Beyond Physical Protection

For almost thirty years, the IAEA’s International Physical Protection Advisory Service (IPPAS) has been used by countries for peer review to ensure the physical protection of all types of facilities where nuclear and other radioactive materials are used, including nuclear power plants and hospital radiotherapy units. However, owing to advances in technology, digital systems are now at the heart of operations for these facilities. This has led to many new nuclear security challenges.

In response to the real threat of cyberattacks on facilities, including nuclear facilities, information and computer security for physical protection was added to the scope of IPPAS in 2012. Since then, countries have increasingly requested this module as part of the IPPAS review, in order to support their work in counteracting cybersecurity threats.

As a core component of the IAEA’s nuclear security programme, IPPAS is an advisory service that reviews a country’s existing practices against relevant international instruments and IAEA nuclear security guidance. It assists countries, upon request, in strengthening their national nuclear security regimes, systems and measures by providing advice on implementing international legal instruments.

“Twenty-seven years after the first IPPAS mission, the service has evolved to address modern challenges and needs,” said Heather Looney, Head of the Nuclear Security of Materials and Facilities Section at the IAEA’s Division of Nuclear Security. “Physical protection against the theft, sabotage or unauthorized use of nuclear and other radioactive material cannot be ensured without computer security measures. By inviting an IPPAS mission, countries can benefit from advice on what can be improved, and how,” she added.

IPPAS follows a modular approach and offers five modules, which cover the following: a national review of the nuclear security regime for nuclear material and nuclear facilities; a review of security systems and measures at nuclear facilities; a review of the transport security for material; a review of the security of radioactive material, associated facilities and activities; and a review on information and computer security. In total, 97 IPPAS missions have been conducted to date since the first one in 1996, and 22 countries have requested the inclusion of the information and computer security module in the IPPAS review.

As a first step, an IPPAS team of international nuclear security experts examines how national policies relating to information and computer security programmes have been set up and managed. The team will then look at the legislative and regulatory framework by comparing the procedures and practices in place in the country with the obligations specified under the Convention on the Physical Protection of Nuclear Material and its 2005 Amendment, as well as with the guidance provided in relevant IAEA Nuclear Security Series publications. In this way, they are able to determine whether countries have the necessary policies and procedures in place to enable adequate computer security in critical nuclear and radiological facilities.

At the facility level, the computer security review will look at computer security management, computer security programme, access controls, defensive computer security architecture, and the detection of and response to computer security events. The team may also assess cross-cutting areas, such as risk management, graded approaches, nuclear security culture and human resource management.

Japan hosted an IPPAS mission and its follow-up mission in 2015 and 2018, respectively. “It was a valuable experience for Japan to review the current status of computer security measures and to promote their enhancement based on the reviewers’ suggestions,” said Hiroyuki Sugawara, Director for International Nuclear Security in the Division of Nuclear Security at Japan’s Nuclear Regulation Authority (NRA). “In response to the IPPAS findings, we decided to strengthen the computer security measures and increase the number of inspectors with expertise in the field. In addition, the NRA incorporated computer security threats in its national threat assessment and required licensees to take robust computer security measures, as well as to enhance the content of their computer security plans by incorporating countermeasures against cyberattacks.”

In France, following an IPPAS mission in 2018, the visibility of computer security was strengthened in the national nuclear security framework. “The IPPAS mission required a strong commitment from the various stakeholders giving the opportunity for France to consolidate its nuclear security regime and to stimulate its implementation,” said Frédéric Boën, Computer Security Project Leader in the Ministry of Energy Transition, Defense and Security Directorate, Nuclear Security Office. “The staff dedicated to computer security was increased and regulatory guidelines were established in line with the international standards and the IAEA nuclear security guidance.”

The IAEA has maintained the IPPAS Good Practices Database since 2016 to share the findings of such missions with the international nuclear security community, thus enhancing the impact of the assistance offered by the IAEA to countries around the world. “Maintaining this database and sharing such examples extends the benefits of IPPAS missions beyond the host country to the international nuclear security community, and multiplies the impact of the assistance offered by the IAEA to its Member States,” said Looney.

The majority of the State-level good practices relate to nuclear security management, which provides the foundation for computer security and coordination. In addition, there are 40 good practices relating to computer security both at State and facility level that are accessible for IAEA Member States through designated points of contact.

The IAEA continues to support countries in enhancing their national nuclear security regimes; demand from countries to receive IPPAS missions in 2023 and in 2024 remains high.