Slides from a talk at the NATO Advanced Workshop on Preparedness for Radiological and Nuclear Threats

1. Talk
for
the
NATO
Advanced
Workshop
on
Preparedness
for
Nuclear
and
Radiological
Threats
Focusing on the Threats to the Detriment of the
Vulnerabilities: A Vulnerability Assessor’s Perspective
Roger
G.
Johnston,
Ph.D.,
CPP
Vulnerability
Assessment
Team
Argonne
Na=onal
Laboratory
630-­‐252-­‐6168
rogerj@anl.gov
hJp://www.ne.anl.gov/capabili=es/vat

2. This is a plea for more, earlier, better,
and more imaginative vulnerability
assessments for nuclear and
radiological security/safeguards
and emergency response.

3. Argonne Vulnerability Assessment Team
The
VAT
has
done
vulnerability
assessments
on
over
1000
different
security
and
safeguards
devices,
systems,
&
programs.
Sponsors
•
DOE
•
DoD
•
DOS
•
IAEA
•
NNSA
•
private
companies
•
intelligence
agencies
•
public
interest
organiza:ons

4. Argonne Vulnerability Assessment Team
• biometrics
• courier
bags
• GPS
spoofing
• access
control
• cargo
security
• reverse
engineering
• warehouse
security
• product
tampering
• product
counterfei=ng
• medical
device
security
• consul=ng
&
training
• physical
security
R&D
• security
guard
turnover
• insider
threat
mi=ga=on
• security
of
sealed
sources
• security
of
drug
test
kits
• human
factors
in
security
• vulnerability
assessments
• tamper/intrusion
detec=on
• RFID
spoofing/counterfei=ng
• tags
&
tamper-­‐indica=ng
seals
• microprocessor
&
wireless
systems
• elec=on
&
vo=ng
machine
security
• countermeasures
to
security
theater
• countermeasures
to
perceptual
blindness
• nuclear
safeguards
&
monitoring
equipment
• countermeasures
to
sleight-­‐of-­‐hand
&
misdirec=on

5. Definitions
Threat: Who might attack, why, when, and how,
and with what resources and probabilities.
Threat Assessment (TA): Attempting to
identify threats.

6. Definitions
Vulnerability: A security weakness that can be
exploited to cause undesirable consequences.
Vulnerability Assessment (VA): Discovering and
demonstrating ways to defeat a security device,
system, or program. Often includes suggesting
countermeasures and security improvements.

7. Things That Often
Get Confused with Vulnerabilities
² Assets
² Threats
² Attack Scenarios
² Delay Paths
² Features

8. Threats vs. Vulnerabilities
Threat Assessments (TAs) are speculations about
groups and people who may or may not exist, their
goals, motivations, and resources. TAs are often
reactive in nature, i.e., focused on past incidents.
Vulnerabilities are right in front of you (if you will
open your eyes and mind), and are often testable.
VAs are typically proactive in nature.
Oddly, however, TAs are usually
much more reproducible than VAs!

9. Purpose
The purpose of a VA is to:
1. Improve security or
emergency response.
2. Serve as one of the inputs to overall
Risk Management.

10. • list
of
assets
to
protect
• asset
valua=on/priori=za=on
• overall
security
goals
• consequences
of
successful
aJack(s)
• threat
assessment
• vulnerability
assessment
• available
resources
&
possible
security
measures
• general
security
philosophy/strategy
• psychological
tolerance
for
risk
• various
es=mated/guessed
probabili=es
• acceptable
tradeoffs
in
produc=vity
vs.
security,
reputa=on
vs.
security,
morale
vs.
security,
safety
vs.
security,
and
liberty/privacy
vs.
security
Modern
Risk
Management
• What
INPUT
PARAMETERS
OUTPUT
PARAMETERS:
to
protect
• How
to
protect
it
• How
à
to
deploy
security
resources
op=mally
DECISION
MAKING
PROCESS
Value
Judgments
Objec=ve
Analysis
Subjec=ve
Analysis
Experience
&
Exper=se
Intui=on
&
Hunches

11. Not the Purpose
The purpose of a VA is not to:
• “Validate”
• Pass a test
• Generate metrics
• Justify the status quo
• Praise or accuse anybody
• Check against some standard
• Claim there are no vulnerabilities
• Engender warm & happy feelings
• Test security or do performance testing
• Rationalize the research & development
• Apply a mindless, bureaucratic stamp of approval
• Endorse a security product or program, or certify it as
“good” or “ready for use”

12. Techniques Often Mistaken for VAs
• security survey (walking around with a checklist)
• security audit (are the rules being followed?)
• feature analysis
• threat assessment
• Design Basis Threat
• fault or event tree analysis (from safety engineering)
• Delphi Method (method for getting a decision from a
panel of experts)

13. Techniques Often Mistaken for VAs
• vulnerability “modeling”
• software assessment tools
• 3D representations of the facility
• CARVER Method (DoD & law enforcement)
• performance testing
• Risk Management
• delay path analysis

14. Vulnerabilities Are the Threat Maxim:
Security (and emergency response) typically fails not
because the threats were misunderstood, but because the
vulnerabilities were not recognized and/or not mitigated.

