical protection system, effectiveness evaluation
As the number of cancer cases and deaths in Africa continues to rise, African states are racing to get ahead of this wave by acquiring additional radiotherapy machines. In doing so, these countries not only face financial challenges, but considerations of whether to use linear accelerators, which both offer better cancer care and reduce radiological security risks, or cobalt-60 machines, which are inferior on both counts, but often cost less and operate more consistently in more challenging environments.
To be sure, the trend line is clear: better-off African countries, such as South Africa and Nigeria, have moved almost entirely to LINAC based treatment. This shift can be attributed not only to the superior performance of these machines, but rising terrorist attacks and threats in Africa, enhancing radiological security concerns. Nonetheless, more than eighteen African countries still have co-60 machines, while thirty-nine generally poorer African countries lack a single teletherapy machine and may consider purchasing additional co-60 machines.
There currently are hundreds of thousand cancer-related deaths each year in Africa, projections indicate that could rise to a 1.4 million new cancer cases and 1 million cancer deaths in Africa annually by 2030. In light of the increasing terrorist threat, it is becoming extremely difficult to ignore the serious security threat that would be created by countries that plan to address the current shortfall of more than 4000 radiotherapy machines by establishing or upgrading radiotherapy facilities with high-risk cobalt-60 units. The specific current and future radiation therapy equipment needs met by high-activity radioactive sources may over time selectively be met by alternative technologies based on lower activity sources or no radioactive sealed sources at all.
Many governments and organizations in Africa have undertaken initiatives to facilitate the adoption and sustained use of security risk-free LINAC-based radiotherapy machines. Many of the research studies conducted to date on the cobalt-to-linac transition in Africa have been descriptive in nature addressing obstacles and making recommendations, but not instructive. The aim of this paper is to critically describe the transition process and lessons learned from the African experience and perspective. The research data analyzed in this study are drawn from four main sources: the IAEA Directory of Radiotherapy Centres, the Federation of African Medical Physics Organizations, Elekta and Varian (two manufacturers). Our findings have significant implications regarding the impact of introducing alternative radiotherapy technologies to enhance the “treatment” and reduce the “terror” in the treatment not terror paradigm.
Physical security at nuclear facilities is an important licensing and design consideration. The ultimate objective of the physical protection system (PPS) is to prevent the accomplishment of unauthorized overt or covert actions to nuclear facilities and nuclear materials. When a physical protection system is applied to a nuclear facility or to nuclear materials, its objective is to prevent radiological sabotage of facilities and theft of nuclear materials. Thus an effective system of physical protection also plays an important role in preventing illicit trafficking of nuclear materials. One of the main pillars of physical protection is controlling personnel access to facilities via Identification technology Systems. Identification technology is changing as fast as the facilities, information, and communication it protects. Recent years have seen a rapid adaptation of using various biometric systems for trusted human automatic recognition and controlling personnel access to nuclear facilities attributed to its high accuracy performance, discriminability, difficulty to be imitated and faked, and stability. Biometrics refers to the physiological or behavioral characteristics of an individual. Many physical characteristics, such as face, fingerprints, iris and behavioral characteristics, such as voice and gait are believed to be unique to an individual. With the exponential growth of using biometric systems, there is an increasing concern that the privacy anonymity of individuals can be compromised by biometric technologies. Unlike passwords and credit cards, which can be revoked and replaced when compromised, biometrics is always associated with a person and cannot be reissued. Biometrics is not secret; the iris of individual can be observed anywhere they look, people leave their fingerprints on everything they touch, and the person will not realize that his/her biometric is disclosed. Biometrics absolutely are sensitive information, therefore biometrics should be protected, because it may be misused by any attacker. To overcome the vulnerabilities of biometric systems, a number of recent strategies can be used such as biometric watermarking, visual cryptography, Steganography and cancelable biometrics. In this article, we provide an overview of various methods for preserving the privacy and security of the individual’s biometrics data.
Blood Irradiators are often used to irradiate blood and blood components prior to transfusion to prevent the proliferation of certain types of T lymphocytes that can inhibit the immune response and cause graft-versus-host disease. Morristown Medical Center, which is part of Atlantic Health System based in the northern part of New Jersey, USA, employed a Cesium-137 Blood Irradiator for about 20 years.
On November 14, 2005, the U.S. Nuclear Regulatory Commission (NRC) issued Order EA-05-0902, imposing increased controls for certain high-risk radioactive materials such as those contained in the Blood Irradiators. On December 5, 2007, the NRC issued Order EA-07-3053, imposing fingerprinting and criminal history records check requirements for unescorted access to certain radioactive material. These increased control (IC) requirements were imposed on radioactive materials of concern4 such as Cesium-137 (Cs-137) with activities greater than or equal to 27 Ci (1 TBq).
During the time of the IC orders, Morristown Medical Center’s Blood Irradiator contained approximately 1400 Ci (52 TBq).
Security enhancements, as well as response protocols were set in place, in order to comply with the USNRC Increased Control Orders, as well as 10 CFR 37. These included, but were not limited to, “trustworthiness and reliability” background checks, fingerprinting, FBI identification, criminal history records check, reinvestigation every 10 years for any individual with unescorted access, establishment of security zones and continuous physical barriers, continuous monitoring and detection of all unauthorized entries into security zones, and initial and annual training for the Security staff and Local Law Enforcement Agencies.
The facility eventually came to the decision to replace the Cesium irradiator with an X-ray Irradiator. Factors such as irradiator performance, prohibitive regulations, security issues and cost savings, that affected the decision, will be elaborated on. It is worth noting that the switch from a Cesium irradiator to an X-ray irradiator resulted in a quicker turnaround time and increased irradiation capacity per unit time, among other advantages.
