
Talk for the NATO Advanced Workshop on
Preparedness for Nuclear and Radiological Threats

Focusing on the Threats to the Detriment of the
Vulnerabilities: A Vulnerability Assessor's Perspective

Roger G. Johnston, Ph.D., CPP
Vulnerability Assessment Team
Argonne National Laboratory
630-252-6168 rogerj@anl.gov
http://www.ne.anl.gov/capabilities/vat

This is a plea for more, earlier, better,
and more imaginative vulnerability
assessments for nuclear and
radiological security/safeguards
and emergency response.

Argonne Vulnerability Assessment Team

Sponsors:
DOE
DoD
DOS
IAEA
NNSA
private companies
intelligence agencies
public interest organizations

The VAT has done vulnerability
assessments on over 1000
different security and safeguards
devices, systems, & programs.

Argonne Vulnerability Assessment Team

biometrics
courier bags
GPS spoofing
access control
cargo security
reverse engineering
warehouse security
product tampering
product counterfeiting
medical device security
consulting & training
physical security R&D
security guard turnover
insider threat mitigation
security of sealed sources
security of drug test kits
human factors in security
vulnerability assessments
tamper/intrusion detection
RFID spoofing/counterfeiting
tags & tamper-indicating seals
microprocessor & wireless systems
election & voting machine security
countermeasures to security theater
countermeasures to perceptual blindness
nuclear safeguards & monitoring equipment
countermeasures to sleight-of-hand & misdirection

Definitions

Threat: Who might attack, why, when, and how,
and with what resources and probabilities.

Threat Assessment (TA): Attempting to
identify threats.

Definitions

Vulnerability: A security weakness that can be
exploited to cause undesirable consequences.

Vulnerability Assessment (VA): Discovering and
demonstrating ways to defeat a security device,
system, or program. Often includes suggesting
countermeasures and security improvements.

Things That Often
Get Confused with Vulnerabilities

Assets
Threats
Attack Scenarios
Delay Paths
Features

Threats vs. Vulnerabilities

Threat Assessments (TAs) are speculations about
groups and people who may or may not exist, their
goals, motivations, and resources. TAs are often
reactive in nature, i.e., focused on past incidents.

Vulnerabilities are right in front of you (if you will
open your eyes and mind), and are often testable.
VAs are typically proactive in nature.

Oddly, however, TAs are usually
much more reproducible than VAs!

Purpose

The purpose of a VA is to:
1. Improve security or emergency response.
2. Serve as one of the inputs to overall
Risk Management.

Modern Risk Management

INPUT PARAMETERS:
list of assets to protect
asset valuation/prioritization
overall security goals
consequences of successful attack(s)
threat assessment
vulnerability assessment
available resources & possible security measures
general security philosophy/strategy
psychological tolerance for risk
various estimated/guessed probabilities
acceptable tradeoffs in productivity vs. security,
reputation vs. security, morale vs. security, safety
vs. security, and liberty/privacy vs. security

DECISION MAKING PROCESS:
Value Judgments
Objective Analysis
Subjective Analysis
Experience & Expertise
Intuition & Hunches

OUTPUT PARAMETERS:
What to protect
How to protect it
How to deploy security resources optimally

Not the Purpose

The purpose of a VA is not to:
Validate
Pass a test
Generate metrics
Justify the status quo
Praise or accuse anybody
Check against some standard
Claim there are no vulnerabilities
Engender warm & happy feelings
Test security or do performance testing
Rationalize the research & development
Apply a mindless, bureaucratic stamp of approval
Endorse a security product or program, or certify it as
good or ready for use

Techniques Often Mistaken for VAs

security survey (walking around with a checklist)
security audit (are the rules being followed?)
feature analysis
threat assessment
Design Basis Threat
fault or event tree analysis (from safety engineering)
Delphi Method (method for getting a decision from a
panel of experts)
vulnerability modeling
software assessment tools
3D representations of the facility
CARVER Method (DoD & law enforcement)
performance testing
Risk Management
delay path analysis

Vulnerabilities Are the Threat Maxim:

Security (and emergency response) typically fails not
because the threats were misunderstood, but because the
vulnerabilities were not recognized and/or not mitigated.

