ML19114A537
| ML19114A537 | |
| Person / Time | |
|---|---|
| Issue date: | 03/20/2019 |
| From: | Christina Antonescu Advisory Committee on Reactor Safeguards |
| To: | |
| Antonescu C | |
| References | |
| NRC-0219 | |
| Download: ML19114A537 (174) | |
Text
Official Transcript of Proceedings NUCLEAR REGULATORY COMMISSION
Title:
Advisory Committee on Reactor Safeguards Digital instrumentation and Control Systems Docket Number: (n/a)
Location: Rockville, Maryland Date: Wednesday, March 20, 2019 Work Order No.: NRC-0219 Pages 1-174 NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers 1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005 (202) 234-4433
1 1
2 3
4 DISCLAIMER 5
6 7 UNITED STATES NUCLEAR REGULATORY COMMISSIONS 8 ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 9
10 11 The contents of this transcript of the 12 proceeding of the United States Nuclear Regulatory 13 Commission Advisory Committee on Reactor Safeguards, 14 as reported herein, is a record of the discussions 15 recorded at the meeting.
16 17 This transcript has not been reviewed, 18 corrected, and edited, and it may contain 19 inaccuracies.
20 21 22 23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com
1 UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION
+ + + + +
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS)
+ + + + +
DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS SUBCOMMITTEE
+ + + + +
WEDNESDAY MARCH 20, 2019
+ + + + +
ROCKVILLE, MARYLAND
+ + + + +
The Subcommittee met at the Nuclear Regulatory Commission, Two White Flint North, Room T3B50, 11545 Rockville Pike, at 1:00 p.m., Charles H.
Brown, Jr., Chairman, presiding.
COMMITTEE MEMBERS:
CHARLES H. BROWN, JR., Chairman RONALD G. BALLINGER, Member DENNIS BLEY, Member VESNA B. DIMITRIJEVIC, Member WALTER L. KIRCHNER, Member NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
2 JOSE MARCH-LEUBA, Member HAROLD B. RAY, Member GORDON R. SKILLMAN, Member MATTHEW W. SUNSERI, Member ACRS CONSULTANT:
MYRON HECHT DESIGNATED FEDERAL OFFICIAL:
CHRISTINA ANTONESCU NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
3 1 P R O C E E D I N G S 2 1:22 p.m.
3 CHAIRMAN BROWN: The meeting will now come 4 to order. This is a meeting of the Digital I&C 5 Subcommittee. I am Charles Brown, Chairman of this 6 subcommittee meeting. ACRS members in attendance are 7 Dennis Bley, Walt -- where are you, Walt? Walt 8 Kirchner, Jose March-Leuba, Matt Sunseri, and who else 9 did I -- Myron Hecht, our consultant who is visiting.
10 Oh, and Ron Ballinger decided to attend also. Oh, 11 I forgot Dick. Sorry about that, Dick. Dick Skillman 12 is also with us. Christina Antonescu of the ACRS staff 13 is the Designated Federal Official for this meeting.
14 The purpose of the meeting is for the staff 15 to brief the subcommittee on cyber security oversight 16 program to date and lessons learned from the staff's 17 inspections. The ACRS was established by statute and 18 is governed by the Federal Advisory Committee Act 19 (FACA). That means the committee can only speak 20 through its published letter reports. We hold meetings 21 to gather information to support our deliberations.
22 Interested parties who wish to provide 23 comment can contact our offices requesting time after 24 the Federal Register notice is published. That said, 25 we also set aside 15 minutes for spur-of-the-moment NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
4 1 comments from members of the public attending or 2 listening to our meetings. Written comments are also 3 welcome.
4 The ACRS section of the U.S. NRC public 5 website provides our charter, bylaws, letter reports, 6 and full transcripts of all full and subcommittee 7 meetings, including all slides presented at the 8 meetings. The subcommittee will gather information, 9 analyze relevant issues and facts, and formulate 10 proposed positions and actions, as appropriate, for 11 deliberation by the full Committee.
12 The rules for participation in today's 13 meeting have been announced as part of the notice of 14 this meeting previously published in the Federal 15 Register. We have received no written comment and 16 requests for time to make oral statements as members 17 of the public regarding today's meeting.
18 As always, we have one bridgeline 19 established for interested members of the public to 20 listen in during the open session. Also, the 21 bridgeline will be open after the opening meeting 22 session to see if anyone listening would like to make 23 any comments.
24 The meeting will be open to public 25 attendance with the exception of portions that may be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
5 1 closed to protect information that is proprietary.
2 We have received no written comments and requests for 3 time to make oral statements from the public regarding 4 today's meeting.
5 A transcript of the meeting is being kept 6 and will be made available as stated in the Federal 7 Register notice. Therefore, we request that 8 participants in this meeting use the microphones 9 located throughout the meeting room -- actually, 10 there's only one -- when addressing the subcommittee.
11 The participants should first identify themselves and 12 speak with sufficient clarity and volume so that they 13 may be readily heard.
14 And then please silence all cell phones, 15 pagers, iPhones, iPads, and any other electronic 16 devices or appliances which you have.
17 We will now proceed with the meeting. I 18 would like to say that -- oh, Harold Ray also, another 19 member, has also joined the meeting.
20 I call upon Ms. Shana Helton to make some 21 introductory comments as Director of the Division of 22 Physical and Cyber Security Policy in the Office of 23 Nuclear Security and Incident Response for some 24 introductory remarks. Shana?
25 MS. HELTON: Thank you very much. It's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
6 1 a pleasure to be here addressing the ACRS today. With 2 me is Eric Lee and Jim Beardsley from my division, and 3 we hope that this will be a good opportunity to give 4 an overview of where we're at with the implementation 5 of the cyber program.
6 I recognize it's been quite a long time 7 since we've addressed the Committee. Back in the early 8 2010, maybe 2013 time frame I think was the last time 9 that we gave you an update. Around that time, we were 10 in the midst of implementing Milestones 1 through 7, 11 if you recall. We had eight milestones in our phased 12 implementation of the cyber security program. It was 13 a big lift for the industry.
14 We completed Milestones 1 through 7 in 15 2012, and we conducted inspections in 2013, 2014, and 16 2015 to verify that the most significant CDAs were 17 protected and licensees were properly installing the 18 deterministic data diode, which is very important, and 19 you'll hear from the staff about the diode, to isolate 20 the nuclear power plants from external networks.
21 Milestone 7 or, I'm sorry, Milestone 8, 22 for full implementation, was complete by most licensees 23 in December of 2017. We are actively inspecting the 24 implementation. We'll get into the details of that.
25 I think we've inspected about a third of the fleet NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
7 1 at this point. And so far, those inspections are going 2 very well. We have a contractor who assists us on those 3 to help bring some of the very specialized cyber 4 security expertise to the table. We've been working 5 closely with the regions and the regional inspectors 6 to get them familiar with the program, as well.
7 And you'll hear more about it, but, just 8 to tee it up, we are in the midst of a cyber assessment.
9 We feel that we've got enough of the inspections under 10 our belt with that first third of the industry having 11 been inspected under Milestone 8.
12 To pause, not pause because the inspections 13 are ongoing but to take the time now to have an 14 independent team look at what we've done from the rule 15 to the guidance to the oversight program, the entire 16 cyber program, and to see what lessons learned we can 17 gain. So today you won't hear the outcome of that.
18 That self-assessment is ongoing. We anticipate it will 19 be finished up in the June - July time frame and perhaps, 20 if there's interest, we could come back and talk about 21 some of our lessons learned and our planned activities 22 going forward. Maybe in the fall time frame we can 23 look for the right time.
24 Our goal today is to give a general overview 25 to cover where we are at with the cyber security NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
8 1 oversight program. Our remarks are going to focus on 2 the power reactors in general because that's the only 3 area that has a regulatory requirement for cyber.
4 We will give an update later in the meeting, 5 and there won't be a whole lot to say but we'll give 6 an update on the status of the fuel cycle facility 7 rulemaking. Not much going on there.
8 So for the following areas that we're going 9 to cover in the brief, we presume that these are of 10 the ACRS interest. This was our understanding from 11 the planning meetings. But if there's any questions 12 that you have, I'll just say that Eric and Jim are very 13 knowledgeable and we're here to give you the information 14 that you need. So if our agenda doesn't cover it, you 15 know, I hope that we can answer your questions on the 16 fly because we do have the right expertise in the room.
17 So with that, I'll just keep my remarks 18 very brief and get right to the presentation. But thank 19 you again. We look forward to having a good discussion 20 today.
21 MEMBER BLEY: Before you switch off --
22 MS. HELTON: Sure.
23 MEMBER BLEY: -- from what you said, are 24 there no requirements for cyber security for fuel 25 facilities?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
9 1 MR. BEARDSLEY: The post 9/11 orders for 2 the fuel facilities did include mention of cyber 3 security, but the details of that were not well defined.
4 MEMBER BLEY: Okay.
5 MR. BEARDSLEY: And I'll talk a little bit 6 about what --
7 MEMBER BLEY: I know it's not pressing now, 8 but it could be.
9 MR. BEARDSLEY: Sure. And we can talk 10 some more about that when we get to that point. We 11 can give you a little more background on where we believe 12 that's going to go.
13 MS. HELTON: The rulemaking effort, to 14 codify cyber requirements is, the rulemaking efforts 15 to codify those cyber requirements for fuel facilities 16 is not active right now.
17 MEMBER BLEY: Okay. And for me, if you 18 would, I've looked through the slides. A lot of it 19 looks very familiar. Some of our members weren't here 20 the last time we went through it. Could you highlight, 21 if you can, any areas where things have changed since 22 the last time you came to see us --
23 MR. BEARDSLEY: Sure. I can do that.
24 MEMBER BLEY: -- in the requirements or 25 others? And are you going to get into details on any NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
10 1 of the inspections? I think we'd be interested in that.
2 MR. BEARDSLEY: We will definitely talk 3 about the inspections, and we'll talk about, at a high 4 level at least, lessons we've learned so far and the 5 things we're doing about them.
6 MEMBER BLEY: Okay. Very good. Thanks.
7 MR. BEARDSLEY: Okay.
8 CHAIRMAN BROWN: Before you get started, 9 Jim, I'd like to highlight that Vesna Dimitrijevic has 10 also joined us.
11 MR. BEARDSLEY: Well, good afternoon. My 12 name is Jim Beardsley. I'm the Chief of the Cyber 13 Security Branch in NSIR's Division of Physical and Cyber 14 Security Policy. I've been the Cyber Security Branch 15 Chief for three years. Prior to that, I had an 16 extensive period of time in the NSIR as a force-on-force 17 team leader, so I have a very strong background in both 18 physical security and now in cyber security.
19 If there are questions about the program 20 that relate back to long before my time, I brought my 21 lifeline, Eric Lee, who has been our lead for cyber 22 security basically since we stood up the post 9/11 23 orders and instituted our cyber security oversight 24 program.
25 Based on the questions we received or the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
11 1 outline we received when we started preparing for the 2 brief, I'm going to try to follow this time line that 3 you see in front of you, this is the first set of it, 4 and base my remarks off the time line. So you're going 5 to see slides sort of like this repeated as we go through 6 the presentation, and I'm going to highlight where we 7 are as we've developed the program and the lessons that 8 we've learned.
9 Starting in 2001, after the terrorist 10 attacks, the NRC issued orders to all the licensees 11 and those orders included cyber security as a threat 12 but did not provide much guidance or detail on what 13 the licensees were supposed to do. Industry, the power 14 reactor industry undertook a voluntary program to 15 institute cyber security controls and try and put some 16 guidance in place. The staff went out and did 17 assessment visits to various licensee sites to assess 18 how well the cyber security program was being 19 implemented and, based on the results of those 20 assessments, decided to pursue rulemaking for cyber 21 security. That happened in concert with the update 22 of the design basis threat in 2007 where cyber security 23 was added as one of the five primary elements of the 24 DBT.
25 In 2009, the cyber security rulemaking was NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
12 1 completed and instituted. And throughout that time 2 period, the staff did work with industry and understand 3 what industry had, what efforts industry had put in 4 place, so we were observing industry and monitoring 5 what they were doing but we were also in the process 6 of instituting rulemaking to codify specific cyber 7 requirements and try and firm up a little bit better 8 what the licensees needed to protect.
9 So the next few slides are basically 10 cut-and-pasted right out of the cyber security rule, 11 10 CFR 73.54. I just want to briefly highlight it 12 because this helps provide context for basically the 13 entire breadth of our discussion.
14 So operating reactors and licensee 15 applicants must submit a cyber security plan. So that 16 was the first requirement, and by November of 2009 they 17 were all expected to submit their plans. Staff 18 reviewed their plans and eventually approved all of 19 the cyber security plans as a license condition to their 20 license. So the plans themselves, in addition to the 21 regulation and the rule, are specific aspects of their 22 cyber security implementation. And those cyber 23 security plans are somewhere on the order of 25 to 40 24 pages long, depending on the particular licensee.
25 The plans were based on a template that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
13 1 came out of an NEI guidance document, NEI 0809. And 2 that guidance document had been developed using the 3 NRC Reg Guide 5.71 as a rough basis. So the regulatory 4 guide provides guidance on cyber implementation. The 5 latter part of the regulatory guide is a template for 6 a cyber security plan. Most of the licensees elected 7 to use the NEI template versus the NRC template, and 8 there aren't a lot of significant differences between 9 the two but they did elect to use the NEI template, 10 and the staff reviewed and approved all of those cyber 11 security plans.
12 What became very apparent after the 13 implementation of the cyber security plans was that 14 the industry and staff recognized that the cyber 15 implementation was going to be very complex. There 16 was going to be a lot of elements to it, and I'll get 17 into the flow that came out of it. But we did divide 18 up cyber security into eight milestones, and the goal 19 of that was to help the licensees focus on the most 20 significant cyber digital assets or critical digital 21 assets in their initial implementation and then we would 22 give them, arguably, a little more time to implement 23 some of the other aspects of the program. But we 24 recognize that those specific aspects, those specific 25 subset of critical digital assets needed to be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
14 1 addressed.
2 MEMBER SKILLMAN: Jim, what is the 3 classification of the cyber security plan? Is it 4 safeguards?
5 MR. BEARDSLEY: It is for official use 6 only, security-related information.
7 MEMBER SKILLMAN: Thank you.
8 MR. BEARDSLEY: With the exception of the 9 aspects of cyber security as they apply to physical 10 security systems, those would be safeguards. But the 11 remainder of our cybersecurity implementation is either 12 public or OUO.
13 So as you see on the slide, the rule focuses 14 us on safety, security, and emergency preparedness 15 functions. And so as we've gone through 16 implementation, and I'm going to talk about how that 17 played out, those are the primary areas where we focused 18 our attention and the licensees have focused their 19 effort.
20 And then the bottom of the slide lays out 21 the protection requirements, so they must protect from 22 cyber attacks that adversely impact the elements listed 23 here. And, again, and you're going to see this on the 24 next two slides, the rule is very high level. So the 25 rule doesn't provide a lot of infinite detail. When NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
15 1 you get into the cyber security plans, there is 2 significantly more detail. But the breadth of a cyber 3 security program is so broad that, even with a specific 4 plan commitment, there's still a lot of, I'm not going 5 to say interpretation but there's a lot of elements 6 that need to be better understood that the licensees 7 have then taken sub-tier documents for implementing 8 procedures.
9 So as I get into talking about inspection, 10 one of the lessons we've learned is there's a lot of 11 documentation and a lot of requirements that inspectors 12 have to dig through to really truly understand the 13 licensees' implementation.
14 MEMBER BLEY: Jim, as you've begun to look 15 through the individual plans, have you found any cases 16 where the cyber security plan had conflicts with either 17 safety or EP?
18 MR. BEARDSLEY: We have not. So one of 19 the things we did look at initially in our inspection 20 program and we continue to look at as the safety -
21 security interface, it's one of the primary tenets we 22 use in physical security and we've used that same 23 construct as part of cyber security, and, in general, 24 we have not found any significant issues.
25 MR. LEE: Also, in the cyber security plan, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
16 1 if there's a conflict between safety and security, 2 they're supposed to take the safety first, rather than 3 security, and address the specific security issues 4 alternatively or with different means.
5 MEMBER BLEY: Find some way to integrate 6 them.
7 MR. LEE: Absolutely.
8 MR. BEARDSLEY: So this slide, this is 9 slide four, goes into a little bit more detail on the 10 protections and the methodology that the licensees are 11 required to use. And what I want to highlight on this 12 slide is at the bottom there it talks about applying 13 and maintaining defense-in-depth. So it's relatively 14 simple to look at putting a barrier up, and this is 15 the same philosophical approach we take in physical 16 security. You can put a fence, but, you know, if 17 someone was to be able to defeat that fence, you need 18 to have multiple layers and different aspects. And 19 we do this in both physical security and in safety.
20 Defense-in-depth is a very important aspect of what 21 we've gone.
22 In cyber security, what we've laid out as 23 a requirement for the licensees, and this is pretty 24 well defined in their cyber security plan, is the 25 concept of detection response and recovery or detection NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
17 1 response and elimination we call it. And so what we've 2 done is the licensees have to demonstrate to us through 3 the implementation of their plan and multiple controls 4 in their plan how they can detect, respond, and then 5 recover or eliminate, eliminate and recover from a cyber 6 attack. And that has become somewhat challenging in 7 some respects, and I'll talk about that as we get into 8 it. But there's pretty, there are multiple places in 9 their cyber security plan where they commit to 10 defense-in-depth and we have focused on that in our 11 inspections to make sure that there's no single answer, 12 that there's a multiple layered answer, so, if a cyber 13 attack was to get implemented, they understand the 14 requirements they have to make to identify and then 15 isolate the issue and then recover from it.
16 MEMBER BLEY: Jim, what kind of program 17 do you have on the staff and does industry have to track 18 and understand cyber security attacks in other 19 industries so that you can refer that information back 20 to make sure the plans are adequate?
21 MR. BEARDSLEY: That's a great question.
22 So the staff works closely with our intelligence branch 23 in NSIR to identify both classified and also 24 unclassified law enforcement information as it would 25 relate to a cyber attack. We also, the branch itself NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
18 1 works closely with our colleagues in the Department 2 of Homeland Security to track potential issues with 3 cyber attacks and, in particular, vulnerabilities.
4 But the industry itself, based on a law, has a 5 relationship with Department of Homeland Security that 6 the regulator is actually cut out of, and the reason 7 for that is they want -- and this is not just our 8 industry, this is multiple industries. Most regulated 9 industries have this established relationship with a 10 center of expertise in Department of Homeland Security 11 that allows that industry to feel comfortable to 12 dialogue back and forth with DHS, and the concern would 13 be is, if they potentially had an issue and the regulator 14 was involved, there's concern that that would mitigate 15 their communication with DHS. And we would prefer that 16 they have an open dialogue and make sure that they can 17 identify and resolve any potential cyber issues.
