What Goes into Making a Computer Security Programme

Facilities handling nuclear material or other radioactive material, and undertaking associated activities, are critical infrastructure which require high levels of safety and security. By taking a comprehensive and proactive approach to computer security, organizations can protect the sensitive information assets and computer-based systems in these facilities against compromise. The foundation of the IAEA-recommended approach to computer security lies in States establishing requirements for national strategy or policy; and enabling confidentiality and the protection of sensitive information and computing systems related to physical protection, nuclear safety, and nuclear material accounting and control. These requirements can also take the form of national regulations that provide for the development and implementation of a computer security programme (CSP)*.

A CSP is an overarching framework that includes key elements of an effective plan for implementing computer security policies and procedures that will be used throughout the lifetime of a nuclear facility or facility with radioactive sources. It aims to protect sensitive information assets and computer-based systems critical to maintaining safety and security functions from cyberthreats in order to mitigate the impact of cyberattacks.

A comprehensive and effective computer security strategy requires a systematic approach that integrates various elements, including regulations, programmes, security protective measures and response capabilities to sustain national nuclear security regimes.

Effective regulations provide a legal framework for protecting sensitive computer-based systems and ensure that organizations have established CSPs with the proper controls in place.

Roles and responsibilities

Organizational roles and responsibilities with accountability are vital for effective management, especially in the case of critical infrastructure. Awareness of the organizational hierarchy and clear lines of authority and reporting structure are necessary to instill efficient and effective collaboration and synergy within CSPs.

Risk, vulnerability and compliance management

Computer security risk management involves evaluating vulnerabilities and potential consequences of sensitive digital assets and computer-based systems to implement computer security controls using a graded approach to defend against cyberattacks. The level of security measures applied should be commensurate with the level of risk associated with the information and/or computer-based systems being protected. By considering the consequence of the vulnerability or threat, organizations can determine the level of security measures needed to mitigate the risk.

Security design and management

Computer security design is a critical aspect of protecting against cyberthreats. Fundamental design principles include a graded approach and defence in depth, where multiple layers of zoned security controls are implemented to prevent and mitigate attacks. Requirements for security must also be incorporated throughout the system development life cycle including third-party organizations being governed by clear policies and agreements to ensure security measures are consistent and effective.

Digital assets management

Effective computer security relies on a systematic process to identify a comprehensive list of all facility functions, assets, and systems including sensitive digital assets that are essential to protect nuclear operations or to maintain safe and secure use of nuclear and other radioactive material. Such a list also provides data flow and interdependencies that are significant to the organization to support access controls, backups and other security measures to protect these assets from sabotage or theft.

Security procedures

Operational nuclear security policies and procedures provide the direction with accountability to prevent of theft, sabotage, or unauthorized use of nuclear material and facilities. These policies ensure that access to sensitive information and assets is tightly controlled, and that individuals with access are screened and trained appropriately.

Personnel management

Trustworthiness, awareness, and training are critical for personnel management in the nuclear industry. Evaluations of trustworthiness should be conducted to ensure that personnel are reliable, competent, and free from any conflicts of interest that could compromise safety or security. Maintaining qualified and trustworthy personnel is critical to ensure nuclear safety and security.

*More details are included in IAEA Nuclear Security Series No. 17-T (Rev. 1), Computer Security Techniques for Nuclear Facilities.