Presented at INMM in July 1998 (26th-30th), in Naples, Florida.

ABSTRACT

The IAEA's transition from analog to digital surveillance data has opened the door to more efficient and effective data collection via a variety of communications methods—particularly in the area of remote monitoring. The transmission of this electronic data requires a system capable of 1) continuous operation in all environments, 2) flexibility to adapt to different communications methods, and 3) an ability to collect and store large amounts of data from a variety of sensors.

After reviewing lessons learned from initial remote monitoring field tests and the UN monitoring experiences in Iraq, the IAEA and Aquila jointly designed a communications server for remote monitoring applications. The server is capable of collecting data from a number of different sensors, including C&S and NDA systems, via standard computer interfaces; securely storing large quantities of data; and delivering this data through an automated process to IAEA Headquarters in Vienna or one of its field offices. The communications server is currently undergoing successful field tests in a number different countries. The server is also capable of an unattended mode of operations in areas where remote monitoring has not been implemented. This paper will discuss the advantages of this method of data collection and transmission and will examine the issues involved in securing this data.

INTRODUCTION

In January 1997, Aquila was given its first remote monitoring project for the IAEA which consisted of setting up a remote monitoring system for use in South Africa. Throughout the design of the project, the thrust was to use commercially available product to help reduce costs. The first remote monitoring system was installed in South Africa for field testing in the Spring of 1997 and consisted of a shipment of 19 boxes of equipment. During field tests many lessons were learned. The major lessons that are relevant to this paper are:

1. The commercially provided uninterruptible power supply (UPS) provided little protection and duration of operation for the harsh, lightning environment of South Africa.
2. Any system lock ups (computer, modem, etc.) required an Inspector to travel to the site, unseal the system, recycle power on the device and then re-seal the system.
3. In a crowded rack mounted configuration, space was not allocated for external devices required by the host country (modem, encryption devices, etc.).
4. Wiring additional devices into a commercial UPS became rather difficult when trying to account for the different power plug adapters requirements.

Taking into account the lessons learned above, the IAEA and Aquila jointly designed a communications server for remote monitoring applications. The Remote Monitoring Communications Server (RMCS) is a compact unit designed to supplement current and future IAEA Safeguards surveillance and monitoring sensors for remote monitoring applications. Incorporating the lessons learned from the initial installation in South Africa, the RMCS has been streamlined to include only the most essential components to meet the needs required by the IAEA. A standard RMCS system today consists of only four boxes of equipment; a significant reduction from the original shipment which consisted of 19 boxes.

The server provides a redundant, reliable, filtered power management system designed to provide uninterrupted alternating current (AC) and direct current (DC) power for more than three days of server and sensor operation when primary power is lost. The primary function of the server is to act as a secure, unattended data collection and transmission system. Data is collected from any Safeguards surveillance system capable of communicating through the industry standard interfaces (RS-232, RS-485, ethernet, etc.) available in the server's industrial Pentium computer via the Windows NT 4.0 Server operating system. The server provides extensive on-board digital storage for images or sensor provided data using multiple high capacity removable hard drives (9 GB in standard configuration for over 500,000 images; 27 GB in extended configuration for over 1.6 million images). In addition, a flexible suite of communications options including redundant telephone modems, ISDN terminal adapters, and a satellite X.25 pad can be used to facilitate remote transfers of data. The communications capabilities, coupled with extensive internal diagnostics, minimum moving parts, and redundant system design also allows timely remote identification and correction of most technical problems without the necessity of site visits.

HARDWARE

Power Management Subsystem

The power management subsystem uses a heavy duty mains transient suppresser to filter input power to a powerful commercial sine-wave inverter/battery charger connected to two high-capacity deep-discharge gel cell batteries. The circuitry is protected by self-resetting DC fuses, military specification circuit breakers, and a high-reliability back-up commercial battery charger. Output is in conditioned 12 Volt DC and conditioned mains AC matched to local mains voltage and frequency.

Server Computer Subsystem

The computer subsystem uses an industrial Pentium computer, from OR Computer Corporation of Germany, operating with the Windows NT 4.0 Server operating system connected to multiple SCSI high-capacity removable hard drives and an optional SCSI JAZ drive. Standard serial and ethernet interfaces are available for connection to external Safeguards systems. The RMCS also contains two external opto-isolated RS-485/232 converters configured for connecting serial RS-485 sensor systems, such as the Neumann DCM-14, to the computer. Additionally, the computer provides a stable, commercial-standard communications system able to filter most unnecessary or damaging noise entering through the communications channels.

