Year
2011
Abstract
Data that will be used as a basis for drawing arms control and safeguards conclusions must be trusted to accurately represent the conditions at the facility or the integrity of the items being monitored in order for those conclusions to be credible. Automated measurement systems must also be trusted to give accurate results. Establishing this trust requires multiple layers of assurances that the equipment or data has not been compromised or altered. The equipment must first be authenticated to verify that it properly performs its functions and has no vulnerabilities or hidden features that would result in falsified results being reported. Once this has been done, the equipment must be properly protected from compromise to maintain confidence in its authenticity. Cables must be protected from the introduction of false signals, and data must be protected either physically or cryptographically to ensure that it is not altered. Recent attacks on cell phones and industrial controllers have raised awareness that equipment vulnerabilities and exploits are not limited to our desktop and laptop computers. Almost every instrument used in measurement and monitoring systems should be thought of as a computer that also makes measurements or performs other monitoring functions. All of these computers are potentially vulnerable to attack and compromise. The purpose of this paper is to present some of the methods used to establish and to maintain assurance of the authenticity and integrity of the equipment and data used for verifying arms control agreements and for monitoring systems used in international safeguards.
The topics covered include methods for establishing authenticity of equipment; "authentication by assumption", when this approach is justified and when it is not; why calibration should not be confused with authentication; hidden switches that can allow accurate results to be reported during calibration and falsified results during actual use; and how to establish "how good is good enough".
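The abstract states that monitoring data must be protected physically or cryptographically so that it cannot be altered without detection. The following is an added illustration, not code from the paper, of the cryptographic option: each measurement record carries an HMAC-SHA256 tag computed with a key provisioned into the instrument when it was authenticated, and the verifier rejects records whose tag does not match (altered or forged) and flags records whose sequence number is out of order (dropped, reordered or replayed). The key value, the instrument name, the field names and the readings are all constructed for the example. Note what the scheme does and does not cover: it detects alteration of data after the instrument produced it, but says nothing about whether the instrument itself reports honestly, which is exactly why the paper treats equipment authentication as a separate, prior step.

```python
import hmac
import hashlib
import json

# Hypothetical shared key, provisioned into the instrument and the verifier
# during equipment authentication (constructed value, not from the paper).
SHARED_KEY = b"example-key-provisioned-at-authentication"


def canonical_bytes(fields):
    """Serialize a record's fields deterministically so both sides MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_record(key, fields):
    """Instrument side: attach an HMAC-SHA256 tag over the canonical record."""
    tag = hmac.new(key, canonical_bytes(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "tag": tag}


def verify_stream(key, records):
    """Verifier side: check each record's tag, then its sequence number.

    Returns a list of (seq, status) with status one of:
      'ok'             - authentic and in order
      'tag_mismatch'   - altered in transit or forged without the key
      'sequence_error' - dropped, reordered or replayed record
    """
    results = []
    expected_seq = None
    for rec in records:
        fields, tag = rec["fields"], rec["tag"]
        seq = fields["seq"]
        expected_tag = hmac.new(key, canonical_bytes(fields), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(expected_tag, tag):
            results.append((seq, "tag_mismatch"))
            continue  # an unauthenticated record must not advance the sequence
        if expected_seq is not None and seq != expected_seq:
            results.append((seq, "sequence_error"))
            # Resynchronise past a gap, but never move backwards on a replay.
            expected_seq = max(expected_seq, seq + 1)
        else:
            results.append((seq, "ok"))
            expected_seq = seq + 1
    return results


def demo():
    """Constructed stream from a hypothetical portal monitor 'PM-01'."""
    readings = [(0, 12.4), (1, 12.6), (2, 12.5), (3, 41.9)]
    stream = [
        sign_record(SHARED_KEY, {"instrument": "PM-01", "seq": s, "value": v})
        for s, v in readings
    ]
    # Alteration: the elevated reading is lowered after signing, without the key.
    stream[3]["fields"]["value"] = 12.5
    # Replay: the genuine record with seq 1 is appended again at the end.
    stream.append(stream[1])
    return verify_stream(SHARED_KEY, stream)


if __name__ == "__main__":
    for seq, status in demo():
        print(f"seq={seq} {status}")
```

Running `demo()` yields `ok` for the first three records, `tag_mismatch` for the altered reading and `sequence_error` for the replayed record. The altered record is rejected on its tag alone, so the verifier never trusts its sequence number; the replayed record carries a valid tag, so only the monotonic sequence check catches it.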