18 We do understand that, and we also 19 coordinate with both industry and DHS to understand 20 how that dialogue is playing out. And to date, we 21 haven't had any issues with the open discussion between 22 them, but the --
23 MEMBER BLEY: Has that mechanism been 24 exercised much between the --
25 MR. BEARDSLEY: It has, it has. And I'll NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
19 1 talk at the end of the presentation about a couple of 2 cyber incidents that have happened in our industry and 3 how the dialogue between the industry, the staff, and 4 Homeland Security played out and I can give you a little 5 piece of that.
6 But for the purposes of threat warning, 7 the way it's being viewed today is primarily the 8 responsibility of the Department of Homeland Security.
9 We understand threats, and we are prepared to send 10 out a security advisory if it's appropriate. But the 11 licensees, you know, either through their information 12 technology and/or their industrial control system cyber 13 security programs, have direct relationships with DHS, 14 as do all the critical infrastructure, and they're going 15 to get that information immediately. So we think 16 that's a pretty healthy relationship, and we're pleased 17 with the way that's working out.
18 MEMBER BLEY: The rule is high level enough 19 I have trouble imagining a scenario that would crop 20 up that wouldn't, you couldn't somehow say the rule 21 covers that. But in implementation, maybe it doesn't, 22 so I don't know if anything like that has occurred so 23 far.
24 MR. BEARDSLEY: That's a great question.
25 I'll talk about that as I get into some more of the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
20 1 mechanics of the rule. But there are some areas where 2 licensees, you know, have had cyber attacks that are 3 not reportable to us because of the cognizance of the 4 rule. I'll explain a little bit how that played out.
5 MEMBER BLEY: Thank you.
6 MR. BEARDSLEY: Okay.
7 CHAIRMAN BROWN: Before you leave that, 8 go back a slide, back one. You talk about 9 defense-in-depth and you say detect, respond, and 10 recover. A key element that we've emphasized, and 11 we've chatted about this before the meeting, was 12 isolate. In other words, you never have a door that 13 can be opened.
14 MR. BEARDSLEY: Sure, yes.
15 CHAIRMAN BROWN: And that's -- why isn't 16 that explicitly stated as part of one of your general 17 approaches from the defense-in-depth standpoint?
18 MR. BEARDSLEY: Well, I can't say how the 19 rule was written and why the rule was written. I'm 20 giving you the exact words out of the rule here. But 21 when you go into the licensee cyber security plan that 22 is part of their license, they do have a requirement 23 to provide a deterministic boundary device that 24 isolates the industrial control systems from the 25 internet, effectively, in a cyber attack. So that's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
21 1 a requirement. It's just not a requirement explicitly 2 stated in the rule.
3 CHAIRMAN BROWN: Okay. Go ahead.
4 MR. BEARDSLEY: And on this slide, we just 5 laid out a few more of the requirements, in particular 6 the training requirements. And the training is one 7 of the areas we do look at closely, we have in our 8 inspection program and we'll continue to, not only just 9 general training for the staff but also specific 10 training in areas like configuration management, change 11 management, and the operators who operate systems that 12 will make sure the licensees are conducting a big 13 picture review of potential cyber incidents.
14 So most of the licensees, in fact, I would 15 say all of the licensees we've inspected to date have 16 demonstrated that they have incorporated cyber security 17 into their change management processes across the 18 board. Any change they make, they have to check and 19 make sure that there's no impact on cyber security.
20 We think it's a very healthy program, and the industry 21 seems to have implemented that sufficiently.
22 CHAIRMAN BROWN: Maybe you get to this 23 later in a couple of slides. Do the programs account 24 for insider possibilities and detection? If I raise 25 anything that you shouldn't talk about in an open NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
22 1 meeting, just say so.
2 MR. BEARDSLEY: Sure, sure. Well, the 3 licensees have insider mitigation programs that are 4 instituted and inspected by the staff. And that's been 5 well documented in physical security inspection space 6 over the years, so we understand that. We also have 7 included the critical group, which are the folks who 8 are, part of that fitness for duty monitoring aspect 9 of insider mitigation. And the implementers of cyber 10 security programs, maintainers of cyber security 11 programs are all included in that critical group, so 12 anyone who has access to any critical digital asset 13 is required to be in the critical group and monitored 14 as part of their insider mitigation program.
15 MR. LEE: Additionally, in their cyber 16 security plan, there are a number of security controls 17 that monitors the unauthorized access and the logging 18 in, things of that nature. That's why we have the 19 detect and mitigate part in there, so there are a number 20 of controls in addition to this access control, to 21 address that particular issue.
22 MR. BEARDSLEY: Thank you. So at the 23 bottom of this slide, I highlighted the cyber security 24 program as part of physical security. If you look at 25 the way cyber security is structured in the regulation, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
23 1 10 CFR 73.55 which is our high-level physical security 2 requirement, that is a higher tier to 73.54. So 73.55 3 leads you to 73.54, and the staff has approached cyber 4 security implementation under the auspices of the 5 physical security program. So I just wanted to make 6 sure I highlighted that there because that's 7 fundamental to the way we've approached cyber security 8 as an entity.
9 MEMBER BLEY: Can I follow up on that --
10 MR. BEARDSLEY: Please.
11 MEMBER BLEY: -- insider question? Most 12 of the questions I've asked I can imagine solutions.
13 This one I have trouble imagining a solution. Suppose 14 an insider did do something to the software in the plant.
15 Is there anything within the plan that helps detect 16 oddly-functioning software along the way?
17 MR. BEARDSLEY: The specifics of the 18 defense-in-depth requirement in the cyber security plan 19 don't get down to a finite detail, but they do require 20 the licensee to identify deviations or malware, 21 something like that, within the system. So if, for 22 instance, if a licensee or if someone who didn't have 23 authorization tried to access to a critical digital 24 asset with a memory stick or trying to log in and change 25 the settings, licensees are required to have password NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
24 1 protection, they're required to have locks and alarms, 2 tamper seals and things --
3 MEMBER BLEY: These are all preventative.
4 MR. BEARDSLEY: These are all 5 preventative. So in --
6 MEMBER BLEY: Protection is what I was 7 asking.
8 MR. BEARDSLEY: But it all comes together.
9 So some of the assets are not high-functioning digital 10 assets, so they don't have a network or modern 11 information technology such that we could install 12 modern monitoring systems on them. In those cases, 13 the licensees have elected, because they understand 14 they have a requirement one way or the other, so in 15 those cases the licensees have used locks and alarms 16 and configuration management and work processes.
17 If the system is digital, and where we see 18 it the most, to be honest with you, is in the physical 19 security implementation system. Those are, in 20 general, newer systems, fully digital, based on network 21 technology. The licensees understand that they have 22 to have protection response and elimination there, 23 which includes network monitoring, host intrusion 24 detection, the kind of techniques they would use.
25 So if someone, for instance, walked in and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
25 1 tried to stick a memory stick into security computers, 2 it would either not be recognized because it's not part 3 of their system or there would be a cyber alert going 4 back to the cyber folks saying, hey, there's something 5 going on that's not authorized. So that is addressed 6 within the bounds of the cyber security plan.
7 MR. HECHT: Those are really for 8 TCP/IP-based systems, which are primarily information 9 systems.
10 MR. BEARDSLEY: Correct.
11 MR. HECHT: That's not going to occur 12 within the control or the safety side of the plant, 13 is it?
14 MR. BEARDSLEY: For those critical digital 15 assets that are network based, they have a requirement 16 to have virus protection, host intrusion detection.
17 They use whitelisting or blacklisting, depending on 18 how -- so there are techniques and tools that they've 19 installed. For those that do not, that don't have their 20 own ability to detect, you know, some kind of malfeasant 21 activity, the licensees have used other physical 22 security boundaries, work control processes, and things 23 like that to prevent someone from having access to the 24 systems.
25 MR. HECHT: So by network based, you mean NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
26 1 specifically TCP/IP network based, as opposed to field 2 bus-based systems, right?
3 MR. BEARDSLEY: Where a licensee can 4 install those monitoring systems, they would. Where 5 they can't because the technology doesn't exist, they 6 would have to use other techniques. But that doesn't 7 get them out of the requirement. They still have to 8 address the requirement one way or the other.
9 MEMBER BLEY: Systems, like the reactor 10 trip system and safeguard systems, are, they're custom 11 designed. They might feed data to a network, but they 12 are not network-based.
13 MR. BEARDSLEY: For most of the fleet we 14 have in place today, that's correct.
15 CHAIRMAN BROWN: All you have there is, 16 you don't have any internal mechanisms built into that 17 other than you're supposed to, the check zone and basic 18 redundancy checks, stuff like that, that you could 19 periodically verify, which would be difficult to modify 20 if you were doing something. You're largely relying 21 on access of control --
22 MR. BEARDSLEY: That's correct, that's 23 correct.
24 CHAIRMAN BROWN: There's no internal stuff 25 to mess up the trip system algorithms.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
27 1 MR. BEARDSLEY: That's correct.
2 CHAIRMAN BROWN: And they are not network 3 based. I'm just addressing Myron's thought because 4 he's right about the network stuff. There are other 5 systems where your controls are actually embedded in 6 a network, and there you do have concerns relative to 7 how somebody could get in and take control of it.
8 MR. BEARDSLEY: That's correct.
9 CHAIRMAN BROWN: Okay. Thank you.
10 MR. BEARDSLEY: So slide six takes us back 11 to the time line showing what has gone on since 2009.
12 Some of this I've already covered, but I'll just run 13 through it quickly.
14 So, again, in 2010, the NRC's Regulatory 15 Guide 571 was put in place and followed up with NEI 16 guidance document 0809. They are both reference 17 documents and a template for a cyber security plan.
18 The staff accepted NEI's document for use and, again, 19 most of the licensees used that template as the template 20 for their cyber security plans, which were subsequently 21 codified as license conditions.
22 In 2011, the staff agreed on a milestone 23 construct, so a phased implementation of cyber 24 security. And I'll talk a lot more in a couple of slides 25 about what that phased implementation was and the things NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
28 1 we put in place early vice those aspects that were a 2 part of Milestone 8 or full implementation, and I'll 3 give you details on that as we go.
4 I think the big thing here is licensees 5 all committed to have their initial milestones in place 6 by the end of 2012, and they all completed that. And 7 then the staff inspected that implementation between 8 2013 and 2015. So by 2015 we had inspected 100 percent 9 of the operating units, interim implementation 10 Milestones 1 through 7. We did identify a number of 11 deviations or differences between the staff's 12 expectation and industry's, and what we put in place 13 was a process where we inspected and identified findings 14 but we gave the industry -- what do we call it?
15 Discretion. So the inspectors used enforcement 16 discretion with the findings that we came up with, and 17 the reason we did that is it became clear that the 18 staff's expectation, the inspection team's expectation 19 of how a licensee would meet a requirement wasn't clear 20 to industry when they went and did their implementation.
21 So we cited them, and they had to make corrective 22 actions and fix those things. And none of them made 23 their programs completely ineffective, but there were 24 some implementation details the staff felt could have 25 been done in a different manner or using different NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
29 1 techniques.
2 MEMBER MARCH-LEUBA: So in that light, now 3 we're fully implemented since last year or two years 4 ago. How is it working? And let me give you more 5 specifics. When we discuss about this a couple of years 6 ago, there was a concern that the licensing would have 7 to spend so much time doing the paperwork for this other 8 plant and they wouldn't have time to implement it.
9 We were talking about you have 500 desktops, you have 10 to do two pages for each desktop or kind of cluster 11 it into 500 of the same.
12 MR. BEARDSLEY: Sure.
13 MEMBER MARCH-LEUBA: How did it work?
14 MR. BEARDSLEY: Well, it did create a lot 15 of paper. And when we, again, do inspections, we do 16 look through a lot of paper. So that all did happen.
17 But what, initially, the licensee is 18 committed to Milestone 1 through 7 by the end of 2012 19 and Milestone 8, the full implementation, by the end 20 of 2014.
21 All of the licensees subsequently 22 submitted license member requests to shift their full 23 implementation dates out. And most of them wound up 24 in December of 2017.
25 So they recognized that this, in fact, I NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
30 1 think the Staff recognized too, that the scope of work 2 was much greater than initially anticipated. And so, 3 while we were inspecting them, we also gave them the 4 relief to go do the solid job and complete the effort 5 that they had planned.
6 MEMBER MARCH-LEUBA: So the licensees are 7 still complaining about the effort or are they happy 8 they did it?
9 MR. BEARDSLEY: Well, they completed it, 10 so.
11 (Laughter.)
12 MEMBER BLEY: The same thing a little 13 differently?
14 MR. BEARDSLEY: Sure.
15 MEMBER BLEY: Back when we last talked with 16 you, as Jose was pointing out, the identification of 17 critical digital assets was the whole world. Anything 18 that could touch a network.
19 You had a line or two as an alternative 20 to use some kind of --
21 MEMBER MARCH-LEUBA: Plastic.
22 MEMBER BLEY: -- I'll say risk-based --
23 MR. BEARDSLEY: Sure.
24 MEMBER BLEY: -- structuring. By the time 25 they did Milestone 3 or 2, and identified all the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
31 1 critical assets, did they do the world or did they do 2 something focused that was defendable?
3 MR. BEARDSLEY: Well --
4 MEMBER BLEY: Was that all in place when 5 you did your inspection?
6 MR. BEARDSLEY: Let me go onto the slide.
7 That's a great question.
8 MEMBER BLEY: Thank you. You're welcome.
9 MR. BEARDSLEY: So, let's just talk about 10 the milestones. So the first thing the licensee had 11 to do was establish a multi-disciplinary team to go 12 identify the assets.
13 So it wasn't just cyber folks, it was 14 operations folks, maintenance folks, physical security 15 and information technology. Because we wanted to make 16 sure, and we still inspect those teams as part of our 17 inspection to make sure they have, including an 18 emergency preparedness as well, make sure they have 19 a multi-disciplinary team because no one in the plants 20 really understands all aspects of what they're doing.
21 So, they did the teams and then they 22 identified the assets. And initially, the licensees 23 had, initially we did not think the broad spectrum of 24 the assets was going to be as large as it is.
25 And there's two reasons for that. One, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
32 1 the true understanding of what a critical digital asset 2 was probably wasn't exactly well understood, both by 3 Industry and the Staff.
4 In the same time period, the NRC signed 5 a memorandum of understanding with the Federal Energy 6 Regulatory Commission to draw a line for cyber 7 cognizance. We called it the bright line agreement.
8 And so, NRC has cognizance over all digital 9 assets that are from the first intertie breaker and 10 the transformer yard, back into the system. There's 11 two reasons for that.
12 One is, the licensees had fear of being 13 dual regulated. And they didn't want to have to be 14 regulated and have to answer to two different 15 regulators.
16 And it also helped us define, clearly, what 17 were the licensees, because at the time, the NRC had 18 our rules in place and FERC CIP standards weren't quite 19 mature, so it helped the licensees understand, okay, 20 yes, we can get to work on these while we're waiting 21 for FERC to complete their CIP standards and what the 22 bulks power system would have to meet.
23 When we did that, we added about 70 percent, 24 somewhere between 70 and 80 percent more critical 25 digital assets. So the average unit in the fleet today NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
33 1 has about 2,000 critical digital assets.
2 And I'll talk a little bit more about what 3 we did about that in the future, but recognizing that, 4 the Staff implemented a risk assessment and a risk-based 5 methodology to reduce the number of controls that 6 licensees had to address for many, many of those assets.
7 And I can get into some more detail on that 8 as we go, but we did --
9 MEMBER BLEY: Has that been documented in 10 the guidance then?
11 MR. BEARDSLEY: Yes, that is documented 12 in NEI Guidance Document 13-10.
13 MEMBER BLEY: NEI document.
14 MR. BEARDSLEY: Which the Staff has 15 accepted for use. And the Staff was heavily involved 16 in that development. And the subsequent updates.
17 In fact, Eric is arguably one of the primary 18 authors of that document.
19 MEMBER MARCH-LEUBA: Is that the public 20 rule? I mean, I'm thinking it should be a safeguard 21 sensitive.
22 If I tell you I am going to protect laptop 23 but then I'm going to protect desktops, I know what 24 I need to attack.
25 MR. BEARDSLEY: Eric?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
34 1 MEMBER MARCH-LEUBA: Do you understand the 2 question?
3 MR. LEE: Yes. But it doesn't tell you 4 exactly, it provides a criteria by which a licensee 5 can use it, therefore it's not a --
6 MEMBER MARCH-LEUBA: The answer, if you 7 have thought about it and you have a, I don't need the 8 answer --
9 MR. BEARDSLEY: Okay.
10 MEMBER MARCH-LEUBA: -- I just want to make 11 sure you've thought about that.
12 MR. BEARDSLEY: Yes, we have. We have.
13 And so, the specifics are not in the document. The 14 methodology for making that determination is in the 15 document.
16 MEMBER MARCH-LEUBA: Okay.
17 MR. BEARDSLEY: Okay. So, Milestone 2, 18 download critical digital assets.
19 Milestone 3, implement a one-way 20 deterministic device. And that's a requirement in 21 their plan.
22 And that was inspected during the initial 23 milestones. And I'll talk a lot more about how that 24 played out and what those are as I go through it.
25 MEMBER BLEY: And really, the definition NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
35 1 of what that means?
2 MR. BEARDSLEY: Right. I will talk about 3 that.
4 MEMBER BLEY: Okay.
5 MR. BEARDSLEY: The next one, access for 6 portable media. This has become one of the major focus 7 areas of our program.
8 Because all these assets, almost all of 9 them, are going to require updates of some kind. Either 10 software updates, virus protection updates, something.
11 And so you have to have a program to screen those 12 updates and anything else that goes beyond.
13 So once you have a deterministic device 14 and build a wall, you have to be able to make sure nothing 15 can get around the wall. And so, I'll talk about how 16 that's implemented.
17 But those were all inspected in that 2013 18 to 2015 time frame.
19 MEMBER MARCH-LEUBA: We have heard from 20 one licensee that they inspect EPROMs when they come 21 into the plant.
22 MR. BEARDSLEY: They do.
23 MEMBER MARCH-LEUBA: They do?
24 MR. BEARDSLEY: They do.
25 MEMBER MARCH-LEUBA: And it's not just NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
36 1 laptop or cell phones --
2 MR. BEARDSLEY: Right.
3 MEMBER MARCH-LEUBA: -- USB drives, they 4 go to the EPROM?
5 MR. BEARDSLEY: Yes. Anything that's 6 identified as a critical digital asset. They have to 7 inspect, and they have specific requirements in their 8 cyber security plan and how they have to maintain 9 control of and test that equipment.
10 And we've spent a lot of time working with 11 Industry, both on a supply chain side and on a portable 12 media side to make sure that, because we recognize 13 that's probably the biggest vulnerability of the entire 14 program.