A few factors that typically deter facilities from switching to X-ray technologies, will be discussed. These factors are generally rendered obsolete by updated technology as well as outweighed by the incurred advantages of switching.
Finally, a visual description of the day when our Cesium Irradiator was picked up for disposal, will be presented.
It is hoped that our experience will engage other facilities to do the same in terms of replacing their Cs-137 irradiators with technologies that yield better performance and result in much less vulnerability from theft and sabotage involving high-activity radioactive materials.
Ensuring a Stable Supply of Mo-99 in the U.S. without the use of HEU
Technetium-99m (Tc-99m) is a radioisotope used in approximately 80% of all medical imaging procedures across the globe. With a half-life of approximately six hours, this important medical radioisotope cannot be stockpiled and must be either used immediately upon direct production or repeatedly milked from generators bearing the parent isotope, molybdenum-99 (Mo-99), which has a half-life of approximately 66 hours. Historically, Mo-99 has been produced in research reactors by the irradiation of targets bearing highly-enriched uranium (HEU) followed by chemical separation and purification. In order to minimize the proliferation risks posed by medical isotope production, the U.S. National Nuclear Security Agency (NNSA) has funded a multi-year program to accelerate the deployment of technologies to produce Mo-99 without the use of HEU. Internationally, this work has focused on replacing HEU targets with low-enriched uranium (LEU) equivalents. Within the U.S., operating under a full cost-recovery paradigm, NNSA has directly funded the research and development of accelerator-based technologies and reactor target-based technologies via cost-sharing Cooperative Agreements with potential commercial producers.
One of the Cooperative Agreement partners, NorthStar Medical Radioisotopes (NorthStar), is pursuing a dual production pathway for Mo-99: irradiation of enriched Mo-98 targets in the University of Missouri Research Reactor (MURR) and electron beam accelerator-based production using Mo-100 targets at their production site in Wisconsin. NorthStar’s production method supplants the traditional generator-based supply chain by use of the NorthStar RadioGenix system in radiopharmacies.
Another Cooperative Agreement partner, SHINE Medical Technologies (SHINE), uses a deuteron beam accelerator and tritium gas target to produce high-energy neutrons. These neutrons are thermalized and multiplied before irradiation of a liquid LEU target solution in a subcritical configuration. After each production cycle, the Mo-99 is extracted from the LEU solution, which is reconditioned and recycled to minimize total uranium usage. The SHINE production method is designed to be compatible with the existing Tc-99m generator manufacturer supply chain.
The third Cooperative Agreement partner, NorthWest Medical Isotopes (NWMI), produces Mo-99 using LEU solid targets that are able to be irradiated in multiple research reactors and shipped to their target processing facility in Missouri for dissolution and Mo-99 extraction and purification. Like SHINE Medical Technologies, the NWMI production method is designed to be compatible with the existing Tc-99m generator manufacturer supply chain.
The fourth Cooperative Agreement partner, Niowave Inc. (Niowave), uses a superconducting electron linear accelerator to irradiate a neutron-generating target surrounded by LEU production targets. After each production cycle, the targets are dissolved and Mo-99 is extracted and purified. Like SHINE and NWMI, the Mo-99 produced by Niowave is designed to be compatible with the existing Tc-99m generator manufacturer supply chain.
The organization also provides technical support by making resources from the U.S. Department of Energy National Laboratories available to potential commercial producers. In addition to the Cooperative Agreement partners, U.S. National Laboratory assistance has been provided to both international producers and U.S. potential producers who have not been directly-funded by NNSA. An overview of the U.S. National Laboratory technical support will also be given.
In the last few years, distributed ledger technology (widely recognized in the form of blockchain) has demonstrated practical benefits beyond the development and exchange of cryptocurrencies. Blockchain solutions are being implemented in the fields of international development, healthcare, and education, predominantly as an information-sharing platform that enable parties to interact in a trusted environment. The strength of blockchain stems from its cryptographically-secure properties: when data is recorded onto the blockchain by any user, it is automatically copied onto other connected nodes (or participants) on the chain, as opposed to storing it directly into a centralized database. Consequently, the information has “no single point of failure” in a blockchain; any changes to the information – an attempt to extract or manipulate sensitive data, for instance – will be logged.
Thus, blockchain’s ability to preserve the integrity of data could potentially help enhance security measures across businesses, including the nuclear sector. For instance, blockchain technology could make it difficult for a malevolent actor to reconfigure files or install code that could linger in a computer network undetected, among other applications. This paper outlines the exploratory research the Stimson Center conducted in the Fall of 2019 – including expert interviews with blockchain developers and nuclear facility operators – to better understand the possible applications for nuclear security. The paper examines use cases that could potentially prevent or mitigate security vulnerabilities in nuclear facilities that could be exploited by cyber and insider threats. Moreover, the paper discusses potential difficulties in applying blockchain for nuclear security, and the ways in which the use of this technology could alter security considerations -- for better or worse – at the national and operational level.
Radioactive materials play an important role in commercial, medical, and research facilities across the world. However, the benefits of these sources must be balanced with sufficient security to prevent radiological materials from falling into the wrong hands. In its efforts to prevent high-activity radiological materials from being used in acts of terrorism, the Department of Energy’s (DOE) National Nuclear Security Administration (NNSA) Office of Radiological Security (ORS) helps reduce the global reliance on high-activity radioactive sources by leading efforts to support the adoption and development of non-radioisotopic alternative technologies. ORS engages in efforts internationally to exchange technology information with users of cesium-137 based irradiators who are interested in converting to viable non-radioisotopic alternatives and understand and reduce obstacles preventing the transition to an alternative technology.
