
Addressing IT-Security in nuclear security regulation and implementation with respect - PowerPoint Presentation

Uploaded On 2024-01-03


Alice Wiesbaum, Federal Office for the Safety of Nuclear Waste Management, Germany. International Conference on Nuclear Security: Sustaining and Strengthening Efforts (ICONS 2020), xx.02.2020, IAEA Headquarters, Vienna. ID: 1038313


Presentation Transcript

1. Addressing IT-Security in nuclear security regulation and implementation with respect to interim storage facilities in Germany
   Alice Wiesbaum
   Federal Office for the Safety of Nuclear Waste Management, Germany
   International Conference on Nuclear Security: Sustaining and Strengthening Efforts (ICONS 2020)
   xx.02.2020, IAEA Headquarters, Vienna

2. Nuclear facilities in Germany
   https://www.bfe.bund.de
   32 nuclear facilities in operation (category I or II):
   - 6 NPPs
   - 6 research reactors
   - 16 interim storage facilities (4 of them centralized)
   - 2 repositories (for low and medium radioactive waste)
   - 1 uranium enrichment facility
   - 1 fuel assembly fabrication plant

3. The Federal Republic of Germany
   Image: https://www.weltkarte.com/typo3temp/images/bundeslaender.png
   About Germany:
   - Federal republic
   - 16 federal states = (Bundes-)Länder
   - Responsibility for nuclear facilities is shared between the federation (Bund) and the Länder
   - To store or use nuclear material in Germany, a licence is needed!

4. Responsibilities in the field of nuclear energy
   [Organisation chart. Labels: Federal Ministry BMU; Länder Ministries; Federal Office BASE; TSOs; Interim Storages; NPPs, Research Reactors, etc.; Regulations; Oversight; Reporting; Supervision; Licensing; Inspection.]

5. The regulatory framework

6. The regulatory framework
   In the field of nuclear energy the basis is built by:
   - CPPNM and its amendments
   - The "Act of the Peaceful Utilization of Nuclear Energy and the Protection against its Hazards" (Atomic Energy Act)
     In § 6, para. 2, no. 4 AtG it is written: "A licence shall be granted if there is a need for such a storage and […] if the necessary protection has been provided against disruptive action or other interference by third parties. […]"
   - The "Act on Protection against the Harmful Effects of Ionising Radiation" (Radiation Protection Act)

7. Computer security in Germany
   [Diagram. Labels: Atomic Energy Act (AtG); Cyber DBT; Malicious Acts Guideline for Computer Based Systems (SK I/II); DRAFT Malicious Acts Guideline for Computer Based Systems SK III; Explanatory Notes for NPPs; Explanatory Notes for Interim Storages.]

8. Computer security in Germany
   The guidelines for computer security – Cyber-DBT:
   - As a result of the frequently conducted threat assessment, Germany has DBTs
   - All German DBTs are classified as confidential
   - Germany has its own DBT for computer security, called "Cyber-DBT"
   - The Cyber-DBT is created in a working group:
     - Chaired by the federal ministry
     - Consisting of members of national security agencies, the licensing and supervisory authorities and the Federal Office for Information Security (BSI)
   - The Cyber-DBT is reevaluated every 3 years and ad hoc when there are new findings

9. Computer security in Germany
   The guidelines for computer security – Malicious Acts Guideline:
   - Is valid for all nuclear facilities of category I or II
   - Is a restricted document
   - It contains:
     - The principles and the General Objective of computer security
     - Requirements on Computer Security Organization
     - How to plan a computer security concept
     - Requirements for Protection Measures depending on the security level

10. Computer security in Germany
    General Objectives:
    Prevent:
    - Unauthorized Removal ("Theft")
    - Unacceptable Radiological Consequences of a Sabotage Act ("Sabotage")
    - Unacceptable Radiological Consequences after Unauthorized Removal ("Diversion")
    Computer Security Objectives:
    Sensitive computer based systems and the associated processes have to be protected against malicious acts in accordance with their security requirements so that neither a direct nor an indirect violation of the general objectives of nuclear security can be effected.

11. Computer security in Germany
    The guidelines for computer security – general recommendations:
    - In the Malicious Acts Guideline for Computer Based Systems, the BSI standards are taken into account
    - The BSI gives information about how to protect computer based systems
    - The main document is called "BSI-Grundschutz"
    - It is an open document and available on the internet:
      https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html
    - It is written for authorities as well as companies
    - It meets the international standard ISO/IEC 27001

12. Implementation of computer security
    How to create a computer security concept:
    - IT structure analysis and classification
      - Classification into sensitive and non-sensitive computer systems
    - Classification and clustering
      - Classification of sensitive computer systems into computer security levels
      - Clustering into zones and determination of computer security requirements
    - Definition of concrete security measures

13. Implementation of computer security
    1. IT structure analysis
    [Diagram. Labels: IT structure analysis; sensitive computer based systems; non-sensitive computer based systems.]

14. Implementation of computer security
    2.1 Computer security levels
    [Diagram. Labels: IT structure analysis; sensitive computer based systems; non-sensitive computer based systems; computer security levels: very high, high, increased, normal; SK I/II.]

15. Implementation of computer security
    2.2 Zones of sensitive computer based systems:
    - Zones can contain computer systems which are:
      - Physically close to each other
      - Connected due to their operations
    - Security level of the zone = security level of the computer systems in the zone
    - Links between zones are only allowed between zones of the same security level

16. Implementation of computer security
    3. The security concept for computer based systems:
    - The security concept shows the current situation at the facility
    - It is reevaluated constantly:
      - At least every year for systems classified as "very high" or "high"
      - At least every three years for systems classified as "increased" or "normal"
    - It covers the whole lifetime of all computer based systems
    - In every licensing process the current security concept for computer based systems is signed in
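
The zone and review rules from slides 15 and 16 can be checked mechanically against an asset inventory. The following is an added example, not part of the original presentation: system names, zone names and the 365-day year are assumptions, and reading the zone rule as "all systems in a zone share one security level" is this example's interpretation.

```python
from datetime import date, timedelta

# Review interval in years per computer security level (slide 16).
REVIEW_YEARS = {"very high": 1, "high": 1, "increased": 3, "normal": 3}

def check_concept(systems, links, today):
    """Return a sorted list of findings for a zoned inventory.

    systems: dicts with name, zone, level, last_review (sensitive systems only)
    links:   (zone_a, zone_b) pairs describing inter-zone connections
    """
    findings, zone_levels = [], {}
    for s in systems:
        if s["level"] not in REVIEW_YEARS:
            findings.append(f"{s['name']}: unknown security level {s['level']!r}")
            continue
        zone_levels.setdefault(s["zone"], set()).add(s["level"])
        # Approximating a year as 365 days is an assumption of this example.
        due = s["last_review"] + timedelta(days=365 * REVIEW_YEARS[s["level"]])
        if today > due:
            findings.append(f"{s['name']}: review overdue since {due.isoformat()}")
    # The zone's level must equal the level of every system in the zone.
    for zone, levels in zone_levels.items():
        if len(levels) > 1:
            findings.append(f"zone {zone}: mixed levels {sorted(levels)}")
    # Links are only allowed between zones of the same security level.
    for a, b in links:
        la, lb = zone_levels.get(a), zone_levels.get(b)
        if la is None or lb is None:
            findings.append(f"link {a}-{b}: references an unknown zone")
        elif la != lb:
            findings.append(f"link {a}-{b}: levels differ {sorted(la)} vs {sorted(lb)}")
    return sorted(findings)

# Constructed sample inventory (hypothetical names, not from the presentation).
SYSTEMS = [
    {"name": "crane-plc", "zone": "Z1", "level": "very high", "last_review": date(2019, 6, 1)},
    {"name": "crane-hmi", "zone": "Z1", "level": "very high", "last_review": date(2018, 1, 15)},
    {"name": "access-db", "zone": "Z2", "level": "high", "last_review": date(2019, 9, 1)},
    {"name": "badge-pc", "zone": "Z2", "level": "increased", "last_review": date(2019, 9, 1)},
    {"name": "log-srv", "zone": "Z3", "level": "very high", "last_review": date(2019, 11, 1)},
]
LINKS = [("Z1", "Z3"), ("Z1", "Z2")]

if __name__ == "__main__":
    for finding in check_concept(SYSTEMS, LINKS, date(2020, 2, 1)):
        print(finding)
```

On the sample data the Z1-Z3 link passes because both zones are uniformly "very high", while the mixed zone Z2, its link to Z1 and the stale review of crane-hmi are reported.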

17. Implementation of computer security
    The implementation was done in 3 steps over a period of 3 years

18. Thank You for Your Attention!