15 MEMBER MARCH-LEUBA: Yes. And I'm sure 16 they understand they have to do it, but my question 17 is, are they complaining too much?
18 Is this costing them on FTE or 150 FTEs 19 to implement?
20 MR. BEARDSLEY: Going back to your 21 question before, along the same lines. The licensees 22 did push back on some aspects of the program, and we 23 have worked with them to try and develop guidance to 24 be clear on what it is.
25 The bottom line is, they all went and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
37 1 implemented it. So the program is in place today.
2 So the hard work is done, and complaining or not, they've 3 done it.
4 The issue they have now, and this is one 5 of the reasons that Shana mentioned we're doing an 6 assessment is, what's the sustainability of the program 7 and did we miss something.
8 Did we either mischaracterize it in under 9 control and asset or did we put too many controls on 10 assets. And that's where we've really tried to work 11 with Industry to say, okay, show us how you implemented 12 and where did maybe the Staff's understanding and the 13 Industry's understand not quite be in sync.
14 MEMBER MARCH-LEUBA: The issue is 15 complacency, even on the TSA --
16 MR. BEARDSLEY: Sure.
17 MEMBER MARCH-LEUBA: -- at the airport.
18 They push bad guys with the guns and bombs through once 19 a month, so they stay vigilant.
20 MR. BEARDSLEY: Sure.
21 MEMBER MARCH-LEUBA: That might be 22 something to do.
23 MR. BEARDSLEY: And that's another area 24 where they're working Industry on as well.
25 MS. HELTON: Jim, and I'll just, and maybe NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
38 1 I'm jumping ahead, and I think we're going to cover 2 this in the presentation, but I think so far, we've 3 gotten a lot of positive feedback from the Industry 4 about the work that we're doing and the cyber 5 assessment.
6 Our team, our independent team that we have 7 conducting the assessment, are doing visits with 8 licensees to gather data. And I think so, yes, we're 9 well aware of the complaints in the past about the number 10 of analyses and the paperwork involved.
11 And I think there is a strong interest in 12 leveraging the assessment that we're doing to make 13 improvements to the program so it's a little more 14 efficient.
15 MEMBER MARCH-LEUBA: Nothing, yes, noting 16 teaches you the lesson as walking into your office and 17 seeing all these screens saying, your computer has been 18 ransomware.
19 (Laughter.)
20 MEMBER MARCH-LEUBA: You say ha --
21 MR. BEARDSLEY: That's right.
22 MEMBER MARCH-LEUBA: -- I need to avoid 23 this. And this has happened to me.
24 MR. BEARDSLEY: Sure.
25 MEMBER BLEY: Have you found much NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
39 1 variability plant-to-plant in how it's been 2 implemented?
3 MR. BEARDSLEY: There's some. It's 4 usually --
5 MEMBER BLEY: Does it do any synthesis that 6 more plants are --
7 MR. BEARDSLEY: Well, what Industry --
8 MEMBER BLEY: -- the Industry be sharing?
9 MR. BEARDSLEY: What the Industry did was 10 they, through NEI they established a cyber security 11 taskforce --
12 MEMBER BLEY: Yes.
13 MR. BEARDSLEY: -- that works very hard 14 to develop guidance and share lessons learned.
15 We do meet with the taskforce on a relative 16 routine basis, just so they can give us status on their 17 initiatives and then we can talk to them about where 18 we're going with whatever programs we have at the time.
19 We've continued to have those meetings.
20 It's become a little more challenging when Entergy and 21 NextEra like to delete NEI, but we've continued to 22 dialogue with Industry and make sure we're sharing 23 lessons, and they're sharing lessons. Because that's 24 an extremely important point.
25 Is there variation, there is definitely NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
40 1 variation. And I'll talk a little bit about some of 2 that variation as we go through. But none of it has 3 deviated from the core set of requirements.
4 So, Milestone 4, I'm talked about Milestone 5 5. This goes back to your insider question. It's the 6 monitoring of obvious tampering.
7 And so, they had to implement that program 8 for the digital asset, the subset of digital assets, 9 that they addressed in Milestone 1 through 7.
10 And then the final, Number 6, is applying 11 the controls. So we actually went through and looked 12 at, in detail, how they put controls in place for that 13 smaller 20 percent of critical digital assets that they 14 identified and protected in the first seven milestones.
15 And then the end, they had to implement 16 an ongoing monitoring assessment program. So, not only 17 did they have to put controls in place, but they have 18 to monitor and assess to make sure those controls 19 remained effective over time.
20 MEMBER BLEY: You said something of which 21 I was not aware. Several of the larger utility 22 companies have left NEI?
23 MR. BEARDSLEY: That's correct. Entergy 24 and NextEra are two of the larger entities, left NEI 25 --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
41 1 MEMBER BLEY: So, any of those programs 2 where NEI was coordinating things among utilities, 3 they're kind of out of the picture now?
4 MR. BEARDSLEY: Kind of. So, one of the 5 approaches is --
6 MEMBER BLEY: So even the flex equipment 7 kind of stuff?
8 MR. BEARDSLEY: Well, one of the 9 approaches that we've taken in cyber, I can't speak 10 to the NRCs overall cognizance of that --
11 MEMBER BLEY: Yes.
12 MR. BEARDSLEY: -- but, when we receive 13 a document from NEI for review, and subsequent approval 14 for use, we ensure that that document is going to be 15 publicly available. Or at least shared through an 16 Industry's standard group.
17 So there's an information technology 18 standards group that Industry has and they share all 19 their documentation through that. So, we verify that 20 those other two licensees have access.
21 MEMBER BLEY: That's good, but it's 22 bringing up other thoughts.
23 MR. BEARDSLEY: Sure. All right, I've 24 talked about this before. I talked about good faith 25 and inspection.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
42 1 And then in 2015, excuse me, in 2016, the 2 Staff followed up the Milestone 1 through 7 inspections 3 with problem of identification and resolution 4 inspections.
5 So, I said before there were a number of 6 findings at almost every site during the initial 7 inspection program. We did a follow-up at every site 8 in 2016 and early 2017, to verify that the corrective 9 actions have been put in place.
10 So we feel very comfortable that Milestone 11 1 through 7 is a robust implementation and it does 12 provide adequate protection for the sites.
13 So, let me just quickly run down, from a 14 regulatory guide 5.71 point of view, what the 15 requirement set sort of is.
16 First, they have to identify a team, as 17 I said before. They have to identify all the critical 18 digital assets.
19 And that's something that we focused our 20 early inspections on. And we did review in the 21 subsequent inspections, but we want to make sure they 22 did not have a robust list, but they had a methodology 23 for continuing to assess and identify critical digital 24 assets as they made changes to the programs.
25 The next one, implement the defensive NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
43 1 architecture. And my follow-on slide shows this 2 picture in the middle of a, this one, in a lot more 3 detail. But this is fundamental to the approach that 4 the licensees have taken.
5 And I think it goes back to Member Brown's 6 concern about isolation and building a wall. And I'm 7 going to tell you in a minute how licensees have done 8 that.
9 And then finally, they implemented the 10 controls. And so, again, we looked at the detailed 11 controls they put in place for those most risk 12 significant critical digital assets in the early part 13 of the program.
14 MEMBER MARCH-LEUBA: I love this figure, 15 but can you describe us this, you have four different 16 types of walls. One of them is of a diode, the other 17 one is probably a firewall.
18 Does it mean something or is it just a 19 pretty figure?
20 MR. BEARDSLEY: You're playing right into 21 my hand.
22 MEMBER MARCH-LEUBA: Okay, excellent.
23 (Laughter.)
24 MR. BEARDSLEY: So on this slide, Slide 25 9, I tried to breakdown, this is a generic topology.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
44 1 Not every licensee has divided up all of their levels 2 in the same way.
3 But for the most part, Level 0 is the 4 internet. Level 1 is protected by a firewall from the 5 internet, but that's a corporate network.
6 So for the larger companies that covers 7 multiple entities, not just nuclear sites but any of 8 their entities, they all have a firewall then between 9 that and the site network. So that's the specific 10 nuclear site.
11 Then all of the licensees have implemented 12 a data diode right in the middle. And that meets that 13 one-way deterministic device requirement that they have 14 in their cybersecurity plant.
15 The way data diode works is, it's a hardware 16 based tool that is basically laser implemented. So 17 it's a --
18 MEMBER BLEY: So the light can only go from 19 here to here.
20 MR. BEARDSLEY: Right. They only have a 21 laser that fires from the high side to the low side.
22 So you can't physically send any information the other 23 direction.
24 MEMBER BLEY: They're all using the same 25 kind of device?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
45 1 MR. BEARDSLEY: Well, there's only two 2 vendors in the U.S. that they're using.
3 MEMBER BLEY: Oh, I didn't know that.
4 MR. BEARDSLEY: And those vendors are 5 heavily implemented within the DoD and the U.S.
6 intelligence community. So, we feel comfortable based 7 on our dialogue with those communities, that these are, 8 these tools are going to do the job.
9 And if there was ever an issue with them, 10 big U.S. government would have a much bigger problem 11 in our Industry, and we would follow along with those 12 issues. So, we feel pretty comfortable with that.
13 So, as you move up the levels, Level 3 and 14 Level 4 are a mix of physical security and safety 15 systems, depending on how the licensee elected to do 16 their implementation. And they've documented in their 17 cybersecurity plans the specific aspects of that. So 18 not every licensee is the same.
19 The other aspect of this that is different 20 is, if a licensee is not part of a large corporation, 21 there isn't a Level 1. They go right from Level 0 to 22 Level 2 because there is no corporate network for it 23 to go to.
24 So, a lot of people have asked why even 25 have a data diode, why not just have an island and put NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
46 1 all of those Industry control systems upstream in the 2 island and you can't get anything there.
3 What we have found over time is the 4 licensees that implemented their requirement for 5 ongoing monitoring and, the question you asked before 6 about, that alerting and making sure that any 7 malfeasance that would happen on the systems gets 8 identified.
9 Many of the sites don't have someone, a 10 cyber person onsite 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> a day, 365 days a year.
11 Especially the companies that are part of large 12 corporations, feed those alerts down to a corporate 13 cyber or security operation center that's monitored 14 by cybersecurity professionals that are, not only are 15 they monitoring the industrial control systems, but 16 they are monitoring the whole corporate network.
17 And so they're going to get alerted to 18 cyber-attacks nationwide, cyber-attacks on the 19 company. And they're going to get alerts and then 20 they'll call back to the licensee site and say, hey, 21 we got an alert on this piece of equipment, you might 22 want to go look at that.
23 MEMBER MARCH-LEUBA: Yes, we were told 24 back in the time that fewer fabricators needed to give 25 access to their customers, direct access to the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
47 1 fabrication as part of the quality control. So, have 2 then been able, they said they couldn't do it?
3 MR. BEARDSLEY: To our knowledge, they 4 have not. But we'll talk about field facilities a 5 little bit later.
6 MEMBER MARCH-LEUBA: So that's not this?
7 MR. BEARDSLEY: They are under a different 8 regulatory construct.
9 MEMBER MARCH-LEUBA: Yes. And second, 10 Level 2 or Level 3 are likely co-located in some places?
11 Meaning, that the cables run --
12 MR. BEARDSLEY: Absolutely. Absolutely.
13 MEMBER MARCH-LEUBA: So, there's always 14 a possibility of a Bluetooth tunnel?
15 Meaning, you put a Bluetooth device here, 16 a Bluetooth device here that goes over?
17 MR. BEARDSLEY: Yes.
18 MEMBER MARCH-LEUBA: Are they cognizant 19 of those things?
20 MR. BEARDSLEY: To a great extent. Level 21 1 and Level 2 implementations are not part of our 22 regulatory cognizance, so we don't inspect those.
23 MEMBER MARCH-LEUBA: No, I'm wondering 24 about Level 2 to 3.
25 MR. BEARDSLEY: So, from Level 2 to 3, that NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
48 1 is where we focus 90 percent of our inspection time.
2 We're looking at controls on the systems, Level 3 and 3 Level 4, and then bypasses. And so, any type of bypass, 4 we look for those.
5 There also, the licensees have a 6 requirement to eliminate any wireless networks. So 7 they are not allowed to have wireless networks. And 8 they're required, on at least a 30 day basis, to scan 9 for wireless networks. So they're looking for that.
10 MEMBER MARCH-LEUBA: That's --
11 MR. BEARDSLEY: Right.
12 MEMBER MARCH-LEUBA: -- I think a facility 13 is where there is a van that goes around and if you 14 turn your cell phone --
15 MR. BEARDSLEY: Sure.
16 MEMBER MARCH-LEUBA: -- they come and zap 17 you.
18 MR. BEARDSLEY: Sure.
19 MEMBER MARCH-LEUBA: Based on a facility 20 where they have a classified network and an unclassified 21 network and every IT technician carries a six, a ten 22 centimeter piece of metal. Because that's the distance 23 that the cables have to be checked.
24 MR. BEARDSLEY: Sure. Right.
25 MEMBER MARCH-LEUBA: Everywhere you walk NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
49 1 by. Yes, you're okay.
2 MR. BEARDSLEY: Right. And the licensees 3 have those same type of requirements when they're 4 implementing their networks.
5 MEMBER MARCH-LEUBA: Okay.
6 MR. BEARDSLEY: And so, we have found a 7 number of times where there are potential bypasses as 8 we get into inspections. And we've identified that.
9 That operation and experience has been 10 spread throughout Industry. So, early on in the 11 inspection activity we found some. We find very little 12 to none now.
13 So, as I said before, bypasses and then 14 the portable media program are two of the most important 15 pieces of our inspection program, because one you have 16 the data diode in place and we've inspected all of them 17 to make sure they're properly implemented, now 18 bypassing it is the only way you can get any kind of 19 malfeasance into the system.
20 MEMBER MARCH-LEUBA: Or portable media.
21 MR. BEARDSLEY: Right. So, portable 22 media is extremely important. And I think we'll talk 23 a little bit more about it as we go.
24 But, as I said, the big picture here is, 25 all of those critical digital assets, almost 100 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
50 1 percent, with the exception of a couple of the emergency 2 preparedness computers, are on the Level 3 and Level 3 4 protected by the data diode.
4 So that includes power production, balance 5 of plant, important to safety, safety and security 6 systems. All those assets are behind the data diode.
7 CHAIRMAN BROWN: Question. Why is the log 8 with flames coming out of it between --
9 (Laughter.)
10 CHAIRMAN BROWN: -- and 3?
11 MEMBER MARCH-LEUBA: It's working so hard.
12 CHAIRMAN BROWN: It's obvious we have 13 firewall --
14 MR. BEARDSLEY: Because it's a super 15 important firewall. Because I have Staff that are --
16 CHAIRMAN BROWN: If it's not a one way, 17 it shows one way, but it could be a software-based 18 firewall --
19 MR. BEARDSLEY: It could be a two way --
20 CHAIRMAN BROWN: -- data diode.
21 MR. BEARDSLEY: -- but the way it's 22 implemented at the sites, and we inspect it as such.
23 And we do look at the configurations of those firewalls 24 to verify that they are designed to only pass the 25 information in one direction.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
51 1 Now, as I said, this is a generic topology 2 --
3 CHAIRMAN BROWN: Now, the other key issue 4 there is that orientation, or the directionality, is 5 not controlled by software. In other words, fixed by 6 a hardware arrangement, it's only one way.
7 MR. BEARDSLEY: Well, in the firewalls it 8 is controlled by software. And that's one of the things 9 that we go look at.
10 CHAIRMAN BROWN: Yes, that's a problem.
11 MR. BEARDSLEY: Well, and in some, this 12 is a generic picture. Some of the licensees do have 13 two-way communication, depending on the way they've 14 structured their networks and the controls they have 15 in place.
16 And, again, we've inspected that and 17 verified that it's acceptable based on what they've 18 committed to and how they have structured their 19 networks.
20 So, there is no single picture once you 21 get upstream of the data diode. They have different, 22 depending on the way their sites laid out and the 23 different requirements they have.
24 CHAIRMAN BROWN: Well, I understand that 25 data diode, but I think, I've been trying to relate, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
52 1 not just today or the last few days, but ever since 2 we issued this thing back in 2000, 5.71 back in 2010.
3 With the four levels.
4 We didn't have the little fiery brick or 5 the log and then the, that data. That was just, those 6 were all just white lines with one-way arrows. We 7 argued about it then.
8 But I keep trying to relate this to the 9 plants that we look at. What is a Level 4 system, what 10 is a Level 3 system?
11 In other words, I look at it, I don't know 12 what my patriots do, but I look at trip systems, 13 safeguards, right control, all those pumps, all those 14 basic plant controls are in Level 4.
15 And I view, this is a personal opinion, 16 that that fire, that burning log, anything going out 17 of that ought to be hardware. No software control on 18 the directionality of it.
19 And that's been maintained in all the new 20 designs. I'm not talking about existing plants. Not 21 many of the existing plants, in fact, that a reactor 22 trip systems or others, with microprocessor, computed 23 based systems, there's only a few. A handful at most.
24 Like there's, I think there's just Oconee 25 and Diablo Canyon.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
53 1 MEMBER BLEY: But all of, this is a 2 question.
3 MR. BEARDSLEY: Sure.
4 MEMBER BLEY: All of Level 3 and Level 4 5 are within the plant.
6 CHAIRMAN BROWN: Yes. Yes.
7 MR. BEARDSLEY: Correct.
8 MEMBER BLEY: It says security 9 system/safety. Is that on both sides or is security 10 systems in Level 4?
11 MR. BEARDSLEY: It depends on the specific 12 licensee's implementation.
13 MEMBER BLEY: So, what's the difference 14 between Level 3 and Level 4?
15 MR. BEARDSLEY: It depends on how they 16 define, they broke apart their networks.
17 MEMBER BLEY: Okay.
18 MR. BEARDSLEY: Some of them use Level 4 19 to isolate safety systems.
20 MEMBER BLEY: I mean, I'm kind of happy 21 as long as the combination of Level 3 and Level 4 can't 22 be affected from the outside.
23 MR. BEARDSLEY: Right. That's the big 24 picture we inspected.
25 CHAIRMAN BROWN: And by the way, Dennis, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
54 1 if you just, without talking about who, the last 2 argument we went through where we were looking at it 3 --
4 MEMBER BLEY: Yes.
5 CHAIRMAN BROWN: -- the Level 3 to Level 6 2 communications was a firewall software program.
7 MEMBER BLEY: No, I, this is different.
8 CHAIRMAN BROWN: I know, but if you relate 9 it to our last letter --
10 MEMBER BLEY: Yes.
11 CHAIRMAN BROWN: -- you relate that, this 12 diagram to the last thing we looked at, the big fight 13 was the Level 3 to Level 2.