As the maturation of technology has led to the availability of non-radioisotopic alternative technologies, many countries are exploring the transition from cesium-based blood irradiators to x-ray based blood irradiators. Today, there are six x-ray irradiator models that have been approved for use in this application in the U.S. and European Union, facilitating this transition.
The first such alternative technology project under the ORS program has been replacement of a cesium chloride blood irradiator at the Espanola Hospital in Montevideo, Uruguay. In this case, both because it was a project implemented outside the U. S. and because of circumstances unique to Uruguay, implementation of the project presented a unique set of challenges. Those challenges, and how the site and the relevant Uruguayan regulatory agencies addressed those challenges, have provided policymakers, regulators and site operators with lessons learned and tools to assist in implementation of future international alternative technology projects.
These tools have come about because of the need to address a range of issues and requirements, including:
1) The participation and agreement of the relevant in-country regulatory agencies and the need to satisfy regulatory requirements for licensing and operation of a new medical device.
2) The need to work with the site facilities personnel, in addition to the medical personnel, to establish clear requirements for infrastructure modifications required to install the x-ray device, including electrical and cooling requirements;
3) The proper pathway and paperwork necessary to have the x-ray device clear Customs once it arrives in-country;
4) Ensuring the availability of timely local technical support in case problems should arise with the replacement device either before or following delivery and for follow-on preventive maintenance. In some cases, this may involve factory authorized training for a local or regional service provider; and
5) Confirmation of a safe and secure disposition pathway for the existing cesium or cobalt unit, which would include having licensed companies be able to remove the device inside or outside the country, remove the sources safely and securely and dispose of them according to relevant regulations.
Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525. SAND2019-XXXX A
Abstract
The International Physical Protection Advisory Services (IPPAS) mission has been conducted by IAEA for the Egyptian Atomic Energy Authority (EAEA) in December 2005. The purpose of the IPPAS has been to provide advice and assistance to strengthen the effectiveness of the physical protection systems of Egypt’s second research reactor (ETRR-2) nuclear complex. The purposes of that work is to development and finalize an action plan for the technical upgrade of the physical protection system, and contribute in the implementation of IPPAS mission recommendation, of ETRR-2.
The main objective of this paper is to introduce the upgrading process of the physical protection systems at ETRR-2 nuclear complex, the work determines and recovering for the weakness points in security systems on site and insure the sustainability of the physical protection system to verify; it meets the Regulatory and IAEA requirements.
This paper will present the processes and approaches adopted by the Egypt’s second research reactor for inspecting and evaluating nuclear security aspects and interface of inspection with safety
This paper determines the operational requirements for the physical protection system; devices, equipment, and the systems needed to be upgraded as a part of ETRR-2 overall physical protection systems. The paper will explain how to create the statement of work (SOW), which includes the required specification and the system issues; protection, detection, surveillance television, alarm and access control. The works shows the central alarm station management, security grating barriers and entry check-point’s equipment and devices used in inspection deepening on the regulatory requirements.
The work introduces the issues and challenges currently faced and explain the possible solutions. The work presents the techniques and strategy has been used for developing the physical protection systems in order to assist, the second reactor complex, in enhancing its facilities capabilities in nuclear security and improving the nuclear security regimes
Keywords: Central Alarm Stations (CASs), Isolation zone strengthen, Contraband systems, Intrusion Detection system, Access control system
KAMAL H. LATEEF
Iraqi Radioactive Sources Regulatory Authority
Baghdad Iraq
Chairman@irsra.gov.iq
FADHIL H. MIZBAN
Iraqi Radioactive Sources Regulatory Authority
Baghdad Iraq
fadhil_res@irsra.gov.iq
Abstract
The security of radioactive sources, nuclear materials and the facilities they contain is related to the provision of factors related to the human role, while others are related to the technical aspect in a way that provides the following security elements: deterrence, detection, delay, response and security management.
The human role represents the administrative procedures which consist of monitoring, guards, alarms evaluation and conversion to declaration of detection status followed by disability and delay to provide the necessary time to respond and security management.
An important part of the deterrence concerns the human role. The presence of security elements in the specific location can provide sufficient deterrence. The assessment of alarms is carried out through a human element, up to the announcement of a detection situation. The work of disability and response is carried out by the human role to a large extent. This task cannot be accomplished without the human role.
In the same context, the technical factors require activation to be provided to the main and alternative sources of energy, as the means of deterrence and detection (cameras, sensors of movement, padlock, etc.) all require continuous supply of electrical energy and the loss of energy sources eliminates the full existence of the technical role. The integration of the work of technical and human role is required to be carried out within the framework of a comprehensive security system or community stability in general. The occurrence of abnormal events such as loss of state control and the collapse of the system, the occurrence of severe environmental disaster or the occurrence of wide range military operations that would lead to the loss of the human role or leads to loss of technical role as well. Which is happening in the city of Mosul where the selection of ISIS gangs calling for the medical complex as an area of operations led to the medical complex to the consequences and severe damage to buildings, electrical power supply and infrastructure , which led to the loss of the human and technical role, thus the loss of all elements of security elements (deterrence, detection, delay and impediment, response and security management), Unauthorized access to the therapeutic source (the cobalt-60 unit) had happened and fortunately the unauthorized arrivals were thieves who were looking for any simple material theft so they stealing electrical connections and some operation components of the device, so can be imagine the sabotage scenario if the adversary are terrorists and they have the capability and intention, with presence of attractiveness, and ease to access to the radioactive source, by making a simple threat assessment, according to practical information regarding to the security situation and terrorist capabilities, the conclude is threat assessment rating is very high.
