Risk-Informed Security: Summary of Three Workshops

Similar documents
Security Requirements for Spent Fuel Storage Systems 9264

Information Technology

How To Write A Cyber Security Risk Analysis Model For Research Reactor

Terrorist Protection Planning Using a Relative Risk Reduction Approach*

Spreading the Word on Nuclear Cyber Security

PRIORITIZING CYBERSECURITY

How To Improve Safety At A Nuclear Power Plant

Human Dimension in Cyber Operations Research and Development Priorities

Understanding Enterprise Risk Management. Presented by Dorothy Gjerdrum Arthur J Gallagher

REGULATORY GUIDE OFFICE OF NUCLEAR REGULATORY RESEARCH. REGULATORY GUIDE (Draft was issued as DG-1226, dated August 2009)

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

Business Continuity, Risk Management & Pandemic Planning

A Risk Assessment Methodology (RAM) for Physical Security

Introductions: Dr. Stephen P. Schultz

Enterprise Risk Management

WMD Terrorism Risk Assessment in the Department of Homeland Security. Why Risk Assessment? Probabilistic Risk Assessment

Best Practices to Improve Breach Readiness

Supplemental Tool: Executing A Critical Infrastructure Risk Management Approach

Establishing A Secure & Resilient Water Sector. Overview. Legislative Drivers

How to achieve excellent enterprise risk management Why risk assessments fail

GENERATING VALUE WITH CONTINUOUS SECURITY TESTING

Appendix V Risk Management Plan Template

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Security for Independent Spent Fuel Storage Installations (ISFSI)

How To Write A Book On Risk Management

A Regulatory Approach to Cyber Security

Fundamentals of Laboratory Biosecurity and Biosafety Risk Assessments

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

BUSINESS CONTINUITY PLANNING

Business Continuity for Cyber Threat

Module 6 Fire Probabilistic Risk Assessment (PRA) Methodology for Nuclear Power Facilities

2012/2013 Programme Specification Data. Engineering

Enterprise-Wide Risk Assessment

Using Vulnerable Hosts to Assess Cyber Security Risk in Critical Infrastructures

Integrated Risk Management:

RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES

The PNC Financial Services Group, Inc. Business Continuity Program

NRC s Program for Remediating Polluted Sites J.T. Greeves, D.A. Orlando, J.T. Buckley, G.N. Gnugnoli, R.L. Johnson US Nuclear Regulatory Commission

CARVER+Shock. Jeffrey J. Danneels Department Manager Sandia National Laboratories Albuquerque, NM

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Analyzing Risks in Healthcare. February 12, 2014

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Improving Residual Risk Management Through the Use of Security Metrics

Executive Director for Operations AUDIT OF NRC S CYBER SECURITY INSPECTION PROGRAM FOR NUCLEAR POWER PLANTS (OIG-14-A-15)

During the Clinton administration, the

Options for Cyber Security. Reactors. April 9, 2015

WORKSHOP Rethinking Cyber Security for Industrial Control Systems

OVERVIEW OF THE OPERATING REACTORS BUSINESS LINE. July 7, 2016 Michael Johnson Deputy Executive Director for Reactor and Preparedness Programs

NATIONAL NUCLEAR SECURITY ADMINISTRATION

Audit of NRC s Network Security Operations Center

NASA OFFICE OF INSPECTOR GENERAL

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS

Announcement of a new IAEA Co-ordinated Research Programme (CRP)

Security Vulnerability Assessment

Down the SCADA (security) Rabbit Hole. Alberto Volpatto

ESKISP Manage security testing

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

September 4, appearing before you today. I am here to testify about issues and challenges in providing for

Preparing for the Convergence of Risk Management & Business Continuity

Policy : Enterprise Risk Management Policy

Project Risk Management

Risk Management at Chevron

NIST Cybersecurity Framework & A Tale of Two Criticalities

Nettitude Ltd. (FHEQ) level 7] MSc Postgraduate Diploma Postgraduate Certificate. British Computer Society (BCS) Master s Degree in Computing

OECD PROJECT ON CYBER RISK INSURANCE

SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY

NIST Cybersecurity Framework What It Means for Energy Companies

One version of true: Improving Performance Metrics in Clinical Trials by Mark Donaghy, 2010

Metrics, methods and tools to measure trustworthiness

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

FERC Engineering Guidelines Risk-Informed Decision Making

Help for the Developers of Control System Cyber Security Standards

Cyber Security and the Board of Directors

Bradford J. Willke, CISSP

Cyber Security and Privacy - Program 183

Performing Effective Risk Assessments Dos and Don ts

Cyber Security R&D (NE-1) and (NEET-4)

ESKISP Direct security testing

OVERVIEW OF THE ADMINISTRATION S FY 2005 REQUEST FOR HOMELAND SECURITY By Steven M. Kosiak

Transcription:

Risk-Informed Security: Summary of Three Workshops N. Siu Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Presented at INMM/ANS Workshop on Safety-Security Risk-Informed Decision-Making Sun Valley, ID, USA; April 26, 2015 1

Workshops Risk-Informed Security Regulation Albuquerque, NM September 14-15, 2010 Risk-Informed Security Stone Mountain, GA February 11-12, 2014 Reducing the Risk Washington, DC March 17-18, 2015 2