14 MEMBER BLEY: Yes.
15 CHAIRMAN BROWN: It was a software-based 16 firewall. They changed --
17 MEMBER BLEY: So, I'm happy.
18 CHAIRMAN BROWN: We're happy now.
19 MEMBER BLEY: But I'm not, I don't think 20 I'm worried about level 3 to level 4 since they're kind 21 of not clearly defined in there.
22 CHAIRMAN BROWN: Well, we did --
23 MEMBER BLEY: And they're all inside the 24 plant.
25 CHAIRMAN BROWN: Well, one of the things NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
55 1 you like to do is, there can be networks, as we have 2 seen in 1, inside the Level 3. And you don't want 3 bidirectional communication from that network back into 4 the reactor trip systems and safeguards, where we also 5 have a data diode.
6 MEMBER BLEY: I don't know for sure reactor 7 trips in Level 4.
8 CHAIRMAN BROWN: Yes, it is.
9 MEMBER BLEY: I don't know what's where.
10 MR. BEARDSLEY: Well --
11 CHAIRMAN BROWN: You know, reactor trip 12 and safeguards and all the ones we've talked, every 13 time I've asked a question, they've been in Level 4.
14 MR. BEARDSLEY: A lot of it depends on the 15 licensee's specific implementation. So, what they 16 commit to in their cybersecurity plan we then go in 17 and inspect.
18 Some of them initially have their 19 physically security systems on an island or connected 20 to nothing. But we recognize that, hey, if there was 21 an attack on that, you'd still want to alert like you 22 would with anything else. So it makes sense to do that 23 conductivity.
24 And when the licensee makes a commitment 25 to say, we've put the safety systems, the core safety NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
56 1 systems on Level 4, or Level 4a and there's a firewall 2 that protects it, we then go look at, during 3 inspections, show us this specific configuration of 4 your firewall.
5 That's one of the reasons we have 6 contractors out with us during the inspections. And 7 they have tools they use to screen through the 8 configuration data to ensure that the firewalls are 9 configured appropriately.
10 MEMBER BLEY: But the NRC and NEI don't, 11 I think I'm hearing you say this, told people what 12 systems they ought to put in Level 3 or Level 4.
13 MR. BEARDSLEY: We do not.
14 MEMBER BLEY: I don't disagree with what 15 Charlie says --
16 CHAIRMAN BROWN: No, I know.
17 MEMBER BLEY: -- that makes a lot of sense.
18 CHAIRMAN BROWN: All I've done --
19 MEMBER BLEY: And I don't know what 100 20 plants out there have done.
21 CHAIRMAN BROWN: Oh no, we do not know what 22 the existing plants have done, we only have seen the 23 plants that we've been reviewing. Those new designs.
24 And where we have a --
25 MR. BEARDSLEY: Right.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
57 1 CHAIRMAN BROWN: -- pretty clear 2 delineation of where they are.
3 Diablo, two of the existing plants, at 4 least one of them I know, is configured this way.
5 MR. BEARDSLEY: Yes.
6 CHAIRMAN BROWN: One of the other ones --
7 MEMBER BLEY: It would make sense, but 8 there is no guarantee of it.
9 MR. BEARDSLEY: Right.
10 CHAIRMAN BROWN: No, there is no guarantee 11 based on the back fit for the existing plant. They 12 have to be done on a review basis.
13 If they implement computer-based systems 14 for those systems, you have to go back and look at it.
15 And you have to ensure there's associated systems, 16 with their analog units, you can't compromise 17 something.
18 MEMBER BLEY: But if Plant 66 out there, 19 when you go look at it, doesn't have S-PRESS (phonetic) 20 and emergency core cooling and reactor trip in Level 21 4, you wouldn't, that isn't something you would inspect 22 for.
23 MR. BEARDSLEY: It would depend on how they 24 structured it in their cybersecurity plan, which was 25 reviewed as part of the licensing basis. So we inspect NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
58 1 them to their licensing basis.
2 MEMBER KIRCHNER: Now, doesn't that fall 3 under your definition of most important critical 4 digital assets?
5 Wouldn't you use that logic then to zero 6 in on, I'll pick something, the reactor trip system 7 or --
8 MR. BEARDSLEY: We did in the initial 9 inspection program. So we based it on an analysis of 10 those systems that were the smallest subset of critical 11 systems and that's what we looked at, during the initial 12 program.
13 Now, since that time, they've fully 14 implemented and now we look at everything. But yes, 15 we did give those, a focused look during the initial 16 inspection and every licensee was inspected.
17 Any other questions on this picture? I 18 know there's a lot here and this is the focal point 19 of our program.
20 CHAIRMAN BROWN: I just had one other.
21 When, this is me just asking the question personally, 22 okay.
23 If I was the inspector, if I was in your 24 all shoes and I wanted to go out and do the assessment, 25 don't you have to have the app, not the app but the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
59 1 licensee provide some boundary conditions or something?
2 MR. BEARDSLEY: We do.
3 CHAIRMAN BROWN: How do you get the bad 4 things up, boundary condition wise, relative to the 5 5.71 level so you can see how they picture their stuff?
6 And don't they have to setup these bins 7 that this stuff is in this and this stuff is in this 8 and these, and they meet, so that you know what you're 9 looking at, otherwise it's spaghetti.
10 MR. BEARDSLEY: No, we do. And I'll talk 11 about it a little bit more when we get into inspection.
12 But we have a structured process we've agreed to with 13 Industry, after the lessons we learned from the initial 14 inspection program.
15 And the three-phase request for 16 information that the regions use to gather information 17 from the licensees to based their inspection on, the 18 first phase includes network topology diagrams.
19 And we do a detailed look at their 20 cybersecurity commitments and then compare sort of, 21 this is what they said they're going to do, this is 22 how it's laid out, do those all match up. So we are 23 looking very detailed way at that.
24 CHAIRMAN BROWN: Okay. To me a picture 25 is worth a thousand words --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
60 1 MR. BEARDSLEY: Right.
2 CHAIRMAN BROWN: -- circumstance, if you 3 can draw a architecture --
4 MR. BEARDSLEY: Yes. If you --
5 CHAIRMAN BROWN: -- their architecture 6 arraignment of their critical digital asset and which 7 ones are less and where they fall within that 8 architecture framework, it's much easier to assess how 9 much effort you ought to, or even they ought to put 10 into it.
11 MR. BEARDSLEY: Yes. If you were to 12 observe one of our inspection teams in the field, and 13 I had the opportunity to do that a number of times last 14 year, in almost every room they have huge plots of the 15 networks on the wall. And the teams use that as the 16 basis for what they're, for electing their sample for 17 inspections and then conducting the inspection 18 activity.
19 So, that clearly is one of the focus areas 20 that we used during inspections.
21 MEMBER BLEY: Not to beat this to death, 22 but your burning firewall there, when you go 23 plant-to-plant, are some people using the laser diodes 24 in that?
25 MR. BEARDSLEY: We have seen NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
61 1 implementations where licensees have used more than 2 one data diode, yes.
3 MEMBER BLEY: Yes.
4 MR. BEARDSLEY: I can't say the exact 5 details of it because I didn't spend a lot of time, 6 but yes, there were definitely some that have more than 7 one data diode.
8 MEMBER BLEY: So it's been implemented in 9 different ways?
10 MR. BEARDSLEY: Yes. Absolutely.
11 MEMBER BLEY: Okay.
12 MR. HECHT: Can I ask a question about the 13 data diode devices?
14 MR. BEARDSLEY: Sure.
15 MR. HECHT: I've seen them described in 16 various industrial control system conferences, and I 17 was surprised to learn this, but one of the vendors 18 did have the arrangement that there was actually data 19 going the other way, they needed to accommodate things 20 like data historians and remote diagnostics.
21 Are these truly one-way diodes, and if so, 22 what makes a nuclear plant different from other places 23 where are also pretty important that people use data 24 diodes for?
25 MR. BEARDSLEY: So, you raise a great NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
62 1 point. In the intelligence community, they use two-way 2 data diodes and they have logic systems that they use 3 to ensure that the data that gets past is appropriate.
4 For the implementation in our nuclear sites 5 they only have one laser. It only fires in one 6 direction.
7 So it is impossible, physically, for any 8 data to pass from low to high because there is no 9 methodology for that to happen. Through the data 10 diode.
11 MEMBER BLEY: So people in those other 12 fields think they're smarter.
13 (Laughter.)
14 MEMBER BLEY: And they've learned 15 otherwise.
16 MR. HECHT: I'm just following up on that.
17 Does that mean that there is no way for somebody in 18 Level 2 to make a query of a Level 3 system, and if 19 so, how do diagnostics and other commands get run?
20 MR. BEARDSLEY: So there is no, I would 21 say, to my knowledge, there is no instance in our current 22 construct in the fleet, where there is a digital 23 communication between Level 2 and Level 3.
24 MR. HECHT: That means that the control 25 room is basically Level 3 or Level 4?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
63 1 MR. BEARDSLEY: The control rooms are all 2 Level 3 and Level 4, correct. That is absolutely 3 correct.
4 MEMBER BLEY: What about the tech support 5 centers?
6 MR. BEARDSLEY: The tech support centers 7 do have Level 3 and Level 4, level 3 and/or Level 4 8 connection.
9 MEMBER BLEY: No Level 2 tech support --
10 MR. BEARDSLEY: We've also found instances 11 where they have connected Level 3 out to the metrology 12 building out in the OCA and then we inspect to make 13 sure that they've provided adequate controls on the 14 conduit, on the access control on the system.
15 So, I mean, those are areas we do look at.
16 The physical security system in some instances is 17 connected directly to their access points, where they 18 issue badges. Because they have to connect, you know, 19 talk to the physical security system.
20 And, again, we inspect all of that 21 communication path to make sure that it's adequately 22 protected.
23 All right, moving on. So one the things 24 we identified, once the rule was in place, was the 25 licensees had a requirement to notify the Staff, but NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
64 1 it was unclear exactly what level of notification they 2 had to do.
3 So, in 2015 we implemented this 10 CFR 7377.
4 It's the cybersecurity notification rule. Here you 5 go.
6 And so, the rule went into effect in 7 December. The implementation date was in 2016. The 8 Staff released a regulatory guide, 5.83, that described 9 in detail what the licensee's commitments were.
10 NEI turned that around into a NEI guidance 11 document that the Staff accepted for use, that provided 12 some of the details on implementation. And I'll just 13 sort of walk through a couple of examples of that.
14 So, right now the licensees are committed 15 to a one hour notification to the Staff of any cyber 16 attack that adversely impacts a safety, security or 17 emergency preparedness function.
18 If they find one that could have adversely 19 impacted or suspect that there was physical and 20 electronic access to a critical digital asset, they 21 have a four hour notification requirement.
22 And after receipt, an intelligence 23 gathering, they find that there is potential that they 24 would be attacked, they have an eight hour reporting 25 requirement.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
65 1 Anything beyond that is a 24 hour 2 recordable that the Staff looks at, both in inspection 3 space, and our resident inspectors would monitor. So, 4 that is the structure of the reporting role.
5 It is loosely based on our physical 6 security reporting requirements. And so, the 7 methodology is basically the same.
8 And one of the things we do look at during 9 inspection space is, show us your procedure, show us 10 how you would make those notifications. Some of the 11 inspections have actually observed the licensee 12 conducting cyber security drills and walking through 13 the process of where they, and identifying the issue, 14 making notifications and those kind of things.
15 CHAIRMAN BROWN: So, your last bullet says 16 you've received no notifications.
17 MR. BEARDSLEY: Yes.
18 CHAIRMAN BROWN: That kind of says to me 19 that they haven't been hacked.
20 MR. BEARDSLEY: To the best of our 21 knowledge --
22 CHAIRMAN BROWN: That they know of.
23 MR. BEARDSLEY: To the best of our 24 knowledge, no critical digital asset has had a cyber 25 attack or even a potential cyber attack since the rule NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
66 1 went into place.
2 MEMBER BLEY: But the utilities may have?
3 Other computer systems.
4 MR. BEARDSLEY: Yes.
5 MS. HELTON: The corporate, yes.
6 MR. BEARDSLEY: Yes. And we'll talk about 7 that.
8 MEMBER BLEY: Shana, I couldn't hear you.
9 MS. HELTON: Oh, I'm sorry, the corporate 10 networks. We have seen some corporate networks 11 attacked but nothing inside of the data diode.
12 MEMBER BLEY: Do they report to you?
13 MR. BEARDSLEY: Well, we have some 14 examples of that at the end of the presentation. And 15 we'll talk about that process.
16 MEMBER BLEY: Okay.
17 MR. BEARDSLEY: But that is not included 18 in the cognizance of the rule, so they don't have a 19 regulatory requirement to report to us.
20 CHAIRMAN BROWN: Okay, Shana, I didn't 21 understand you. You said nothing inside the data, 22 inside the Level 3, in other words, equivalent to Level 23 3?
24 MR. BEARDSLEY: Right.
25 MS. HELTON: Correct.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
67 1 CHAIRMAN BROWN: That's all they're 2 required to, that's what this rule applies to?
3 MR. BEARDSLEY: Well, it's safety, 4 security, emergency preparedness asset.
5 CHAIRMAN BROWN: Yes, okay.
6 MR. BEARDSLEY: Wherever they are. We do 7 know that most the sites have two or three computers 8 in their emergency preparedness implementation 9 structure that would be included in the scope of the 10 rule but are not in Level 3.
11 And so those have to be protected by 12 firewalls. And that they're also monitored with some 13 extra monitoring.
14 CHAIRMAN BROWN: Okay.
15 MEMBER BLEY: I know you don't generally 16 work with INPO, but are they involved in this somehow 17 or you hear from them on this sort of thing?
18 MR. BEARDSLEY: To the, I guess it depends 19 on the question. So, does INPO monitor licensee's 20 implementations and sort of observe that --
21 MEMBER BLEY: Sure.
22 MR. BEARDSLEY: -- I don't believe they 23 do. They are working with INPO on methods to improve 24 their lessons learned. And in particular, the 25 vulnerability assessment area --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
68 1 MEMBER BLEY: Okay.
2 MR. BEARDSLEY: -- which we'll talk about 3 in full implementation here in a minute.
4 The licensees basically have a requirement 5 to monitor any alert or potential vulnerability on any 6 one of their critical digital assets. Well, trying 7 to monitor potential alerts on 2,000 assets is an 8 incredibly difficult challenge.
9 And so, what INPO has done is setup 10 databases that the licensees can register all of their 11 critical digital assets. And then they, INPO draws 12 in the alerts from DHS and from other sources, and then 13 the licensees then get a report on a daily basis of 14 any potential vulnerabilities, viruses, hacks, 15 anything like that, that potentially makes their 16 digital assets vulnerable.
17 And then they would have to do an assessment 18 to decide whether they would make changes, install 19 upgrades, that kind of thing.
20 But that's really, that and the, INPO has 21 some efforts in place to help licensees characterize 22 the level of controls or protection their assets need.
23 But that's really a future effort that, to be honest 24 with you, is, to some extent, focused on the Vogtle 25 3 and 4 implementation. And so, INPO is involved in NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
69 1 that effort as well.
2 So that brings us to 2017. In mid-2017, 3 our first two licensees committed to completed full 4 implementation. And the Staff then embarked on our 5 full implementation inspection program. And I'll talk 6 a lot more about the program that's in place.
7 There are a few licensees that did not 8 complete full implementation in 2017. There were very 9 particular reasons for that.
10 And the primary one was, we had some 11 licensees that had planned on decommissioning. So they 12 stop worked on their cyber programs, and then either 13 because of interactions with the state or because the 14 licensee was, that particular unit was purchased by 15 another licensee, they then were not going to 16 decommission.
17 And there was no way they could finish their 18 cyber security implementation in the time frame that 19 they committed to, so we then reviewed and approved 20 license amendment requests to extent those.
21 MEMBER BLEY: How many of those are there?
22 MR. BEARDSLEY: I believe there's four --
23 MEMBER BLEY: Okay.
24 MR. BEARDSLEY: -- but I would have to get 25 you an exact answer.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
70 1 MEMBER BLEY: Okay.
2 MR. BEARDSLEY: Most of them have 3 completed their implementations now. I think there 4 is maybe one that hasn't.
5 MEMBER BLEY: Okay. Just ballpark, 6 that's all.
7 MR. BEARDSLEY: It's a ballpark in that 8 period. And we also looked at those licensees that 9 were in the process of decommissioning and evaluating 10 whether or not we felt it was appropriate for them to 11 go through full implementation with the fact that they 12 were going to decommission.
13 And some of them did not fully implement 14 it. And most of them have decommissioned at this point 15 as well.
16 So let's just talk a minute about what full 17 implementation is. I said before that the interim 18 implementation, Milestone 1 through 7, accounted for 19 about 20 percent of their digital assets.
20 So they expanded the scope to, with another 21 80 percent of digital assets. That's a lot of assets 22 when you look at 2,000 overall.
23 And as we did that, the licensees recognize 24 that, and the Staff recognize that's a lot of work.
25 And so, we developed, in concert with the Industry, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
71 1 they developed NEI Guidance Document 13-10, that we 2 mentioned before.
3 And what that does is it breaks down the 4 critical digital assets into a series of classes. If 5 it's a safety asset but it's very low functioning, in 6 other words, there's just not a lot you can do to it, 7 there's a subset of the 138 controls you have to put 8 in place.
9 If it's an emergency preparedness asset 10 or important to safety or balance of plant, there's 11 a smaller set of controls you have to put in place as 12 compared to a safety system or a physical security 13 system.
14 And so, the 13-10 process goes through a 15 mythological assessment and tiers your way down to 16 decide what level of controls you have to put in place.
17 We've spent a good amount of time in 18 inspection space looking at the licensee's processes 19 for dividing up their critical digital assets, to make 20 sure that they're properly classified and that the right 21 controls are put in place.
22 MEMBER BLEY: Is this covered in the NEI 23 guidance document?
24 MR. BEARDSLEY: It's covered in NEI 13-10.
25 MEMBER BLEY: It is, okay.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
72 1 MR. BEARDSLEY: Yes. Yes. And the Staff 2 has approved that for years.
3 MEMBER BLEY: And there's an inspection 4 guidance as well I assume.
5 MR. BEARDSLEY: The inspection procedure 6 does cover the details of this and directs the, so, 7 in an inspection space, which I'll talk some more about 8 it in a minute, there's a structured process for 9 selecting samples.
10 And so, the inspectors are going to look 11 at a sample of sample systems, security systems, and 12 then we're going to give them options on different 13 levels of the indirect critical digital assets. Which 14 are sort of a gross approximation of all of these.
15 And so, they do look at, not only how the 16 licensee choose them, but then what they did to protect 17 them.
18 Going beyond the controls for critical 19 digital assets, full implementation included a 20 significant number of programmatic implementations for 21 the licensees. And so, there is a couple of different 22 examples here.
