A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes

Insider threats are perhaps the most serious challenges that nuclear security systems face. All of the cases of theft of nuclear materials where the circumstances of the theft are known were perpetrated either by insiders or with the help of insiders; given that the other cases involve bulk material stolen covertly without anyone being aware the material was missing, there is every reason to believe that they were perpetrated by insiders as well. Similarly, disgruntled workers from inside nuclear facilities have perpetrated many of the known incidents of nuclear sabotage. The most recent example of which we are aware is the apparent insider sabotage of a diesel generator at the San Onofre nuclear plant in the United States in 2012; the most spectacular was an incident three decades ago in which an insider placed explosives directly on the steel pressure vessel head of a nuclear reactor and then detonated them.While many such incidents, including the two just mentioned, appear to have been intended to send a message to management, not to spread radioactivity, they highlight the immense dangers that could arise from insiders with more malevolent intent. As it turns out, insiders perpetrate a large fraction of thefts from heavily guarded non-nuclear facilities as well. Yet organizations often find it difficult to understandand protect against insider threats. Why is this the case?Part of the answer is that there are deep organizational and cognitive biases that lead managers to downplay the threats insiders pose to their nuclear facilities and operations. But another part of the answer is that those managing nuclear security often have limited information about incidents that have happened in other countries or in other industries, and the lessons that might be learned from them.The IAEA and the World Institute for Nuclear Security (WINS) produce"best practices" guides as a way of disseminating ideas and procedures that have been identified as leading to improved security. Both have produced guides on protecting against insider threats.5 But sometimes mistakes are even moreinstructive than successes.Here, we are presenting a kind of "worst practices" guide of serious mistakes made in the past regarding insider threats. While each situation is unique, and serious insider problems are relatively rare, the incidents we describe reflect issues that exist in many contexts and that every nuclear security manager should consider. Common organizational practices -- such as prioritizing production over security, failure to share information across subunits, inadequate rules or inappropriate waiving of rules, exaggerated faith in group loyalty, and excessive focus on external threats -- can be seen in many past failures to protect against insider threats

Integration of Nuclear Safeguards and Security at the JRC

At political level, security and safeguards remain in separate hands. Safeguards are implemented by international and national authorities through an international treaty, while security is an important national responsibility. At a technical level the synergies between safeguards and security lead to their integration allowing better optimization of the resources and important benefit from exchange of experience and expertise between the two systems. In this paper, we will illustrate this integration process between nuclear security and safeguards. Many examples will be presented such as: non destructive assay (NDA) in nuclear safeguard /detection and identification of illicit nuclear and radioactive materials, destructive analysis (DA) and environmental sampling in nuclear safeguards/ nuclear forensic, use of seals in nuclear security for containers, combined camera and gamma/neutron source for source localisation in luggage, Open source information, export controls are also areas were the integration is possible.JRC.E.9-Nuclear security (Ispra

Regulatory Perspective on Nuclear Cyber Security: The Fundamental Issues

We are living in a digital and information-driven age; hence need to retain information on virtually every aspect of our lives, nuclear information inclusive. Security in computer systems is strongly related to the notion of dependability. For such system to be reliable and secure in a nuclear facility, unauthorized logic changes must be prevented - confidentiality, field device inputs and outputs must remain immutable throughout their usable lifetime - integrity, and everything should remain in an operable state - availability. The dynamic and complex nature of cyber threats has made it a serious challenge to secure computer systems in nuclear facilities. Despite the adoption of varied cyber security services, policies, mechanisms, strategies and regulatory frameworks like confidentiality, integrity, availability, non-repudiation, encipherment, defence-in-depth, design basis threat, IAEA technical guidance documents such as: GS-R-1, GS-R-2, NSS13, NSS17, NST036, NST045, and NST047, IEEE standard 7-4.3.2-2010, NIST SP 800-53, NIST SP 800-82, NEI 08-09 and country-specific requirements such as: 10 CFR 73.54, 10 CFR 73.1, RG 5.71 (USNRC), KINS/RG-N08.22 (South Korea) respectively, the threats remain persistent. This paper is aimed at providing a regulatory perspective on nuclear cyber security, its relationship to nuclear safety and security, regulatory requirements and cyber security global best practice recommendations and strategies to prevent its occurrence. This is imperative as Nigeria prepares to join the league of countries with operational nuclear power plants and reactors by its approval and adoption of the nuclear power programme roadmap in 2007

An Approach to a New Network Security Architecture of Nuclear and Research Facilities