Communications Subsystem

The communications subsystem is flexible to allow the most cost-effective use of locally available communications systems including analog telephone, ISDN, satellite, and internet (Frame Relay). The different systems connect to the Pentium server via the serial ports. Communication with other IAEA computers is established using the password protected Windows NT DES encrypted Remote Access Service (RAS). Specialized software provides automated data connection and downloading capabilities from Headquarters IAEA and the regional offices to the facility servers.

Container Subsystem

The container subsystem consists of those components necessary to protect the RMCS from attempted surreptitious entry, aid in emplacement, and facilitate remote operations.

RMCS Enclosure

• Tamper Indication: Blue powder-coated metal housing with dual twist locking rings
• Pass through holes in bolts and locking rings for IAEA E-Cup metal seals
• Tamper proof sealed hinges with grooved pivot pins
• Integral metallic overhangs to prevent cover opening if rear hinges removed
• Unit mounting: Lockable wheels or direct mount floor plates
• Enclosure size: Meets airline accompanied luggage shipping criteria

Externally Accessible Control Panel Keypad

• Resets: Single use codes for keypad to initiate IAEA directed hardware resets by facility operator

Internal RMCS Tamper Alarm

• Type: Doppler Proximity alarm (security specifics protected) for remote detection of opening

Computer Access Devices

• No local access devices connected; no floppy drive, keyboard, mouse or monitor on server for normal operations. (Devices attached by technicians during system maintenance)

SOFTWARE

DCMPOLL (DCMP32)

The DCMP32 polling program will operate as a stand-alone program under Windows NT Workstation or Server or as a service under Windows NT. It is designed to download images from the DCM-14 camera modules via the RS-485 party-line. The downloaded images can either be encrypted or unencrypted depending on how the operator initially set up the DCM-14 camera module.

DCM-SET

The DCM-SET program is a stand-alone program running under Windows 95, Windows NT Workstation or Server. It is intended to allow the operator to completely set up the DCM-14 camera module via either the onboard Service port or the RS-485 party-line. The RS-485 party-line mode also allows the operator to set up multiple DCM-14 camera modules.

Gemini Communications Server (GemCMSrv) Service

The purpose of the Gemini Communications Server (GemCMSrv) service is to provide a transparent utility to the user which will allow images downloaded from a DCM-14 system, a GEMINI system, or a MOS/MUX system to be sorted into separate subdirectories on the host computer running this software. GemCMSrv is the method of choice for data handling for several reasons:

1. Makes use of the service features of Microsoft Windows NT Workstation or Microsoft Windows NT Server. (This product will ONLY work with Windows NT Workstation or Windows NT Server.)
2. Any combination of GEMINI, DCM-14 and MOS/MUX images can be integrated into the same host computer.
3. Images are automatically sorted into separate subdirectories and are further sorted by health images (triggered by time) and alarm images (triggered by motion, external trigger, etc.)
4. Image file names will be renamed using the customized file naming convention determined by the IAEA.
5. Unique camera identification (ID) numbers can be assigned to each camera. This unique ID number is reflected in the file name of the image and allows for associating camera numbers to specific locations.
6. At the discretion of the IAEA and host country, image data can be stored on the RMCS in an encrypted format. This ensures that only properly cleared personnel can view the data at anytime provided they have the proper decryption keys.

GEMARC

The purpose of the GEMARC v1.3 program is to offer a simple method of archiving data stored on a data collection machine. This program will operate on either a Windows 95 or Windows NT (Workstation or Server) platform. Designed as a command line program, it can be scheduled to run using the AT Scheduler capabilities of Windows NT Workstation or Server.

UNATTENDED MONITORING MODIFICATIONS

The server is also capable of unattended operations by using an onboard high capacity JAZ drive upon which Safeguards data can be automatically copied for later removal by inspectors. This automated process of backing up the data to the JAZ drive has been incorporated into the Gemini Communications Server service. Exact copies of the data are transferred on a daily basis to the JAZ drive. An inspector merely has to remove the drive and insert another for the continuation of the data collection.

THE DATA COLLECTION PROCESS AND TRANSMISSION/COLLECTION

In normal operation, the image data is collected by the DCM-14, GEMINI, or MOS/MUX systems at a predetermined interval, tagged with an authentication token, and stored locally where the digitization process occurs (e.g. within the camera housing). In the case of the DCM-14 camera module, the polling program discussed above is run as a service on the RMCS. Images are collected via the RS-485 party-line, passed through an RS-485 to RS-232 converter on the RMCS and stored locally on the computer in a directory specified during the initial setup of the polling software.

