Text

THIS PRELIMINARY PROPOSED RULE LANGUAGE AND ACCOMPANYING DISCUSSION IS BEING RELEASED TO SUPPORT INTERACTIONS WITH STAKEHOLDERS AND THE ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS). THIS LANGUAGE HAS NOT BEEN SUBJECT TO COMPLETE NRC MANAGEMENT OR LEGAL REVIEW, AND ITS CONTENTS SHOULD NOT BE INTERPRETED AS OFFICIAL AGENCY POSITIONS. THE NRC STAFF PLANS TO CONTINUE WORKING ON THE CONCEPTS AND DETAILS PROVIDED IN THIS DOCUMENT AND WILL CONTINUE TO PROVIDE OPPORTUNITIES FOR PUBLIC PARTICIPATION AS PART OF THE RULEMAKING ACTIVITIES.

THE STAFF IS PRIMARILY SEEKING INSIGHTS REGARDING THE CONCEPTS IN THIS PRELIMINARY LANGUAGE AND SECONDARILY SEEKING INSIGHTS RELATED TO DETAILS SUCH AS NUMERICAL VALUES FOR VARIOUS CRITERIA.

STAFF DISCUSSION OF PART 73 CYBER SECURITY - PRELIMINARY RULE LANGUAGE (June 2021)

Preliminary Language Discussion CYBER SECURITY

§ 73.110 - Technology neutral requirements for protection of In lieu of requiring advanced reactor licensees to digital computer and communication systems and networks protect against cyber attacks up to and including the design basis threat as required for power reactors in 10 CFR 73.54, this proposed new section implements a graded approach to determine the level of cyber security protection required for digital computer and communication systems and networks (i.e., protection at the cyber security program level and the security controls implementation level). A graded approach based on consequences is intended to account for the differing risk levels within advanced reactor technologies. Specifically, the proposed new section requires licensees to demonstrate reasonable assurance of cyber security protection against cyber attacks only if the potential consequences from such attacks meet or exceed the consequences defined herein. The graded approach will be further explained as part of a new regulatory guidance development effort.

1

The proposed new section leverages the following:

(1) the operating experience from power reactors and fuel cycle facilities and (2) the 10 CFR 73.54 framework, which contains some of the basic requirements needed for cyber security regardless of type of reactor. Differences between the 10 CFR 73.54 requirements and those discussed herein are primarily based on the implementation of a graded approach to cyber security for advanced reactors as discussed above to accommodate the wide range of technologies to be assessed by the NRC.

(a) Each licensee under 10 CFR part 53 shall establish, implement, This paragraph implements a graded approach to and maintain a cyber security program that is commensurate with the cyber security for advanced reactors to accommodate potential consequences resulting from cyber attacks. Accordingly, the wide range of technologies to be assessed by the each licensee shall provide reasonable assurance that digital NRC. Specifically, this section provides criteria for computer and communication systems and networks are adequately implementing a consequence-based approach to protected against cyber attacks that are capable of causing the cyber security by determining whether the potential following consequences: consequences resulting from a cyber attack would lead to the consequences listed herein. The staff is interested in stakeholder views on whether any additional consequences should be included herein.

(1) Exceeding the criterion in § 53.830(a)(2)(i); This consequence deals with a scenario where the cyber attack leads to offsite radiation hazards that would endanger public health and safety (i.e., the resulting consequence exceeds the first tier safety criteria, as specified in § 53.830(a)(2)(i)).

(2) Adversely impacting the functions performed by the digital assets This consequence is intended to address the physical used by the licensee for implementing the physical security security requirements specified in § 53.830(a)(1). This requirements in § 53.830(a)(1) of this chapter for special nuclear consequence deals with a scenario where the cyber material, source material, and byproduct material. attack adversely impacts the digital assets used by the licensee to prevent unauthorized removal of special nuclear material, source material, and byproduct 2

material (i.e., for protection of material SNM Cat III and Cat II (SSNM Cat I, if applicable) and Cat 1 and Cat 2 material.) Security digital assets include those used for nuclear material control and accounting.

(b) The licensee shall protect digital computer and communication This paragraph is developed from § 73.54(a)(1). The systems and networks associated with the functions listed in intent of the requirement is to identify the types of

[§ 73.54(a)(1)] in a manner that is commensurate with the potential systems and the functions that they support (e.g.,

consequences resulting from cyber attacks. safety functions, security functions, and emergency preparedness functions) that need to be protected from cyber attacks. This paragraph may not ultimately point to § 73.54(a)(1), as the Part 53 Working Group is going to have new definitions for certain functions and eliminate older definitions. For example, import-to-safety will not be used in Part 53, so this paragraph will need to be edited to capture the new terminology for what used to be called the SSEP functions. The adjusted language implements a graded approach to cyber security for advanced reactors to accommodate the wide range of technologies to be assessed by the NRC. The graded approach will be explained as part of a new regulatory guidance development effort.