In order to prepare for such situations, the role of the technical factor should be greater and work independently of the human role, such as providing teletherapy treatment rooms or any rooms containing high-level radioactive sources from first or second categories with automatic doors operated by an independent power supply and closed in special cases such as earthquakes, explosions, war operations, hurricanes and floods, or if they are activated by the security official when they feel that a certain danger is imminent. The opening of these doors should be difficult without special codes that are equipped exclusively for those authorized person.
A long established methodology for determining the effectiveness of an overall physical protection system (PPS) is through a healthy and robust performance testing program. Performance tests are vital because they provide essential information used in the determination of asset risk and the analysis of protection effectiveness. By establishing and verifying detection, assessment, response, interruption, and neutralization data, one can determine baseline protection effectiveness and consider upgrade scenarios and improving effectiveness. Performance testing also addresses the needs of multiple stakeholders, including the vulnerability assessment teams, site/facility personnel, and safety, and provides management with an independent, objective assessment of overall physical protection systems.
Performance testing can be applied to any layer of PPS at a fixed site or any mode of transport. In an example of road transport by box truck, we can test one layer of a PPS. In this example, we will focus on the delay associated with breaching times of different types of tie down mechanism used to secure containers while in transit. This test will be limited scope in nature and will use three different methods of breaching (mechanical, ballistic, and explosive). During the test, we will attempt to breach the tie down chains and the locking mechanism multiple times with each method.
At the conclusion of the test, objectives and evaluation criteria will be analyzed to ensure the system is performing as required, deficiencies are identified, and stakeholders are provided with feedback/results. For example, the results from this particular set of tests can be used to determine figures of merit associated with delay mechanisms to determine response time needs in relation to the delay associated with breaching the tie downs.
This paper and presentation will discuss adapting fixed facility performance testing plans to transport, best practices for transport performance testing, and how to implement analyses in to protection strategies.
Large Panoramic Irradiators (LPI) are widely used to sterilize medical supplies, food products, spices, cosmetics, and other consumable goods. LPIs typically use a large array of cobalt (Co-60) sources to expose the products to gamma radiation. Co-60 is desirable to terrorist and criminal organizations that are interested in developing a radiological dispersal device (RDD) or radiological exposure device (RED). It is often believed that the LPI Co-60 provides an adequate level of self-protection because of the large radiation dose associated with the source array. This is not true in all scenarios and operational conditions. One typical LPI site with a one-source pool may contain up to 3 million curries (Ci) of cobalt. Approximately 50 commercial irradiators are in operation in the United States and over 200 are in operation worldwide. The United States Department of Energy/National Nuclear Security Administration’s Office of Radiological Security (ORS) is collaborating with LPI facilities to protect Co-60 with the goal of preventing the unwanted removal and misuse of the source material.
This paper will focus on the efforts by ORS to protect LPI sites from a successful theft of Co-60 and will include key lessons learned. These efforts include improving the performance of detection and delay systems to provide local law enforcement the ability to respond to an attack on the facility in a timely manner, which will prevent the removal of the source material. The protection strategy is to develop continuous and balanced layers of security measures. This objective is achieved through security upgrades to access control, intrusion and detection systems, and delay features.
ORS is currently working with several LPI industrial partners to implement the protection strategy. ORS worked with LPI partners over several years to develop a mutually acceptable base-line design and implementation process. The design is based on facility assessments, system analysis, component testing, and prudent security practices. For each facility, ORS and partners consider the operational aspects of each facility to develop protection enhancements that minimize any impact to efficiency and effectiveness of the LPI production process.
Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525.
Modelling and Simulation (M&S) in nuclear safety applications is commonplace, for example to underpin and inform criticality, dose and shielding assessment. However, the adoption of modelling and simulation for nuclear security has not seen the uptake that many anticipated. This is despite significant advances being made in the capability of equivalent tools for nuclear security, coupled with the potentially significant cost savings that could be achieved. Further, despite workshops/initiatives by organisations such as the institute of Nuclear Materials Management (INMM), and development of best practice guides by the World Institute of Nuclear Security, evidence of M&S tools being used to inform decisions in the nuclear sector are not well publicised.
This paper intends to present the results of work undertaken jointly by the National Nuclear Laboratory on behalf of Magnox Limited and the Nuclear Decommissioning Authority (NDA) to provide evidence upon which future land use and security infrastructure decisions can be made. Magnox Limited are responsible for the management and decommissioning of the early UK Magnox reactor fleet, and a number of early UK nuclear programme research and development sites. These sites are owned by the Nuclear Decommissioning Authority, who sponsored this application of modelling and simulation to this project.
The ARES Security Corporation. AVERT product was utilised for conducting a programme of work to assess potential future changes to a site perimeter, and also its policing and guarding arrangements. The outcome of this work is to be used to inform future investment decisions on infrastructure modifications with the intention of being able to reduce the overall footprint of the site and release land back for redevelopment. Coupled with this will be the necessary changes to the policing and guarding posture commensurate with providing the guarding and response for a smaller site.
The site has been re-created in 3-dimensions using existing engineering models built in CAD, along with options for future potential layouts/configurations. The work utilises the UK Design Basis Threat known as the Nuclear Industries Malicious Capabilities and Planning Assumptions (NIMCA) document to derive the postulated scenarios and adversarial capabilities that the site is required to mitigate against. These have been integrated into modelled scenarios to determine overall security system effectiveness as a measure for comparison between the options. The scenarios that are being assessed are also aligned to those used in the Vital Area Identification process.