Once the data is stored locally on the RMCS, the Gemini Communications Server (GemCMSrv) program, running as a service on the RMCS, watches the download directory for new images being deposited. When the GemCMSrv service detects new images, these images are renamed according to the naming convention determined by the IAEA, encrypted (if this option was set), and stored in a final data storage location. This predetermined location is identified during the initial setup of the GemCMSrv service and is based on the serial number of the camera and the unique camera identification number. Additionally, if the data is to be backed up to an external backup media (e.g. a JAZ drive), the specific location where the data will be backed up will also be identified during the initial setup of the GemCMSrv service.

After the data has been stored on the RMCS, it is now ready to be remotely collected by any authorized user (typically the IAEA and the host country). The data collection process is initiated at the user's machine and can be accomplished through either an automated or manual download process. For automated operations, the collection process is invoked using the AT Scheduler capabilities of Windows NT Workstation or Server. If manual downloading is preferred, the user must utilize the dial up networking capabilities of the Microsoft products. Once connected to the RMCS machine, the user can browse to the desired directory location as if they were connecting to a remote drive on their own local area network (albeit much slower). It is important to note that if the user manually connects to and browses the remote computer using Windows Explorer, the more files in the subdirectory the longer it takes to display them graphically on the remote computer. As such, the GEMARC program is used to archive the data by sensor directory by month. The result is a smaller number of data files in each subdirectory and a short length of time it takes the user to manually display those files under Windows Explorer. The GEMARC program is invoked either from the command prompt or by using the AT Scheduler capabilities of Microsoft Windows NT. In RMCS units deployed for field testing, the GEMARC program is scheduled to automatically run once per month.

In field tests to date, the primary method for downloading data from the RMCS machine is by using an analog telephone line. In some instances ISDN is the primary method for retrieving the data. The capability of the system to use other techniques to retrieve data is only limited by the technologies supported under Windows NT Server. As such, any data transport mechanism supported by Windows NT Server Remote Access Services (RAS) can be used in installations throughout the world.

SECURING THE DATA

Of primary concern to the IAEA and most host countries is the issue of the security of the data being transferred over international boundaries. This security concern was considered in the development of the RMCS. Specifically, all data is authenticated at the sensor location as a minimum. In the case of the DCM-14 camera module, the data can be encrypted at the camera prior to being transmitted to the RMCS for collection and storage.

The Gemini Communications Server service offers four levels of data encryption which help to ensure that only those individuals cleared to view safeguards confidential information for a country can do so. Each host country is given a set of keys to allow them access to the data agreed upon by the host country and IAEA. Each country officer is given keys allowing them access to the country data for which they are responsible. Each section head is given keys to allow them access to data for their entire section and the same applies to each director. In this pyramid method, no director can view data from another directorate over which he does not have responsibility but can view all the data from all sections for which he is responsible. The same applies at the section head level. No section head can use his/her keys to view data from another section. As such, key management is kept to a minimum and each director/section head can have confidence that only authorized individuals are entitled to view safeguards confidential data.

The data is stored on the RMCS in an encrypted format (assuming this option was selected during configuration). When an authorized user dials into the RMCS, the dial up connection invokes the Microsoft security features inherent in the Remote Access Service (RAS). The default setting for RAS requires the user's password to be encrypted using the MS-CHAP protocol. MS-CHAP implements the RSA Data Security Message Digest Four (MD-4) algorithm over PPP. By using this level of security, you can also require the data to be encrypted ensuring a secure communications link.

Finally, provisions have been made in the design of the RMCS to allow the incorporation of an external encryption device provided by either the IAEA or host country. This is based on lessons learned during the remote monitoring field test in South Africa in which an external encryption device was required by the host country.

SUMMARY

While the transition from analog to digital surveillance continues at the IAEA, the move toward collecting and distributing this data via remote monitoring applications proceeds at lightning speed. The requirements to operate in all environments, adapt to various communications methods and store large amounts of data in an efficient and effective manner has posed a significant challenge to the safeguards community. Reviewing past lessons and incorporating these changes has allowed for the development of a Remote Monitoring Communications Server (RMCS) that will be generic, yet robust enough to handle the needs of the safeguards community for future unattended and remote monitoring needs. With each successful field test and the integration of both image and NDA sensors, the confidence level by the IAEA and host countries in widely implementing remote monitoring applications continues to improve. The RMCS is a significant building block in the entire process.

¹ Matthew Strebe, Charles Perkins, and James Chellis, MCSE: NT Server 4 Study Guide, (Sybex Network Press, 1997), Pgs. 415-416.