23 The first one is incident training and 24 drills. They are required to do training and run drills 25 to demonstrate their cyber security response NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
73 1 capabilities. We have observed some of those drills 2 in inspection space.
3 Continuity of operations in training and 4 testing is another one, where they have to identify, 5 this is part of that protection response elimination, 6 how do they recover from a cyber-attack, what systems 7 do they put in place, what backup pieces of equipment 8 do they have. And they have to document those 9 processes. We inspect those as well.
10 The bottom here I mentioned earlier. It's 11 the vulnerability assessment and mitigation process.
12 And this is an area I'll talk about later that we've 13 struggled a little bit with Industry.
14 Because they didn't fully implement it 15 until December of 2017, some of their digital assets 16 had arguably thousands of updates or alerts that had 17 been identified. And they're digging their way through 18 and assessing those.
19 We have agreed to a methodology, so, DHS 20 has a hierarchy they use to classify the urgency of 21 different alerts and changes and updates. And so, 22 we've worked with Industry to try and identify, what's 23 the right threshold that you should be focusing your 24 effort on by spending a lot of time and effort on changes 25 that may or may not be of value.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
74 1 And so, we're working with Industry to try 2 and find the right place in that particular area. What 3 we have asked them to do is make sure that they focus 4 their effort on boundary devices.
5 So those devices that would prevent any 6 malware or malfeasance from getting from the low to 7 the high. We want to make sure that we're getting the 8 strongest review and understanding.
9 Secure communications pathways between the 10 CDAs is another area that's very --
11 (Off microphone comment.)
12 MR. BEARDSLEY: Oh, I'm sorry. Go ahead.
13 MR. HECHT: Yes, I'm sorry. A question 14 on NEI 13-10.
15 MR. BEARDSLEY: Yes.
16 MR. HECHT: I tried to follow it, it's 17 pretty complex, at least for the simple example that 18 they included there of the emergency notification 19 system. It is, it seems almost that you could base 20 an intelligence test on whether somebody could follow 21 it.
22 I guess, what is the state of the Industry's 23 knowledge of that and proficiency with that document?
24 MR. BEARDSLEY: Today we've conducted 23 25 full implementation inspections. And I think we've NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
75 1 had two findings associated with their critical digital 2 asset assessments in their NEI 13-10 process.
3 So, the majority of the licensees either 4 didn't use it and just classified everything as direct, 5 although there's very few of those at this point, or 6 they did understand and implement it in accordance with 7 the intent of the program.
8 MR. HECHT: Okay.
9 MS. HELTON: Can I?
10 MR. BEARDSLEY: Yes, go ahead.
11 MS. HELTON: It's an interesting point 12 though, and we heard about this. We had a session at 13 the RIC on cyber and one of the Industry 14 representatives, and I can't recall who it was on the 15 panel, but they did have a good bit of their presentation 16 focused on the Industry's efforts to ensure they've 17 got the right skill sets of Staff employed to 18 successfully carry out their cyber programs.
19 Because it is an interesting mix of 20 engineers and IT specialists. You need both the 21 nuclear and plant operations expertise, along with some 22 computer savvy.
23 So, I think you were raising your comment 24 in the context of the NEI 13-10 document specifically 25 and how complex that document is. But I just wanted NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
76 1 to note that I think that is a focus.
2 And it's a focus for us too, to make sure 3 that we keep the right skill set of Staff onboard at 4 the agency for our programs.
5 MR. BEARDSLEY: So, moving onto slide, 6 supply chain is an area that we did not look at closely 7 in the initial implementation, but we spent a good deal 8 of time looking at it and working with Industry to 9 understand the requirements for.
10 This is one of the areas where we realized 11 that the requirements in the cyber security plan were 12 not specific enough to really help both the inspectors 13 and the Industry to understand what our expectation 14 was.
15 NEI has developed an addendum to NEI 08-09 16 that specifically talks about supply chain and the 17 service maintenance of different assets. And that's 18 an area that we look at closely.
19 During 2018 inspections we didn't have a 20 whole lot of run time, if you want to call it that, 21 with supply chain. Just because they hadn't been 22 implemented all that long.
23 But the Industry is working through that 24 and they're developing processes to work with their 25 vendors, to provide cyber requirements to their vendor NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
77 1 base and include those in contracts, so they can make 2 sure that they're getting cyber safe assets as they 3 purchase them.
4 Let's see, on this slide. Another big one 5 here is configuration management. I mentioned that 6 before.
7 We look closely at configuration 8 management to make sure that the licensees have 9 basically spread that cyber discipline throughout all 10 of their processes and make sure that they understand 11 the potential ramifications of changes or issues with 12 any system and make sure cyber is included in that.
13 It goes sort of back to your question about 14 safety, security interface. And you could almost argue 15 its safety, security, cyber interface.
16 How does those three disciplines mix 17 together and make sure that they don't impact each 18 other's ability to perform their task.
19 I'm going monitoring and management of 20 cyber risk. That's an area that we've looked hard at.
21 The licensees have made a number of commitments in 22 our cyber security plans to ongoing monitoring and 23 assessment requirement.
24 Ninety days for this, 30 days for that.
25 Some of those requirements the licensees committed to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
78 1 on the plan and then when they got into implementation, 2 they realized that it's not really realistic.
3 For instance, if you have a critical 4 digital asset that's in containment and you have a 30 5 day password change requirement, it's just not 6 realistic to think we're going to shut down and go into 7 containment to change passwords.
8 So, we've agreed with licensees, 9 fundamentally, on some control deviations or, what do 10 we call it --
11 PARTICIPANT: Waivers.
12 MR. BEARDSLEY: They're not waivers, 13 alternate. So, in the cyber security plan the 14 licensees are authorized to use an alternative approach 15 to a particular control.
16 And so, there's a serious of these timing 17 and monitoring requirements that we've agreed, yes, 18 that's reasonable. If you have a critical digital 19 asset that sits in the control room and is being 20 monitored by the operators 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> a day and you have 21 work controls before you open the box and go work on 22 it, you probably don't need to change passwords every 23 30 days.
24 Or you probably don't need to go in and 25 check the logs on that system every 30 days because NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
79 1 you'd know if someone opened the box and went and did 2 something to it.
3 Those are a couple small examples of where 4 we tried to be reasonable with Industry and help them 5 focus on those things that really are vulnerable vice 6 the things that maybe they've already covered with other 7 programs of other systems.
8 MEMBER BLEY: Can you say a little more 9 about supply chain?
10 The reason I'm asking is, I did some work 11 with railroads and I've done some work with electrical 12 folks and I know both cases they got and installed 13 equipment that looked right.
14 MR. BEARDSLEY: Sure.
15 MEMBER BLEY: Everything about it was 16 right. Expect when, if you opened it up and got inside, 17 it was bogus. And some of the things in the railroad 18 Industry had the wrong software running --
19 MR. BEARDSLEY: Sure.
20 MEMBER BLEY: -- and they didn't find it 21 out until they had it in the systems for a while.
22 So, are we going all the way back to the 23 inspectors out at the manufacturing facilities or --
24 MR. BEARDSLEY: To the licensees, again, 25 they have a requirement to go maintain their systems NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
80 1 is cyber safe. So, it's not the government's 2 responsibility.
3 But we are involved, the Staff is involved 4 in a number of inter-government agencies that are 5 looking at the cyber supply chain issue, government 6 and critical infrastructure wide.
7 So, in particular, they have a requirement 8 to contract, to include in their contract stream cyber 9 requirements for their vendors. They also have 10 requirements to do robust testing, both receipt 11 inspections and then testing of their systems.
12 So if for instance, so, on the day they 13 committed to be fully cyber implemented, they had a 14 warehouse full of parts. And there was no requirement 15 to do any cyber verification on those parts when they 16 purchased them, because they had not fully implemented 17 their program.
18 So they have, so there's, in the guidance 19 that we've agreed to on supply chain, there are 20 requirements for them to do detailed bench testing, 21 verification of software, do that kind of effort on 22 the things they already have.
23 They can also use that on new purchases 24 if it's just not possible. If it's a commercial off 25 the shelf piece of software, there's only so much they NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
81 1 can do to verify its capabilities and that it came from 2 the right place.
3 But they do have technics they can use to 4 verify receipt of updates to make sure that they are 5 signed and properly documented so they're not getting 6 some kind of malware.
7 MEMBER BLEY: Thanks.
8 MR. BEARDSLEY: But it's a big challenge 9 for sure.
10 So, not only within inter-government, but 11 we also are involved in IEA forums to look at the supply 12 chain problem worldwide and understand how different 13 countries and different industries are implementing 14 it. Because it's not easily a solvable problem.
15 MEMBER BLEY: No, I agree.
16 MR. BEARDSLEY: So, full implementation 17 inspections, let me get into that a little bit. So, 18 the full implementation inspections started in July 19 of 2017.
20 We did two inspections and then we took 21 three months off to sort of take a look back at the 22 inspections and make sure that the inspection program 23 was effective, was being operated in a way we expected 24 it to. And we got feedback, both from the inspection 25 teams and the licensees.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
82 1 So we understood sort of whether or not 2 everyone was on the same page, if you want to call it, 3 with respect to the inspections.
4 In January of 2018 we went into full 5 inspection mode and we conducted 20, 18 inspections 6 in 2018. And we've gotten three more inspections done 7 so far through February. So we have 23 complete so 8 far.
9 And the list here provides you some 10 insights on the things that we found as relatively, 11 sort of repeatable or consistent challenges that both 12 the Staff and Industry have seen in the implementations.
13 The first one is the quality of the critical 14 digital asset assessments. And this really comes down 15 when the licensees are documenting their reasons for, 16 their implementation for alternate controls.
17 We have found that the licensee's 18 documentation has not been as clear and consistent as 19 you would expect if you were using this documentation 20 as part of your configuration management process. And 21 the licensees have acknowledged that.
22 They had a, as you brought up, a huge number 23 of assessments to do. It's a lot of paperwork. And 24 we found multiple examples where the licensees, for 25 instance, cut and pasted huge pieces of matrixes.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
83 1 And then when you ask them questions about 2 it, oh yes, maybe we should have, maybe that one wasn't 3 quite right.
4 So, there have been some findings in this 5 area. But for the most part, it's really just a lesson 6 learned on making sure that those assessments have 7 quality, are endearing for the future.
8 Some of the licensees hire contractors to 9 do the assessments. They did them. They put the 10 controls in place, they put the assessments on a shelf 11 and then the contractors were let go.
12 So then we come in two years later to do 13 an inspection and we say, can you show us the assessment 14 for critical digital asset X, and they're like all 15 right, let us find that for you, and then they get it 16 and you say, well, why did you do this. Hmm, Bob did 17 that, he doesn't work here anymore.
18 And so, that level of documentation just 19 wasn't up to the expectation of the licensees, to be 20 honest, and the Staff.
21 MEMBER BLEY: Jim?
22 MR. BEARDSLEY: Yes.
23 MEMBER BLEY: Have you folks, or do you 24 plan, to put together some kind of summary report on 25 the inspections?
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
84 1 MR. BEARDSLEY: We have not to date. We 2 do have a routine dialogue with Industry on these areas.
3 MEMBER BLEY: Okay.
4 MR. BEARDSLEY: And in fact, NEI is 5 conducting a cyber workshop next week where we're going 6 to get into some detailed discussions on these various 7 areas. Because Industry, for the most part, they 8 agree.
9 And in some cases, they, it's clear that 10 there is, just, the guidance isn't there. We didn't 11 identify this particular area and so either Industry 12 or the Staff needs to work on guidance.
13 And on other areas, Industry just 14 acknowledges, we didn't do as good of job as we could 15 have. And that's operating experience that they're 16 working on.
17 So, after finding it at a site or two, 18 they'll put it in their corrective action program.
19 So we'll show up for an inspection and they're like, 20 yes, we acknowledge this is here and we need to work 21 on it, and they're getting better at it.
22 MS. HELTON: And the only thing I'd add 23 is that with our assessment going on, we don't know 24 yet what the outcome of our assessment --
25 MR. BEARDSLEY: Right.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
85 1 MS. HELTON: -- will be and --
2 MEMBER BLEY: I'm sorry, I couldn't --
3 MS. HELTON: I'm sorry, I keep turning my 4 head and looking at Jim instead of looking at the 5 microphone.
6 With our assessment that's ongoing, that 7 started in January, and we've let that team be very 8 independent. These preliminary insights that we have 9 shown on this slide are based on our own observations 10 as we've moved through the oversight program.
11 We will get additional insights from our 12 assessment. So that could very well inform something.
13 But I think it's safe to say that with all 14 of the communication that we have with Industry, and 15 Industry is talking as well, we see good communications 16 happening, for the most part, on how the inspections 17 have been going. Sites are trying to learn from each 18 other. Especially for those within the same fleet.
19 The focus, as Jim was saying, the focus, 20 where we have placed uncertain guidance documents, is 21 reflective of those issues, that they keep coming up 22 in inspections.
23 MEMBER BLEY: I got another question on 24 NEI. I think you told us that all of the guidance 25 documents are public now, so the utilities who no longer NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
86 1 belong to NEI have access to them. Do they also have 2 access to the workshops?
3 MR. BEARDSLEY: So, the, not all of the 4 documents are public, but we've verified with the other 5 licensees that they have gained access to the documents.
6 So some of the time they do it through an Industry 7 consortium.
8 MEMBER BLEY: Okay.
9 MR. BEARDSLEY: So, I just want to make 10 sure I'm clear on that. Because some of them are, for 11 professional use only, security related information 12 because it's sensitivity of the particular information 13 details.
14 The workshop, next week that I mentioned, 15 all licensees are invited. If you're not an NEI member 16 you have to pay a higher fee, but anyone can go.
17 And the Staff has maintained a dialogue 18 with those other two licensees that split from NEI.
19 So any information or any dialogue that we have Industry 20 through NEI, we also make sure that we communicate with 21 the other two entities so that we make sure that they're 22 getting all the same information.
23 MEMBER BLEY: I just had a, I've been 24 around long enough that I remember when EPRI reports 25 were free, and if I did one for them, I get a whole NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
87 1 box of reports, and then people left EPRI and all of 2 a sudden the free documents turned into $50,000 3 documents, and if you weren't offered you got one.
4 (Laughter.)
5 MEMBER BLEY: So, maybe the fees will go 6 up.
7 MR. BEARDSLEY: And that's a challenge 8 that is not a cyber challenge. That's an NRC and 9 Industry challenge. And NRR has an initiative to look 10 at, how are we, what's the right way to communicate 11 with Industry and those two entities as a whole.
12 But we recognize, with the dialogue we've 13 had going with the Industry over the years, that we 14 need to at least make sure that we're doing our part.
15 And I think we're being effective.
16 And I think if you asked the cyber security 17 leads for those two companies, they would agree that 18 we're making the effort to try and keep them involved.
19 The third item there, guidance for portable 20 media and mobile device program. So, I talked about 21 the importance of making sure that the bypasses for 22 any software or any updates, making sure that no malware 23 could pass from low to high and get to the critical 24 digital assets.
25 This is the barrier that stops that. So NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
88 1 what we have is, what the licensees have implemented 2 for the most is a kiosk. They either purchase it from 3 a vendor or they develop their own set of computers, 4 that basically takes a piece of software from the 5 internet and screens it to make sure it's what it's 6 supposed to be, that it doesn't have any viruses or 7 anything like that on that.
8 Where we've run into a challenge with 9 Industry is, the box itself, what controls have to be 10 on that box. Because the box is not a critical digital 11 asset. It provides protection. And it also, it 12 inherits protection for critical digital assets.
13 So, if you have a CDA that doesn't have 14 the capability to run virus protection, it's just a 15 low function, but you still have to install updates 16 on it, we're relying on that kiosk to provide the 17 protection. And so, the Staff has looked closely at 18 the kiosk to make sure that they are robustly built 19 and that they will perform the task.
20 And we've sort of gone back and forth with 21 the Industry on, what are the proper sets of controls 22 on those boxes. And we've just recently had a public 23 meeting with Industry where we provided them some 24 feedback on guidance they developed, and we think we're 25 in the right place in this area as well.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
89 1 But that's, there's been a number of 2 findings in this area because the Staff and Industry 3 were clearly not in sync on this particular requirement.
4 That's the last, no it's not, that's this one here.
5 CHAIRMAN BROWN: You made the comment 6 earlier --
7 MR. BEARDSLEY: Yes.
8 CHAIRMAN BROWN: -- in the session about 9 wireless has not been implemented inside the Level 3 10 and Level 4. At least that's the implication I got 11 from your statement.
12 MR. BEARDSLEY: They, in their cyber 13 security plans, commit they have no wireless connected 14 to Level 3 and Level 4.
15 CHAIRMAN BROWN: That's, okay, that's what 16 I thought you said.
17 Now, that's, does that fundamentally 18 prohibit cell phones and other types of devices like 19 that?
20 MR. BEARDSLEY: It does not. And in fact, 21 they do have wireless networks for monitoring, for 22 performance monitoring and things like that in this 23 plant.
24 But those networks are not connected to 25 the CDAs or the networks associated with Level 3 and NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
90 1 Level 4. And they are required to not only show that 2 to us, but they're required to scan a minimum of every 3 31 days to make sure that there is no wireless networks 4 connected to those assets.
5 CHAIRMAN BROWN: Yes, but wireless is 6 wireless, it can penetrate.
7 MR. BEARDSLEY: But you have to have 8 something that will receive it. So they're required 9 to disable --
10 CHAIRMAN BROWN: -- the point is, inside 11 Level 3, Level 4 parts of the plant, cell phones aren't 12 allowed then?
13 MR. BEARDSLEY: No, they are.
14 CHAIRMAN BROWN: Well then, you've got 15 wireless.
16 MR. BEARDSLEY: You do but you have, so 17 wireless sending and receiving from a phone is one 18 thing, wireless capability in the system is, so Level 19 3 and Level 4 are --
20 CHAIRMAN BROWN: Yes, I understand that.
21 MR. BEARDSLEY: -- yes, they're not 22 physical. So, within the physical boundary of the 23 plant, there's Level 3 and Level 4 assets in various 24 different places.
25 They're required to make sure that those NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
91 1 assets, and the networks associated with them, have 2 no wireless connections. That doesn't limit wireless 3 --
4 CHAIRMAN BROWN: So a phone can't send 5 something to --
6 MR. BEARDSLEY: Right.
7 CHAIRMAN BROWN: -- the systems that are 8 within that boundary condition?
9 MR. BEARDSLEY: Right. So one of the 10 things we look at in inspection space is, show us how 11 you've disable USB ports, wireless ports or any other 12 way that that asset or that network could communicate 13 in and out. So we do look at that. And they're 14 required to verify that those networks are connected 15 there.