Albuquerque Workshop on Risk-Informed Security Regulation (RISR) Overview Location (Dates): Sandia National Laboratories (September 14-16, 2010) Sponsor: USNRC/RES Objective: Identify opportunities for improving risk-informed security regulation Discussion groups PRA Large facilities and transportation Small facilities and transportation Design Basis Threat vs. Graded Security Protection Participants: 52 (National Labs, Government Agencies, Universities) Workshop summary report sensitivity level: OUO 3

Albuquerque Workshop on RISR Conclusions* Six areas of opportunity and associated recommendations Examine the initiating event and its uncertainties Utilize simulation tools to supplement current approaches Promote collaboration Take a long-term approach to cyber security Establish security metrics for regulation Consider a security risk analysis effort equivalent to WASH-1400 *See P. Pohl et al., Risk Informed Security Regulation (RISR) Workshop, presented to the INMM Risk Informing Security Workshop, Stone Mountain, GA, February 11, 2014. 4

Albuquerque Workshop on RISR Additional Observations Participants generally accepting of risk-informed concept, recognized commonalities Challenges Initiating event likelihood Dependencies Information sharing Alternate approaches to risk management Conditional risk Difficulty/consequence-based Simpler methods for small facilities Need to recognize different regulatory applications Field is dynamic ongoing developments may be helpful 5

Stone Mountain INMM Workshop on Risk-Informed Security Overview Location (Dates): Stone Mountain, GA (February 11-12, 2014) Keynote presentation: Commissioner G. Apostolakis (USNRC) Technical Sessions Safety/security risk approaches Material categorization Initiating events/attack frequency Vulnerability assessment simulation tools Cyber security Security risk management methods Participants: ~75 registered (National Labs, Government Agencies, Industry, Universities, International) Presentations http://www.inmm.org/risk_informed_security_workshop1.htm 6

Stone Mountain INMM Workshop on Risk-Informed Security Conclusions* Risk assessment is a useful tool to support security-related decision making Frameworks, methods, models, and tools exist and are being used There remain considerable uncertainties in key parameters (e.g., likelihood of attack) Useful to benchmark available simulation models to better understand how and where their results differ Need to avoid stovepiped analyses Need to better communicate results and insights of security-related risk assessments Alternative risk management approaches (e.g., fix vulnerabilities as they re identified, prioritize based on attack difficulty and consequences rather than risk) may be useful in practical applications. *See J. Rivers, et al., Risk Informed Security Workshop, Institute of Nuclear Materials Management (INMM) Annual Meeting, Atlanta, GA, July 20-24, 2014. 7

Stone Mountain INMM Workshop on Risk-Informed Security Additional Observations Keynote speech Risk-informed security should be a goal Need to identify/focus on important scenarios, avoid excessive conservatism There are many challenges and limited resources; need to start thinking Practitioners not necessarily enthused about assessing absolute likelihoods of initiating events but many (not all) still do it Virtues of systematic, integrated analysis with explicit consideration uncertainties well appreciated Integrate expertise from multiple disciplines Explicit assumptions Identify and explore large number of possibilities Generate potential surprises Facilitate benchmarking and validation 8

Washington, DC INMM Workshop on Reducing the Risk Overview Location (Dates): Elliot School of International Affairs, George Washington University (March 17-18, 2015) Keynote presentation: Dr. D. Huizenga (USDOE) Technical Sessions Perception of nuclear risk Global nuclear summit: the changing relations with Russia Reappraising nuclear security strategy Insider mitigation Cyber security Participants: ~45 (National Labs, Government Agencies, Industry, Universities, Public Interest, International) Presentations: will be available from www.inmm.org House rules: no attribution outside of workshop 9

Washington, DC INMM Workshop on Reducing the Risk Observations International interest in risk-informing safeguards as well as safety and security General agreement: need to use risk to focus on right things Sample viewpoints Probabilities can be used when data are available; otherwise put heavier weight on consequences. Explicit recognition of uncertainties and analysis transparency are critical. Scenario likelihood can be difficult to communicate. Important to communicate qualitatively, but easy to poke holes; need quantitative analysis. 10

Washington, DC INMM Workshop on Reducing the Risk Observations (cont.) Sample viewpoints (cont.) Terrorism is just another initiator. Regarding human behavior and insider threat, too many equations to solve. Focus on prevention. There is a significant amount of technical and behavioral data on (non-nuclear) insider threat, lots of observables. Need to be careful using incident data; potential problem with false positives. Risk = f(threat, vulnerability, consequence). Graded approach needed in cyber; need to figure out what critical digital assets matter. Need to distinguish between easy and difficult attacks. Threats are changing. Area is spending insufficient effort on biggest cyber risks. 11

A similar trajectory? Debate within NRR appears to have moved beyond whether risk insights should be integrated into NRR activities, to discussion of how and when to implement risk-informed approaches. - Wight, et al., 2002 E. Wight, L. Peterson, M. Caruso, A. Spector, S. Magruder, R. Youngblood, and K. Green, Report on Interviews and Focus Group Discussions on Risk-Informed Activities in the NRC Reactor Program, Prepared for Nuclear Regulatory Commission Under Contract No. NRC-03-00-003, 2002. (ADAMS ML022460161) 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information