10–14 Feb 2020
Europe/Vienna timezone

Open-Source vs. Proprietary Software: A Case Study in Trust and Security

Not scheduled
15m
Poster CC: Information and computer security considerations for nuclear security

Speaker

Keith S. Morgan (Los Alamos National Laboratory)

Description

Software plays an ever-increasing trusted role in all aspects of life: from door locks to self-driving cars to fish tanks. We† trust the software in our smart locks to keep intruders out of our houses. We† trust the software in self-driving cars to get us to our destination safely. We† even trust the software in our smart fish tank to feed our goldfish. The software running nuclear facilities is no exception: it requires trust in the functionality, trust in the quality, trust in the security, etc. As the use of digital systems continues to rise in nuclear facility systems, trust in the software powering those systems plays an increasingly important role in nuclear security.

In this paper we examine the trustworthiness and security of open-source vs. proprietary software. As open-source software has grown and become mainstream, there is now often a choice between an open-source and a proprietary solution. We attempt to enumerate the advantages and disadvantages of each, particularly with respect to trust and security. In order to do that, we define each in terms of licensing models, source release models, development models, business models and so forth. We discuss how each variable impacts trust and security. Finally, we present a case study in the software powering virtual private network (VPN) devices, important network security components specifically recommended for nuclear security applications in the International Atomic Energy Agency’s (IAEA) Nuclear Security Series [1] and in a report to the United States (U.S.) Nuclear Regulatory Commission (NRC) [2] regarding security at nuclear power plants.

[1] International Atomic Energy Agency, 2011. IAEA Nuclear Security Series No. 17. Computer Security at Nuclear Facilities.

[2] J. T. Michalski, F. J. Wyant, and D. Duggan, Secure Network Design Techniques for Safety System Applications at Nuclear Power Plants. Sandia National Laboratories, 2010.

LA-UR-19-24911 - Approved for public release; distribution is unlimited.

†Perhaps, more accurately, “some of us”.

State United States

Primary authors

Keith S. Morgan (Los Alamos National Laboratory)

Paul S. Graham (Los Alamos National Laboratory)