Defensive Computer Security Architectures For Facilities With Radioactive Materials

Gregory A. Herdes - Apogee Group LLC, for National Nuclear Security Administration
Gregory K. White - Lawrence Livermore National Laboratory
Michael T. Rowland - Sandia National Laboratories
John A. Sladek - Canadian Nuclear Safety Commission
The cybersecurity of physical protection systems protecting radioactive material should be based on solid fundamentals. Defensive Computer Security Architectures (DCSAs) are a key element for the provision of defense-in-depth (DiD). Specifically, DCSAs provide protection against previously unknown or undisclosed attacks (e.g., zero-day attacks). Many Nuclear Power Plants (NPPs) have implemented DCSAs either as required to comply with regulatory requirements (e.g., NEI 08-09 Rev 6) or to adopt international best practices and standards (e.g., IEC 62645). Facilities with radioactive materials typically have fewer resources than NPPs and consequently may not be able to implement the same complex and expensive DCSAs as NPPs. Many facilities with radioactive materials may face some or all of these challenges: (1) they treat physical protection systems as a monolithic, single-zone system at one level of security, which precludes application of a graded approach or DiD; (2) they have multiple regulations and legal requirements (e.g., US Health Insurance Portability and Accountability Act (HIPAA), EU General Data Protection Requirements (GDPR)) that must be met; and (3) they may utilize contracted support for information technology and security, which involves risk transfer and sharing agreements that require appropriate management. Effective DCSAs are established through specification and implementation. The specification process results in the DCSA requirements based on a graded approach. These requirements are applied to the boundaries of systems and networks that contribute to the protection of radioactive materials. DCSA implementation involves the construction, operation, and maintenance of the DCSA. It is through implementation of the DCSA requirements that DiD is established. We will discuss the theoretical basis for DCSAs and propose a practical implementation of DCSAs and the graded approach for physical protection systems at facilities with radioactive materials.
We will describe how this was implemented in physical protection systems at facilities with radioactive materials that are supported by the National Nuclear Security Administration’s Office of Radiological Security. Finally, we will provide insights into the regulatory considerations of this approach, including considerations from the Canadian Nuclear Safety Commission, and provide an evaluation of the impact of the arrangements with contractors or outside organizations.