Analysis of the comprehensive model output files enables interrogation of key scenarios and key events. This provides an unrivalled insight to the progression of an adversarial attack, their interaction with the integrated Physical Protection System (PPS), and determine the effectiveness of the various layers and components.
The paper will present comparative results arising from the work and their use in aiding decision making on future land-use, and the associated policing and guarding arrangements. Key challenges and benefits associated with the use of modelling and simulation will also be presented to further inform the debate and development of these innovative approaches.
Acknowledgements:
Our appreciation and thanks are extended to the Nuclear Decommissioning Authority for their sponsorship of this work, and to Magnox Limited for their engagement and participation in the successful delivery of the project.
The present paper summarizes the work conducted by the authors working on the International Atomic Energy Agency (IAEA) Coordinated Research Project (CRP) on “Nuclear Security for Research Reactors and Associated Facilities (RRAFs)-J02006” and more specifically, Task 2 activities: “Comprehensive Measurement of Security Risk for Research Reactors and Associated Facilities (RRAF)”. Task 2 aims to determine a methodology to estimate/inform on the holistic security risk posed by the suite of radiological and nuclear targets at a RRAF. This methodology will allow comparison of risks posed by buildings within a site and sites within a country.
The work focused on analysing the “likelihood” dimension of risk and more specifically, identifying the attractiveness of the nuclear and radiological material as potential theft and sabotage targets. Attractiveness addresses the ease of access and simplicity of initiation of unacceptable consequences without considering the local threat environment or security system of the RRAF. Concerning the “consequences” element of risk, the focus of the work thus far has been on the health and economic impacts of an event.
The proposed approach assesses the attractiveness and potential consequences of the nuclear and radiological materials and then proceeds to aggregate on building level and for the entire facility. Since RRAFs typically contain multiple potential targets, we propose a methodological framework to identify which materials / buildings and facilities are at higher risk, by comparing dissimilar events and types of material.
The application of the proposed methodology is applied to the IAEA Hypothetical Atomic Research Institute – HARI and is presented.
The security of research reactors and associated facilities are subject to regulatory assessment. This oversight is designed to ensure that the security system meets the required regulatory standards nationally and internationally. Though the intention of this is to prove that the systems will work against a defined adversary stated in regulations, it does not always be fully assured that it will work perfectly. The reasons could be the differing judgments on the effectiveness of certain measures and the fact that there is no one straight security measure that is likely to be wholly effective against that method and may not always be clear how other measures compensate for any such deficiency.
Some questions also arise because of the inevitable compromises that have to be made to accommodate conflicting priorities and because of the complexity of the systems involved. This starting point of the Methodology is, therefore, the existing regulatory framework, policies and guidance on which the security system is based. If, as a result of the Assessment, a security system is deemed insufficient it needs to be borne in mind that the failure may be, at least in part, in the Regulations not just their application.
This paper summarizes the work conducted by the authors working on the International Atomic Energy Agency (IAEA) Coordinated Research Project (CRP) on “Nuclear Security for Research Reactors and Associated Facilities (RRAFs)-J02006” and more specifically, Task 1. A Hypothetical Atomic Research Institute (HARI) was established to serve as the State’s premier nuclear energy research facility. HARI’s purpose is to build scientific expertise and capacity for the country. The Institute houses a research reactor facility, radioisotope production facility, fuel element fabrication facility, gamma irradiation facility, waste processing and storage facility, and administrative and facility support facilities. The study only considered the research reactor facility in the HARI.
The main objective of this paper is to apply NUSAM results which are a performance-based methodological framework in a systematic, structured, comprehensive and appropriately transparent manner on Research Reactors and Associated facilities. The framework will be used to assess the nuclear security of nuclear and other radioactive materials, as well as associated facilities and activities within regulatory control. It is also to determine which methodology to apply, Simple, Complex or both, for RRAFs ensuring alignment between the NUSAM and RRAF CRPs and to develop “case study/ies” for RRAFs. The objective is to provide an environment for the sharing and transfer of knowledge and experience, and to provide guidance on, and practical examples of good practice in assessing the security of RAFFs and activities.
The intent of the Research Reactor Case Study was to evaluate the assessment methodology outlined as part of the NUSAM Methodological Framework. This case study focuses upon the use of a tabletop approach, which normally produces qualitative results, an alternate approach should include the use of a complementary tool for neutralization, which produces quantitative results. The tabletop proved adequate for the application of evaluating the effectiveness of the physical protection system at a research reactor facility. The following represents the conclusions of the working group team: 1) Tabletop prove useful, however with the absence of site-specific performance tested data, analysis would be difficult. 2) Tabletops have great impact if all stakeholders are involved and provide relevant information in the conduct of the tabletop analysis.
Given the rising threat of radiological and nuclear terrorism, it is imperative to assess if radiological facilities, such as universities and medical centers, have the means to fully understand and evaluate the security of their radioactive sources. In this context, risk assessment is a function of threat, vulnerability and consequences. This study aims to develop and demonstrate a methodology to compute a risk index for a higher education institution (university), based on the probability of occurrence of a Threat Event (TE) and its subsequent magnitude of incurred loss. This risk index provides a quantitative value for comparing risk and making decisions towards radiological security improvements. The index employs the triplet definition of risk, structured as a set of threats, vulnerabilities, and consequences. These were used to construct a single composite number by weighing the threat scenario probabilities, relative attractiveness and characteristics of the radioactive material, multiple parameters elevating vulnerability of source security, and the consequence net loss. The risk decomposition is based on the Factor Analysis of Information Risk (FAIR) ontology. Probability density functions and event trees were then used to simulate scenarios to estimate the probability of successfully completing a malicious act at the university, such as theft of the source. For this study, a higher education institution that uses a number of radioactive materials for research and teaching, was analyzed using the risk index model. Specifically, three facilities housing nuclear or radioactive sources at the university were compared: a research reactor, Co-60 irradiator, and radiopharmaceutical laboratory. The emphasis of the study is on the research reactor, but the other facilities were also analyzed for comparison. The research reactor facility houses a 10-kW swimming pool type reactor containing plate type uranium/aluminum fuel. The irradiator facility contains both Co-60 and Cs-137 sources with Ci amounts of activity. The radiopharmaceutical facility contains a number sealed and unsealed sources with mCi amounts of activity. Two proposed attack scenarios (theft and sabotage) were simulated for each facility. The radiopharmaceutical laboratory sources yielded the highest probability of successful sabotage and theft outcomes while the reactor facility yielded the highest consequences in the sabotage scenario. The contribution of the proposed research is significant as it allows for a new tool in the field of radiological source security-one that is expected to introduce, analyze and numerically test a methodology that yields a facility level risk index.