With the growth of information technology (IT) systems, network security is rapidly becoming a critical business concern. Due to the interconnectivity of IT systems, a comprehensive description of all of the key elements and relationships that make up an organization2019;s network security is needed, which can be referred as network security architecture. The value of this architecture is often questioned by organizations in terms of its practical application. This paper has presents a new approach to the network security architecture by using the Zachman Framework capabilities. The network security architecture of nuclear and academic facilities academic centers is discussed to show how a conceptual model can be applied to a real organization. This new approach makes any Local Area Network LAN more secure and more flexible than any conventional security procedures without affecting the performance of the LAN. Applying Zachman matrix provides the answers to what data assets the nuclear and research facilities controls, how they are used, and where they are located

Cyber Security training tools for the nuclear energy sector

Nowadays, cyber security should be a priority for everyone when they connect their laptop to the internet; however, not many internet users have sufficient knowledge about cyber security. A cyberattack on an individual’s computer could result in the loss of personal information, financial information, or other resources. The damage from a cyberattack on a nuclear facility or other critical infrastructure could have much greater consequences. The attackers could impact the confidentiality of data, the availability of key systems, or the integrity of those safety or operating systems. Therefore, the National Nuclear Security Administration has tasked Pacific Northwest National Laboratory with developing eLearning modules for teaching cyber security to nuclear plant personnel. The eLearning modules are designed to increase cyber security knowledge and awareness for nuclear facility decision makers, regulators, workers, and stakeholders. The modules are designed along the lines of a university curriculum with foundation courses (100 level), and more in-depth courses (200 to 400 level). In general, eLearning modules need to have many interactive activities in order to grab and maintain the learners’ attention. Storyline 2TM is used as our eLearning management system for developing and presenting eLearning content. It provides many features that allow developers to create interactive learning activities. These include drag-and-drop, timeline, and knowledge testing products; moreover, Storyline 2TM allows pictures and videos to be displayed. Content developers are able to publish their Storyline 2TM products into many different formats, including CD, Web, and Word documents. This work focuses on the development of three 200 level courses covering cyber security threats, vulnerabilities, and consequences using Storyline. Gearhead is an activity to provide information on how the adversaries steal information of the employee. Gearhead provides a full freedom to users to discover different ways of attack from adversaries, and Gearhead contains many pictures to make an activity more interesting. Introduction timeline is a product that included a narration voice and drag-and-drop activity, so users have to drag the circle along the timeline to see the picture, listen to the audio, and read the information. By the end of each topic, users will receive some type of assessment to check their knowledge, and Storyline allows to create a test bank questions that we can use for multiple question quiz and drag-and-drop activity. Using Storyline 2TM is a good tool for developing effective cyber security eLearning modules. Beyond this specific training objective this project provided an opportunity for the author to learn education software and techniques useful in modern classrooms and curriculum

Комп‘ютерна безпека на ядерних об’єктах в Україні: області взаємодії між ядерною безпекою та захищеністю

Розглянуто проблематику комп’ютерної та інформаційної безпеки у площині фізичного захисту, а також нормативно-правове забезпечення комп’ютерної безпеки на ядерних об’єктах в Україні. Основний акцент зроблено на комп’ютерну безпеку інформаційних та керуючих систем (ІКС), важливих для ядерної безпеки. Надано приклад інтегрованого підходу до розгляду вимог з ядерної безпеки та захищеності з урахуванням взаємодії сфер забезпечення захищеності ІКС та ядерної безпеки. Наведено рекомендації та плани на майбутнє щодо вдосконалення комп’ютерної безпеки на ядерних об’єктах в Україні.Рассматрены проблематика компьютерной и информационной безопасности в плоскости физической защиты, а также нормативно-правовое обеспечение компьютерной безопасности на ядерных объектах в Украине. Основной акцент сделан на компьютерной безопасности информационных и управляющих систем (ИУС), важных для ядерной безопасности. Приведен пример интегрированного подхода к рассмотрению требований к ядерной безопасности и защищенности с учетом взаимодействия сфер обеспечения защищенности ИУС и ядерной безопасности. Представлены рекомендации и планы на будущее по совершенствованию компьютерной безопасности на ядерных объектах в Украине.Active introduction of information technology, computer instrumentation and control systems (I&C systems) in the nuclear field leads to a greater efficiency and management of technological processes at nuclear facilities. However, this trend brings a number of challenges related to cyber-attacks on the above elements, which violates computer security as well as nuclear safety and security of a nuclear facility. This paper considers regulatory support to computer security at the nuclear facilities in Ukraine. The issue of computer and information security considered in the context of physical protection, because it is an integral component. The paper focuses on the computer security of I&C systems important to nuclear safety. These systems are potentially vulnerable to cyber threats and, in case of cyber-attacks, the potential negative impact on the normal operational processes can lead to a breach of the nuclear facility security. While ensuring nuclear security of I&C systems, it interacts with nuclear safety, therefore, the paper considers an example of an integrated approach to the requirements of nuclear safety and security