16 MR. LEE: Additionally, we, as we have 17 mentioned previously, there are a number of security 18 controls to monitor the access to these devices so that 19 the, if somebody tried to do unauthorized access or 20 try to get at it, and the, you'll get alerts and also 21 requirements for detecting such a thing.
22 And also, we have a number of controls to 23 prevent unauthorized connection to these devices.
24 MR. BEARDSLEY: Right.
25 MR. HECHT: Can I ask a question about the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
92 1 digital kiosk?
2 MR. BEARDSLEY: Sure.
3 MR. HECHT: Are there any standards or 4 requirements that are placed on the capabilities of 5 the device and not interested so much in the controls 6 protecting the device, but what functions must the 7 device do? For example, antivirus, what else?
8 MR. BEARDSLEY: There are. So, there are 9 specific requirements that I, and I'm not conversed 10 to them just off the top of my head, but they do commit 11 to a serious of controls or the number of virus engines 12 that have to run.
13 And then we have some guidance that we've 14 approved that give a little more definition to that, 15 on white listing and making sure that the controls, 16 that they have a number of virus, different search 17 engines or different virus protection engines that have 18 to be updated at a certain period. So, there are very 19 specific requirements to that.
20 All right. So, I talked about full 21 implementation. So, I'm going to shift now to the 22 future, and let's talk about the cybersecurity 23 assessment that Shana has teed up and we've touched 24 on over time.
25 So, our intention with the assessment is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
93 1 twofold. In 2014, the nuclear energy institute 2 submitted a petition for rulemaking to change the scope 3 of the cybersecurity rule.
4 In their opinion, the scope of the rule 5 was too broad and could potentially lead the licensees 6 to be distracted from what they believed was the core 7 safety systems that needed to be protected.
8 The Staff elected not to make a decision 9 on that petition, but to defer a decision on it until 10 we the licensees had fully implemented and we started 11 our inspection program.
12 And the commitment we made was, after we 13 were one third of the way through the inspection 14 program, we would do an assessment of the rule and then 15 make some decisions on the petition.
16 The Staff took the opportunity, given the 17 fact that we were ten years in from implementation, 18 to expand that assessment. And not only look at the 19 rule, but look at the guidance associated with 20 implementation, both the Staff and the Industry 21 guidance, the inspection program and any other external 22 factors or lessons learned.
23 So, the team that is conducting the 24 inspection is a team of NRC Staff and one engineer from 25 the Idaho National Lab. All of whom had little to no NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
94 1 interface or experience with the inspection program.
2 So we brought in people with really a fresh 3 look. We wanted them not to have any preconceived 4 notions.
5 They have gone out to, in the process of 6 meeting with all of our licensee community, we decided 7 that any licensee that had three, four units or more, 8 we would go visit their site and talk to their cyber 9 engineering teams and get feedback from them 10 individually.
11 The team is going to attend the NEI 12 cybersecurity workshop next week and they're going to 13 spend the day and allow any other licensee that's 14 interested in coming and talk to them to provide them 15 feedback.
16 We've done one public meeting to kick off 17 the process. We're going to do another public meeting 18 on the 9th of April.
19 We're also going to send the team down to 20 FERCs headquarters and meet with FERC to talk about 21 the CIP standards and our requirements and make sure 22 that nothing's changed in the last ten years that made 23 us basically to be out of sync between the two.
24 We're also going to meet with the Staff 25 and our contractors who are conducting the inspections NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
95 1 to make sure that there's any feedback from them.
2 MEMBER MARCH-LEUBA: So, the petition is 3 to relax the rule or to relax the inspection --
4 MR. BEARDSLEY: No, that petition is to 5 relax the rule. To change the scope of the rule. And 6 they give some specific examples in the petition. But 7 really, that's what they're looking for.
8 So, after all that data is collected, the 9 team is coalesce and put together an assessment summary 10 report that's going to identify all the areas that we're 11 identified as potential lessons learned on the 12 implementation of the cyber oversight program for power 13 reactors, from 2009 all the way through to 2019.
14 We expect the team to finish that 15 assessment, that summary report, at the end of this 16 June and early July. And then the Staff will use that 17 information to make some decisions on guidance changes, 18 inspection program changes. And to inform the final 19 decision on the NEI petition for rulemaking.
20 MEMBER MARCH-LEUBA: So I guess, without 21 changing the rule, you can change reviews caused by 22 making Regions III and IV smaller. Is that the trend?
23 MR. BEARDSLEY: I would argue that's what 24 Industry would like. If we change the scope of the 25 rule it can reduce the number of assets that have to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
96 1 be included in the program and then it would save them 2 money. I think that's, you'd have to ask NEI.
3 MEMBER MARCH-LEUBA: I can understand if 4 we were too generous in their location of assets because 5 we wanted to be overly conservative. And maybe we're 6 doing a lot of work on something that is not critical.
7 MR. BEARDSLEY: Right.
8 MEMBER MARCH-LEUBA: I don't have any 9 problem removing it.
10 MR. BEARDSLEY: I think there's another 11 aspect of your question that's very important. There 12 is a rule question there and then I think there is a 13 deeper implementation question.
14 And I think what we will, I think what we'll 15 find from the assessment, because I've spent a lot of 16 time talking to licensees over the last three years, 17 is that the licensees arguably took a very conservative 18 approach to determining their critical digital asset 19 pool.
20 They arguably had a little bit of fear that 21 the inspectors were going to take that more conservative 22 approach in what they should have included, so they 23 over assessed.
24 MEMBER MARCH-LEUBA: Yes.
25 MR. BEARDSLEY: And I think that that's NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
97 1 what we're going to learn. And that's one of the 2 reasons we wanted to go out to the sites, to sit down 3 with the engineers that did those assessments and say, 4 hey, explain to us the methodology you use to decide 5 what was included in the program.
6 And then we talked to the Staff that had 7 some expectations of how the program would turn out.
8 And if the licensees were sort of out of sync with 9 what we expected, we may, in the scope of guidance, 10 without changing the rule, be able to provide some 11 relief or help the licensees focus their effort on those 12 assets that are most important.
13 MEMBER MARCH-LEUBA: And I don't know it 14 will work, but often they become too hard headed as 15 a user. I want to have accurate control to that switch 16 jab (phonetic) sensor, which then becomes a critical 17 asset.
18 Where if you can put the little diode on 19 the sensor and say, sure, you can have it, but you cannot 20 modify it. A small hardware change, Charlie will tell 21 you, can save you a lot of money.
22 MR. BEARDSLEY: Sure.
23 MEMBER MARCH-LEUBA: And if, then if they 24 were to think outside the box like that, they can maybe 25 do it. I will not relax the rule, I will give guidance.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
98 1 MS. HELTON: And like Jim said our look 2 at what is appropriate to do with that petition for 3 rulemaking is on hold until we get the results of the 4 assessment.
5 But I think, you know, what you are saying 6 resonates well with us and we heard it also at the 7 Regulatory Information Conference, was it last week, 8 and the quote that I think kind of sums up what you 9 are saying is we took a good performance-based rule 10 and layered a lot of deterministic guidance on top of 11 it.
12 So I think that's really the fundamental 13 question that we will be looking at as we are reviewing 14 the petition, you know, are there things that we can 15 accomplish without a rule change or do we really need 16 to go back and change the fundamentals and the 17 regulations, but we'll need to decide.
18 MEMBER MARCH-LEUBA: Mm-hmm, right.
19 MR. BEARDSLEY: So the other aspect of the 20 assessment that I think is going to be very important 21 is in full implementation inspections we are sending 22 out two inspectors and two contractors for two weeks.
23 They are also doing on the order of 12 weeks 24 worth of preparation for those inspections. That is 25 a lot of work on our part and the licensees are devoting NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
99 1 significantly more assets than we are.
2 And so the question is are we getting the 3 bang for the buck from them? I think we are today 4 because we need to do a deep dive and make sure that 5 they have implemented this vast program in an acceptable 6 level, but do we need to continue that level of effort 7 over time.
8 And licensees have some strong ideas.
9 Arguably the Part 73 rule is a performance-based rule.
10 We have not done a lot of performance-based looking 11 at the implementation so the question that we have 12 talked to industry about but where we're really 13 expecting them to come in with some ideas is what could 14 you do to help, you know, change the scope of this or 15 at least some of the focus into a more performance-based 16 type methodology.
17 Are there performance indicators? Is 18 there some level of testing they could do? Things along 19 those lines that the staff could use to inform us as 20 part of our inspection program and verification of their 21 implementation.
22 You know, I can't say what the industry 23 is going to say as part of their proposal but I think 24 they recognize that there are aspects of their programs.
25 I mean we know today that that reporting NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
100 1 process I talked about where they are sending alerts 2 and logs down to analysis systems and then alerting 3 them to potential issues, they are collecting an immense 4 amount of performance and health data on their systems.
5 Would it make more sense for the staff to 6 review that health and performance data over time or 7 to go look and make sure they had, you know, 138 controls 8 on an individual asset properly configured?
9 If we could look at health data we might 10 be able to see how they have put the controls in place 11 for all the assets in a significantly less period, you 12 know, shorter period of time.
13 So those are some of the things that we 14 have thought about. We are waiting to hear what 15 industry's thoughts are and then we are going to 16 evaluate that as part of the future of inspections.
17 So we are committed to conducting the 18 inspection program we have today through 2020. At the 19 end of 2020 we will have inspected all of the fleet 20 and then we need to make some decisions in the interim 21 on where we go with inspections from there.
22 MEMBER BLEY: What you are describing here 23 is interesting. Now how do you see it resolving?
24 Would it likely be a SECY paper with recommendations 25 to the Commission or is this something you might handle NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
101 1 --
2 MR. BEARDSLEY: That's a great question.
3 MEMBER BLEY: What might we look at --
4 (Simultaneous speaking) 5 MR. BEARDSLEY: In general the staff does 6 not inform the Commission on changes to individual 7 inspection procedures, but --
8 MEMBER BLEY: If there is a rule change 9 here?
10 MR. BEARDSLEY: Well if there is a rule 11 change -- So the petition for rulemaking has to result 12 in a recommendation to the Commission and the staff 13 is committed to making that report to the Commission 14 by the end of 2019.
15 So by December of this year some 16 recommendation from the Petition Review Board will be 17 transferred up to the Commission. That is the 18 commitment we have right now.
19 That would not include details like the 20 inspection program necessarily or some of the guidance 21 --
22 MEMBER BLEY: Well it seems, and this is 23 just off the top of my head, it seems that since there 24 is a recommendation in from NEI your recommendation 25 might be to do what they suggest or if it isn't it NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
102 1 probably needs to be backed up by some of these other 2 arguments.
3 MR. BEARDSLEY: Without a doubt.
4 MEMBER BLEY: Yes. Well that could all 5 be in the paper that goes --
6 (Simultaneous speaking) 7 MR. BEARDSLEY: So if the staff sends a 8 paper up to the Commission that says we don't believe 9 that changes are necessary for the 7254 rule we would 10 have to back that up with why based on NEI's request 11 do we think the current program can be, you know, managed 12 to gain the same level of efficiencies that they were 13 looking for.
14 And that is definitely something that we 15 have talked about, but we have to get -- I mean, you 16 know, the petition review process is a very structured 17 process, it's part of rulemaking, and we have to work 18 our way through that process as we communicate with 19 the Commission.
20 MEMBER BLEY: In any case, the end of this 21 year you have to do something?
22 MR. BEARDSLEY: Right.
23 MEMBER BLEY: Yes.
24 MR. BEARDSLEY: So there will be a 25 Commission paper by the end of 2019 that makes a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
103 1 recommendation to the Commission on NEI's petition.
2 CHAIRMAN BROWN: The petition is in the 3 package that Christina sent out to you. Look at Pages 4 11, 12, and 13. They eviscerated the rule. That's 5 my personal opinion.
6 Okay, I mean they took all the stuff on 7 reactor safety out and put in system structures and 8 components and then they took, they deleted two of the 9 rule items in 73.54(a)(1)(ii) and (iii) and --
10 (Simultaneous speaking) 11 MEMBER BLEY: But still the focus I was 12 going at --
13 CHAIRMAN BROWN: Yes.
14 MEMBER BLEY: -- when will the staff have 15 something put together?
16 CHAIRMAN BROWN: Yes. They said, you 17 know, as they noted they are going to do something.
18 I think we are looking for some additional interaction 19 later in the year once they come to grips with what 20 they are doing so we'll have some idea where they are 21 going on this.
22 MR. BEARDSLEY: And so --
23 CHAIRMAN BROWN: NEI was very aggressive.
24 MR. BEARDSLEY: And what we talked about 25 before the meeting was after the assessment is complete NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
104 1 and the staff has had time to look at, you know, what 2 do we think we can do within the bounds of what we found 3 it would probably make sense for us to come back and 4 update the committee, or the subcommittee anyway, on, 5 you know, where we think we're going to go, and I think 6 that is well within the bounds of what we can do.
7 CHAIRMAN BROWN: You know, both the rule 8 and the -- You're also looking at changes to Reg Guide 9 5.71 if I -- I saw that you all have a draft guide that 10 was floating around.
11 I don't know whether you have issued --Have 12 you issued that for public comment yet?
13 MR. BEARDSLEY: You're a great straight 14 man.
15 (Laughter) 16 CHAIRMAN BROWN: Okay.
17 MR. BEARDSLEY: My last bullet talks to 18 Reg Guide 5.71.
19 CHAIRMAN BROWN: Oh, yes, too bad I didn't 20 read forward.
21 MR. BEARDSLEY: We do have a Revision 1 22 to Reg Guide 5.71. It went out for public comment last 23 summer. We collected a number of comments in the fall 24 and the staff has been reviewing those comments.
25 We have -- We are in the process of NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
105 1 finishing up that review, but based on the fact that 2 we are going to do the assessment and there is 3 potentially a lot of changes to the program we're 4 working with NSIR management to make some decisions 5 on whether we even move forward or do we just put on 6 hold the Revision 1 and then re-issue it with a new 7 set of guidance based on where we go with the program, 8 and that's a management decision that we need to get 9 through.
10 MS. HELTON: Yes. And just for absolute 11 clarity on the path forward, there is a lot of the path 12 forward that I don't think we can put products 13 associated with quite yet.
14 So there are certain things that are in 15 play that we know we are going to need to do something 16 with. We've got the cyber assessment, we'll get the 17 results, that will result in some recommendations, and 18 that's really going to drive a lot of our specific 19 products.
20 We've got the petition for rulemaking, we 21 need to resolve that. That will certainly result in 22 a communication to the Commission with whatever 23 recommendation we come to as a result of the petition 24 process. We are not there yet.
25 And the Reg Guide 5.71 that has been issued NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
106 1 for comment. We need to in some way decide what we 2 are going to do, and as Jim said before we know what 3 we are doing with the petition for rulemaking, I mean 4 any time you update if we do wind up making a rule change 5 you always update the guidance along with the rules.
6 So it wouldn't make sense to put Reg Guide 7 5.71 ahead of that if that's where we go, and I don't 8 even know if we are going to go there yet.
9 And then we have lower level documents as 10 well. Our inspection procedures probably, you know, 11 sometimes they do go the Commission if it's a 12 significant change to the reactor oversight process 13 the Commission likes to be engaged.
14 So we just have to see what the nature of 15 the changes are and which regulatory products they 16 impact to have a good sense -- And, again, in the fall 17 timeframe after we have completed our assessment and 18 we have our recommendations and we align in what actions 19 to take we'll have a better picture of what SECY papers, 20 what rulemakings, if any, what regulatory guidance, 21 if any, what inspection procedures, if any.
22 CHAIRMAN BROWN: If I read you right the 23 game plan would be finish the assessment, is that number 24 one?
25 MR. BEARDSLEY: Correct.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
107 1 CHAIRMAN BROWN: Okay. And number two 2 then would be take care of the petition in some way, 3 shape, or form, resolve that?
4 MR. BEARDSLEY: Yes.
5 CHAIRMAN BROWN: Either do it, reject it, 6 whatever you end up doing?
7 MR. BEARDSLEY: Right.
8 CHAIRMAN BROWN: Number three would be 9 then do we change the rule in some other way based on 10 even though we didn't accept the NEI thing, do we make 11 another rule change based on our assessment?
12 MR. BEARDSLEY: I think that would be a 13 result of the petition resolution.
14 CHAIRMAN BROWN: Yes, okay.
15 MR. BEARDSLEY: Yes, if there is any 16 changes to the rule that would come out in our 17 recommendation to the Commission.
18 CHAIRMAN BROWN: Okay. And then the last 19 part would be do we need to do something with RG, the 20 Reg Guide 5.71 depending on how the rule, if we do a 21 rule change or what have you, or any other reason for 22 it?
23 MR. BEARDSLEY: Sure. I think there is 24 two other aspects. One is are there ways within the 25 bounds of the current rule and the guidance that is NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
108 1 implemented to address some of the concerns with either 2 over assessment of CDAs or implementation clarity that 3 could assist both the staff and industry in the 4 implement, and we can do that without changing the rule.
5 6 CHAIRMAN BROWN: Yes. You're really 7 talking about calibrating --
8 MR. BEARDSLEY: Right.
9 CHAIRMAN BROWN: -- what you, how you 10 implement?
11 MR. BEARDSLEY: Right. Right, and that 12 could either be --
13 MS. HELTON: We have to use the current 14 rule.
15 MR. BEARDSLEY: Yes. That could be either 16 be staff, informal guidance through the Security 17 Frequently Asked Questions Program, or NEI guidance 18 or industry guidance they have submitted to us that 19 we have approved for use and the other aspect of it 20 that I think is very important is the potential changes 21 to the future inspection program.
22 And so that's another aspect that is going 23 to come out of the assessment that we are going to have 24 to make some hard decisions and we have to do that before 25 the end of 2020 because right now the provisional NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
109 1 inspection procedure we are using is really only 2 expected to be used until every licensee has received 3 one inspection.
4 CHAIRMAN BROWN: Could you us -- Since I 5 can't write fast enough could you kind of write down 6 your path forward at some point with the stuff you just 7 talked about and just give a copy to Christina so that 8 she can send it to us to see and we'll --
9 MR. BEARDSLEY: Sure. Yes, we can do 10 that.
11 CHAIRMAN BROWN: I'm not -- I can't ask 12 you to do anything. I'm just -- It would be useful 13 for us in our further deliberations and when we do 14 anything would be to have a little bit of clarity, 15 because there is not kind of a path forward that is 16 in one of your slides here.
17 All you have talked about is piece parts 18 of it and I'm not sure I've got them in the right order.
19 MR. BEARDSLEY: Okay.
20 MS. HELTON: Okay.
21 MR. BEARDSLEY: We can do that.
22 CHAIRMAN BROWN: So if you -- And I'm not 23 saying you have to follow that order, it's the game 24 plan. It's kind of a game plan thing, what's your 25 thought process.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
110 1 MR. BEARDSLEY: I think you ask a 2 reasonable question and it probably behooves us to write 3 some of that done, yes.
