Safeguards Hardware and Software Regulation


E. Katzenson, J. Kornell, “Safeguards Hardware and Software Regulation” Annual Meeting of Institute of Nuclear Materials Management (INMM), Atlanta, GA, USA, 24-28 July 2016.

Nuclear processing equipment relies on complex hardware and software. Software can be altered both by elements internal to the originating group and by externally-sourced insertions. Though discussed less, hardware can be hacked or altered in ways that are difficult to detect, either from within the manufacturer or by covert interdiction and modification. These are widely-acknowledged safeguards concerns. While barriers to greater transparency often come from national interests, some derive from manufacturers’ intellectual property protections. Short of full open source for both hardware and software, a good model of close regulation that nonetheless protects the proprietary interests of the manufacturer can be found in an unexpected place: Las Vegas slot machines. Five aspects of gaming machine regulation are of particular interest to safeguards: (a) all software is on file and any variation from the filed software is cause for immediate shutdown; (b) all computing hardware, including embedded processing chips, is on file, and similarly, variations in hardware are cause for shutdown and investigation; (c) equipment certification is done independently of the manufacturer, with no financial or other influence from the manufacturer on the regulatory procedures or results; (d) regulatory monitoring is constant and adequately funded, so inspections can occur at any time; and (e) the cultural bias is strongly toward clean and transparent operation, so regulators do not hesitate to order stops when justified by evidence. While the scale of the software and computing hardware for nuclear processing and verification is different, the need for commercial manufacturers to protect their proprietary systems can be reconciled both with the need for regulatory control and with the ability to quickly identify and isolate cyber attacks.