ML18227A182

From kanterella
Jump to navigation Jump to search
Draft Guidance 5061 Slides for Public Meeting
ML18227A182
Person / Time
Issue date: 08/15/2018
From: Kim Lawson-Jenkins
NRC/NSIR/DPCP/CSB
To:
References
DG-5061, RG-5.71
Download: ML18227A182 (12)


Text

Revision of RG 5.71 (Draft Guidance 5061)

Kim Lawson-Jenkins Cyber Security Branch Division of Physical and Cyber Security Policy Office of Nuclear Security and Incident Response 1

Reasons for revising RG 5.71

  • Since 2010

- New NRC regulation

- Implementation of cyber security plans at licensees plants

- Milestone 1 - 7 cyber security inspections

- NEI 13-10

- Addendums to NEI 08-09

  • Work began on DG-5061 in spring 2016 2

Scope of Updates

  • Clarify existing interpretation of regulations
  • Based on lessons learned from Milestones 1 - 7 inspections
  • Changes apply going forward
  • New regulation since 2010

- Cyber security event notification

  • New IAEA security guidance 3

Dependencies

  • Resolution of SFAQs o Deterministic Devices o Data Integrity o Moving Data Between Security Levels o Treatment of Maintenance & Test Equipment
  • Outcome of 2016 Table Top Exercises o Detection Response and Elimination o Monitoring and Assessment o Drills and Exercises

Staff Regulatory Guidance Asset Identification associated with 10 CFR 73.54

  • Balance of Plant Equipment
  • The importance of identifying attack surfaces and attack pathways in the analysis of digital systems 5

Staff Regulatory Guidance Protection of digital assets 6

Staff Regulatory Guidance Protection of digital assets

  • Purpose of security controls

- Control intent added to Appendices B and C

  • Reducing or eliminating attack surfaces and attack pathways Effectiveness of security measures

- What is being measured?

- Why is it being measured?

- What do the metrics mean?

7

Staff Regulatory Guidance The Big Picture Cyber Security Plan SSEP Perform CDA Applied To CDA functions CDA Security CDAs K Controls Knowledge of Continuously Attack Surfaces Monitored for and Pathways Effectiveness 8

Other Changes

  • Defensive Architecture
  • Glossary
  • References
  • Appendix A (CSP template) - only editorial changes 9

Appendices B & C (security controls)

DG-5061 NEI 08-09 Rationale for change/difference B.1.9 Previous Logon Notification Removed Intent covered in covered in control logging/audit controls B.1.11 Supervision and Review - Access Removed Intent covered in covered in Control control logging/audit controls B.1.14 Automated Labeling Removed Removed Intent is covered in C.1.3 Media control control Labeling/Marking B.3.5 Resource Priority Removed Removed Any safety requirements for resource control control priority would have precedence.

This control is usually applicable in the design phase of a digital device.

B.3.19 Thin Nodes Removed Removed This control would be covered in the control control B.5.1 Removal of Unnecessary Services and Programs.

B.3.20 Heterogeneity/Diversity Removed Different depending on safety or control security context.

B.3.21 Fail in a known state Removed Important for security control 10

Tentative Schedule

  • Public Comment Period - 60 days
  • Comments Resolution - late 2018
  • Publication of RG 5.71 rev 1- early 2019 11

Questions 12