Key Russian regulation for cybersecurity of nuclear security systems goes public.
Nuclear security in Russia is governed by documents issued by regulatory bodies. Under Russian legislation, these documents, with rare exceptions, are public. They establish performance goals and define the critical mandatory requirements. More detailed technical guidance, however, is provided in regulations issued by "managing agencies," such as Rosatom or the Ministry of Industry and Trade, which oversees the nuclear shipbuilding industry. Most of these documents are not secret, but the managing agencies do not bother publishing them beyond industry distribution lists, since the legislation does not require it. As a result, we learn about such documents only occasionally.
Chepetsk Mechanical Plant (CMP), a Rosatom enterprise that manufactures non-nuclear materials for nuclear fuel assemblies and handles substantial amounts of natural and depleted uranium left over from its legacy production of uranium metal, announced the procurement of software for its access control and management equipment, including installation of the software and migration of the data needed for system operation into the updated system. The statement of work requires compliance with Rosatom's regulation "Physical Protection Systems of Nuclear Sites. Automated Physical Protection Systems. Protection of Information from Unauthorized Access. Requirements to Information Security" (the Requirements). The appendix to the statement of work contains the full text of this document. The Requirements were developed with U.S. financial and technical support and enacted by a Rosatom order in August 2011. While the document is not secret, this is the first time I have seen it published in a publicly accessible information system. This article provides a summary of the Requirements.
Physical protection system (PPS) developers must use this document to establish the information protection requirements for PPS, and inspection authorities must use it to control the status of PPS and the protection of PPS information. This regulation is developed based on the document establishing requirements for information protection issued by the Russian information security regulator (FSTEC – Federal Service for Technical and Export Control) and on the ISO/IEC 15408 standard “Information security, cybersecurity and privacy protection—Evaluation criteria for IT security,” which is also adopted as a national standard in Russia. The Requirements elaborate on these documents to apply their provisions to information protection in physical protection systems for nuclear sites.
The Requirements implement a graded approach to defining protection measures in any specific case. Protection measures are established depending on the consequences that unauthorized access to protected information would have for the security of the protected nuclear materials or vulnerable elements of the nuclear facility, and on the secrecy classification of the information handled in the PPS under the classification scheme established by legislation. According to the Requirements, equipment and software intended for use in a PPS must be certified for compliance with information protection requirements, and each specific system implemented at a nuclear site is subject to acceptance certification.
The Requirements allow two approaches to defining information protection requirements and certification for compliance. The first, the “classification” approach, follows requirements established by FSTEC. The second approach, the ISO/IEC approach, uses the concept of “protection profiles” and “security targets” introduced in ISO/IEC 15408.
The "classification" approach fits into the legacy prescription-based regulation widely accepted in the Soviet Union. Under this approach, a PPS is assigned to one of two protection classes. Classification criteria include the category of the protected area ("protected," "internal," or "vital"), the consequences of unauthorized action against protected information in terms of its impact on the security of the nuclear material and the site, and the secrecy of the information. The Requirements also provide a detailed outline of the PPS features that must be considered during classification. They further establish the technical and organizational measures that must be provided for the protection of Class 1 and Class 2 PPS and validated during the certification of components and the acceptance certification of the implemented system.
The ISO/IEC approach, known as the "Common Criteria," is more performance-based. Under this approach, protection requirements are defined in "protection profiles" and "security targets." A protection profile is a document, typically created by a user or user community, that identifies the security requirements for a class of security products relevant to that user for a particular purpose. A security target is a document specifying the security properties of a specific product that are subject to evaluation; the product is evaluated against exactly the security functional requirements stated in its security target. A security target can claim conformance to a protection profile, in which case it must address all of that profile's requirements. The vendor usually publishes the security target so that potential customers can determine which specific security features have been certified by the evaluation. The Requirements provide some guidance on applying the Common Criteria approach to information protection in PPS, as well as to component certification and system acceptance certification.
The Requirements provide a good understanding of Russian nuclear industry approaches to the cybersecurity of nuclear security systems.