Vulnerabilities Trump Threats Maxim:

If you understand your threats but are clueless about your
vulnerabilities, you're in trouble. On the other hand, if you
understand your vulnerabilities and try to mitigate them,
you might be ok, even if you get your threats wrong
(which is quite possible).

Examples of Vulnerabilities Being the Problem

Hurricane Katrina, 2005
Breach of the Y-12 nuclear facility by
an 82-year-old nun and two other protesters, 2012
Target stores credit card hack, 2013
White House fence jumper, 2014

Michener's Maxim:
We are never prepared for what we expect.

Waylayered Security Maxim:
Layered security will fail stupidly.

For 170 other security maxims:
https://www.scribd.com/doc/46333208/Security-Maxims-October-2014

So why are threats more popular
than vulnerabilities?

There are fewer threats than vulnerabilities
TAs are reproducible & reactive
Formalistic, objective methods work fairly well
for TAs
VAs require imagination, subjective judgment,
and thinking like the bad guys
No security or emergency response program
claims zero threats, but there is strong cognitive
dissonance about vulnerabilities
Vulnerabilities depend critically on local details

Thinking Like the Bad Guys

Bad Guys Don't Do:
TAs, DBT, security audits, etc.
They do something closer to VAs.
So if we are going to predict what they
might do, we need to do creative VAs as
well!

Creative Vulnerability Assessments!

Perform a mental coordinate transformation
and pretend to be the bad guys (or VAers).
(This is much harder than you might think.)

Be much more creative than the
adversaries. They need only stumble upon
1 vulnerability; the good guys have
to worry about all of them.

Creative Vulnerability Assessments!

Don't let the good guys & the existing
security infrastructure and tactics define the
problem.

Gleefully look for trouble, rather than
seeking to reassure yourself that everything
is fine.

We need to be more like these expert fault
finders. They find problems because they
want to find problems, and because they are
skeptical:

bad guys
therapists
movie critics
computer hackers
scientific peer reviewers
mothers-in-law

The Vulnerability Pyramid:
Where Vulnerability Ideas Come From

Warning!

Fear of NORQ is not a valid reason to try to
force-fit formalistic methods onto VAs!

NORQ: The Non-Objective, Non-Reproducible, Non-Quantifiable

All effective security and risk management is
ultimately subjective, no matter how much we
may wish to pretend it isn't.

Emergency Response

Two Kinds of Vulnerabilities:
- flaws in the response
- vulnerability to attacks on the response

Are we properly prepared for attacks
during emergency response, attacks by
the original attackers or by a different
set of attackers?

(Wait & Pounce is a very
effective attack strategy!)

Nuclear & Radiological Security Problems
from a Vulnerability Assessor's Perspective

Poor tags & seals, poor use protocols, poor
tamper detection for monitoring and security devices
Confusing inventory functions with security functions: why
GPS, RFIDs, MC&A programs often provide poor security
VAs not done, not done early, not done iteratively, not done
well, not done by the right people
VA myths & blunders
Poor or non-existent Chain of Custody for procured
hardware & software

Warning: Chain of Custody

The importance of a cradle-to-grave, secure chain of custody:

Most security devices (locks, tags, seals, access control &
biometrics devices, monitoring equipment, etc.) can usually be
compromised in ~15 seconds, at the factory or vendor, on the loading
dock, in transit, in the receiving department, before or after being
installed.

Most security and nuclear safeguards devices have little built-in
security or significant ability to detect intrusion/tampering.

Nuclear & Radiological Security Problems
from a Vulnerability Assessor's Perspective

Security as a last-minute Band-Aid
Lack of insider threat mitigation
Lack of research-based practice
Few countermeasures for groupthink & cognitive dissonance
Compliance-Based Security and Security by Obscurity
Confusing Safety & Security

Safety & Security are 2 Relatively Unrelated Problems!

Example: March 2012 Recall of 900,000
Safety 1st Push N Snap Cabinet Locks
140 reports of babies/toddlers defeating
the locks, resulting in 3 poisonings

Security: All about intentional nefarious adversaries.
Safety: No adversaries.

Problem: Lack of Research-Based Security Practice

The Journal of Physical Security
A free, non-profit, online
peer-reviewed R&D journal

http://jps.anl.gov


For More Information

rogerj@anl.gov
http://www.ne.anl.gov/capabilities/vat