(c) The licensee shall meet the confidentiality, integrity, and This paragraph is developed from § 73.54(a)(2). The availability requirements in § 73.54(a)(2) for the systems and networks intent of the requirement is to address the impacts on covered by paragraph (b) of this section in a manner that is systems and networks (i.e., a compromise in commensurate with the potential consequences resulting from cyber confidentiality, integrity, or availability) from cyber attacks. attacks that need to be prevented. The adjusted language implements a graded approach to cyber security for advanced reactors to accommodate the wide range of technologies to be assessed by the NRC. The graded approach will be explained as part of a new regulatory guidance development effort.

3

(d) The licensee shall: This paragraph implements a graded approach to cyber security for advanced reactors to accommodate (1) Analyze the potential consequences resulting from cyber attacks the wide range of technologies to be assessed by the on digital computer and communication systems and networks and NRC. The graded approach will be explained as part identify those assets that must be protected to satisfy paragraphs (a), of a new regulatory guidance development effort.

(b) and (c) of this section; and, The licensee should analyze and identify which specific (2) Establish, implement, and maintain a cyber security program for digital assets are actually critical digital assets, and the protection of the assets identified under paragraph (d)(1) of this thus within the scope of § 73.110. (Note: A critical section. digital asset is a component of a critical system that consists of or contains a digital device, computer, or communication system or network.)

Subsequently, the licensee shall establish, implement, and maintain a cyber security program for protecting those critical digital assets that makes use of risk insights, including threat information, and considers the resulting level of consequences of the threats.

4

(e) The cyber security program must be designed in a manner that is This paragraph is developed from § 73.54(c). The commensurate with the potential consequences resulting from cyber adjusted language implements a graded approach to attacks through the following steps: cyber security for advanced reactors to accommodate the wide range of technologies to be assessed by the (1) Implement security controls to protect the assets identified under NRC. The graded approach will be explained as part paragraph (d)(1) of this section from cyber attacks, commensurate of a new regulatory guidance development effort.

with their safety and security significance; The overall intent of this requirement is to address the (2) Apply and maintain defense-in-depth protective strategies to need for the licensee to develop a cyber security ensure the capability to detect, delay, respond to, and recover from program that implements a defense-in-depth defensive cyber attacks capable of causing the consequences identified in strategy. A defense-in-depth defensive strategy for paragraph (a) of this section; cyber security is represented by collections of complementary and redundant security controls that (3) Mitigate the adverse effects of cyber attacks capable of causing establish multiple layers of protection to safeguard the consequences identified in paragraph (a) of this section; and critical digital assets. Under a defense-in-depth (4) Ensure that the functions of protected assets identified under defensive strategy, the failure of a single protective paragraph (d)(1) of this section are not adversely impacted due to strategy or security control should not result in the cyber attacks capable of causing the consequences identified in compromise of safety and security functions.

paragraph (a) of this section.

5

(f) The licensee shall implement the following requirements in a This paragraph is developed from §§ 73.54(d) through manner that is commensurate with the potential consequences 73.54(h). The adjusted language implements a graded resulting from cyber attacks: approach to cyber security for advanced reactors to accommodate the wide range of technologies to be (1) As part of the cyber security program, the licensee shall meet the assessed by the NRC. The graded approach will be requirements in §§ 73.54(d)(1), 73.54(d)(2), 73.54(d)(4), and the explained as part of a new regulatory guidance following: development effort.

(i) Ensure that modifications to assets, identified under paragraph The requirement is primarily intended to address the (d)(1) of this section, are evaluated before implementation to ensure implementation of a cyber security program and the that the cyber security performance objectives identified in paragraph associated security life cycle activities for maintaining it (a) of this section are maintained. such as continuous monitoring and assessment, configuration management, ongoing assessment of (2) The licensee shall establish, implement, and maintain a cyber security controls and programs effectiveness, security plan that implements the cyber security program vulnerability scans/assessments, and cyber security requirements of this section in accordance with the requirements in event notifications.

§ 73.54(e).

(3) The licensee shall develop and maintain written policies and procedures to implement the cyber security plan in accordance with the requirements in § 73.54(f).

(4) The licensee shall review the cyber security program in accordance with the requirements in § 73.100(e).

(5) The licensee shall retain all records and supporting technical documentation required to satisfy the requirements in § 73.54(h).

6