4 CHAIRMAN BROWN: But, yes, that would be 5 helpful. And, again, it's not official that you have 6 committed, it's not in your list, it's just kind of 7 your thought process.
8 MS. HELTON: Correct. And we would be 9 happy to provide that and I think it would actually 10 be helpful just in looking at what's the next 11 appropriate time to engage between the staff and the 12 ACRS.
13 You'll want to have a sense of when we can 14 complete the assessment, when we are going to the 15 Commission with our determination, what to do with the 16 petition for rulemaking, and, you know, everything else 17 is really a question mark on the path forward because 18 of those two products. They are going to determine 19 our next steps.
20 CHAIRMAN BROWN: Yes. Two big items, 21 final assessment and the petition.
22 MS. HELTON: Two big items.
23 MR. BEARDSLEY: Right.
24 MS. HELTON: Correct.
25 CHAIRMAN BROWN: And the other things if, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
111 1 the other thought you -- You tossed in a couple over, 2 not corrections but expansions relative to how do you 3 make the current rule work better, which is a good plan.
4 MR. BEARDSLEY: Right. And industry had 5 recognized that while they stand by their petition that 6 there are potential areas where in the interim of 7 rulemaking -- because even if we agreed to NEI's 8 petition and made a recommendation to the Commission 9 in December that the rule should be changed it would 10 be a few years before that rule change goes into effect.
11 And, you know, if we could provide some 12 of what they are looking for in guidance space within 13 the cognizance of the rule we could do that, you know, 14 in a few months potentially.
15 MS. HELTON: If we feel it's appropriate.
16 MR. BEARDSLEY: If we feel it's 17 appropriate. I mean it's what we could do. I am surely 18 not saying we are going to do that.
19 MS. HELTON: Right.
20 MR. BEARDSLEY: But we have worked with 21 industry over the last six or seven years to help them 22 develop guidance, not help them, but they've developed 23 guidance, we have worked with them on it, we have 24 approved it for use, they have submitted it to us and 25 we have approved it for use, and I think that has really NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
112 1 helped us to provide clarification in the current 2 inspection program.
3 So I talked a little bit about the milestone 4 one through seven inspections and some of the challenges 5 we had with the staff and industry just not being in 6 sync on a number of areas, we have not seen that in 7 the full implementation inspections.
8 We are not without findings. You know, 9 most of the inspections have had one or two findings, 10 but in general the staff has found that the industry 11 understands the requirement and has implemented it 12 with, you know, with a reasonable assurance that we 13 don't have significant issue with.
14 A number of years ago the staff issued a 15 paper to the Commission called the Cyber Security 16 Roadmap. We updated the roadmap in 2017 and much of 17 what's on the slide here is documented in that paper.
18 So we talked initially about fuel 19 facilities. The fuel facility rulemaking has been 20 briefed to the full committee I believe back a number 21 of years ago.
22 The staff submitted the draft rule to the 23 Commission for release, you know, public release. The 24 Commission has that draft rule and has not made a 25 decision on it, so we've --
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
113 1 MEMBER BLEY: A question though --
2 MR. BEARDSLEY: Sure.
3 MEMBER BLEY: Given all the lessons 4 learned you've seen and are developing are you happy 5 with the draft rule you sent up?
6 MR. BEARDSLEY: We informed the draft rule 7 significantly based on the lessons we learned and the 8 feedback we received from the power reactor industry.
9 MEMBER BLEY: You've had enough experience 10 --
11 (Simultaneous speaking) 12 MR. BEARDSLEY: So we believe that that 13 rule includes, you know, a robust set of lessons 14 learned.
15 MEMBER BLEY: Okay.
16 MR. BEARDSLEY: I mean the structure of 17 it is arguably different in many areas than the power 18 reactor, but the fuel cycle facilities are very 19 different than the power reactors as well. So we are 20 waiting for direction from the Commission on where to 21 go with that rule.
22 For non-power reactors, those are 23 primarily the research and test reactors at 24 universities. The staff went out and did a survey of 25 that community and the cyber controls they had in place NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
114 1 and found based on the arguably very analog technology 2 that are implemented in a low security risk that the 3 protections they had in place were adequate.
4 They did collect a number of lessons 5 learned from the different reactors and sites they 6 visited and published those in a best practices guidance 7 document for industry, so that's been provided to the 8 non-power reactor industry.
9 MEMBER BLEY: There is a couple of isotope 10 generation facilities, medical isotope generation 11 facilities that might be getting built in the near 12 future. Did you consider those as well? Do you think 13 you can say the same thing about those?
14 MR. BEARDSLEY: You are almost as good a 15 straight man as Member Brown. That's my next bullet.
16 (Simultaneous speaking) 17 MR. BEARDSLEY: So the non-power 18 production utilization facility --
19 (Simultaneous speaking) 20 MR. BEARDSLEY: Yes. So our challenge 21 there is it is unclear to the staff the digital nature 22 and the safety sort of level of some of those facilities, 23 of the moly-99 facilities for purpose of discussion.
24 MEMBER BLEY: Yes.
25 MR. BEARDSLEY: So we did make a NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
115 1 recommendation to the staff, to the Commission, excuse 2 me, that we wait on cyber security decisions for that 3 set of licensees and, you know, right now that's where 4 we stand.
5 We are waiting to see detailed design 6 information. Some of those digital systems, I mean 7 we know they're going to be digital.
8 I mean there is no question about that, 9 virtually everything that is designed today is digital, 10 but what's the risk significance of them, you know, 11 the reactors they have or the production facilities, 12 and we just need to make some decisions on that.
13 MEMBER BLEY: So let me ask, and I'm not, 14 you know, NRC looks at the risk arising from the 15 facility, but if a facility is one of a limited number 16 of sources and medical isotopes interruption of the 17 supply of isotopes is a really major risk to the country 18 and maybe the world.
19 MR. BEARDSLEY: Sure.
20 MEMBER BLEY: Is that part of the 21 calculation?
22 MR. BEARDSLEY: Well --
23 (Simultaneous speaking) 24 MR. BEARDSLEY: -- based on our mandate 25 it probably isn't, but we recognize in engaging with NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
116 1 those licensees they recognize that they have, 2 arguably, a fiduciary responsibility to make sure that 3 they are building a robust cyber implementation so that 4 their systems can keep running.
5 I mean we're really going to be focused 6 on the safety nature based on our mandate, but what 7 we have done is looked at in conjunction with the 8 facilities and sort of understand what are those sort 9 of risk points.
10 Our intent would be not to do a rulemaking 11 for these licensees but to develop a cyber security 12 plan that would be included as a license condition in 13 their license and that would be how we implement any 14 requirements as we move forward.
15 MEMBER BLEY: Given the nature of their 16 product and how it's used and how significant it is 17 to the health and welfare of people is there some other 18 agency who looks at that that you are aware of?
19 MR. BEARDSLEY: I can't answer your 20 question, but we would have to -- I mean I would have 21 to -- I'd have to get a lifeline to answer your question, 22 I don't really know.
23 MEMBER BLEY: If you find out I would be 24 very interested. I mean that's a significant --
25 MR. BEARDSLEY: Sure, absolutely, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
117 1 absolutely. It's a worldwide challenge.
2 MEMBER BLEY: Yes.
3 MR. BEARDSLEY: Okay, moving on.
4 Independent spent fuel installations do not have any 5 cyber requirements to date.
6 The staff has taken a look at safety and 7 security for ISFSIs and stands by that position and 8 has been given direction by the, or has informed the 9 Commission that we don't intend to make any changes 10 in that area.
11 For nuclear materials the NMSS did a very 12 broad survey of the materials community, you know, 13 because it's a very wide community, and they found that 14 most of, or they found adequate the cyber controls that 15 were in place for the various facilities primarily based 16 on their insurance or fiduciary responsibility to 17 maintain the safety of their systems.
18 They did collect up a number of best 19 practices and also communicated with the Department 20 of Energy to get access to best practice guidance 21 documents that have been put together form their surveys 22 worldwide and that is being put together in an 23 information notice that is going to be sent out to the 24 entire nuclear materials licensee community.
25 MEMBER BLEY: So a question on that one, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
118 1 I haven't thought a lot about it, but it seems that 2 perhaps one of the most important ways in which this 3 could be significant would be if through software for 4 cyber attack you could delete the records of sources 5 and they would disappear.
6 If you lose track of all the sources there 7 is a lot of -- and now that, of course, they are 8 distributed in many different organizations, but I am 9 not sure how much, what they looked at for consideration 10 that their cyber security is good enough.
11 MR. BEARDSLEY: I'll be honest, I don't 12 have access to the final results of their assessment 13 but when it comes to recording sources and in managing 14 that I think that's a little different than the 15 licensees themselves.
16 I think that's, you know, the NRC has 17 processes we use to track sources throughout the country 18 and that's an NRC-managed database. It would be under 19 our won cognizance. It wouldn't be included in his 20 particular are of rulemaking.
21 MEMBER BLEY: Well that opens a whole new 22 can of worms.
23 MR. BEARDSLEY: Probably.
24 MEMBER BLEY: What about NRC databases and 25 your resistance to cyber security attack on those NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
119 1 databases?
2 MR. BEARDSLEY: Well, you would have to 3 talk to NMSS and the Office of Chief Information Officer 4 because that's not under --
5 MEMBER BLEY: That doesn't come under 6 cyber security?
7 MR. BEARDSLEY: It does not come under the 8 cyber security oversight program that we have here, 9 that we have here, that we have at NSIR.
10 MS. HELTON: Well, and --
11 MEMBER BLEY: You look at everybody else 12 but not yourselves.
13 MS. HELTON: Correct. Well, right, so for 14 the focus of what we are doing and physical and cyber 15 security policy we are looking at implementation by 16 the licensees.
17 So we have started having more 18 conversations I can just say from the management level 19 about, hey, what about cyber security and the NRC.
20 We're not subject as the agency to the requirements 21 in 73.54, which is really the focus of this 22 presentation, you know, implementing NRC requirements.
23 MR. BEARDSLEY: Yes.
24 MS. HELTON: We have other requirements 25 that we need to meet. So we are starting and we are NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
120 1 just at the early stages of coordinating more between 2 OCIO admin, NSIR, because we recognize that with staff 3 the limited skillsets that we have there is probably 4 some ability to be growing and sharing across the 5 business lines.
6 But, yes, right, so the focus of this 7 presentation is --
8 MEMBER BLEY: And there is information 9 that needs to be protected from getting out --
10 MS. HELTON: Right.
11 MEMBER BLEY: -- and there is information 12 that needs to be protected to be preserved.
13 MR. BEARDSLEY: Sure.
14 MS. HELTON: Correct, right.
15 MEMBER BLEY: So you are -- Somebody is 16 beginning to look at that?
17 MR. BEARDSLEY: Right. The Office of the 18 Chief Information Officer and then the information 19 security program that is run out of NSIR both have a 20 primary responsibility for those areas.
21 But what we have found through some 22 management things that we have been doing under OPM 23 is we have identified all of the cyber specialists in 24 the agency and NSIR has been working very closely with 25 admin and OCIO to develop training programs, to bring NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
121 1 in commercial training programs for the cyber 2 specialists because we don't have enough of them to, 3 you know, to build up a training program here.
4 MEMBER BLEY: Sure.
5 MR. BEARDSLEY: And that's provided two 6 benefits. One, arguably it's going to save us some 7 money because if we can bring training in-house it's 8 cheaper than going outside and taking a $5000 or $6000 9 class.
10 The other thing it does is it allows the 11 specialist from OCIO and the offices in the regions 12 to take classes together and share lessons --
13 MEMBER BLEY: Yes.
14 MR. BEARDSLEY: -- because there is a very 15 small subset of information technology-trained cyber 16 folks in the agency and we recognize that we want to 17 share those resources.
18 And so when we have had some of the 19 challenges, and I'll talk about it on the next slide, 20 in industry NSIR and OCIO have communicated back and 21 forth to make sure that we understand the specialties 22 and some of that background that the different staffs 23 have and we can take advantage of that.
24 MEMBER BLEY: Great.
25 MR. BEARDSLEY: All right, let's go to the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
122 1 next slide. So cyber incidents, there is two 2 particular cyber incidents that I will highlight here.
3 The first one has gotten a lot of public 4 attention. It was initially identified in the Summer 5 of 2017 but the advanced persistent threat attack by 6 the Russians had been going on for well over a year 7 at that point.
8 The attack focused on a number of critical 9 infrastructure industries, including the energy 10 industry, and when it first came to light it was actually 11 the cyber incursion into one of licensees that first 12 went public in this. It was identified --
13 MEMBER BLEY: That was in the electrical 14 systems or something?
15 MR. BEARDSLEY: It was in the --
16 MEMBER BLEY: Distribution I mean?
17 MR. BEARDSLEY: No, it was in the site 18 network, the Level 2 network --
19 MEMBER BLEY: Okay.
20 MR. BEARDSLEY: -- at a licensee that was 21 not part of a major corporation, so they did not have 22 a Level 1.
23 MEMBER BLEY: Yes.
24 MR. BEARDSLEY: And it was identified 25 based on information traffic leaving the site. It was NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
123 1 picked up through the intelligence community and then 2 was identified to the FBI and eventually to DHS and 3 to the staff, so let me just talk a little bit about 4 that.
5 I am not going to talk about the details 6 of it. The Russians got into their corporate network, 7 their business network, but what happened afterwards 8 is Homeland Security notified the staff as part of the 9 FBI -- So the FBI took the lead because they have the 10 lead for a criminal act or a terrorism act.
11 They worked with Homeland Security to put 12 together a team to go out and assist the licensee with 13 basically doing forensics on what happened. In concert 14 with all that the other agencies communicated with the 15 staff and let us know what was going on.
16 We actually helped facilitate access to 17 the site with the licensees because we have contacts, 18 we have residents, so we help them. We also sent some 19 of the cyber engineers in our branch out to observe 20 that forensic analysis so we got a feel for what are 21 they doing, what are their capabilities, and what 22 happened there.
23 And we have continued to dialogue both 24 through the region and with the other government 25 agencies to understand what happened and how to NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
124 1 potentially prevent that.
2 There was a security advisory that went 3 out following this incident to all of the power reactor 4 industry just informing them, although most of the 5 information was probably already made public, about 6 a year, about six months later DHS actually stated it 7 was the Russians that did it.
8 Up to that point it was an unknown 9 adversary, but that's pretty public and well 10 understood.
11 Based on that forensic analysis the 12 adversary was not able to penetrate past the data diode 13 to gain access to any of the safety security or merchant 14 preparedness systems that are under our cognizance.
15 So going back to our discussion when we 16 talked about the reporting role, although we were 17 cognizant of what happened and the licensee was, you 18 know, spoke to us with candor about the challenges 19 they had, they had no requirement to make a report to 20 us. So this was not a reportable incident.
21 The second incident on the slide happened 22 just about a year ago. Entergy had a malware attack 23 that penetrated an internet-facing website. So one 24 of their websites that was connected to the internet, 25 they penetrated the website, penetrated the firewall, NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
125 1 and installed Bitcoin mining malware on their 2 computers.
3 So if you know what that is we can get into 4 a whole different discussion, but what it did was it 5 spread throughout their corporate network and they 6 identified it at night and we found out because our 7 resident inspector showed up at work the next morning 8 and they heard site-wide announcements telling everyone 9 not to turn their computers on.
10 So the residents called the regions, the 11 regions called NSIR, and then eventually we made contact 12 with the IT folks and the licensing folks at Entergy 13 to find out what had happened.
14 At that point they were still doing 15 forensic analysis and we basically came up with an 16 agreement with the licensee that the staff would stand 17 off and give the licensee 18 hours2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br /> to go figure out 18 what happened and clean it up.
19 They were able to isolate the infections 20 and clean them off their networks. Again, based on 21 forensic analysis of the attack there were no, none 22 of the regulated critical digital assets were impacted.
23 There was the potential -- Remember I said 24 before that some other EP assets were on Level 2?
25 MEMBER BLEY: Yes.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
126 1 MR. BEARDSLEY: So they did detect an area 2 where they thought the malware tried to gain access 3 to some emergency preparedness assets, as it turned 4 out, and although I did say it on this slide, the 5 licensee made it a recordable event and then later came 6 back to the staff and said based on their further 7 analysis they found that that was not, in fact, true.
8 It was an indication that they thought they 9 had. It was a false positive basically. But this is 10 another example of where we believe that the controls 11 have been in place with the data diodes and the other 12 controls that we have inspected and we're taking a 13 strong look at are protecting the critical digital 14 assets from, you know, internet facing attacks and that 15 kind of thing.
16 Any questions about those?
17 (No audible response) 18 MR. BEARDSLEY: Both of these are public.
19 They are not professional use only. They have been 20 acknowledged by both the licensees publicly. That 21 completes my remarks subject to your questions.
22 CHAIRMAN BROWN: Before I got to public 23 comments -- or should I do that first?
24 MEMBER BLEY: Go to public comments and 25 then get the phone line open.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
127 1 CHAIRMAN BROWN: Yes, okay. I'm pretty 2 sure it's -- Is it open Paula?
3 (No audible response) 4 CHAIRMAN BROWN: Yes, it's open. I'd like 5 to know if anybody is on the phone line listening to 6 this subcommittee meeting. Could you just say hello 7 or something?
8 PARTICIPANT: Hello.
9 CHAIRMAN BROWN: Okay. Now that we know 10 that somebody is there was there anybody on the public 11 line that would like to make a comment?
12 (No audible response) 13 CHAIRMAN BROWN: Hearing none I will now 14 ask the audience, the public attenders does anybody 15 want to make a comment?
16 (No audible response) 17 CHAIRMAN BROWN: It doesn't look like we 18 have anybody. I will now transition to the staff and 19 we'll make a round from the staff starting with Vesna.
20 MEMBER DIMITRIJEVIC: I have none.
21 CHAIRMAN BROWN: Myron, do you have to 22 leave?
23 (No audible response) 24 CHAIRMAN BROWN: Oh, okay. Go ahead, 25 Vesna.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
128 1 MEMBER DIMITRIJEVIC: No, nothing.
2 CHAIRMAN BROWN: Ron?
3 MEMBER BALLINGER: This is very cool. I 4 appreciate it.
5 CHAIRMAN BROWN: You are a welcome member 6 of our committee any time you want to attend. Jose?
7 MEMBER MARCH-LEUBA: I don't have any 8 comments. I just wanted to thank the staff. It is 9 a pleasure to have a presentation by people that 10 actually know what they are doing and enthusiastic about 11 it and understand my questions.
