Kryuchkov. Fundamentals of Nuclear Materials Physical Protection, 2011


Three processes are involved in checking the quality of work at different project stages: checks (reviews), debugging and testing. Checks and reviews take place at all project stages so as to identify errors as early in the development process as possible. Defects may occur at any project stage; for example, some of the required functions may be overlooked at the requirements review stage, or mutually incompatible requirements may be introduced.

Reviews and inspections are used to localize defects at the development stage. They are performed by teams of experts other than those directly involved in the development work in question. There is no fixed standard, so the resulting reports may take any form.

Testing and debugging take place during and immediately after the coding stage. Debugging differs from testing in that the programmer who debugs corrects any error found, whereas testing only records discrepancies. Testing begins during planning, the earliest design stage. As development proceeds, the software testing program is generated or updated for each stage. Unit testing takes place at the coding stage. After the product is completed, system testing is performed, which includes detection and correction of discrepancies. Finally, the software system undergoes user acceptance testing when it is installed for the customer. Final testing is documented. Practical evidence shows that testing, however careful, can never completely eliminate all the defects in real designs. Testing, on average, identifies about half of the existing errors. The rest are identified and, where possible, removed as late as the software maintenance stage. There are special firms in the USA that provide independent software testing services.

Commissioning of A&C systems

Deployment is a frequently used alternative term for this software lifecycle stage, which US experts regard as important. The following principles are identified that allow the process to run smoothly.

An appreciation of how important early and careful planning of the deployment process is. This is of special importance in the client/server environment. Keeping future deployment in mind at the design and testing stages helps avoid a great many painful problems that arise when a designed and carefully tested system fails to perform as efficiently as required in the real environment. The cause is that the system was debugged on other equipment: on more powerful computers or on a faster network.

There should be an understanding that deployment is a scheduled process and must not disrupt the normal course of business.

There should be one person responsible for the deployment.

One example illustrates the complexities involved in software deployment. It took Mitsubishi, California, two years to deploy a software product instead of the one year planned initially. This raised the cost of deploying the Oracle system to nearly 3 times that of the software development effort.

So what are the problems involved in software deployment? The major ones are:

Cost of network equipment, DBMS and so on.

No computer hardware and software standards on the client’s side.

Personnel training in new user interface standards.

Incorporation of software that changes standard work procedures.

Unfriendly users.

This leads to recommendations on how some of these concerns can be removed. The simplest and one of the most effective ways is to involve the actual users in the system creation process from its earliest phases. User training needs to start well in advance, with equipment and software standards phased in as system development proceeds (configuration management). The user must be a partner.

Deployment stages:

Analytical phase. This starts in parallel with the development of requirements and runs continuously until deployment begins. The following should be defined at this stage:

the user qualification level and the hardware/software available;

requirements for the parameters of existing computers;

the operating environment, and access and security control requirements;

the need for conversion of existing data;

roles, duties and costs for the maintenance phase;

whether new hardware and software should be acquired and license rights granted.

Construction phase. Hardware and software are acquired in this step. Data conversion systems are tested. User, operation and other manuals are compiled.

Training is a very important activity, given special emphasis in the USA. Timely training is essential: skills may be lost if acquired too early, while the user may not accept innovations if training comes too late. Fairly large expenditures are required (course preparation, training logistics).

Deployment phase. All documents are released, training is given, data is converted and the system begins to operate.

Closing phase. Responsibility for servicing the system is handed over.

Servicing, maintenance and decommissioning

Servicing is the personnel's activity of ensuring normal operation during the production stage. Servicing includes maintaining performance, data accessibility and information security, and fallback recovery.

Servicing a system requires dedicated personnel: systems administrators, database administrators, security experts, network administrators and operators.

Maintenance means the developer's activities in correcting errors and in upgrading and evolving the system after delivery to the customer. This is a very important activity. As analytical survey data shows, software maintenance in the USA accounts for 70% of corporate spending on software; only 30% is spent on purchasing new software. The following maintenance types are identified:

corrective (emergency and routine);

adaptive (new hardware and software as conditions change);

perfective;

preventive.

It should be remembered that any intervention in operating software carries the risk of introducing an error. This stage normally involves the minimum volume of testing, minor changes go undocumented, and the standards observed earlier are no longer followed. Hence the best strategy is to minimize maintenance, largely reducing it to emergency maintenance. User requests for system updates should be accumulated and lead to a new release of the system. Updates should be treated as new designs, with the maximum volume of testing and documentation for every update.

Where the cost of maintaining the system exceeds the gain from its operation, the time is ripe for decommissioning it. Normally, the existing system is replaced by a similar but more advanced system.

References

1. Industry standard. Hardware and software equipment of nuclear material accounting and control systems. General requirements. OST 95 10537-97.

2. Veske J. L., Gunderloy M., Chipman M. Access and SQL. Developer's Guide: Transl. from English. Moscow: Lori, 1997.

3. Fedorov A., Francis B., Harrison R. et al. Professional Active Server Pages 2.0. Wrox Press Ltd, 1998.

4. Gostekhkomissiya of Russia. Ministry of the Russian Federation for Atomic Energy. Guidance document. Requirements for protection against unauthorized access to information in automated nuclear material accounting and control systems. Moscow, 1997.

5. State Standard of the Russian Federation. GOST R ISO/IEC 15408-1-2001. Information technology. Security techniques. Evaluation criteria for IT security. Part 1. Introduction and general model.

6. State Standard of the Russian Federation. GOST R ISO/IEC 15408-2-2001. Information technology. Part 2.

7. State Standard of the Russian Federation. GOST R ISO/IEC 15408-3-2001. Information technology. Part 3.

8. Piskarev A. S., Shein A. V. On the status and prospects of using the Common Criteria for IT security evaluation in Russia to evaluate software used in MC&A systems. Proceedings of the 5th International Workshop "Development of the Federal Automated Information System for Accounting and Control of Nuclear Materials of Russia", Novouralsk, Sverdlovsk Region, 26–30 May 2003.

9. Fedoseev V. N., Mizin P. P., Shanin O. I. Problems and prospects of NM MC&A system development in Russia from the standpoint of system software. Proceedings of the 7th International Workshop "Development of the Federal Automated Information System for Accounting and Control of Nuclear Materials of Russia", Zvenigorod, 11–15 September 2006.

10. Gostekhkomissiya of Russia. Guidance document. Computer facilities. Protection against unauthorized access to information. Indicators of protection against unauthorized access to information. Moscow, 1992.

11. Zegzhda D. P., Ivashko A. M. Fundamentals of Information Systems Security. Moscow: Goryachaya Liniya – Telekom, 2000.

12. Russinovich M., Solomon D. Microsoft Windows Internals: Windows Server 2003, Windows XP and Windows 2000. Master Class. Transl. from English, 4th ed. Moscow: Russkaya Redaktsiya, 2005.

13. Wynkoop S. Microsoft SQL Server 6.5 ("V podlinnike" series): Transl. from English. St. Petersburg: BHV – Sankt-Peterburg, 1998.

14. Andreev A. G. et al. Windows SQL Server 2000. Russian version. Ed. by A. N. Chekmarev and D. B. Vishnyakov. St. Petersburg: BHV, 2003.

15. Schmidt V. Microsoft Visual Basic 5.0. Moscow: ABF, 1997.

16. Ivanova E. B., Vershinin M. M. Java 2, Enterprise Edition. Design and Development Technology. St. Petersburg, 2003.

17. Pospolit A. V. Visual Studio .NET: Database Application Development. St. Petersburg: BHV – Sankt-Peterburg, 2003.

18. Connell J. Visual Basic 6. Introduction to Database Programming: Transl. from English. Moscow: DMK, 2000.

19. Sceppa D. Microsoft ADO.NET: Transl. from English. Moscow: Russkaya Redaktsiya, 2003.

20. Erygin A. I., Kushnarev M. S. Integration of nuclear material accounting and control systems. Problems and prospects. Proceedings of the 7th International Workshop "Development of the Federal Automated System for Accounting and Control of Nuclear Materials of Russia". Zvenigorod, 11–15 September 2006.

21. Rumyantsev A. N. From accounting and control to management. The computerized MC&A system for NM, radioactive substances and radiation sources of the Russian Research Centre "Kurchatov Institute": the KIMAKS system // Novosti FIS. Information Bulletin, No. 5, 2004.

22. Kondakov V. V. Computerized Nuclear Material Accounting and Control Systems: Textbook. Moscow: MEPhI, 2001.

23. Kondakov V. V., Ozherelyev S. A. Operating experience and development prospects of the MEPhI nuclear material accounting and control system. Proceedings of the 7th International Workshop "Development of the Federal Automated System for Accounting and Control of Nuclear Materials of Russia". Zvenigorod, 11–15 September 2006.

CHAPTER 8

INFORMATION SECURITY OF COMPUTERIZED NM A&C SYSTEMS

8.1. Secure information processing systems

The integrity of information and the security of access to it are two of the critical aspects in the design and operation of automated nuclear material accounting and control systems. Information security is given top priority in NM A&C systems, which are established to handle national security information. Any intentional or unpremeditated loss, distortion or theft of information in these systems may have harmful effects, so the industry standard that regulates hardware support for NM A&C systems [1] requires every NM A&C system to have an information protection system as an integral part. Information protection must be ensured at all stages of an NM A&C system's operation through a combination of measures taken to prevent leakage of information, or influence on it, over technical channels, and to prevent premeditated software and hardware actions that violate the integrity of information being processed, transmitted or stored, or disable hardware.

Confidential information is handled on the basis of regulatory documents that govern the protection of national security information. The shift from processing paper documents to computerized handling of information demands that these requirements be fulfilled continuously. A computerized system intended to process classified data is expected to be organized as these documents require. Thus, one requirement is that user access to information in computerized systems be arranged as defined by the document's secrecy class and the officer's access level.
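The rule just stated, access governed by the document's secrecy class and the officer's access level, is the mandatory access control model of the Orange Book-style criteria the chapter refers to below. The following is an added illustration, not code from the textbook or from any NM A&C system: it assumes a constructed linear ordering of secrecy classes plus need-to-know compartments, and returns a decision together with a reason string suitable for an audit record. The officer and document labels in the scenarios are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple

# Constructed ordering of secrecy classes (assumption; a real system takes
# the classes from its governing regulatory documents).
class Secrecy(IntEnum):
    UNCLASSIFIED = 0
    RESTRICTED = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Secrecy level plus the set of compartments (need-to-know categories)."""
    level: Secrecy
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A label dominates another when its level is at least as high AND it
        # includes every compartment of the other label.
        return self.level >= other.level and other.compartments <= self.compartments


def may_read(subject: Label, document: Label) -> bool:
    """Simple security property: read only documents the subject dominates (no read up)."""
    return subject.dominates(document)


def may_write(subject: Label, document: Label) -> bool:
    """*-property: write only to documents that dominate the subject (no write down),
    so information cannot flow from a higher class to a lower one through the subject."""
    return document.dominates(subject)


def check_access(subject: Label, document: Label, operation: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Operations the policy does not know are refused, never allowed."""
    if operation == "read":
        allowed = may_read(subject, document)
    elif operation == "write":
        allowed = may_write(subject, document)
    else:
        return False, f"unknown operation {operation!r} refused"
    verdict = "granted" if allowed else "denied"
    return allowed, (f"{operation} {verdict}: subject {subject.level.name}/{sorted(subject.compartments)} "
                     f"vs document {document.level.name}/{sorted(document.compartments)}")


def demo() -> List[Tuple[str, bool]]:
    """Run constructed scenarios and return the (scenario, allowed) decisions."""
    officer = Label(Secrecy.SECRET, frozenset({"NM"}))          # accounting officer cleared SECRET, NM compartment
    inventory = Label(Secrecy.SECRET, frozenset({"NM"}))        # SECRET inventory record, NM compartment
    transport = Label(Secrecy.TOP_SECRET, frozenset({"NM"}))    # TOP SECRET transport schedule
    summary = Label(Secrecy.UNCLASSIFIED)                       # unclassified public summary
    other = Label(Secrecy.SECRET, frozenset({"NM", "CRYPTO"}))  # SECRET record in an extra compartment

    scenarios = [
        ("read SECRET/NM inventory", officer, inventory, "read"),
        ("read TOP_SECRET/NM transport schedule", officer, transport, "read"),
        ("read SECRET/NM+CRYPTO record", officer, other, "read"),
        ("write into UNCLASSIFIED summary", officer, summary, "write"),
        ("write into TOP_SECRET/NM schedule", officer, transport, "write"),
        ("delete SECRET/NM inventory", officer, inventory, "delete"),
    ]
    results = []
    for name, subj, doc, op in scenarios:
        allowed, reason = check_access(subj, doc, op)
        print(f"{name:42s} -> {reason}")
        results.append((name, allowed))
    return results


if __name__ == "__main__":
    demo()
```

Two design points matter for a confidentiality policy of this kind: the compartment check is a subset test, not a level comparison, so a SECRET officer without the CRYPTO compartment is refused a SECRET/CRYPTO record; and the pure *-property permits writing upward, so most real systems additionally confine writes to the subject's own level to protect the integrity of higher-class records.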

Electronic handling of confidential data involves extra factors which are potentially compromising to an information system. These factors are called security threats. Some security threats are inherited by computerized systems from conventional data processing systems, e.g. theft or disclosure of information. At the same time, however, computerization brings about new threats. These come from the fact that automation of data processing keeps humans away from direct operations with data carriers. Powers are delegated to computer programs which may disturb confidential data handling as the result of premeditated actions or program code errors. To be usable for automated confidential data handling, a computer system needs to counter security threats successfully.

Finally, Russia has a well-established system of information security standards. A system used to handle nuclear material data is expected to satisfy the criteria required by these standards, and its conformity is verified by qualification tests. There are also industry standards and guides in effect at the enterprise level; these contain requirements that must also be taken into account.

Therefore, a secure information processing system [2], specifically a computerized NM A&C system, should satisfy the following three requirements; that is, it is expected to:

automate confidential data handling processes, including all aspects thereof involved in ensuring security of the data processed;

counter security threats that act in a particular environment;

meet the requirements and criteria of information security standards.

Secure information processing systems should ensure information security. Information security, as understood by the expert community, is the state of protection of the information environment that ensures its formation and evolution in the interests of an organization or the state. Prevention of and response to information security threats is achieved through a combination of organizational, legal, technical and technological measures known collectively as information protection features.

8.2. Information protection in accounting and control of nuclear material

In recent years, the security of information technologies has been a growing concern, and analytical surveys show the damage from security violations increasing every year. Here are some figures to illustrate the level of damage from computer viruses over the past several years. The virus-caused damage was about 13 billion US dollars in 2001 and 20 to 30 billion in 2002, reaching 55 billion a year later. According to some estimates, the damage from the Mydoom virus in January 2004 was nearly the same. There is therefore every reason to speak of a crisis in the field of IT security.

The security crisis has its roots in the rapid evolution of information technologies and in security provisions lagging behind the technological advances, both in theory and in practice. The huge computational capabilities of modern computer systems are combined with their ease of use. The formation of the global information environment makes information resources accessible to a great number of users of differing skill. Most users are not competent enough to keep the security of their computer systems at the required level. Most computer-virus epidemics were possible because users failed to check their computers routinely, update antivirus databases and promptly install the operating system updates that eliminate disclosed software errors.

The advancement in computer technologies brings about an explosive development of software. Newly built and distributed software products often fail to conform to security requirements. One example is the software built by Microsoft, the world’s most powerful IT corporation. Microsoft’s operating systems (OS) and database management systems (DBMS) have somewhat limited information security features and feature a great deal of “undocumented capabilities”. These make it possible for intruders to infiltrate information systems via global networks, crack user passwords, give themselves arbitrary access levels and, ultimately, easily manipulate confidential information.

With the theoretical basis of information security lagging behind the technological advances and new security threats emerging continuously, most systems simply have their protection "patched" wherever loopholes are found.

The status of computer security is also strongly influenced by the existing national information security standards, which likewise lag behind the requirements imposed on the security of modern information technologies. The globalization of the information space has made it necessary to develop international security standards that standardize security requirements, the information security features that are made available, and the proper implementation of protection features.

A noteworthy fact is that state authorities and computer/software engineers are well aware of these concerns. Recent years have seen information protection placed in the forefront also in the promotion of new software. International computer security criteria were established and approved by the International Organization for Standardization (ISO) in 1999 [2, 3]. This standard has been in effect in Russia since 1 January 2004. Software developers seek to have their products certified under these criteria, which is expected to improve the information security level in general. Thus, in 2002, the Windows 2000 operating system was certified to these criteria, followed by distributions of the Linux operating system certified in 2003.

Russia, by and large, sees its information security technologies evolving in the stream of global trends. Still, some specific points exist. The country shows a slower pace of IT dissemination than economically developed countries. One explanation is that Russia was somewhat later than more developed countries in building its capability to develop commonly available information systems; the other is that most Russian people cannot afford to use information technologies for economic reasons. This, in turn, leads to slower development of regulatory documentation in the field of information security. Thus, the first data access security guidance documents of Gostekhkomissiya under the President of the Russian Federation [4–8] were adopted in 1992. The ideology of these documents was modeled after the US Department of Defense criteria known as the Orange Book, issued in 1983. Close to these is also a guide adopted in 1997 to regulate the security of information in automated NM accounting and control systems [9]. It was only in 2004 that the international criteria were adopted as standards in Russia.

Practically no dedicated classified data handling systems, such as operating systems and DBMSs, are offered on Russia's home market. The systems used as base software are beneath criticism in security terms. Often these are commercial systems for small business and office applications that cannot, in principle, be used for confidential data handling. The existing software security products can be used for some tasks, e.g. cryptographic ones, but cannot solve the problem as a whole.

A point concerning the security of information in accounting and control of nuclear material is that the use of foreign-made commercial base software to process national security information can hardly be considered normal. Governments in many countries therefore tend to give up imported software in favour of domestically developed software systems. One recent example is a number of countries having given up the use of Microsoft products for national and regional management and control purposes. Here, two solutions are possible. The first is to build domestic software on a home-developed platform. The second is to update the existing software by creating domestic information security systems (ISS) and incorporating them into the current systems under license agreements. The first approach is very costly, so the second concept has been adopted by the Ministry for Atomic Energy for implementation. As is known [3], in 2003 Microsoft made the source code of its operating systems available to authorized organizations in a number of countries as part of its GSP (Government Security Program). In Russia, such an agreement with Microsoft was signed by the Federal Agency for Government Communications and Information. Microsoft also announced that it would provide the required design documentation for appraisal in due course and enable program modules to be developed where the functional capabilities sought had not been realized in Microsoft products.

8.3. Threats to information security and countermeasures

Threats to information security are understood as factors that seek to disrupt the normal operation of a system. Threats may be purposeful (subjective) or random (objective). Russian standards focus chiefly on purposeful threats, that is, on information access security. Objective factors pose no smaller threat to the normal operation of information systems. Thus, a loss of information integrity due to an inadequately designed database may nullify the value of the existing data. Information may also be lost entirely as the result of a hardware breakdown unless special measures are taken to archive and back it up.

The following three broad classes of threat types are identified:

threats to confidentiality;

threats to integrity;

threats of denial of service.

Countermeasures to objective threats relate to the system reliability. Countermeasures to subjective threats are a key information security task.

Information security experts distinguish different kinds of influence that threats exert on a computerized information system: information, software, physical, and organizational and legal influences.

Information influences mean all kinds of unauthorized manipulations of database data. These include illegal access to data, theft and unauthorized duplication of information, concealment and premeditated corruption of information, as well as compromise of the handling technology and timeliness.

Software influences mean influences on the protected system through the insertion of malicious programs or hardware. These programs or devices are capable of performing undocumented functions that lead to theft or corruption of data. Foreign-made hardware and software products are used chiefly to build automated NM A&C systems, so the insertion of special "bugs" in them is very likely. Moreover, real cases of such insertions are known. The virus attacks on computers that are common today are one form of software influence.

Physical influences are implemented through the physical impact of various factors on computers, network components, data carriers and, ultimately, on the personnel operating confidential information and security systems. Physical threats, as evidenced by estimates from the US