Dr. Kristóf Horváth - PowerPoint PPT Presentation

About This Presentation

Title: Dr. Kristóf Horváth

Description: presented by Dr. Kristóf Horváth, Deputy Director General, Hungarian Atomic Energy Authority. Based on the Guideline developed by the WG on Computer Protection.

Provided by: www-ns.iaea.org
Learn more at: http://www-ns.iaea.org

Transcript and Presenter's Notes

1
Hungary's Experience in the Regulation of
Cyber and Information Security
  • presented by
  • Dr. Kristóf Horváth
  • Deputy Director General
  • Hungarian Atomic Energy Authority
  • Based on the Guideline developed by
  • the WG on Computer Protection

2
History 2005-2008
  • Well developed:
  • requirements and regulatory system for peaceful
    applications (nuclear material and radioactive
    material, NM and RM)
  • radiation protection requirements and regulatory
    system
  • nuclear safety requirements and regulatory system
  • system for materials out of regulatory control
  • emergency preparedness and response for safety
    events
  • Ad hoc:
  • physical protection requirements
  • physical protection as part of radiation
    protection and nuclear safety
  • All nuclear related sensitive information
    protected as State Secret

2005-2008
3
International Instruments (the frame)
  • Ratified international conventions
  • CPPNM
  • Amendment to CPPNM
  • Nuclear terrorism convention
  • Mode-specific transport agreements
  • UN Council resolutions
  • EU regulations and directives
  • IAEA Code of Conduct and Guidance

2005-2008
4
And then... Fundamental objective
  • The fundamental safety-security-safeguards (3S)
    objective of regulatory control:
  • to protect people and the environment
  • from the harmful effects (any harm) of
  • ionizing radiation (generated by the various
    applications of atomic energy),
  • without unduly limiting the operation of
    facilities or the conduct of activities.

3S
2009
5
Goals of regulatory control
  • To protect people and environment through
  • Prevention
  • Regulations, licensing, vetting, registration, etc.
  • Detection
  • Inspection, reporting, monitoring
  • Response
  • Enforcement, contingency/emergency planning
  • Common legal and technical principles to be
    applied
  • E.g. responsibility, independence
  • E.g. design basis, graded approach, defence in
    depth

2009
6
New regulations
  • Four level approach
  • Classification and protection of information
  • Restricted, Confidential, Secret, Top Secret
  • Physical protection governmental decree
  • Based on threat assessment
  • DBT (design basis threat) defined by HAEA with
    the concerned government organs
  • Performance based approach with performance
    requirements for facilities
  • Prescriptive requirements for NM and RM
  • Updated safety code

2009-2011
7
Cyber and information security
2011
Confidentiality, Integrity, Availability
  • General security and safety requirements for
  • allocation of I&C (instrumentation and control)
    components and their cabling according to
    physical protection (PP) zones
  • one-way direction from vital areas
  • credibility of input to be checked
  • availability of systems
  • interaction cannot hinder safety functions
8
WG establishment
  • Instead of
  • Requesting the NPP to recommend a cyber DBT
  • Recognition that computer protection is a joint
    safety/security issue
  • Very similar threats
  • Almost identical protection
  • Identical protectors
  • WG participation
  • HAEA, Police, MVM Electricity Trust, NPP,
    new-build project, university, experts
  • To develop a guideline on
  • The protection of programmable systems and
    components

2012-2013
9
Guideline on the protection requirements for
computer systems
  • Taking into consideration
  • Lessons learned from IAEA NSS 17
  • Principles from IEC 62645 Ed. 1
  • Existing safety requirements
  • Existing security requirements

2013
10
Guideline on the protection requirements for
computer systems
2013
  • Graded approach: classification from the safety as
    well as from the security aspect, then the more
    rigorous requirements shall be applied
  • Level of protection measures
11
Guideline on the protection requirements for
computer systems
  • Summary about international and domestic
    recommendations
  • Protection policy for programmable systems and
    components
  • Organizational and management aspects,
    responsibilities
  • Inventory of systems (systems, networks,
    applications and their interfaces)
  • Definition of protection levels
  • Protection classification of systems and
    components
  • Risk assessment (threat analysis, vulnerability
    analysis, risk evaluation)
  • Defence in depth principles
  • Physical access aspects
  • Training and education

2013
12
Guideline on the protection requirements for
computer systems
  • According to the Guideline, nuclear operators
    should
  • Categorize the computer systems into Level 5, 4, 3 or 2
  • Analyse the vulnerabilities of existing computer
    systems
  • Establish additional protection measures (if
    required) to meet the safety and security
    requirements
  • Propose a cyber design basis threat

2013
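The graded-approach rule on the previous slides (classify each system from the safety aspect and from the security aspect, then apply the more rigorous requirements) and the 2011 requirement that data flows one way out of vital areas can both be checked mechanically over the system inventory the guideline asks operators to keep. The Python below is an added illustration, not code from the Hungarian guideline, the HAEA or the WG. It assumes, as in IAEA NSS 17, that Level 1 is the most rigorous protection level and Level 5 the least (the slides do not state the ordering), reads "one-way direction from vital areas" as data being allowed to flow only from a more protected system to a less protected one, and uses a constructed three-system inventory with invented names and levels.

```python
from dataclasses import dataclass

# Assumed level convention (not stated on the slides): Level 1 is the most
# rigorous protection level and Level 5 the least, as in IAEA NSS 17.
MOST_RIGOROUS = 1
LEAST_RIGOROUS = 5


@dataclass(frozen=True)
class System:
    name: str
    safety_level: int    # protection level implied by the safety classification
    security_level: int  # protection level implied by the security classification

    def __post_init__(self):
        for level in (self.safety_level, self.security_level):
            if not MOST_RIGOROUS <= level <= LEAST_RIGOROUS:
                raise ValueError(
                    f"{self.name}: level {level} outside {MOST_RIGOROUS}..{LEAST_RIGOROUS}")


def protection_level(system: System) -> int:
    """Graded approach: classify from both aspects and keep the more rigorous
    level. With lower numbers meaning more rigorous, that is the minimum."""
    return min(system.safety_level, system.security_level)


@dataclass(frozen=True)
class Interface:
    source: str       # system that sends data
    destination: str  # system that receives it


def check_interfaces(systems, interfaces):
    """Return the interfaces that carry data from a less protected system into
    a more protected one. Assumed reading of 'one-way direction from vital
    areas': a system may only receive data from systems at its own level or a
    more rigorous one, so the most protected systems send outward only."""
    levels = {s.name: protection_level(s) for s in systems}
    violations = []
    for iface in interfaces:
        src, dst = levels[iface.source], levels[iface.destination]
        if src > dst:  # source is less protected (higher number) than destination
            violations.append(iface)
    return violations


# Constructed inventory for illustration; names and levels are invented.
INVENTORY = [
    System("reactor protection system", safety_level=1, security_level=3),
    System("plant computer", safety_level=3, security_level=2),
    System("office network", safety_level=5, security_level=5),
]
INTERFACES = [
    Interface("reactor protection system", "plant computer"),  # outward: allowed
    Interface("plant computer", "office network"),             # outward: allowed
    Interface("office network", "plant computer"),             # inward: flagged
    Interface("plant computer", "reactor protection system"),  # inward: flagged
]


def report(systems=INVENTORY, interfaces=INTERFACES):
    """Resulting protection level per system plus the flagged interfaces."""
    levels = {s.name: protection_level(s) for s in systems}
    flagged = [(i.source, i.destination)
               for i in check_interfaces(systems, interfaces)]
    return levels, flagged


if __name__ == "__main__":
    levels, flagged = report()
    for name, level in levels.items():
        print(f"{name}: Level {level}")
    for src, dst in flagged:
        print(f"flagged interface: {src} -> {dst}")
```

Note that the plant computer ends up at Level 2 although its safety classification alone would have put it at Level 3: the security aspect is the more rigorous one here, which is exactly the case the "more rigorous requirements shall be applied" rule exists for. The flagged interfaces are the ones a vulnerability analysis of the existing systems would have to resolve, for example with a one-way (outbound-only) connection.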
13
Regulation development
  • Based on experience with the application of the
    guideline
  • Issue regulations for the NPP
  • Develop regulations and guidance to other
    applications where programmable systems and
    components are in use

2013-
14
I thank you for your kind attention!