12 MR. BEARDSLEY: Thank you.
13 MEMBER RAY: I'll just add to what, or 14 agree with what Jose said.
15 CHAIRMAN BROWN: Okay. Dick?
16 MEMBER SKILLMAN: I agree with Jose.
17 Thank you.
18 CHAIRMAN BROWN: Boy, you're popular.
19 Dennis?
20 MEMBER BLEY: I looked at the slides last 21 week and sent Charlie a note, I don't think there is 22 anything in here we didn't hear before, why are we having 23 a meeting.
24 I take it all back. There were excellent 25 discussions, excellent response to all the questions NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
129 1 and thank you. It was a good afternoon.
2 CHAIRMAN BROWN: Walt?
3 MEMBER KIRCHNER: Just thank you for the 4 presentation.
5 CHAIRMAN BROWN: Okay. And I don't have 6 anything else other than just if you could write those 7 kind of a path forward type thing down and then we can 8 maintain some communications and determine when we'd 9 like to have another update or what have you or what 10 our next actions or appropriate actions would be.
11 I mean we certainly don't have anything 12 to deal with right now other than to let you finish 13 your work and we'll try to stay out of your hair. I 14 say that figuratively.
15 MS. HELTON: Yes.
16 CHAIRMAN BROWN: Other than that, thank 17 you very much and I thought it was an excellent 18 presentation by the way. I do appreciate you all coming 19 in and giving us this update.
20 It has been a long time and I have to agree 21 wholeheartedly with Jose and Dennis, particularly 22 Dennis, in that it was very, very insightful and 23 provided a lot of very good information.
24 The fact is I think I've about gone into 25 brain overload. Anyway, now the meeting is adjourned.
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
130 1 MS. HELTON: Thank you.
2 CHAIRMAN BROWN: All right. Thank you.
3 (Whereupon, the above-entitled matter went 4 off the record at 3:26 p.m.)
5 6
7 8
9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
NRC Cyber Security Oversight Program Status Jim Beardsley, Chief Cyber Security Branch (CSB)
Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR) james.beardsley@nrc.gov 03/20/2019 1
Overview of US NRC Cyber Security Program Development of the Cyber Rule 10 CFR73.54 for NPPs Industrys Voluntary Implementation of an Interim Cyber Security Program NRC Conducts Assessment Visits NRC Issues various Orders &
Guidance Documents for NPPs to address the Physical
& Cyber Threat Updated DBT 10 CFR 73.1 DBT Update Public Law 109-58 Energy Policy Act 2005 03/20/2019 2
10 CFR 73.54 Protection of Digital Computer &
Communication Systems & Networks
- Op Rx and license applicants must submit a Cyber Security Plan by November 2009
- Protect digital computer and communication systems and networks associated with
- Safety, Security & Emergency Preparedness (SSEP) functions
- Support systems and equipment which, if compromised, would adversely impact SSEP functions
- Protect from cyber attacks that adversely impact
- Integrity or Confidentiality of data and/or software
- Deny access to systems, services, and/or data
- Operation of systems, networks, & associated equipment 03/21/2019 3
10 CFR 73.54 Protection of Digital Computer &
Communication Systems & Networks
- The licensee shall:
- Analysis of equipment that needs to be protected (SSEP)
- Establish, implement, and maintain a cyber security program for the protection of the assets identified
- The Cyber Security Program is designed to:
- Implement security controls to protect the assets
- Apply & maintain Defense-In-Depth
- Detect, respond, & recover from cyber attacks
- Mitigate adverse effects of a cyber attack
- Maintain SSEP functions 03/21/2019 4
10 CFR 73.54 Protection of Digital Computer &
Communication Systems & Networks
- The Cyber Security Program must include:
- Training for all Personnel, including contractors
- Awareness
- Specialized training commensurate with roles & responsibilities
- Evaluate & manage cyber risks
- Evaluate modification to assets
- Conduct cyber security event notifications
- Review the cyber security program as part of the physical security program 03/21/2019 5
Overview of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Schedule Industrys Interim Implementation Schedule MS 1 - 7 Inspections Cyber Security 2009 2010 2011 2012 2013 2014 2015 2016 2017 Implementation Inspections All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs)
Implementation Schedules Approved
- NEI 13-10 Assessment of Security Controls
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 6
7 Interim Milestones 2013 2015 MS 1 MS 2 MS 3 MS 4 MS 5 MS 6 MS 7 Apply Establish the Implement Implement Identify Access Security Implement Observation & Ongoing &
Cyber Control for Controls to Critical One-way Identification Assessment Security Portable & Most Activities for Digital Deterministic of Obvious Assessment Mobile Important Assets Device Cyber Controls Team Devices Critical Digital Tampering Applied Assets
- Inspections conducted using a Temporary Instruction
- Good Faith Enforcement Direction used for findings
- Findings followed-up through Problem Identification & Resolution Inspections 03/20/2019 7
Regulatory Guide 5.71, Cyber Security Program for Nuclear Facilities
- 1. Cyber Security Assessment Team
- 2. Identify Critical Digital Assets (CDAs)
- 3. Implement Defensive Architecture Most Risk 4. Apply Security Significant CDAs Controls 03/20/2019 4 8
Generic Defensive Architecture Security / Safety Site Corporate Internet Systems Network Network One-way Deterministic Device 03/20/2019 9
Overview of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Schedule Industrys Interim Implementation Schedule MS 1 - 7 Inspections Cyber Security 2009 2010 2011 2012 2013 2014 2015 2016 2017 Implementation Inspections All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs)
Implementation Schedules Approved
- NEI 13-10 Assessment of Security Controls
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 10
Cyber Security Notification Rule, 10 CFR 73.77
- Effective on December 2, 2015
- Implementation date - May 2, 2016
- Requires licensees to notify NRC of certain cyber incidents within timelines based on the severity of the incident.
- Associated Guidance:
- NRC Regulatory Guide 5.83
- NEI Guidance Document (NEI 15-09)
- The NRC has received no 10 CFR 73.77 notifications to date 03/20/2019 11
Overview of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Schedule Industrys Interim Implementation Schedule MS 1 - 7 Inspections Cyber Security 2009 2010 2011 2012 2013 2014 2015 2016 2017 Implementation Inspections All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs)
Implementation Schedules Approved
- NEI 13-10 Assessment of Security Controls
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 12
Full Implementation Details
- Expands scope to include all Critical Digital Assets (CDAs)
- All Safety & Security - Full Cyber Controls
- Graded Approach for Important-to-Safety, Emergency Preparedness (EP) & Balance-of-Plant (BoP)
- Some Important-to-Safety, the EP and BoP CDAs are evaluated as Non-Direct and have a minimal set of controls applied
- Attack Mitigation and Incident Response Testing and Drills
- Continuity of Operations Training and Testing
- Vulnerability Assessment and Mitigation Non-Direct CDA: CDAs that cannot have an adverse impact on Safety or Security functions prior to their compromise or failure being detected and compensatory measures being implemented by a licensee 03/20/2019 13
Full Implementation Details
- Secure Communication Pathways to CDAs
- Ensure only authorized, protected communication from known devices is permitted
- Supply Chain
- Adds security requirements relevant to vendors, contractors, and developers
- Ensure Availability and Integrity of Information to, from, and on CDAs
- Prevent CDAs from accessing, receiving, transmitting, or producing unverified or untrusted information
- Configuration Management
- Ongoing Evaluation and Management of Cyber Risk
- Audit and Accountability
- Validates effectiveness of the cyber security program and controls 03/20/2019 14
Overview of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Schedule Industrys Interim TODAY Implementation Schedule MS 1 - 7 Inspections Cyber Security 2009 2010 2011 2012 2013 2014 2015 2016 2017 Implementation Inspections All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs)
Implementation Schedules Approved
- NEI 13-10 Assessment of Security Controls
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 15
Full Implementation Inspections
- As of February 2019, 23 inspections are complete.
- Preliminary insights on potential areas for improvement:
- Quality of licensee critical digital asset and system assessments
- Quality of description / justification for the use of alternate controls.
- Implementation of the licensees vulnerability assessment program, including past vulnerabilities.
- Guidance on portable media & mobile device program, in particular configuration of transfer kiosk.
- Guidance on periodicity for ongoing monitoring & assessment modifications.
03/20/2019 16
Future of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Full Implementation Schedule Industrys Interim Inspections at all Implementation Schedule Licensee Sites MS 1 - 7 Inspections Future 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 Inspection Program All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs) Power Reactor Implementation
- NEI 13-10 Assessment of Security Controls Cyber Security Schedules Approved Self-Assessment
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 17
Future Plans
- In 2019 the NRC plans to conduct an overall assessment of the power reactor cyber security program to include:
- Effectiveness of the 10 CFR 73.54 rule
- Effectiveness of the guidance and licensee implementation of the rule
- Effectiveness of the full implementation inspection program
- External factors and lessons learned over the course of program implementation
- The assessment will inform the staffs evaluation of the NEI Petition for Cyber Security Rulemaking.
- Assessment results will be used to evaluate future inspection
- Regulatory Guide 5.71 Revision 1 in comment resolution 03/20/2019 18
Other NRC Cyber Initiatives
- Fuel Cycle Facilities
- Cyber Security Rulemaking in progress
- Lessons learned from power reactor implementation
- Non-Power Reactors
- Best Practices Guidance
- Non-power Production or Utilization Facilities
- Under evaluation by the NRC staff
- Independent Spent Fuel Storage Installations
- No cyber requirement, may re-evaluate in the future
- Nuclear Materials
- Best Practices Guidance
- Decommissioning
- Cyber Security is included in the decommissioning rulemaking 03/20/2019 19
Industry Cyber Incidents 2015-2018
- Advanced Persistent Threat (APT) campaign targeting energy sector (2016-2017)
- Well publicized attack on multiple sectors of the critical infrastructure.
- March 15th, DHS identified Russia as the source of these incursions.
- Staff follow-up the incident with a security advisory for industry.
- Malware Event impacting multiple Entergy facilities, including nuclear sites (2018)
- In February 2018, malware was detected on Entergys business networks
- Attempted access of EP CDAs identified as a recordable event at two sites.
- Attack attributed to hacking an internet facing company site.
03/20/2019 20
Questions 03/20/2019 21
NRC Cyber Security Oversight Program Status Jim Beardsley, Chief Cyber Security Branch (CSB)
Division of Physical and Cyber Security Policy (DPCP)
Office of Nuclear Security and Incident Response (NSIR) james.beardsley@nrc.gov 03/20/2019 1
Overview of US NRC Cyber Security Program Development of the Cyber Rule 10 CFR73.54 for NPPs Industrys Voluntary Implementation of an Interim Cyber Security Program NRC Conducts Assessment Visits NRC Issues various Orders &
Guidance Documents for NPPs to address the Physical
& Cyber Threat Updated DBT 10 CFR 73.1 DBT Update Public Law 109-58 Energy Policy Act 2005 03/20/2019 2
10 CFR 73.54 Protection of Digital Computer &
Communication Systems & Networks
- Op Rx and license applicants must submit a Cyber Security Plan by November 2009
- Protect digital computer and communication systems and networks associated with
- Safety, Security & Emergency Preparedness (SSEP) functions
- Support systems and equipment which, if compromised, would adversely impact SSEP functions
- Protect from cyber attacks that adversely impact
- Integrity or Confidentiality of data and/or software
- Deny access to systems, services, and/or data
- Operation of systems, networks, & associated equipment 03/21/2019 3
10 CFR 73.54 Protection of Digital Computer &
Communication Systems & Networks
- The licensee shall:
- Analysis of equipment that needs to be protected (SSEP)
- Establish, implement, and maintain a cyber security program for the protection of the assets identified
- The Cyber Security Program is designed to:
- Implement security controls to protect the assets
- Apply & maintain Defense-In-Depth
- Detect, respond, & recover from cyber attacks
- Mitigate adverse effects of a cyber attack
- Maintain SSEP functions 03/21/2019 4
10 CFR 73.54 Protection of Digital Computer &
Communication Systems & Networks
- The Cyber Security Program must include:
- Training for all Personnel, including contractors
- Awareness
- Specialized training commensurate with roles & responsibilities
- Evaluate & manage cyber risks
- Evaluate modification to assets
- Conduct cyber security event notifications
- Review the cyber security program as part of the physical security program 03/21/2019 5
Overview of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Schedule Industrys Interim Implementation Schedule MS 1 - 7 Inspections Cyber Security 2009 2010 2011 2012 2013 2014 2015 2016 2017 Implementation Inspections All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs)
Implementation Schedules Approved
- NEI 13-10 Assessment of Security Controls
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 6
7 Interim Milestones 2013 2015 MS 1 MS 2 MS 3 MS 4 MS 5 MS 6 MS 7 Apply Establish the Implement Implement Identify Access Security Implement Observation & Ongoing &
Cyber Control for Controls to Critical One-way Identification Assessment Security Portable & Most Activities for Digital Deterministic of Obvious Assessment Mobile Important Assets Device Cyber Controls Team Devices Critical Digital Tampering Applied Assets
- Inspections conducted using a Temporary Instruction
- Good Faith Enforcement Direction used for findings
- Findings followed-up through Problem Identification & Resolution Inspections 03/20/2019 7
Regulatory Guide 5.71, Cyber Security Program for Nuclear Facilities
- 1. Cyber Security Assessment Team
- 2. Identify Critical Digital Assets (CDAs)
- 3. Implement Defensive Architecture Most Risk 4. Apply Security Significant CDAs Controls 03/20/2019 4 8
Generic Defensive Architecture Security / Safety Site Corporate Internet Systems Network Network One-way Deterministic Device 03/20/2019 9
Overview of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Schedule Industrys Interim Implementation Schedule MS 1 - 7 Inspections Cyber Security 2009 2010 2011 2012 2013 2014 2015 2016 2017 Implementation Inspections All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs)
Implementation Schedules Approved
- NEI 13-10 Assessment of Security Controls
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 10
Cyber Security Notification Rule, 10 CFR 73.77
- Effective on December 2, 2015
- Implementation date - May 2, 2016
- Requires licensees to notify NRC of certain cyber incidents within timelines based on the severity of the incident.
- Associated Guidance:
- NRC Regulatory Guide 5.83
- NEI Guidance Document (NEI 15-09)
- The NRC has received no 10 CFR 73.77 notifications to date 03/20/2019 11
Overview of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Schedule Industrys Interim Implementation Schedule MS 1 - 7 Inspections Cyber Security 2009 2010 2011 2012 2013 2014 2015 2016 2017 Implementation Inspections All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs)
Implementation Schedules Approved
- NEI 13-10 Assessment of Security Controls
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 12
Full Implementation Details
- Expands scope to include all Critical Digital Assets (CDAs)
- All Safety & Security - Full Cyber Controls
- Graded Approach for Important-to-Safety, Emergency Preparedness (EP) & Balance-of-Plant (BoP)
- Some Important-to-Safety, the EP and BoP CDAs are evaluated as Non-Direct and have a minimal set of controls applied
- Attack Mitigation and Incident Response Testing and Drills
- Continuity of Operations Training and Testing
- Vulnerability Assessment and Mitigation Non-Direct CDA: CDAs that cannot have an adverse impact on Safety or Security functions prior to their compromise or failure being detected and compensatory measures being implemented by a licensee 03/20/2019 13
Full Implementation Details
- Secure Communication Pathways to CDAs
- Ensure only authorized, protected communication from known devices is permitted
- Supply Chain
- Adds security requirements relevant to vendors, contractors, and developers
- Ensure Availability and Integrity of Information to, from, and on CDAs
- Prevent CDAs from accessing, receiving, transmitting, or producing unverified or untrusted information
- Configuration Management
- Ongoing Evaluation and Management of Cyber Risk
- Audit and Accountability
- Validates effectiveness of the cyber security program and controls 03/20/2019 14
Overview of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Schedule Industrys Interim TODAY Implementation Schedule MS 1 - 7 Inspections Cyber Security 2009 2010 2011 2012 2013 2014 2015 2016 2017 Implementation Inspections All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs)
Implementation Schedules Approved
- NEI 13-10 Assessment of Security Controls
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 15
Full Implementation Inspections
- As of February 2019, 23 inspections are complete.
- Preliminary insights on potential areas for improvement:
- Quality of licensee critical digital asset and system assessments
- Quality of description / justification for the use of alternate controls.
- Implementation of the licensees vulnerability assessment program, including past vulnerabilities.
- Guidance on portable media & mobile device program, in particular configuration of transfer kiosk.
- Guidance on periodicity for ongoing monitoring & assessment modifications.
03/20/2019 16
Future of US NRC Cyber Security Program RG 5.71 & NEI 08-09 Pilot Inspections Implementation Conducted at 2 NPPs NRC Cyber Guidance Acceptable Security for Use Notification Rule Full 10 CFR 73.77 Implementation NRC & Industry agree on MS 1 - 7 Implementation Full Implementation Schedule Industrys Interim Inspections at all Implementation Schedule Licensee Sites MS 1 - 7 Inspections Future 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 Inspection Program All NPPs Cyber NRC & Industry collaborative work on implementation guidance:
Security Plans &
- Security Frequently Asked Questions (SFAQs) Power Reactor Implementation
- NEI 13-10 Assessment of Security Controls Cyber Security Schedules Approved Self-Assessment
- NRC Participates in Industry Workshops & Tabletops to assess inspection procedure
- Development of Additional Guidance for Implementation Schedules 03/20/2019 17
Future Plans
- In 2019 the NRC plans to conduct an overall assessment of the power reactor cyber security program to include:
- Effectiveness of the 10 CFR 73.54 rule
- Effectiveness of the guidance and licensee implementation of the rule
- Effectiveness of the full implementation inspection program
- External factors and lessons learned over the course of program implementation
- The assessment will inform the staffs evaluation of the NEI Petition for Cyber Security Rulemaking.
- Assessment results will be used to evaluate future inspection
- Regulatory Guide 5.71 Revision 1 in comment resolution 03/20/2019 18
Other NRC Cyber Initiatives
- Fuel Cycle Facilities
- Cyber Security Rulemaking in progress
- Lessons learned from power reactor implementation
- Non-Power Reactors
- Best Practices Guidance
- Non-power Production or Utilization Facilities
- Under evaluation by the NRC staff
- Independent Spent Fuel Storage Installations
- No cyber requirement, may re-evaluate in the future
- Nuclear Materials
- Best Practices Guidance
- Decommissioning
- Cyber Security is included in the decommissioning rulemaking 03/20/2019 19
Industry Cyber Incidents 2015-2018
- Advanced Persistent Threat (APT) campaign targeting energy sector (2016-2017)
- Well publicized attack on multiple sectors of the critical infrastructure.
- March 15th, DHS identified Russia as the source of these incursions.
- Staff follow-up the incident with a security advisory for industry.
- Malware Event impacting multiple Entergy facilities, including nuclear sites (2018)
- In February 2018, malware was detected on Entergys business networks
- Attempted access of EP CDAs identified as a recordable event at two sites.
- Attack attributed to hacking an internet facing company site.
03/20/2019 20
Questions 03/20/2019 21