ML19081A048
Public Meeting on NEI 18-08 - 3-7-2019 Rev B
Issue date: 03/07/2019
From: Michael Brown, NRC/NSIR/DPCP/CSB
To: Brown M
Michael Brown, NSIR/DPCP/CSB, Michael.brown@nrc.gov, ML19081A048, 3/7/19

  • Some licensees determined that kiosks were not CDAs (critical digital assets).
  • However, all were in agreement that kiosks, which protect the portable media attack pathway, need to be protected.
  • Confusion existed as to which controls need to be implemented.


As part of a phased implementation of cyber security controls, milestones 1-7 were issued in 2011 and inspected between 2013 and 2015 to ensure a level of protection at each power reactor until full implementation could be reached.

As part of this, the NRC issued initial guidance on the minimum protections to be placed on the kiosk, with the understanding that additional protections would be needed.


Beginning in 2017, full implementation inspections began with two pilot inspections.

When both of these inspections resulted in violations against kiosks, it became evident that additional guidance was needed.


Industry developed high-level key protections/security controls which, if implemented, would protect the kiosk:

- Account and Access Enforcement
- Application Whitelisting
- Review of OS Logs every 14 Days
- Admin / BIOS / Reboot Password Controls
- Physical Protection - PA and Key Control or E-5 Controls
- Ensure Kiosk User Interface does not Block OS Alerts
- Detection
  - SIEM Monitored (near-real-time), or
  - Whitelisting / Automated Kiosk Indication
- Training

As a result of this workshop, Industry developed NEI 18-08, Portable Media Scanning Stations/Kiosk Cyber Security Controls Evaluation Template, Rev. 0 to provide licensees with a method of addressing the high level controls from the NEI workshop and ensuring the kiosk is adequately protected.

Of course, the devil is in the details.

The NRC has reviewed NEI 18-08 and believes that, for it to serve as effective and complete guidance on kiosks, a few areas need to be addressed to resolve cyber security oversight issues identified during inspections and to incorporate additional guidance that has been issued.


Item 1 - P7, Section 1.1 Background

Change the wording of bullet 3, second sentence, to read:

In this guidance document, the term isolated network means a dedicated network that has no connectivity to any other network except through a deterministic device (e.g., a data diode) that only allows one way communication with a network at a lower defensive level for the purpose of communicating out-going alerts, alarms, and logs.


Item 2 - P12 - Mitigation of the Supply Chain Pathway

Delete the second paragraph and replace with:

Licensees should follow the guidance provided in NEI 08-09, Addendum 3, System and Services Acquisition Guidance. Specifically, kiosks that were installed in the plant prior to CSP full implementation have already been through the acquisition process and the associated licensee installation testing, so further action is not necessary to meet the E.11 requirements in the cyber security plan. The E.11.6 requirements for audits of kiosks, as applicable to previously installed kiosks, are part of the ongoing monitoring and assessment process. However, the E.11 controls apply to the purchase of new kiosks.


Item 3 - P14 - Control D1.2 - Account Management

Insert the following after the second paragraph:

If the kiosk has to be run with the ADMINISTRATOR account, all of the following additional controls should be implemented:

Application whitelisting should be installed.

User Account Control (UAC) is enabled. UAC requires administrative authentication prior to system and configuration changes.

A comprehensive end point protection product that provides independent Anti-Virus (AV) and monitors the OS for change is installed.

Kiosks are configured to provide a user identifiable indication if a service or application fails (e.g., Notification on the User Screen, System Reboot requiring Administrator action to login, audible warning, etc.).

A log review is performed biweekly, during AV updates, and after all unexpected reboots. (Note: this also affects the D1.5 and D1.6 controls.)
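The five compensating controls above are verifiable from the kiosk itself. The following is an added example, not code from the NRC slides or from NEI 18-08, of a read-only check an administrator could schedule as the biweekly review on a Windows kiosk that must run as ADMINISTRATOR. It assumes AppLocker is the whitelisting mechanism, Microsoft Defender is the endpoint protection product (another EPP would expose its own status query), and the review record is appended to a CSV under ProgramData; the 14-day window is the review period named in the text. Run it from an elevated 64-bit PowerShell session.

```powershell
# Added example, not NRC or NEI code: read-only verification of the compensating
# controls for a Windows kiosk that runs under the ADMINISTRATOR account.
# Assumptions: AppLocker provides whitelisting, Microsoft Defender is the EPP, and
# the review record is appended to a CSV under ProgramData. Run elevated.

$reviewDays = 14                      # review period named in the guidance
$recordPath = "$env:ProgramData\KioskReview.csv"
$findings   = @()

# 1. User Account Control must be on and must prompt; ConsentPromptBehaviorAdmin=0
#    means "elevate without prompting", which defeats the control.
$sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($sys.EnableLUA -ne 1 -or $sys.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'UAC disabled or configured to elevate silently'
}

# 2. Whitelisting: at least one AppLocker rule collection enforced (not AuditOnly)
#    and the Application Identity service running, otherwise the rules are not applied.
$policyXml = Get-AppLockerPolicy -Effective -Xml
$enforced  = [regex]::Matches($policyXml, 'EnforcementMode="Enabled"').Count
if ($enforced -eq 0 -or (Get-Service -Name AppIDSvc).Status -ne 'Running') {
    $findings += 'Application whitelisting not enforced (no enabled AppLocker collection or AppIDSvc stopped)'
}

# 3. Endpoint protection: real-time protection on and signatures no older than the
#    review period (Defender shown; a third-party EPP exposes its own status query).
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled -or $mp.AntivirusSignatureAge -gt $reviewDays) {
    $findings += "EPP real-time protection off or signatures $($mp.AntivirusSignatureAge) days old"
}

# 4. Log review input: unexpected shutdowns (System event 6008) and service crashes
#    (Service Control Manager event 7034) inside the review window.
$since  = (Get-Date).AddDays(-$reviewDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6008, 7034; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if ($events) {
    $findings += "$(@($events).Count) unexpected reboot/service failure events since $($since.ToShortDateString())"
}

# 5. Document the review whether or not anything was found.
[pscustomobject]@{
    Host       = $env:COMPUTERNAME
    ReviewedAt = Get-Date -Format 'u'
    Findings   = $(if ($findings) { $findings -join '; ' } else { 'none' })
} | Export-Csv -Path $recordPath -Append -NoTypeInformation

$findings | ForEach-Object { Write-Warning $_ }
```

The CSV row is the documentation the control asks for; a finding in any of the first three checks means the kiosk is running as ADMINISTRATOR without the compensating control that justified it, and should be taken out of service until corrected rather than noted for the next review. Because a kiosk user is not expected to read a console, the warnings are only the administrator's view; the user-facing indication on the kiosk screen is a separate control (see the D5.2 and E3.4 items later in this document).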


Item 4 - P17 - D2.5 - Response to Audit Processing Failures

Between "when" and "allocated", insert "an audit processing failure occurs or". The sentence should read: Ensure kiosks provide a warning when an audit processing failure occurs or allocated audit record storage space reaches a defined percentage of maximum audit record storage capacity, and ensure organization response.
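The revised D2.5 sentence asks for two triggers (an audit processing failure, or the audit store reaching a defined percentage of capacity) and two outcomes (a warning, and an organizational response). The following is an added example, not part of the NRC slides or of NEI 18-08, of how a Windows kiosk can satisfy both on its own. It assumes the Security log is the audit store, an 80 percent threshold, an event source named KioskAudit for the organization's response path, and a message box as the user-visible warning; the Windows event IDs for a full or failing security log are taken from Windows' own event documentation. Run elevated.

```powershell
# Added example, not NRC or NEI code: check whether the kiosk's Security log has
# reached a defined percentage of its maximum size, or whether Windows has already
# reported an audit processing failure, and raise a user-visible warning plus an
# event for the organization's response. The 80% threshold, the event source name
# and the use of the Security log as the audit store are assumptions. Run elevated.

$thresholdPercent = 80
$source = 'KioskAudit'

$log = Get-WinEvent -ListLog Security
$percentUsed = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)

# Security log events 1104 ("the security log is now full") and 1108 (the event
# logging service failed to process an incoming event) are Windows' own signals
# that audit processing has failed; look for them since the previous daily check.
$since    = (Get-Date).AddDays(-1)
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1104, 1108; StartTime = $since } `
                         -ErrorAction SilentlyContinue

$problems = @()
if ($percentUsed -ge $thresholdPercent) {
    $problems += "Security log at $percentUsed% of $([math]::Round($log.MaximumSizeInBytes / 1MB)) MB (mode: $($log.LogMode))"
}
if ($failures) {
    $problems += "$(@($failures).Count) audit processing failure event(s) in the last 24 h"
}

if ($problems) {
    # Organizational response path: a warning event a SIEM agent or the
    # administrator's biweekly review picks up (source is registered once).
    New-EventLog -LogName Application -Source $source -ErrorAction SilentlyContinue
    Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Warning `
                   -Message ($problems -join "`n")

    # User-identifiable indication on the kiosk screen, as the control requires.
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show(
        ($problems -join "`n") + "`nContact the kiosk administrator before scanning media.",
        'Kiosk audit warning')
}
```

The log mode is reported because it determines what "full" means: in Circular mode a full log silently overwrites the oldest records, so the percentage check is the only early warning; in Retain mode a full log stops auditing altogether, which is exactly the audit processing failure the control is written for. The threshold should be set so the warning fires before the biweekly review would otherwise notice.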


Item 5 - P17 - D2.6 Audit Review, Analysis and Reporting

Change the last sentence of the guidance to read as follows: For networked kiosks that provide real-time alerts to the designated official of inappropriate or unusual activity, log reviews are not required every 14 days, but the logs should be reviewed periodically (at least every two years) to ensure that the monitoring alerts have been appropriately set.


Item 6 - P19 - D5.2 - Host Intrusion Detection System (HIDS)

Change the wording of the second bullet to read: Kiosks are configured to provide a user identifiable indication if a service or application fails (e.g., notification on the user screen, system reboot requiring administrator action to login, audible warning). (Editorial)

Delete the third bullet.

Item 7 - P21 - E3.4 - Monitoring Tools and Techniques

Insert the following after the second bullet:

Kiosks are configured to provide a user identifiable indication if a service or application fails (e.g., notification on the user screen, system reboot requiring administrator action to login, audible warning).

User Account Control (UAC) is enabled. UAC requires administrative authentication prior to system and configuration changes.

Incident response procedures should evaluate addressing the loss of a kiosk and also actions to be taken if a Department of Homeland Security (DHS) alert or other credible source indicate targeted attacks on kiosks.

For kiosks that are networked the following additional controls would apply:

Network traffic should be monitored/analyzed, log files should be sent to a Security Information and Event Management (SIEM) system or other secured location, and the network should be evaluated for a Network Intrusion Detection System (NIDS) installation.

Item 8 - P21 - E3.7 - Software and Information Integrity

Insert the following: In addition, software and information integrity is ensured by performing the following:

- A comprehensive end point protection (EPP) product that provides independent AV and monitors the OS for change is installed; and
- Either an EPP, Windows data integrity scan, system file checker, or some equivalent product is run at least every two weeks to verify integrity, and the results are documented.

If kiosks are networked, the following should be evaluated for feasibility:

- Using centrally managed integrity verification tools
- Using automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification
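The E3.7 text names the Windows system file checker as one acceptable integrity tool, but it only covers protected operating system files; the kiosk's own scanning application and its configuration are what an attacker who got past the media scanner would most plausibly alter. The following is an added example, not code from the NRC slides or from NEI 18-08, of a biweekly check that runs sfc.exe in verify-only mode and compares the kiosk application directory against a SHA-256 baseline, then writes the documented result the control asks for. The application path, the baseline and report locations, and the reading of sfc's exit code (0 taken as no violations) are assumptions. Run it from an elevated 64-bit PowerShell session, since a 32-bit session cannot launch the 64-bit sfc.exe.

```powershell
# Added example, not NRC or NEI code: biweekly integrity verification combining the
# Windows system file checker (verify only) with a SHA-256 baseline of the kiosk's
# scanning application, with the result documented to a report file.
# Paths, the baseline format and the meaning of sfc's exit code are assumptions.

$appDir   = 'C:\KioskApp'                          # assumed kiosk application directory
$stateDir = "$env:ProgramData\KioskIntegrity"      # must not be writable by the kiosk user
$baseline = Join-Path $stateDir 'baseline.json'
$report   = Join-Path $stateDir 'integrity.log'
New-Item -ItemType Directory -Path $stateDir -Force | Out-Null

function Get-AppHashes {
    # One record per file under $appDir.
    Get-ChildItem -Path $appDir -Recurse -File | ForEach-Object {
        [pscustomobject]@{ Path = $_.FullName
                           Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
    }
}

function New-IntegrityBaseline {
    # First run, or after an approved change under configuration management.
    ConvertTo-Json -InputObject @(Get-AppHashes) | Set-Content -Path $baseline
}

function Test-IntegrityBaseline {
    # Returns one line per discrepancy: changed, missing, or unexpected new files.
    $expected = @(Get-Content -Path $baseline -Raw | ConvertFrom-Json)
    $current  = @{}
    foreach ($f in Get-AppHashes) { $current[$f.Path] = $f.Hash }

    $diffs = @()
    foreach ($e in $expected) {
        if (-not $current.ContainsKey($e.Path)) { $diffs += "MISSING $($e.Path)"; continue }
        if ($current[$e.Path] -ne $e.Hash)       { $diffs += "CHANGED $($e.Path)" }
    }
    foreach ($p in $current.Keys) {
        # A file that is not in the baseline (e.g. a dropped binary) is a discrepancy too.
        if (-not ($expected | Where-Object Path -eq $p)) { $diffs += "ADDED   $p" }
    }
    return $diffs
}

if (-not (Test-Path $baseline)) { New-IntegrityBaseline }

# System file checker, verify only (no repair); exit code 0 is taken as "no violations".
$sfc = Start-Process -FilePath "$env:SystemRoot\System32\sfc.exe" -ArgumentList '/verifyonly' `
                     -Wait -PassThru -NoNewWindow

$diffs = Test-IntegrityBaseline
$stamp = Get-Date -Format 'u'
Add-Content -Path $report -Value "$stamp host=$env:COMPUTERNAME sfc_exit=$($sfc.ExitCode) app_discrepancies=$($diffs.Count)"
$diffs | ForEach-Object { Add-Content -Path $report -Value "    $_" }
```

Each run appends one dated line (plus any discrepancy lines) to the report, which is the documentation the control requires and the evidence an inspector would ask for. For a networked kiosk, forwarding that report file to the SIEM or central server covers the two feasibility items above without changing the check itself; for an isolated kiosk the report stays on the kiosk and is read during the biweekly review. Any CHANGED, MISSING or ADDED line, or a non-zero sfc exit code, should be treated as a potential compromise until the administrator has confirmed it was an approved change.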

Item 9 - P22 - E5.1 - Physical and Operational Environment Protection Policies and Procedures

Delete the licensee's physical protection policy and the E5 guidance below it, and replace with the NEI 08-09, Revision 6, E.5 controls and the guidance provided in NEI 08-09, Addendum 4.

Delete E5.2 to E5.9 - Covered by section E.5 of the licensee's NRC-approved CSP and NEI 08-09, Addendum 4.

Item 10 - P23 - E10.8 - Least Functionality

Delete the guidance as written. Insert the following: This security control configures and documents the kiosk configuration settings to provide essential capabilities and prohibits, protects, and restricts the use of insecure functions, ports, protocols, and services. Automated mechanisms are documented and employed to prevent program execution.


Item 11 - P23 - E11.1 - System Services and Acquisition Policy

Delete the E11.6 requirements and insert the requirements in NEI 08-09, Revision 6, section E.11 of the licensee's NRC-approved CSP. The NRC staff has determined that implementing the guidance in NEI 08-09, Addendum 3, is one means of meeting these requirements.

Delete E11.6 - Licensee testing.