The development of a biometric keystroke authentication framework to enhance system security

Computer systems have proven to be essential to achieving our daily tasks such as managing our banking accounts, managing our health information and managing critical information systems such as drinking water systems or nuclear power plant systems. Such distributed systems are networked and must be protected against cyber threats. This research presents the design and implementation of a stand alone web based biometric keystroke authentication framework that creates a user\u27s keystroke typing profile and use it as a second form of authentication. Several biometric models were then bench marked for their accuracy by computing their EER. By using keystroke biometrics as a second form of authentication the overall system\u27s security is enhanced without the need of extra peripheral devices and without interrupting a user\u27s work-flow

cyber attack taxonomy for digital environment in nuclear power plants

With the development of digital instrumentation and control (I&C) devices, cyber security at nuclear power plants (NPPs) has become a hot issue. The Stuxnet, which destroyed Iran's uranium enrichment facility in 2010, suggests that NPPs could even lead to an accident involving the release of radioactive materials cyber-attacks.However, cyber security research on industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems is relatively inadequate compared to information technology (IT) and further it is difficult to study cyber-attack taxonomy for NPPs considering the characteristics of ICSs. The advanced research of cyber-attack taxonomy does not reflect the architectural and inherent characteristics of NPPs and lacks a systematic countermeasure strategy.Therefore, it is necessary to more systematically check the consistency of operators and regulators related to cyber security, as in regulatory guide 5.71 (RG.5.71) and regulatory standard 015 (RS.015). For this reason, this paper attempts to suggest a template for cyber-attack taxonomy based on the characteristics of NPPs and exemplifies a specific cyber-attack case in the template. In addition, this paper proposes a systematic countermeasure strategy by matching the countermeasure with critical digital assets (CDAs). The cyber-attack cases investigated using the proposed cyber-attack taxonomy can be used as data for evaluation and validation of cyber security conformance for digital devices to be applied, and as effective prevention and mitigation for cyber-attacks of NPPs. Keywords: Cyber-attack taxonomy, Cyber security, Nuclear power plant, ICS, SCAD

Resilient and Trustworthy Dynamic Data-driven Application Systems (DDDAS) Services for Crisis Management Environments

Future crisis management systems needresilient and trustworthy infrastructures to quickly develop reliable applications and processes, andensure end-to-end security, trust, and privacy. Due to the multiplicity and diversity of involved actors, volumes of data, and heterogeneity of shared information;crisis management systems tend to be highly vulnerable and subjectto unforeseen incidents. As a result, the dependability of crisis management systems can be at risk. This paper presents a cloud-based resilient and trustworthy infrastructure (known as rDaaS) to quickly develop secure crisis management systems. The rDaaS integrates the Dynamic Data-Driven Application Systems (DDDAS) paradigm into a service-oriented architecture over cloud technology and provides a set of resilient DDDAS-As-A Service (rDaaS) components to build secure and trusted adaptable crisis processes. The rDaaS also ensures resilience and security by obfuscating the execution environment and applying Behavior Software Encryption and Moving Technique Defense. A simulation environment for a nuclear plant crisis management case study is illustrated to build resilient and trusted crisis response processes

Resilience, reliability, and coordination in autonomous multi-agent systems

Acknowledgements The research reported in this paper was funded and supported by various grants over the years: Robotics and AI in Nuclear (RAIN) Hub (EP/R026084/1); Future AI and Robotics for Space (FAIR-SPACE) Hub (EP/R026092/1); Offshore Robotics for Certification of Assets (ORCA) Hub (EP/R026173/1); the Royal Academy of Engineering under the Chair in Emerging Technologies scheme; Trustworthy Autonomous Systems “Verifiability Node” (EP/V026801); Scrutable Autonomous Systems (EP/J012084/1); Supporting Security Policy with Effective Digital Intervention (EP/P011829/1); The International Technology Alliance in Network and Information Sciences.Peer reviewedPostprin