ML18227A182
| ML18227A182 | |
| Person / Time | |
|---|---|
| Issue date: | 08/15/2018 |
| From: | Kim Lawson-Jenkins NRC/NSIR/DPCP/CSB |
| To: | |
| References | |
| DG-5061, RG-5.71 | |
| Download: ML18227A182 (12) | |
Text
Revision of RG 5.71 (Draft Guidance 5061)
Kim Lawson-Jenkins Cyber Security Branch Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident Response 1
Reasons for revising RG 5.71
- RG 5.71 released in 2010
- Since 2010
- New NRC regulation
- Implementation of cyber security plans at licensees plants
- Milestone 1 - 7 cyber security inspections
- Addendums to NEI 08-09
- Work began on DG-5061 in spring 2016 2
Scope of Updates
- Clarify existing interpretation of regulations
- Based on lessons learned from Milestones 1 - 7 inspections
- Changes apply going forward
- New regulation since 2010
- Cyber security event notification
- New IAEA security guidance 3
Dependencies
- Resolution of SFAQs o Deterministic Devices o Data Integrity o Moving Data Between Security Levels o Treatment of Maintenance & Test Equipment
- Outcome of 2016 Table Top Exercises o Detection Response and Elimination o Monitoring and Assessment o Drills and Exercises
- NEI 08-09 Addendums 4
Staff Regulatory Guidance Asset Identification associated with 10 CFR 73.54
- Balance of Plant Equipment
- The importance of identifying attack surfaces and attack pathways in the analysis of digital systems 5
Staff Regulatory Guidance Protection of digital assets 6
Staff Regulatory Guidance Protection of digital assets
- Purpose of security controls
- Control intent added to Appendices B and C
- Reducing or eliminating attack surfaces and attack pathways Effectiveness of security measures
- Cyber security metrics
- What is being measured?
- Why is it being measured?
- What do the metrics mean?
7
Staff Regulatory Guidance The Big Picture Cyber Security Plan SSEP Perform CDA Applied To CDA functions CDA Security CDAs K Controls Knowledge of Continuously Attack Surfaces Monitored for and Pathways Effectiveness 8
Other Changes
- Defensive Architecture
- Glossary
- References
- Appendix A (CSP template) - only editorial changes 9
Appendices B & C (security controls)
DG-5061 NEI 08-09 Rationale for change/difference B.1.9 Previous Logon Notification Removed Intent covered in covered in control logging/audit controls B.1.11 Supervision and Review - Access Removed Intent covered in covered in Control control logging/audit controls B.1.14 Automated Labeling Removed Removed Intent is covered in C.1.3 Media control control Labeling/Marking B.3.5 Resource Priority Removed Removed Any safety requirements for resource control control priority would have precedence.
This control is usually applicable in the design phase of a digital device.
B.3.19 Thin Nodes Removed Removed This control would be covered in the control control B.5.1 Removal of Unnecessary Services and Programs.
B.3.20 Heterogeneity/Diversity Removed Different depending on safety or control security context.
B.3.21 Fail in a known state Removed Important for security control 10
Tentative Schedule
- Public Comment Period - 60 days
- Comments Resolution - late 2018
- Publication of RG 5.71 rev 1- early 2019 11
Questions 12