Computer security must be an essential element in nuclear security to guard against increasingly sophisticated online threats in a digitally dependent and interconnected environment, concluded participants of an IAEA conference held last week.
“The enduring conference theme is that computer security is a necessary component in an effective and robust nuclear security regime,” said Jazi Eko Istiyanto President of the International Conference on Computer Security in a Nuclear World held in Vienna, Austria from 1 to 5 June 2015. “Computer security and nuclear security must be a continual and holistic process, but it does not need to be a solitary process. The IAEA, the cooperating organizations for this conference, and the community of interest that has gathered this week, provide a wealth of resources and experience that can and should be leveraged in forging a secure nuclear future globally.”
More than 700 computer experts, system designers, policymakers, operators, managers and users from 92 Member States and 17 organizations participated in keynote and technical sessions that highlighted the close convergence of computer security and nuclear security. Topics included computer security threats in nuclear security, computer security and system designs, computer security coordination in a nuclear security regime, nuclear security regulatory approaches, computer security programmes, computer security management and computer security culture and capacity.
“The high number of stakeholders present and their level of participation sends the important message that the international community is serious about enhancing global efforts to protect nuclear and other radioactive material – and associated activities and facilities – from malicious acts which are either computer–based, or targeted at computers,” Istiyanto said.
Other Key Findings
The executive summary of the Conference President’s findings also highlighted the following points:
- The conference has been successful in providing a global forum for discussion of computer security. However, the momentum developed this week must be fostered and sustained.
- The IAEA must continue to grow in its leadership role in supporting Member States by developing timely international nuclear security guidance that addresses computer security.
- Computer systems and their interconnectivity represent a growing complexity, which will only increase. Coordinated research and information exchange are needed to support both the prevention and response to attacks on computer security.
- Regulation must address information technology systems, industrial control systems and physical protection systems used within the nuclear industry.
- Human capacity development, including programmes in education, training, and knowledge management are practical measures that can help to sustain computer expertise in the nuclear security domain. These are all programmes the IAEA is again encouraged to foster as a means to support Member States upon request.
When virtual meets physical protection
A highlight of the conference was a special computer security demonstration in the afternoon of 1 June. This was organized by the IAEA in cooperation with a team of international computer security experts.
Developed to promote awareness and encourage discussion during the conference, the demonstration played out a computer security threat scenario and the potential impact of such an attack to nuclear security.
The hypothetical scenario involved coordinated online attacks on both a competent authority and a nuclear power plant, and presented an overview of types of techniques that an adversary might use in such a computer security attack. It showed how an adversary can take advantage of seemingly isolated but unprotected networks — like closed circuit camera units (CCTVs) and Bluetooth devices — to gain access to local networks, disable physical protection measures and ultimately compromise nuclear plant instrumentation and control systems.
“The scenario is a vignette of stories and real technology pieced together from the public domain,” Mark Fabro, Chief Security Scientist of Canadian security firm, Lofty Perch Inc., told the watching delegates. “Their use in the context of computer security is to show how they can impact physical security.”
Every attack shown in the demonstration can also be mitigated by best practices, recommendations, and guidance provided by the IAEA through published international standards, Fabro added.
The demonstration also discussed industry-proven mitigation efforts based on IAEA guidance, international standards, and good practices that could assist in the prevention, detection, and response to such attacks.
The remaining technical sessions provided opportunity for detailed discussion, were highly interactive, and explored the analysis of threat and consequence. They also addressed mitigation elements ranging from regulatory experiences to good practices in the technical implementation of computer security.
One session, for example, discussed the December 2014 computer security attack at Korea Hydro and Nuclear Power (KHNP), and was presented by Min Baek, Director General of Radiation Emergency Bureau, Nuclear Safety and Security Commission, Republic of Korea, and Gahm Yong Kim, Vice President of KHNP’s Information Technology Office. While the 1 June demonstration illustrated the concepts of a computer security attack, the KHNP event presented the reality of the threat environment, the impact of the attack, and the benefits of a holistic approach to computer security.
Enhancing computer security
Member States have expressed concern over emerging risks associated with the convergence of physical and virtual systems through computer security attacks and their potential impact on nuclear security. The previous two IAEA General Conference Resolutions on Nuclear Security have expressed the need for the IAEA to promote awareness and international cooperation on computer security. The Agency has responded by organizing and hosting this conference on computer security.
“The conference has reaffirmed that computer security must be considered as part of a national nuclear security regime,” said Khammar Mrabit, Director of the IAEA’s Division of Nuclear Security. “It must be an ongoing process to address new technologies and growing adversary capabilities.”
Through avenues like this conference and its extensive library of guidelines and recommendations, the IAEA is working to help States to enhance nuclear security, including computer security.