15. Vulnerabilities Trump Threats Maxim:
If you understand your threats but are clueless about your
vulnerabilities, you’re in trouble. One the other hand, if you
understand your vulnerabilities and try to mitigate them,
you might be ok, even if you get your threats wrong
(which is quite possible).

16. Examples of Vulnerabilities Being the Problem
• Hurricane
Katrina,
2005
• Breach
of
the
Y-­‐12
nuclear
facility
by
an
82-­‐year-­‐old
nun
and
two
other
protesters,
2012
• Target
stores
credit
card
hack,
2013
• White
House
fence
jumper,
2014

17. Michener’s Maxim:
We are never prepared for what we expect.

18. Waylayered Security Maxim:
Layered security will fail stupidly.

19. For 170 other security maxims:
https://www.scribd.com/doc/46333208/Security-Maxims-October-2014

20. So why are threats more popular
• There
than vulnerabilities?
are
fewer
threats
than
vulnerabili=es
• TAs
are
reproducible
&
reac=ve
• Formalis=c,
objec=ve
methods
work
fairly
well
for
TAs
• VAs
require
imagina=on,
subjec=ve
judgment,
and
“thinking
like
the
bad
guys”
• No
security
or
emergency
response
program
claims
zero
threats,
but
there
is
strong
cogni=ve
dissonance
about
vulnerabili=es
• Vulnerabili=es
depend
cri=cally
on
local
details

21. Thinking Like the Bad Guys
Bad Guys Don’t Do:
TAs, DBT, security audits, etc.
They do something closer to VAs.
So if we are going to predict what they
might do, we need to do creative VAs as
well!

22. Creative Vulnerability Assessments!
• Perform a mental coordinate transformation
and pretend to be the bad guys (or VAers).
(This is much harder than you might think.)
• Be much more creative than the
adversaries. They need only stumble upon
1 vulnerability, the good guys have
to worry about all of them.

23. Creative Vulnerability Assessments!
• Don’t let the good guys & the existing
security infrastructure and tactics define the
problem.
• Gleefully look for trouble, rather than
seeking to reassure yourself that everything
is fine.

24. We need to be more like these expert fault
finders. They find problems because they
want to find problems, and because they are
skeptical:
• bad guys
• therapists
• movie critics
• computer hackers
• scientific peer reviewers
• mothers-in-law

25. Where Vulnerability!
Ideas Come From!
The Vulnerability Pyramid

26. Warning!
“Fear of NORQ” is not a valid reason to try to
force-fit formalistic methods onto VAs!
The…
Non-­‐Objec=ve
Non-­‐Reproducible
Non-­‐Quan=fiable
NORQ
All
effec=ve
security
and
risk
management
is
ul=mately
subjec=ve,
no
maJer
how
much
we
may
wish
to
pretend
it
isn’t.

27. Emergency Response
Two Kinds of Vulnerabilities:
- flaws in the response
- vulnerability to attacks on the response
Are we properly prepared for attacks
during emergency response, attacks by
the original attackers or by a different
set of attackers?
(Wait & Pounce is a very
effective attack strategy!)

28. Nuclear & Radiological Security Problems
from a Vulnerability Assessor’s Perspective
• Poor tags & seals, poor use protocols, poor
tamper detection for monitoring and security devices
• Confusing inventory functions with security functions: why
GPS, RFIDs, MC&A programs often provide poor security
• VAs not done, not done early, not done iteratively, not done
well, not done by the right people
• VA myths & blunders
• Poor or not-existent Chain of Custody for procured
hardware & software

29. Warning: Chain of Custody
The
importance
of
a
cradle-­‐to-­‐grave,
secure
chain
of
custody:
Most
security
devices
(locks,
tags,
seals,
access
control
&
biometrics
devices,
monitoring
equipment,
etc.)
can
usually
be
compromised
in
~15
seconds,
at
the
factory
or
vendor,
on
the
loading
dock,
in
transit,
in
the
receiving
department,
before
or
aler
being
installed.
Most
“security”
and
nuclear
safeguards
devices
have
liJle
built-­‐in
security
or
significant
ability
to
detect
intrusion/tampering.

30. Nuclear & Radiological Security Problems
from a Vulnerability Assessor’s Perspective
• Security as a last-minute “Band-Aid”
• Lack of insider threat mitigation
• Lack of research-based practice
• Few countermeasures for groupthink & cognitive dissonance
• Compliance-Based Security and “Security by Obscurity”
• Confusing Safety & Security

31. Safety & Security are 2 Relatively Unrelated Problems!
Example: March 2012 Recall of 900,000
Safety 1st Push N’ Snap Cabinet Locks
140 reports of babies/toddlers defeating
the locks, resulting in 3 poisonings
Security: All about intentional nefarious adversaries.
Safety: No adversaries.

32. Problem: Lack of Research-Based Security Practice"
The Journal of Physical Security
A free, non-profit, online
peer-reviewed R&D journal
http://jps.anl.gov

33. For More Information…
rogerj@anl.gov
http://www.ne.anl.gov/capabilities/vat