The NRC licenses and provides oversight of the civilian use of special nuclear materials (SNM) used at research reactors. Regulatory oversight seeks to protect public health and safety, promote the common defense and security, and protect the environment.
The existing SNM physical protection regulatory requirements at research reactors are graded using a material categorization approach similar to that found in “Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Materials” (INFCIRC/225/Revison5). The application of a graded approach is essential given the wide diversity among the regulated community of research reactors. The NRC regulates 31 research reactors, some are located on federal government campuses, some are privately owned, but most are located at universities. While some of the university research reactors are located off campus in remote locations, many are in classroom buildings in the middle of campus.
The regulations identify requirements for physical protection of SNM, depending on its Category, using a defense is depth approach. The ease of separability of SNM from other radioactive materials and external radiation levels is also considered to a varying degree in assigning different physical protection requirements or in exempting certain materials from physical protection requirements. Finally, security requirements are applied based on power level, with research reactors of higher power level requiring additional measures to protect against sabotage.
This presentation will discuss the NRC regulatory framework as it applies to research reactors and their unique environments. It will also show how the NRC applies security requirements on a site-specific basis using a graded approach. The presentation will also discuss lessons learned and effective practices identified regarding the implementation of regulations and interagency initiatives as they apply to research reactors. Some of which were highlighted in 2013 when the NRC hosted an International Physical Protection Advisory Service Mission (IPPAS).
This paper introduces the main concepts of the project management strategy for upgrading the Physical Protection System (PPS) at nuclear facilities. The project scope is redesigning the security systems to enhance the security measures to fulfill the requirements and recommendations of IAEA and the vision of the member state. The most challenging of security project is the successful management of project and solving the problems such as lack of resources, budget, and qualified contractors. However, failure in managing project causes waste of resources and delays the closing, which affect the reliability of protection and increase the threat likelihood. This work gives an integrated model for the project phases based on the project management standard and the Project Management Institute (PMI) models.
Synopsis
This paper will outline the potential benefits of taking a business-orientated approach to nuclear security and the opportunities and challenges that may offer. It draws on experiences of UK industry and activities conducted under the UK Government’s Global Nuclear Security Programme (GNSP) (formerly Global Threat Reduction Programme, GTRP), which has been designing and delivering international nuclear security education, training and support for more than 20 years. This work forms the basis of the Nuclear Security Culture Programme (NSCP), an industry-academic consortium dedicated to supporting operators, regulators, academics and government agencies around the world. Led by King’s College London since 2014, the NSCP is increasingly recognising the application of concepts from the field of business administration and strategic management to nuclear security. Reflecting this new approach, the NSCP’s workshops and other activities now often include business-orientated topics such as risk management, leadership and business assurance.
The recent Nuclear Security Summit process led to an unprecedented level of attention directed towards nuclear security and helped to consolidate an international consensus at the governmental level on the need to mitigate the risk of nuclear terrorism. However, since the summit process ended the political momentum driving reforms and innovations has slowed. Government commitment and leadership remain vital to maintain the international nuclear security framework, but it is increasingly evident that this also requires the active participation of industry actors and the private sector.
Nuclear and radiological source licensees around the world are demonstrating ever greater responsibility and commitment to securing nuclear and radioactive materials and sensitive information. This is a commendable achievement, and a development that is reframing the normative context for nuclear security practices and behaviours. However, there remains a major obstacle to further progress: namely, nuclear security still tends to be regarded as an economic burden for operators. Rather than nuclear security being viewed as an enabler in disseminating the peaceful uses of nuclear technology, this aspect of the nuclear enterprise is too often considered as a drain on the bottom line. This presents challenges for nuclear security personnel trying to negotiate security budgets with the management level or governing board within nuclear organisations. The relatively low level of recorded security incidents exacerbate such complacency, despite it being widely accepted that calculations on risk must also factor in likely consequences of a given scenario; in the case of a nuclear terrorism event, these would be catastrophic.
Drawing on interviews with nuclear security managers and other personnel, the paper will explore implementation challenges faced by stakeholders charged with responsibility for nuclear security. In so doing, it will propose new ways of conceptualising nuclear security as a business enabler. The paper will detail the approach of the NSCP to its international workshops and other activities, with a focus on how business and strategic management concepts can be articulated to reframe nuclear security as a core business function providing value. The development of these workshops is not a simple endeavour in view of the difference in civil nuclear programmes, the range of licensees and the diverse national contexts and regulatory systems*. Nevertheless, the NSCP has observed that a business-orientated approach has worldwide relevance. Indeed, the evolution in funding mechanisms for new nuclear power plants is likely to bring core business functions and their associated costs under greater scrutiny as part of the commissioning and construction process. Likewise, shareholders are increasingly concerned by broader issues such as reputational damage and corporate social responsibility.
