Background
Nuclear materials and facilities cannot be considered secure without the effective integration of interfaces between different aspects of security. Whereas physical security is concerned with provisions designed to prevent unauthorised access to facilities, and to protect personnel and property from damage or harm, cybersecurity is made up of technologies, processes and practices designed to protect networks, computers, and data from attack, damage or unauthorised access. However, because individuals in charge of security may have dissimilar backgrounds and employ different methodologies, they do not always work together as effectively as possible.
Modern physical security systems are fully digitised and often networked, to the point that they have become vulnerable to crippling attacks through cyber vectors, potentially opening the facility to physical intrusions. At the opposite end of the spectrum, some digital assets – such as control room terminals – may rely entirely on restricted physical access for their security. Many other systems are protected through a blend of physical and digital controls, requiring a careful balance and good understanding of synergies.
The effective security of nuclear materials and associated facilities also depends on understanding how physical and cyber assets are connected, and how the vulnerabilities of these assets could be exploited by both physical and cyber threats. When assessing security measures, the following questions need to be considered: what are the potential weaknesses of computer-based physical protection systems and how can they be mitigated? Who is responsible for responding to cybersecurity incidents, and how do they interface with response arrangements in case of physical intrusion? How robust is the IT infrastructure against physical attacks?
For a security programme, developing effective objectives, goals, methodologies and – even more importantly – a language that is shared across its sub-disciplines are the key elements to support the consistent integration and interoperability between its different aspects. At the highest level, all elements of security share the same goal: protecting the assets of a facility from compromise and attacks. The cultural and specific knowledge of physical and cybersecurity may differ broadly, and there are still relatively few specialists who have an in-depth understanding of both fields. Nonetheless, integration is the only path towards comprehensive security, and understanding the building blocks of both disciplines is the first step along that path.
Integration – while an undeniable challenge – should also be seen as an opportunity. It reduces costs, increases operational efficiencies, streamlines the management of security breaches in both domains, allows for more effective forensic investigations, and, crucially, puts the organisation in a stronger position to protect against current and future blended threats.
Objectives
The purpose of this webinar was to:
- Highlight the interdependence between physical and cybersecurity;
- Review cyber and physical threats and discuss how to develop a comprehensive threat picture;
- Explain some potential cyber vulnerabilities of physical security systems;
- Describe good practices for protecting physical security systems against cyber threats;
- Support the development of an integrated and comprehensive security programme.
Agenda
The agenda for this webinar consisted of selected speakers who are experts in their field.
- Introduction to the interdependence of physical and cybersecurity
- Examples of blended cross-discipline attacks
- Best practices in integration
- Focus: access control (biometrics, physical vs logical, attacks)
Our special guests for the webinar were:
- Paula Karhu - Principal Advisor at STUK - Radiation and Nuclear Safety Authority – Säteilyturvakeskus.
- Paul Smith - Senior Scientist with the Center for Digital Safety and Security at AIT Austrian Institute of Technology and a Visiting Researcher at Lancaster University, UK.
Process
Date: Thursday, 10 June 2021 at 10:00 AM (CEST)
Duration: 60 minutes
Language: English
Recording: The webinar recording is available here.
