Prototype Hardware and Software for the Secure Branching of Facility Instrumentation

Year
2014
Author(s)
Maikael A. Thomas - Sandia National Laboratories
Jay Brotz - Sandia National Laboratories
George Baldwin - Sandia National Laboratories
Abstract
The Enhanced Data Authentication System (EDAS) is a concept for branching measurement data from existing operator-owned instrumentation to a safeguards inspectorate. Requirements of both the facility operator and the safeguards inspector dictated the design and development of EDAS. EDAS does not modify or otherwise affect the original instrumentation signal, even with a loss of power or other failure. EDAS generates a bit-by-bit replica of the instrumentation signal that is pushed out over a separate “branch” to the safeguards inspector. The branched signal is digitally signed and encrypted using cryptographic algorithms approved by the U.S. National Institute of Standards and Technology. A branched signal originates from an EDAS junction box, 9.5 cm x 6.0 cm x 4.0 cm, inserted in the operator’s instrumentation signal line, close to the sensor. So as not to interfere with the original instrumentation signal line, various means are used to ensure effective isolation of the EDAS branch. Within the EDAS box, the operator’s signal line is continuous, but the device senses bidirectional digital data on the line through capacitive coupling. EDAS incorporates commercial-off-the-shelf (COTS) hardware components and open-source software; a BeagleBone Black embedded processor and the Ubuntu Linux operating system comprise the core platform driving the EDAS branch. The processor runs custom software that compiles the sensed data into packets, signs and encrypts each packet, and sends the packets using an Ethernet over USB network connection to a computer monitoring the branched data. EDAS client software, installed on the monitoring computer, receives these packets, decrypts, and authenticates the data. Flexible configuration of the branching software permits EDAS to accommodate varying data rates and burst characteristics of different sensors. Fault tolerance enables automatic recovery from system errors like loss of power or network connectivity.
Prototype units have been built and software developed to operate the branching system. Initial development testing at Sandia National Laboratories is complete. We are now preparing for field testing EDAS under a joint collaboration with the European Commission, both the Directorate-General for Energy (Luxembourg) and the Joint Research Centre (Ispra). The work is supported by the NNSA International Nuclear Safeguards and Engagement Program.
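The packet path the abstract describes (sense bytes on the line, compile them into packets, protect each packet on the branch, verify on the monitoring computer) is sketched below as an added example; it is not EDAS code and makes no claim about the actual EDAS packet format. To stay runnable with the Python standard library it substitutes an HMAC-SHA256 tag (NIST FIPS 198-1) for the digital signature and omits the encryption step; the key, the packet layout (sequence number, length, data, tag), and the sample sensed bytes are all constructed assumptions. The sequence number illustrates the fault-tolerance point: packets lost during a network outage show up as a counted gap rather than silently vanishing, and a replayed packet is rejected even though its tag is valid.

```python
import hashlib
import hmac
import struct

# Constructed demo key. Assumption: in a real branch the junction box would hold
# its own credential; this value is illustrative only.
BRANCH_KEY = b"example-edas-branch-key-not-real"
HEADER_LEN = 6   # u32 sequence number + u16 data length
MAC_LEN = 32     # HMAC-SHA256 tag


def build_packet(seq: int, sensed: bytes, key: bytes = BRANCH_KEY) -> bytes:
    """Frame one chunk of sensed line data as: seq (u32) | len (u16) | data | tag.

    The tag covers the header too, so a receiver detects a modified sequence
    number or length as well as modified data.
    """
    if len(sensed) > 0xFFFF:
        raise ValueError("chunk too large for 16-bit length field")
    header = struct.pack("!IH", seq, len(sensed))
    tag = hmac.new(key, header + sensed, hashlib.sha256).digest()
    return header + sensed + tag


class BranchClient:
    """Monitoring-side receiver: authenticates each packet and tracks sequence."""

    def __init__(self, key: bytes = BRANCH_KEY):
        self.key = key
        self.expected_seq = 0
        self.accepted = []   # authenticated data chunks, in arrival order
        self.rejected = 0    # bad tag, bad length, or replayed/duplicate packet
        self.gaps = 0        # packets never seen (e.g. lost during an outage)

    def receive(self, packet: bytes):
        if len(packet) < HEADER_LEN + MAC_LEN:
            self.rejected += 1
            return None
        header = packet[:HEADER_LEN]
        body = packet[HEADER_LEN:-MAC_LEN]
        tag = packet[-MAC_LEN:]
        seq, length = struct.unpack("!IH", header)
        if length != len(body):
            self.rejected += 1
            return None
        expected_tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected_tag, tag):
            self.rejected += 1
            return None
        if seq < self.expected_seq:
            # Valid tag but an old sequence number: replay or duplicate.
            self.rejected += 1
            return None
        if seq > self.expected_seq:
            # Packets were lost between the last accepted one and this one.
            self.gaps += seq - self.expected_seq
        self.expected_seq = seq + 1
        self.accepted.append(body)
        return body


def demo() -> BranchClient:
    """Run a constructed exchange: two good packets, one loss, one tamper, one replay."""
    # Constructed sample of bidirectional line traffic (not a real sensor protocol).
    sensed_chunks = [b"\x02ID?\r", b"\x06ID=EDAS-TEST\r", b"\x02RD?\r", b"\x06RD=12.34\r"]
    packets = [build_packet(i, chunk) for i, chunk in enumerate(sensed_chunks)]
    client = BranchClient()
    client.receive(packets[0])
    client.receive(packets[1])
    # Packet 2 is lost (simulated network outage); packet 3 arrives and is
    # accepted, with the gap recorded.
    client.receive(packets[3])
    # Tampered copy of packet 3: one data byte flipped, so the tag no longer matches.
    tampered = bytearray(packets[3])
    tampered[HEADER_LEN + 1] ^= 0x01
    client.receive(bytes(tampered))
    # Replay of packet 1: tag is valid, but the sequence number has already passed.
    client.receive(packets[1])
    return client


if __name__ == "__main__":
    c = demo()
    print("accepted:", c.accepted)
    print("rejected:", c.rejected, "gaps:", c.gaps)
```

Running `demo()` accepts three chunks, counts one gap (the lost packet 2) and rejects two packets (the tampered copy and the replay). A real branch would replace the HMAC with a signature over the same framed bytes and encrypt the framed packet before transmission, as the abstract describes; the sequence handling is unchanged by that substitution.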