In particular, the paper will focus on the topic of risk management which now features across the NSCP workshops and other training and educational activities. A risk management approach emphasises how risk identification, risk assessment, risk reduction planning and risk audits are key business assurance processes. These processes are designed to ensure that security arrangements are proportionate, appropriate and affordable. Nuclear operators are encouraged to create links between the component parts of the risk framework, namely: critical asset and vital area identification; threat assessment and risk appetite; and risk reduction treatment. In so doing, business value is placed on the reduction of security risks. There is also an emphasis on leadership, management and governance within this context, enabling risk management to be positively enforced across the organisation. The paper will present an innovative and interdisciplinary approach to the area of nuclear security, providing new insights on what might be termed a ‘virtuous circle’** in aligning security best practice with business value.
*Participants at NSCP workshops include stakeholders from nuclear power plants, the regulator, government bodies and research, as well as those working with radiological sources at universities, healthcare, oil and gas companies, and other industries.
**For more on this concept, see Laura S. H. Holgate, ‘Virtuous Circles: Linking Business and Nuclear Security’, paper presented at the High-Level Panel on Nuclear Security, Norwegian Nobel Institute (8-10 June 2017).
Today’s nuclear institutions are facing major security issues; consequently, they need several specially trained personnel to attain the desired security. This personnel may make human mistakes that might affect the level of security. The human face plays an important role in social interaction, identifying people. Using the human face as a key to security, face recognition technology has received considerable attention, very popular and it is used more widely because it does not require any form of physical contact between the users and the device. This system is composed of two parts: the hardware part and software part. The hardware part consists of a camera and a motorized microcontroller system, while the software part consists of face-detection and face-recognition algorithms software. A camera scans the person's face and matches it to a database for verification. In this paper, we present an access control entering system to a must highly secured environments like nuclear/radiation environments. First, when a person enters to the zone in question, a real-time video stream is run by the camera and sent to the software to be analyzed and compared with an existing database of trusted people, and we propose an algorithm to detect and recognize the face of the person who wants to enter to the secured area and verify if he is allowed. The access door will be opened if the user is recognized and an alarm goes off if the user is not recognized.
The internet, which for years has been viewed as a global online commons with standardized protocols but few regulations, is, according to some experts, starting to mirror the contentious political and commercial contours of the physical world.
A number of problems, including data breaches, privacy debates, cyber enabled attacks on critical infrastructure, government surveillance operations, theft of intellectual property, and manipulation of electoral processes, have contributed to a growing skepticism in many states that an open internet will naturally serve the best interests of users, communities, countries, and the global economy. In addition, the rapidly emerging and increasingly lucrative power of data has global superpowers eager to protect their informational sovereignty as an urgent matter of national security.
Recognizing some of the problems associated with an open internet, a number of States have begun making efforts to isolate their domestic internet for politic, economic, or social reasons. This trend towards a more fractured internet, or “splinternet,” has courts and governments embarking on what some call a "legal arms race" to impose a maze of national or regional rules, often conflicting, in the digital realm.
There is a need to evaluate the possible security implications if the internet does indeed fracture into a number of smaller, nationally-administered internets organized along geopolitical boundaries. While the status quo is not without its own vulnerabilities, a new structure may present new or different threats to the physical protection systems and cyber security measures that currently protect nuclear facilities and material worldwide.
Considering a potential future “splinternet,” this paper will specifically assess how a fractured internet may affect the various nuclear security systems operating around the world. Specific questions could include:
• Will fractured monitoring of malware threats increase the severity of malware outbreaks?
• Could less comprehensive evaluation of vulnerabilities further erode trust in safety/security systems?
• Will it be more difficult to provide robust configuration management across unique application domains?
• What are the safety and security implications for industrial control systems (PLCs and similar) if they become less standardized?
• If the Internet fractures along national borders, will it lead to new protocols and architectures for large networks?
• Will it enable or hinder attribution of bad actors in the digital realm?
Abstract
Nuclear security is facing great challenges nowadays due to the rapid development of technology, and Drones are one of among the major growing new technology which are currently considered the biggest threat to nuclear facilities, and I focused in these study on a type of Drones called small Unmanned Aerial Vehicles where it became spreading at everywhere, have many commercial applications, and anyone can easy own it.
These Paper addressed the potential threats, risks and the impact of the incident of the widespread use of Drones and the impact of these spreading to the security of nuclear facilities. Threats will clearly differ from country to country, region to region and location to location but I focused on the middle east area to show several examples of using Drones by terrorists for attacking facilities and individuals in Iraq and Syria. And these sure that terrorists and any one have malicious intents may be using Drones for attacking Nuclear Facilities in the near future and there is not nuclear security system currently have anti_drones to prevent the expected Drones attacks
In these study I took in my consideration International Atomic Energy Authority nuclear security recommendations when I introduced sum of solutions and suggests to mitigate the threats of Drones, by improvement the current legislation which regulate the use of Drone, and the imposition of sanctions on those who violate the law of their use, and enhancement Nuclear Security System to prevent, detect, delay, and response (neutralization) of Drones attacks at nuclear facilities on time and upgrading physical protection systems for all nuclear and radio-logical nuclear facilities.
It will a revolution in the manufacture of the Drones during the next five years and the Drones will develop fast and have a big capability to arrive long distance, carry explosive materials and it will have advanced artificial intelligence systems help it to do tasks at any time, so that, we should build strong nuclear security systems flexible to be able to for facing the expected threats of Drones in the near future.
