1. INTRODUCTION
Background
1.1. Computer based systems play an essential role in all aspects of the safe and secure operation of facilities and activities using, storing and transporting nuclear material and other radioactive material, including maintaining physical protection, and in measures for detection of and response to material out of regulatory control. All such computer based systems therefore need to be secured against criminal or intentional unauthorized acts. As technology advances, the use of computer based systems in all aspects of operations, including nuclear security and safety, is expected to increase.
1.2. The Nuclear Security Fundamentals [1] stress the importance of information security, including computer security, within a nuclear security regime, and the need for assurance activities to identify and address issues and factors that might affect the capacity to provide adequate nuclear security, including computer security.
1.3. The security of sensitive information is a component of Essential Element 3 for a national nuclear security regime. Reference [1] states that: “The legislative and regulatory framework, and associated administrative measures … Provide for the establishment of regulations and requirements for protecting the confidentiality of sensitive information and for protecting sensitive information assets”. The security of sensitive information and sensitive information assets implies protecting the confidentiality, integrity and availability of such information and assets. The Amendment to the Convention on the Physical Protection of Nuclear Material [2] also identifies the protection of the confidentiality of information as its Fundamental Principle L.
1.4. Paragraph 4.10 of the Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Revision 5) [3] states:
“Computer based systems used for physical protection, nuclear safety, and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment or design basis threat.”
1.5. The Nuclear Security Recommendations on radioactive material and associated facilities [4] and on nuclear and other radioactive material out of regulatory control [5] also stress the need to prevent unauthorized access to sensitive information and to protect it from compromise. Suggested Recommendations level guidance, intended to supplement the recommendations on computer security in Refs [3–5] pending future revision of these publications, is provided in Annex I.
1.6. When computer based systems are used to process, transmit and store sensitive information in digital form, its confidentiality, integrity and availability need to be sufficiently protected through the implementation of computer security measures throughout the life cycle of such digital assets. Computer security includes the measures necessary for the prevention and detection of, response to and recovery of computer based systems from cyber-attacks.
1.7. Nuclear security threats have identified cyber-attacks as a means to target computer based systems to carry out or facilitate malicious acts, whether directly or in combination with more conventional means such as physical access and insiders. Such acts could result in unauthorized removal of nuclear or other radioactive material or sabotage potentially leading to unacceptable radiological consequences. Cyber-attacks could also be used to facilitate other criminal or intentional unauthorized acts, such as trafficking of nuclear or other radioactive material out of regulatory control.
1.8. To address the full range of potential nuclear security threats, therefore, a nuclear security regime needs to include the means to address threats who have or can acquire skills for targeting computer based systems with cyber-attacks. Furthermore, nuclear security threats who do not themselves have such skills can induce individuals who do have them (for example, by payment or by duress) to assist.
1.9. Maintaining effective computer security at facilities handling nuclear material or other radioactive material, and in associated activities such as transport, is a significant challenge, owing to the substantial and rapidly evolving threat. Many of the essential elements of a State’s nuclear security regime depend upon, or are supported by, computer based systems and therefor...