ML20028C898

Summary of Meeting to Discuss NEI's White Paper, "Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with Balance of Plant," Dated November 2019
Issue date: 01/29/2020
From: Dan Warner, NRC/NSIR/DPCP/RSB
To: Warner D
Shared Package: ML20028C897



U.S. Nuclear Regulatory Commission Public Meeting Summary

Title:

Public Meeting to Discuss the Nuclear Energy Institute's (NEI's) White Paper, "Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with the Balance of Plant," Dated November 2019.

Date of Meeting: January 16, 2020, 0900 - 1200

Location: U.S. Nuclear Regulatory Commission, Three White Flint North, 1C05, 11601 Landsdown Street, Rockville, MD 20852

Type of Meeting: Category 2

Purpose of the Meeting:

The purpose of this meeting was to discuss with NEI, the industry, and the public NEI's White Paper titled "Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with the Balance of Plant (BOP)," dated November 2019.

As part of the preparation for this meeting, a document titled "Talking Points: NEI Approach to Revising Cyber Security Guidance for Balance of Plant Digital Assets" was prepared to record the approach to revising NEI guidance as well as a history of the U.S. Nuclear Regulatory Commission (NRC) and the Federal Energy Regulatory Commission (FERC) interactions for BOP digital assets. It will be added to the Agencywide Documents Access and Management System (ADAMS) along with this meeting summary.

General Details:

The NRC staff conducted a public meeting to discuss with NEI, the industry, and the public NEI's White Paper titled "Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with the BOP," dated November 2019. The meeting started at 0900 and ended at 1100. Present at the meeting were 11 NRC staff, 1 representative from the FERC, and 6 industry representatives. On the phone there were 7 NRC staff, 30 industry representatives, and 1 member of the public. Dan Warner from the Office of Nuclear Security and Incident Response began the meeting with introductions from participants in the room and then those on the phone line.

After the introductions, NRC management addressed the attendees with opening remarks providing an overview of the ongoing NRC efforts to further risk-inform the NRC Cyber Security Oversight Program. Management also thanked industry for their participation with the staff to work together to revise NEI's cyber security guidance. The final opening remarks were provided by Rich Mogavero, NEI. Mr. Mogavero reiterated that the guidance changes for BOP are part of a larger effort looking at multiple areas of the NRC Cyber Security Oversight Program, including multiple changes to NEI 10-04 and NEI 13-10. A question was raised in the room about how the changes to the NEI guidance documents will be implemented, either with multiple revisions or by generating one large revision for all approved changes. Mr. Mogavero confirmed that NEI intends to revise both NEI 10-04 and NEI 13-10 after the initial set of changes has been approved for use by the NRC.

Summary of Feedback:

Dan Warner, NRC, continued the meeting and stated that the main purpose of the meeting was to provide an opportunity for the public and stakeholders to provide feedback on NEI's White Paper. Brian Young, FirstEnergy Nuclear Operating Company, discussed the content of NEI's White Paper, "Changes to NEI 10-04 and NEI 13-10 Guidance for Identifying and Protecting Digital Assets Associated with the Balance of Plant," dated November 2019. The paper can be found in ADAMS under Accession No. ML19330G099.

Following the presentation, Mr. Warner conducted the question and comment portion of the meeting. Shana Helton, NRC, started by asking if the FERC orders would need to be changed. Jim Beardsley, NRC, responded that the NRC staff will look at the question and coordinate with the Office of the General Counsel and FERC on the review. Bill Gross, NEI, followed up by stating that the assets identified in the existing order are either under NRC purview or under North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard requirements. This approach will be maintained as part of the new revision to the guidance documents; it will just allow the use of the graded approach based on impact to the grid.

The following questions and/or comments were received from NRC staff on the White Paper:

  • The Paper should explain what is to be gained at the utilities by making this change.
  • The Paper should explain how the analytical process for determining Bulk Electric System (BES) impact will be performed.
  • Do the changes allow vulnerabilities that could be exploited by an adversary as long as the components don't cause enough of a transient to result in a Scram/Trip?
  • The White Paper indicates the controls in NEI 13-10 Section 5.1 would no longer apply under these changes and the section would be removed. Please ensure the White Paper explains the basis for this deletion.
  • The introduction to NEI 10-04 states the following: "Particularly, the NRC has clarified that, for the purposes of the NRC Cyber Security Rule, systems or equipment performing important-to-safety functions include structures, systems, and components in the balance of plant that have a nexus to radiological health and safety or could directly or indirectly affect reactivity and could result in an unplanned reactor shutdown or transient." The NEI White Paper proposes to change this definition by revising the final section to read [additions in bold], "result in an unplanned reactor shutdown or transient with the generated megawatts being reduced to zero within 15 minutes should be identified as BOP CDAs." The paper should be clear on the basis of this change.

The following questions and/or comments were received from FERC staff on the White Paper:

  • Is there any awareness of the recent US Government Accountability Office (GAO) report regarding risks to the electric grid? The report indicates BES low impact assets may not be protected enough. The paper should note that future changes to the NERC CIP standards will be evaluated to ensure they do not conflict with the approach proposed in the paper.

      o The referenced report is GAO-19-332, "Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid," dated August 2019.

  • It appears that some assets will be removed from NRC and FERC (CIP) cognizance if these changes are incorporated. The paper should address whether the approach would remove or add digital assets for their current oversight.
  • It may be beneficial for the paper to characterize the types of digital assets that may be impacted by the proposed approach.
  • Would the changes to guidance include implementing new technology? Ensure the paper would appropriately address impacts to the licensees' change management processes.

The following questions and/or comments were received from industry stakeholders on the White Paper:

  • Ensure the paper addresses how plants with multiple units handle the analysis for the BES impact categories.
  • Do the E.5 controls from NEI 08-09 apply to BOP assets that won't cause a scram/trip and that are located outside the protected area? The presenter answered that they do have to meet the controls in question.

Next Steps:

After all comments and questions were received, Mr. Warner, NRC, closed the meeting. NEI stated that they would evaluate the meeting feedback and decide on the next steps for endorsement of the White Paper. Any additional comments received after the public meeting will be available to industry, so the comments can be evaluated and addressed appropriately.