Cyber Security Defense in Depth for the Protection of Radioactive Material

Greg White - Lawrence Livermore National Laboratory
Michael Rowland - Sandia National Laboratories

The cybersecurity of physical protection systems protecting radioactive material should apply the principles of a graded approach and Defense-in-Depth (DiD). Implementing and maintaining DiD for cybersecurity is challenged by the complexity and interconnectedness of the digital systems relied upon for both physical protection and radiation detection, coupled with zero-day (previously unknown or undisclosed) vulnerabilities such as CVE-2021-44228 (Apache Log4j). These risks can be treated through the application of ORS' Best Practices and the establishment of holistic Defensive Computer Security Architectures (DCSAs). Specifically, DCSAs provide protection against zero-day vulnerabilities and the attacks aiming to exploit them. Effective DCSAs are established through specification and implementation. The specification process results in DCSA requirements based on a graded approach. These requirements are applied to the boundaries of systems and networks that contribute to the protection of radioactive materials. DCSA specification needs to consider all digital systems and components that provide physical security of radioactive material, which includes security access and control, intrusion detection, and radiation monitoring systems. This requires a comprehensive assessment of the cyber interdependencies and interactions of these systems, which include (1) informational dependency, (2) engineering or physical resource dependency, (3) policy or procedural dependencies, and (4) proximity effects. This paper will discuss key analysis steps to specify a DCSA, taking into account these interdependencies between systems relied upon for the protection of radioactive sources, to enhance cybersecurity DiD.