Keywords: nuclear security, Drones, Threats, Risks. Unmanned Aerial Vehicle
Cyber incidents are the norm in every industry, and the nuclear industry is no different. However, the effects of an incident are different in the nuclear sector, where consequences are heightened by fears of radiation releases and material diversion. In an era of fake news that often spreads on social networks quicker than accurate official reports, incident planning needs to be prioritized and given a fresh look.
That was just one finding from a workshop on nuclear cyber risks held in Vienna, Austria, in late 2018. The Fissile Materials Working Group (FMWG) - a coalition of 80 organizations from around the world working to keep the world safe from nuclear terrorism - in collaboration with the Stimson Center brought together cybersecurity experts and stakeholders to consider cyber risks in the civil nuclear industry and how to address them. The workshop report, Nuclear Cybersecurity: Risks and Remedies, details 10 findings.
Since the time of that report, FMWG and Stimson have been working with expert stakeholders to further assess those risks, to consider new emerging risks, and to prioritize actions needed to better manage them.
In the cyber incident management example, it was found that more scenario-driven exercises are needed, as well as joint development of possible approaches to misinformation and the creation of an “accurate news” repository. With artificial intelligence (AI) now assisting the development of “deepfakes,” disinformation has become an even greater challenge to officials looking to convey appropriate emergency information after a nuclear/radiological event. Efforts to develop good approaches to this challenge should be coordinated with IAEA emergency response work and could be exercised through both new and existing forums, such as the Global Initiative to Counter Nuclear Terrorism (GICNT) exercises.
The issue of secrecy in security also presents a sector challenge, with management of nuclear security being more close hold than in some other sectors. One way to address the requirement for secrecy is the establishment of an anonymized database comprising lessons learnt regarding security incidents, be they accidental/intentional or cyber/physical/combined. An “operator database” resource should be developed from opensource reporting and voluntary sharing and may include safety incidents with cyber-components. The database should also include incidents on industrial control systems from other industries that could affect the nuclear sector.
New approaches are needed to reduce risks. Some, for example, have suggested nontargeting of nuclear power plants including via cyber intrusions. But to enforce agreement on this, cyber attribution would be needed. This paper will detail some new work being done in the private sector and civil society to help with attribution.
The paper will also consider new technologies. Unmanned aerial vehicles and wearable digital devices already threaten information security and potentially nuclear facility operations. Some even newer technologies can also be a help to security as well as a threat. For example, robotics and remotely-operated weapon systems all can assist in making security more cost efficient and could be an effective attack deterrent. However, these also present additional attack surfaces for cyber intrusion. An understudied factor is any catastrophic incidents occurring from the misuses of new technologies and machine intelligence, which are so unknown, will almost certainly be unpreventable and beyond the design basis threat of any nuclear facility.
What is the nuclear industry to do? And what can governments do to help address these risks?
The original work of the first FMWG-Stimson workshop – an assessment of nuclear cyber risks and recommendations for addressing those risks – is in the process of being analyzed with input from dozens of expert stakeholders. This paper presents an updated analysis that considers even newer risks, recounts some of the work being done to address nuclear cyber risks and presents recommendations for actions to be undertaken to manage these risks.
Nuclear Facility Low Altitude Threat and Defense Technology
——Identification, Comparison and best practise sharing
With the rapid development of high and new technology, Low-altitude, Slow-speed and Small-sized Aircraft(Hereinafter to be referred as LSSA), represented by UAV, paraglider, hot air balloon and other light aircraft, are becoming more and more widely used. However, due to the fact that the corresponding regulations and technical measures still lag behind, the rapid development of LSSA brings lots of serious new challenges to nuclear security issues.
There are lots of concerns regarding the boundary of a facility’s anti-aircraft capacity. So the first chapter of this paper discusses the potential consequence of different type of malicious acts with LSSA, such as technical investigation, illegal transportation, direct sabotage, public-opinion influence, uncontrolled falling, electromagnetic interference and intrusion assistance. This chapter also analyses the low-altitude threat situations based on the research above and sorts out the threat forms and protection strategies that different nuclear facilities should focus on accordingly.
The second chapter aims at introducing the regulatory system and legislation actions of Chinese central government concerning the "LSSA threat" of most valuable facilities, as well as the problems and solutions of corresponding law enforcement practices conducted by some local governments. In addition, the technical criterion framework under the exiting legal system for low-altitude defense of nuclear facilities compiled by the State Nuclear Security Technology Center (SNSTC) is also presented in this part of the paper.
In the third chapter, I elaborates the advantages and disadvantages of some available detecting technology, including radar, intelligent video, frequency spectrum surveillance, sonar, and TDOA. Sequentially, this chapter analyzes the pros and cons of available response(suppression) technology like laser, micro-wave, net capture, protocol decoding, navigation trick, and frequency disturbance. According to the analysis of various technical paths, this chapter puts forward a systematized solution that consists suitable detect and response technical measures. In addition, this chapter provides some details regarding how State Nuclear Security Technology Center (SNSTC) inspects and verifies these technical measures.
At present, there are some nuclear power plants in China that have already enhanced their capacity to prevent and mitigate low altitude threat. In fourth chapter, the author takes NPPs in Yangjiang, Ningde and Changjiang as three examples so as to introduce different experience and feedback in different stages, including operation, construction and preparation of LSSA defense practice. This chapter introduces a Symposium on Nuclear Facility Low-altitude Threat and Mitigation, which was jointly held by Chinese Nuclear Society, State Nuclear Security Technology Center(SNSTC), undertook by China Nuclear Power Engineering Co in 2019. Some consensus and achievements of the symposium are demonstrated in this chapter.
In last chapter, a conclusion as well as some expectations and proposals are put forward .