Speaker
Ingo Naumann
(IAEA)
Description
The IAEA’s nuclear safeguards instruments must be frequently evaluated against attack vectors, which are extremely varied and, at first approximation, may seem inconsequential, but are not. To accurately analyse the impact of attacks on a multi-component system requires a highly structured and well-documented assessment. Tree structures, such as fault trees, have long been used to assess the consequences of selecting potential solutions and their impact on risk. When applied to security threats by introducing threat agents (adversaries) and vulnerabilities, this approach can be extremely valuable in uncovering previously unidentified risks and identifying mitigation steps.
This paper discusses how attack trees can be used for the security analysis of nuclear safeguards instruments. The root node of such a tree represents an objective that negatively impacts security such as disclosing and/or falsifying instrument data or circumventing safeguards methods. Usually, this objective is rather complex and attaining it requires a combination of several security breaches which may vary on how much funding or what capabilities are required in order to execute them. Thus, it is necessary to break the root objective into smaller, less complex units. Once a leaf node describes a reasonably comprehensible action, it is the security experts’ task to allocate levels of difficulty and funding to this node. Eventually, the paths from the leaf nodes to the root node describe all possible combinations of actions necessary to carry out a successful attack. The use of a well-structured attack tree facilitates the developer in thinking like the adversary providing more effective security solutions.
| Country or International Organization | IAEA |
|---|---|
| EPR Number (required for all IAEA-SG staff) | 695 |
Primary author
Ingo Naumann
(IAEA)
Co-author
Bernard Wishard
(iaea)
