Cyber and Information Security from a Regulatory Viewpoint Cyber Security for Nuclear Newcomer States - PowerPoint PPT Presentation

Slides: 23
Transcript and Presenter's Notes

Cyber and Information Security from a Regulatory Viewpoint: Cyber Security for Nuclear Newcomer States
Dr. Farouk Eltawila, Chief Scientist, Federal Authority for Nuclear Regulation
Senior Regulators Meeting, International Atomic Energy Agency, Vienna, Austria, 19 September 2013
Presentation Outline
  • The Nuclear Energy Policy of the UAE
  • International Commitments and Cooperation
  • Cooperation with the IAEA
  • Licensing the First NPP in the UAE
  • Cyber Security Regulatory Framework
  • National Allocation of Resources
  • Information Security
  • Cyber Security
  • Conclusion

UAE Policy on the Evaluation and Potential
Development of Peaceful Nuclear Energy
  • Complete operational transparency
  • Highest standards of non-proliferation
  • Highest standards of safety and security
  • Close cooperation with the IAEA
  • Partnership with governments and firms of
    responsible nations
  • Long-term sustainability

The UAE Concluded all Relevant International Conventions
  • Convention on Nuclear Safety
  • Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management
  • Conventions on Early Notification and Assistance
  • Vienna Convention on Civil Liability for Nuclear Damage
  • Convention on the Physical Protection of Nuclear Material (and the CPPNM Amendment)
  • Comprehensive Safeguards Agreement with the IAEA
  • Additional Protocol to the Safeguards Agreement

Cooperation with IAEA
  • The UAE Nuclear Law codified the essential principles and priorities of the Nuclear Policy
  • Implementation of safety, security, and safeguards regulation (3S)
  • Use of IAEA guidance:
    • Milestones in the Development of a National Nuclear Infrastructure
    • Safety Standards
    • Nuclear Security Series
  • Technical Cooperation Programme:
    • Workshops, training, technical assistance
  • Peer review and expert missions:
    • INIR, IRRS, siting review

FANR Organisation
Construction Licence Application/License
  • Preliminary Safety Analysis Report
  • 21 Chapters and supplements and addenda covering
    Safety, Security and Safeguards
  • Physical Protection Plan for construction
  • Preliminary Safeguards Plan
  • Preliminary Probabilistic Safety Assessment
    Report Summary
  • Severe Accident Analysis Report
  • Aircraft Impact Analysis Report
  • Construction Licence for Barakah Units 1 and 2 (17 July 2012)
  • Application received (February 2013) for construction of Barakah Units 3 and 4

General Principles of Cyber Security Regime
  • Fundamental Principle A: the responsibility for the establishment, implementation, and maintenance of a physical protection regime within the State rests entirely with the State
  • National allocation of responsibilities
  • Establish a Cyber Security Regulatory Framework
  • Requirements that are realistic, proportionate, and flexible to implement
  • Including cyber security threats in the physical
  • The cyber threat is continually changing
  • Sustained attacks can go undetected
  • Maintain a skilled cyber security workforce
  • Engagement of senior leadership in cyber security risk management
  • Identifying, protecting, detecting, responding to, and recovering from cyber security events
  • Capitalize on built-in safety measures (defence in depth, diversity, redundancy)
  • Cyber security measures and safety measures should not compromise one another
  • Provide cyber security awareness and training to all users
  • Combating insider threats using technical, administrative, and physical measures
  • Managing supply chain risk and other dependencies

(Source: IAEA Nuclear Security Series No. 17, Computer Security at Nuclear Facilities)
National Allocation of Responsibilities
  • In the early planning stages, the UAE government identified the key competent authorities and their responsibilities
  • Nuclear Law: Federal Law by Decree No. 6 of 2009 Concerning the Peaceful Uses of Nuclear Energy
    • Established FANR and provided the legal framework for safety, security, and safeguards (3S)
    • Establish and maintain a state system of accounting for and control of nuclear material
    • Establishment, implementation, and maintenance of an effective, sustainable nuclear security regime
    • Allows other competent authorities in the State to provide security to vital facilities
    • Determines civil and criminal penalties for:
      • unauthorized disclosure of information that affects the physical protection system
      • any act that breaches the provisions of the International Convention for the Suppression of Acts of Nuclear Terrorism
  • Cooperation with other authorities with relevant responsibilities:
    • Critical Infrastructure and Coastal Protection Authority (CICPA)
    • National Electronic Security Authority (NESA)
    • National Crisis and Emergency Management Authority
    • UAE Telecommunications Regulatory Authority (Computer Emergency Response Team, CERT), etc.

Performance Objectives
  • High assurance that critical digital assets (CDAs) are protected against cyber attacks
  • Safety and security are implemented in an integrated manner so that one does not adversely impact the other
  • CDAs are treated as vital equipment that, if failed or destroyed, could lead to core or spent fuel damage; they are therefore:
    • located within the double barriers of the Physical Protection Programme
    • under controlled access
    • included within the target set as elements, and
    • included within security guard surveillance
  • Capitalize on facility design and operation:
    • Defence-in-depth, diversity, redundancy
    • Measures to mitigate the consequences of accidents and failures
  • Cyber security features included in safety systems should be developed and qualified to the same level as the systems in which they reside

Physical Protection/Cyber Security Regulation: IAEA Recommended Requirements
  • The FANR Security Regulation conforms with IAEA INFCIRC/225/Revision 5 (NSS 13)
  • Requires the operator to establish and maintain a Cyber Security Plan as part of the Physical Protection Plan, to ensure that computer-based systems used for physical protection, nuclear safety, emergency response, and nuclear material accountancy and control are protected against compromise (e.g. cyber attack, manipulation, or falsification) consistent with the threat assessment
  • Implementation documents:
    • FANR Regulation (REG-008) and Regulatory Guide (RG
    • IAEA Nuclear Security Series No. 17 (NSS 17)
    • USNRC Regulatory Guide 5.71
    • National Institute of Standards and Technology Cyber Security Framework
    • Nuclear Energy Institute guidance NEI 10-04
    • World Institute for Nuclear Security, Security of IT and I&C Systems at Nuclear Facilities

Implementation of FANR-REG-08 (Roles and Responsibilities)
(Diagram: FANR, acting under the Federal Law and the FANR implementing regulations; CICPA, acting under its command-mandated critical infrastructure role)
  • A classified DBT was established by CICPA
  • Training and exchange of expertise
  • Ease of access for FANR's and the IAEA's inspectors
  • Inspections (joint / separate)

(Diagram: FANR regulatory activities; CICPA's Nuclear Physical Protection Department; ENEC cyber activities; design and implementation of the PPP; FANR review and approval of the PPP)
Protection of Information and Information Systems
  • State's Role:
    • Implement a resilient IT infrastructure and cyber
    • Issued Federal Law by Decree On Combating
    • Established the National Electronic Security Authority (NESA) for reducing cyber risks to critical
      • Organize the protection of the communication network and information systems in the UAE
      • Set network security standards
      • Supervise their execution
    • Established the UAE Telecommunications Regulatory Authority Computer Emergency Response Team (CERT) for detecting and preventing cyber-crime and safeguarding critical national computer
    • Using graded protection, State Security determines the trustworthiness policy, with consideration of UAE laws, regulations, and job

Protection of Information and Information Systems
  • FANR's Role:
    • Issued (in collaboration with CICPA) the Information Protection Programme Operating Manual
  • Operator's Role:
    • Protect against unauthorised access to sensitive nuclear information and cyber intrusion into the digital computer systems, communication systems, and networks that are:
      • important to the safety and operation of the facility,
      • supporting the physical protection system, and
      • used for emergency planning and communication
    • Selection and implementation of security controls:
      • to protect the confidentiality, integrity, and availability of information systems and of the information processed, stored, and transmitted by those systems, and
      • to mitigate the risk of using information and information systems to achieve the desired or required level of assurance

Cyber Security
  • FANR's Role:
    • Issues regulatory requirements to:
      • Improve security
      • Increase reliability and resiliency in the delivery of services critical to cyber security
    • Requirements are non-prescriptive, to encourage innovation and more effective solutions
    • Ensure compliance and enforcement
    • Prevent unauthorised access to computer systems or communications equipment
  • Operator's Role:
    • Establish and maintain a Cyber Security Plan
    • Prevent unauthorised access to computer systems
    • Response and reconstitution of critical
    • Combating insider threats using technical, administrative, and physical measures

Cyber Security Plan
  • Critical Digital Assets:
    • Safety-related and important-to-safety functions
    • Security functions
    • Emergency Preparedness functions, including offsite communication functions and networks
    • Information technology functions
    • Material Accounting and Control functions
    • Support systems and equipment that, if compromised, would adversely impact safety, security, or emergency preparedness functions
  • Physical Protection:
    • Critical Digital Assets should reside in a configuration that includes multiple layers of physical protection
  • Access (physical and remote)
  • System Integrity:
    • Unauthorized entry detection
    • Virus/malware detection
  • User roles and responsibilities (Designated Authority and separation of duties)
  • Compartmentalization
  • Use of wireless and portable computing devices
  • Incident Response and Mitigation:
    • Detection
    • Correction
Defence-in-depth architecture
(Diagram: network intrusion detection and prevention; Corporate Accessible Area (Technical Data Management); Owner Controlled Area (Real Time Supervisory); gateway that enforces the security policy between the areas)
The State should incorporate a defence-in-depth strategy (which is fundamental to the safety of a nuclear facility) requiring multiple layers of physical protection of nuclear material and facilities (INFCIRC/225/Revision 5)
Identification of Critical Systems and Critical Digital Assets (Source: USNRC RG 5.71, Cyber Security Programme)
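The CDA scoping in the Cyber Security Plan slide (safety, security, emergency preparedness and material accounting functions, plus the support systems whose compromise could affect them), the RG 5.71-style identification of critical systems and CDAs, and the defence-in-depth architecture with a policy-enforcing gateway are easiest to see on a concrete inventory. The following Python is an added example written for this page; it is not the presentation's, FANR's or the USNRC's code. The asset inventory, the four level names, the minimum CDA level and the two flow rules (data may only flow from a higher level to a lower one, and any flow that crosses levels must pass through a boundary device) are constructed assumptions in the spirit of RG 5.71's defensive architecture.

```python
"""Screen a digital asset inventory for critical digital assets (CDAs) and
check its data flows against a defence-in-depth level policy.

Added example: not from the presentation or from FANR/USNRC. Inventory,
level names, MIN_CDA_LEVEL and the flow rules are assumptions.
"""
from dataclasses import dataclass, field

# Functions a CDA performs or supports (from the Cyber Security Plan slide):
# safety, security, emergency preparedness, material accounting and control.
CRITICAL_FUNCTIONS = {"safety", "security", "ep", "mcc"}

# Defensive levels, higher number = more protected (assumed names).
LEVELS = {1: "corporate accessible", 2: "owner controlled",
          3: "control", 4: "safety/security"}
MIN_CDA_LEVEL = 3   # assumption: CDAs must sit at level 3 or above


@dataclass
class Asset:
    name: str
    level: int
    functions: set = field(default_factory=set)   # critical functions performed
    supports: set = field(default_factory=set)    # assets that depend on this one


def identify_cdas(assets):
    """Return the names of critical digital assets.

    An asset is a CDA if it performs a critical function, or if it supports,
    directly or transitively, an asset that is a CDA (its compromise could
    adversely impact that function). Iterates to a fixpoint so multi-hop
    support chains are caught."""
    cdas = {a.name for a in assets if a.functions & CRITICAL_FUNCTIONS}
    changed = True
    while changed:
        changed = False
        for a in assets:
            if a.name not in cdas and a.supports & cdas:
                cdas.add(a.name)
                changed = True
    return cdas


def check_architecture(assets, flows, boundary_devices):
    """Check flows and CDA placement against the assumed rules.

    flows: iterable of (source, destination, via); via is the device carrying
    the connection, or None for a direct connection.
    Returns a list of violation strings (empty list means compliant)."""
    level = {a.name: a.level for a in assets}
    violations = []
    for src, dst, via in flows:
        if level[src] < level[dst]:   # rule 1: never flow into a higher level
            violations.append(f"{src} (L{level[src]}) -> {dst} (L{level[dst]}): "
                              "data flow into a higher level")
        if level[src] != level[dst] and via not in boundary_devices:   # rule 2
            violations.append(f"{src} -> {dst}: crosses a level boundary "
                              "without a policy-enforcing gateway")
    for name in sorted(identify_cdas(assets)):   # rule 3: CDA placement
        if level[name] < MIN_CDA_LEVEL:
            violations.append(f"{name}: CDA located at level {level[name]} "
                              f"({LEVELS[level[name]]}), below level {MIN_CDA_LEVEL}")
    return violations


# Constructed inventory for the example, not a real plant.
INVENTORY = [
    Asset("erp_server", 1, functions={"business"}),
    Asset("historian", 2),
    Asset("time_server", 2, supports={"eng_workstation"}),
    Asset("access_control", 3, functions={"security"}),
    Asset("eng_workstation", 3, supports={"rps"}),
    Asset("rps", 4, functions={"safety"}),     # reactor protection system
]

FLOWS = [
    ("rps", "historian", "data_diode"),           # 4 -> 2 via one-way device: allowed
    ("historian", "erp_server", "dmz_gateway"),   # 2 -> 1 via gateway: allowed
    ("erp_server", "eng_workstation", None),      # 1 -> 3 direct: violates rules 1 and 2
    ("eng_workstation", "rps", None),             # 3 -> 4 direct: violates rules 1 and 2
    ("access_control", "eng_workstation", None),  # same level: allowed
]

BOUNDARY_DEVICES = {"data_diode", "dmz_gateway"}

if __name__ == "__main__":
    print("CDAs:", sorted(identify_cdas(INVENTORY)))
    for v in check_architecture(INVENTORY, FLOWS, BOUNDARY_DEVICES):
        print("VIOLATION:", v)
```

Two points the run makes that the slide text does not: `time_server` becomes a CDA only through a two-hop support chain (it supports the engineering workstation, which supports the RPS), which is exactly the "support systems" category and the reason a one-pass screening misses assets; and the engineering-workstation-to-RPS connection is flagged even though both assets are CDAs, because the rule is about direction across levels, not about which assets are critical.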
Cyber Incident Response Team (Source: NIST SP 800-61 Rev. 2)
Incident response life cycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity
  • Establishing and training an incident response team
  • Develop an implementation plan
  • Develop an incident response policy
  • Detection of security breaches
  • Restore and resume system operation
  • Issue a report on the steps to be taken to prevent future incidents
  • Preservation of evidence
  • The incident response team should communicate, whenever appropriate, with outside parties:
    • Law enforcement
    • ISP
    • Vendor of vulnerable software
    • Other incident response teams
  • Establish policy and procedures regarding information sharing

Concluding Remarks
  • The UAE established a comprehensive legal and regulatory framework to regulate the nuclear sector, conforming to IAEA standards and guidance
  • The cyber threat is real and continually changing
  • The UAE is committed to high standards of safety
  • Maintaining a strong safety and security culture
  • Incorporation of cyber element(s) in the DBT allows for a comprehensive, holistic assessment of all threats
  • Nuclear facilities employ:
    • DiD protective strategies that make them resilient to cyber attacks
    • Redundant and diverse capabilities to detect, prevent, respond to, and recover from cyber attacks, so that the failure of any single protective strategy is not sufficient to defeat them
  • Measures to defend against cyber threats must be appropriate, proportionate, and flexible to implement
  • The IAEA Nuclear Security Series and implementation guides are important to Member States, particularly new entrants

Abu Dhabi Development (no transcript)